
Please help decode w5n32D5ag log


15 replies to this topic

#1 ABTOP

ABTOP

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:49 PM

Posted 03 September 2009 - 11:38 PM

Hello
My computer was infected a few days ago and here is what I am experiencing:
1. Malwarebytes will not run
2. Hijackthis will run once and shut down after about 5 seconds. The only way to get it running again is by reinstalling it (and it shuts down again)
3. Safe mode doesn’t help with any problems
4. IE page redirection
5. tapi.ofn DLL error happens twice during load
6. When running Windows registry repair 2.0 I can scan all of the registries except “Windows Services” as soon as software starts scanning windows services it closes and has to be reinstalled in order to run.
7. Trying to run hijackthis, malwarebytes, windows registry repair or any other repair type software results in an error “….you may not have appropriate permissions”
8. On one of your logs I was advised to run win32diag and post the txt file. (please find below)

Please advise on what to do next. Thank you.

Log file is located at: C:\Documents and Settings\Yuriy\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP149.tmp\ZAP149.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16F.tmp\ZAP16F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB1.tmp\ZAPB1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC8.tmp\ZAPC8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 07:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1f3207366e96c94d45c070496b08a2d4\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\64cc77a1a7652da2d7ace79940460770\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8a43415b80a3070aa22efa6c72b3f657\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b86b6a4fb33f1418ba334c3807fa2a23\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfb5c33fcc73ed7dcd60250b085691a5\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dfd20fda6478d599fc1417f0319287a1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1273898197-1446760690-1438334007-1004\S-1-5-21-1273898197-1446760690-1438334007-1004

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-220523388-1677128483-839522115-500\S-1-5-21-220523388-1677128483-839522115-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2256562177-4207961620-2080283332-500\S-1-5-21-2256562177-4207961620-2080283332-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\all

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\brt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\can

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\eng

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Ahead\PSD Image Database\cache\groups\1_My Albums\1_My Albums

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Ahead\PSD Image Database\cache\trash_images\trash_images

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink\PowerCinema\PowerCinema

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{7C387DCB-5D68-4357-944B-BF3C2D93B29D}\{7C387DCB-5D68-4357-944B-BF3C2D93B29D}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\D3GBXAWK\D3GBXAWK

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Snapfish\Snapfish

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Updater5\Updater5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\5DNSFV0R\5DNSFV0R

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\7DDYE1MZ\7DDYE1MZ

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\G1D4JYUI\G1D4JYUI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SY18FVAF\SY18FVAF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WLANProfiles\WLANProfiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 17:49:16 24281536 C:\WINDOWS\system32\MRT.exe ()



Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\GUM9.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\SDDLLS\SDDLLS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\tismsi\aucache\aucache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\tismsi\iaudata\_aucache\_aucache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!
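The Win32kDiag output above is what the helper reads to find the damage: dozens of junctions whose destination is an odd device name rather than a volume, and a system32\eventlog.dll that cannot be accessed, is larger than the copies in ServicePackFiles and dllcache, and carries no company name. The Python below is an added illustration, not part of the original post or of Win32kDiag itself; it parses a constructed excerpt of that log and flags both patterns. The benign-destination heuristic and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the structure of the Win32kDiag.txt log posted
# above (representative lines only; blank lines in the real log are ignored).
SAMPLE_LOG = r"""
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\MRT.exe
[1] 2009-07-29 17:49:16 24281536 C:\WINDOWS\system32\MRT.exe ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] date time size path (company)" records listed under a "Cannot access:" line
COPY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")
# Heuristic (assumption): a legitimate junction resolves to a \??\ path or a
# volume device, not to an arbitrary device name.
BENIGN_DEST_RE = re.compile(r"^(\\\?\?\\|\\Device\\HarddiskVolume)", re.IGNORECASE)


def parse_win32kdiag(text):
    """Return (mounts, blocked): destination -> [junction paths], and
    inaccessible file -> [records of every copy Win32kDiag located]."""
    mounts, blocked = defaultdict(list), {}
    pending_mount, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            mounts[m.group(1)].append(pending_mount)
            pending_mount = None
        elif m := CANNOT_RE.match(line):
            current = m.group(1)
            blocked[current] = []
        elif (m := COPY_RE.match(line)) and current is not None:
            blocked[current].append({"timestamp": m.group(1), "size": int(m.group(2)),
                                     "path": m.group(3), "company": m.group(4)})
    return mounts, blocked


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def triage(mounts, blocked):
    """Flag junctions to non-volume devices, and inaccessible files whose live
    copy disagrees (size or signer) with the OS's own backup copies."""
    findings = {"suspicious_mounts": {}, "patched": {}, "unverified": []}
    for dest, paths in mounts.items():
        if not BENIGN_DEST_RE.match(dest):
            findings["suspicious_mounts"][dest] = len(paths)
    for path, copies in blocked.items():
        live = [c for c in copies if c["path"].lower() == path.lower()]
        refs = [c for c in copies if c["path"].lower() != path.lower()
                and basename(c["path"]) == basename(path)]
        if not live or not refs:
            findings["unverified"].append(path)  # nothing to compare against
            continue
        live = live[0]
        # Prefer references with the same build timestamp: a patched file often
        # keeps the original timestamp but changes size.
        same_build = [r for r in refs if r["timestamp"] == live["timestamp"]] or refs
        ref_sizes = sorted({r["size"] for r in same_build})
        if live["size"] not in ref_sizes:
            findings["patched"][path] = f"size {live['size']} vs reference {ref_sizes}"
        elif not live["company"] and any(r["company"] for r in same_build):
            findings["patched"][path] = "no company/version info; reference copies have it"
    return findings


def triage_log(text):
    return triage(*parse_win32kdiag(text))


if __name__ == "__main__":
    for key, value in triage_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample this reports the single device name behind all the junctions, marks system32\eventlog.dll as patched because its size differs from the same-dated ServicePackFiles and dllcache copies, and lists MRT.exe as unverified because the log offers no reference copy for it.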


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:49 PM

Posted 05 September 2009 - 10:34 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please follow these steps first:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop everything and come back and tell me first. Executing The Avenger script (step #2) won't work if the file copy was not successful.
  • Exit the Command Prompt window.

===============================
Next set of steps...


Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 ABTOP

ABTOP
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:49 PM

Posted 05 September 2009 - 11:55 AM

Hi Sam and thank you for helping me. Please find below the log file from the Avenger. In addition, after reboot I got the following error: Microsoft .NET Framework Unhandled exception has occurred in your application. If you click continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately. Object reference not set to an instance of an object. Details, continue, quit.

Just ran a quick scan with Malwarebytes; here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2745
Windows 5.1.2600 Service Pack 3

9/5/2009 12:08:49 PM
mbam-log-2009-09-05 (12-08-49).txt

Scan type: Quick Scan
Objects scanned: 107220
Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\minix32.exe (Rogue.WindowsPolicePro) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\minix32 (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\minix32.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\matidaha.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yuriy\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\registryfix[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Yuriy\Local Settings\Temporary Internet Files\Content.IE5\CV2RG5U1\RegistryConvoy_Setup[1].exe (Rogue.RegTidy) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\ANTI_files.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.




Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Completed script processing.

*******************

Finished! Terminate.



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sat Sep 05 11:48:06 2009

11:48:06: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Edited by ABTOP, 05 September 2009 - 12:10 PM.


#4 ABTOP

ABTOP
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:49 PM

Posted 05 September 2009 - 12:16 PM

OK, the machine seems to be on its way to healthy functionality! Currently running a full scan with Malwarebytes.
The tapi.nfo error is gone but the Microsoft .NET Framework error is still here; below are the contents of the Details button. Please let me know how this error can be fixed. Thanks AGAIN!

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.NullReferenceException: Object reference not set to an instance of an object.
at QBWebConnector.RegistryManager.anyAppScheduled()
at QBWebConnector.ScheduleManager.Scheduler_Tick(Object sender, EventArgs e)
at QBWebConnector.EventManager.OnClockTicked(Object sender)
at QBWebConnector.QBWebConnector.Clock_Ticked(Object sender, EventArgs args)
at System.Windows.Forms.Timer.OnTick(EventArgs e)
at System.Windows.Forms.Timer.TimerNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3082 (QFE.050727-3000)
CodeBase: file:///c:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
QBWebConnector
Assembly Version: 2.0.0.139
Win32 Version: 2.0.0.139
CodeBase: file:///C:/Program%20Files/Common%20Files/Intuit/QuickBooks/QBWebConnector/QBWebConnector.exe
----------------------------------------
System.Windows.Forms
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
QBWCUtil
Assembly Version: 2.0.0.139
Win32 Version: 2.0.0.139
CodeBase: file:///C:/Program%20Files/Common%20Files/Intuit/QuickBooks/QBWebConnector/QBWCUtil.DLL
----------------------------------------
QBWCCommon
Assembly Version: 2.0.0.139
Win32 Version: 2.0.0.139
CodeBase: file:///C:/WINDOWS/assembly/GAC_32/QBWCCommon/2.0.0.139__82cc56431f1a971d/QBWCCommon.dll
----------------------------------------
System.Runtime.Remoting
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Runtime.Remoting/2.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll
----------------------------------------
System.Configuration
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3082 (QFE.050727-3000)
CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
QBWCInterfaces
Assembly Version: 2.0.0.139
Win32 Version: 2.0.0.139
CodeBase: file:///C:/WINDOWS/assembly/GAC/QBWCInterfaces/2.0.0.139__82cc56431f1a971d/QBWCInterfaces.dll
----------------------------------------
Interop.QBXMLRP2
Assembly Version: 8.0.0.249
Win32 Version: 8.0.0.249
CodeBase: file:///C:/WINDOWS/assembly/GAC/Interop.QBXMLRP2/8.0.0.249__31d8aec643e18259/Interop.QBXMLRP2.dll
----------------------------------------
Syncfusion.Grid.Windows
Assembly Version: 6.402.0.15
Win32 Version: 6.402.0.15
CodeBase: file:///C:/Program%20Files/Common%20Files/Intuit/QuickBooks/QBWebConnector/Syncfusion.Grid.Windows.DLL
----------------------------------------
Syncfusion.Shared.Base
Assembly Version: 6.402.0.15
Win32 Version: 6.402.0.15
CodeBase: file:///C:/Program%20Files/Common%20Files/Intuit/QuickBooks/QBWebConnector/Syncfusion.Shared.Base.DLL
----------------------------------------
Syncfusion.Core
Assembly Version: 6.402.0.15
Win32 Version: 6.402.0.15
CodeBase: file:///C:/Program%20Files/Common%20Files/Intuit/QuickBooks/QBWebConnector/Syncfusion.Core.DLL
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:49 PM

Posted 06 September 2009 - 09:27 AM

Please do not make any changes or run any scans on your computer while we are in the middle of this process. While I appreciate that you want to fix your computer as quickly as possible you risk creating complications that could make a difficult process even more so.

The error from the Microsoft .NET Framework is probably unrelated to malware, so we need to finish removing the malware infection first and repairing any damage, and then we can look to address your other issues.


Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



====================


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 ABTOP

ABTOP
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:49 PM

Posted 06 September 2009 - 11:38 AM

Sorry about jumping the gun on Malwarebytes, I thought we were all good. Anyway, here is the new win32 log; I will download ComboFix and run it next. Please let me know what the next step is. Thanks!

Log file is located at: C:\Documents and Settings\Yuriy\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP149.tmp\ZAP149.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP149.tmp\ZAP149.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16F.tmp\ZAP16F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16F.tmp\ZAP16F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB1.tmp\ZAPB1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB1.tmp\ZAPB1.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC8.tmp\ZAPC8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC8.tmp\ZAPC8.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 07:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1f3207366e96c94d45c070496b08a2d4\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\1f3207366e96c94d45c070496b08a2d4\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\64cc77a1a7652da2d7ace79940460770\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\64cc77a1a7652da2d7ace79940460770\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\8a43415b80a3070aa22efa6c72b3f657\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\8a43415b80a3070aa22efa6c72b3f657\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b86b6a4fb33f1418ba334c3807fa2a23\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b86b6a4fb33f1418ba334c3807fa2a23\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfb5c33fcc73ed7dcd60250b085691a5\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cfb5c33fcc73ed7dcd60250b085691a5\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dfd20fda6478d599fc1417f0319287a1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dfd20fda6478d599fc1417f0319287a1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1273898197-1446760690-1438334007-1004\S-1-5-21-1273898197-1446760690-1438334007-1004

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1273898197-1446760690-1438334007-1004\S-1-5-21-1273898197-1446760690-1438334007-1004

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-220523388-1677128483-839522115-500\S-1-5-21-220523388-1677128483-839522115-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-220523388-1677128483-839522115-500\S-1-5-21-220523388-1677128483-839522115-500

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2256562177-4207961620-2080283332-500\S-1-5-21-2256562177-4207961620-2080283332-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2256562177-4207961620-2080283332-500\S-1-5-21-2256562177-4207961620-2080283332-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\all

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all\all

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\brt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\brt\brt

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\can

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\can\can

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\eng

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\eng\eng

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Ahead\PSD Image Database\cache\groups\1_My Albums\1_My Albums

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Ahead\PSD Image Database\cache\groups\1_My Albums\1_My Albums

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Ahead\PSD Image Database\cache\trash_images\trash_images

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Ahead\PSD Image Database\cache\trash_images\trash_images

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink\PowerCinema\PowerCinema

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\CyberLink\PowerCinema\PowerCinema

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{7C387DCB-5D68-4357-944B-BF3C2D93B29D}\{7C387DCB-5D68-4357-944B-BF3C2D93B29D}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{7C387DCB-5D68-4357-944B-BF3C2D93B29D}\{7C387DCB-5D68-4357-944B-BF3C2D93B29D}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\D3GBXAWK\D3GBXAWK

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\D3GBXAWK\D3GBXAWK

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Snapfish\Snapfish

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Snapfish\Snapfish

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Updater5\Updater5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Updater5\Updater5

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\5DNSFV0R\5DNSFV0R

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\5DNSFV0R\5DNSFV0R

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\7DDYE1MZ\7DDYE1MZ

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\7DDYE1MZ\7DDYE1MZ

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\G1D4JYUI\G1D4JYUI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\G1D4JYUI\G1D4JYUI

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SY18FVAF\SY18FVAF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SY18FVAF\SY18FVAF

Found mount point : C:\WINDOWS\system32\config\systemprofile\WLANProfiles\WLANProfiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\WLANProfiles\WLANProfiles

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 17:49:16 24281536 C:\WINDOWS\system32\MRT.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\GUM9.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUM9.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\Temp\SDDLLS\SDDLLS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SDDLLS\SDDLLS

Found mount point : C:\WINDOWS\Temp\tismsi\aucache\aucache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\tismsi\aucache\aucache

Found mount point : C:\WINDOWS\Temp\tismsi\iaudata\_aucache\_aucache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\tismsi\iaudata\_aucache\_aucache

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

#7 ABTOP

ABTOP
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:49 PM

Posted 06 September 2009 - 12:01 PM

Ok and here is combofix.txt from C:
Please let me know what is next

ComboFix 09-09-06.01 - Yuriy 09/06/2009 11:42.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.999.441 [GMT -5:00]
Running from: c:\documents and settings\Yuriy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-220523388-1677128483-839522115-500
c:\recycler\S-1-5-21-2256562177-4207961620-2080283332-500
c:\recycler\S-1-5-21-505444085-300160745-2268890306-500
C:\reg.reg
c:\windows\Installer\13eedd0.msp
c:\windows\Installer\166026.msp
c:\windows\Installer\1ed96f2.msp
c:\windows\Installer\26414.msp
c:\windows\Installer\2b3353.msp
c:\windows\Installer\2f6e3.msp
c:\windows\Installer\30192b.msp
c:\windows\Installer\3b84b1.msp
c:\windows\Installer\4e7d57b.msp
c:\windows\Installer\4e7d57c.msp
c:\windows\Installer\4e7d57d.msp
c:\windows\Installer\4e7d57e.msp
c:\windows\Installer\4e7d57f.msp
c:\windows\Installer\4e7d580.msp
c:\windows\Installer\4e7d581.msp
c:\windows\Installer\4e7d582.msp
c:\windows\Installer\4e7d583.msp
c:\windows\Installer\519f8.msp
c:\windows\Installer\51a5b.msp
c:\windows\Installer\51abe.msp
c:\windows\Installer\6959ed1.msi
c:\windows\system32\0394.dll
c:\windows\Tasks\woxrnfyr.job
c:\windows\wiaserviv.log
c:\windows\wpd99.drv

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-05 16:58 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-05 16:58 . 2009-09-05 16:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-05 16:58 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 04:13 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-03 20:05 . 2009-09-05 17:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-03 19:37 . 2009-09-03 19:37 -------- d-----w- c:\documents and settings\Yuriy\Application Data\Office Genuine Advantage
2009-09-03 19:35 . 2009-09-03 19:35 -------- d-sh--w- c:\documents and settings\Yuriy\PrivacIE
2009-09-03 19:34 . 2009-09-03 19:34 -------- d-sh--w- c:\documents and settings\Yuriy\IETldCache
2009-09-03 19:10 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-03 19:10 . 2009-09-03 19:10 -------- d-----w- c:\windows\ie8updates
2009-09-03 19:10 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-03 19:10 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-03 19:10 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-03 19:10 . 2009-07-19 23:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-09-03 19:10 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-03 19:10 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-03 19:08 . 2009-09-03 19:10 -------- dc-h--w- c:\windows\ie8
2009-09-03 19:02 . 2009-09-03 19:02 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-03 19:02 . 2009-09-03 19:02 -------- d-----w- c:\program files\MSBuild
2009-09-03 19:02 . 2009-09-03 19:02 -------- d-----w- c:\program files\Reference Assemblies
2009-09-03 19:01 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-03 19:01 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-03 19:01 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-03 19:01 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-03 19:01 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-03 19:01 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-03 19:01 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-03 19:01 . 2009-09-03 19:01 -------- d-----w- C:\c9d2afbc1529709c68f9
2009-09-03 17:25 . 2009-09-05 18:16 -------- d-----w- c:\program files\Free Window Registry Repair
2009-09-03 14:46 . 2009-09-03 14:46 -------- d-----w- c:\program files\Sophos
2009-09-02 22:51 . 2009-09-02 22:51 185824 ----a-w- c:\windows\system32\0394.sys
2009-09-02 22:30 . 2009-09-02 22:42 102800 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-02 18:55 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-02 18:03 . 2009-09-02 18:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-02 17:53 . 2009-09-02 17:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-02 17:21 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-09-02 17:21 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-09-02 17:21 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-02 17:21 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-09-02 17:21 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-09-02 17:21 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-09-02 17:19 . 2001-08-17 17:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2009-09-02 17:18 . 2008-04-13 18:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-09-02 17:17 . 2001-08-17 17:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2009-09-02 17:16 . 2001-08-17 19:56 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2009-09-02 17:15 . 2001-08-18 03:36 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2009-09-02 17:14 . 2008-04-13 18:40 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2009-09-02 17:13 . 2001-08-17 17:12 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys
2009-09-02 17:12 . 2001-08-17 18:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2009-09-02 17:11 . 2001-08-17 19:56 182272 -c--a-w- c:\windows\system32\dllcache\s3mt3d.dll
2009-09-02 17:10 . 2001-08-17 18:28 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2009-09-02 17:09 . 2001-08-18 03:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2009-09-02 17:08 . 2001-08-17 17:12 30495 -c--a-w- c:\windows\system32\dllcache\pc100nds.sys
2009-09-02 17:07 . 2001-08-18 03:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2009-09-02 17:06 . 2001-08-17 17:50 13664 -c--a-w- c:\windows\system32\dllcache\n9i128.sys
2009-09-02 17:05 . 2001-08-17 18:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2009-09-02 17:04 . 2001-08-17 18:53 4992 -c--a-w- c:\windows\system32\dllcache\loop.sys
2009-09-02 17:03 . 2001-08-17 18:50 38784 -c--a-w- c:\windows\system32\dllcache\io8.sys
2009-09-02 17:02 . 2001-08-17 19:56 353184 -c--a-w- c:\windows\system32\dllcache\i740dnt5.dll
2009-09-02 17:01 . 2001-08-18 03:36 31232 -c--a-w- c:\windows\system32\dllcache\hpgt42tk.dll
2009-09-02 17:00 . 2001-08-17 17:14 441728 -c--a-w- c:\windows\system32\dllcache\fpcmbase.sys
2009-09-02 16:59 . 2001-08-17 17:19 174464 -c--a-w- c:\windows\system32\dllcache\es198x.sys
2009-09-02 16:58 . 2001-08-17 17:12 28062 -c--a-w- c:\windows\system32\dllcache\dp83820.sys
2009-09-02 16:57 . 2004-08-04 03:32 48640 -c--a-w- c:\windows\system32\dllcache\cwrwdm.sys
2009-09-02 16:56 . 2001-08-17 18:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-09-02 16:55 . 2001-08-17 19:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-09-02 14:31 . 2009-09-02 14:31 -------- d-----w- c:\program files\Alwil Software
2009-09-01 20:43 . 2006-02-28 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-01 20:22 . 2009-09-01 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-01 20:22 . 2009-09-01 20:22 -------- d-----w- c:\documents and settings\Yuriy\Application Data\SUPERAntiSpyware.com
2009-08-26 20:52 . 2009-09-01 13:55 256 ----a-w- c:\windows\system32\pool.bin
2009-08-26 20:33 . 2009-01-09 21:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-08-26 20:31 . 2009-09-02 18:36 -------- d-----w- c:\program files\Research In Motion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 05:15 . 2009-05-12 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-03 19:37 . 2007-01-16 16:35 66512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-03 18:53 . 2009-05-12 20:24 -------- d-----w- c:\program files\Microsoft Works
2009-09-03 17:36 . 2007-01-16 16:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 17:35 . 2009-07-13 17:50 -------- d-----w- c:\program files\CafeScribe
2009-09-03 17:35 . 2009-01-16 16:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-02 22:21 . 2007-04-26 12:41 -------- d-----w- c:\program files\Rockwell Software
2009-09-02 22:21 . 2007-04-26 12:40 -------- d-----w- c:\program files\Common Files\Rockwell
2009-09-02 22:17 . 2008-08-20 17:59 -------- d-----w- c:\program files\Google
2009-08-14 11:58 . 2009-09-03 16:14 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-06 13:50 . 2007-08-14 00:27 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2007-01-16 16:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 17:49 . 2009-07-13 17:51 -------- d-----w- c:\documents and settings\Yuriy\Application Data\MyScribe
2009-08-04 13:48 . 2009-07-27 12:49 -------- d-----w- c:\program files\Graboid
2009-08-04 13:47 . 2009-07-27 12:51 -------- d-----w- c:\program files\VideoLAN
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-29 13:47 . 2009-07-27 12:53 -------- d-----w- c:\documents and settings\Yuriy\Application Data\vlc
2009-07-29 04:37 . 2007-01-16 16:20 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2007-01-16 16:20 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-27 12:52 . 2009-07-27 12:52 -------- d-----w- c:\documents and settings\Yuriy\Application Data\MozillaControl
2009-07-27 12:52 . 2009-07-27 12:52 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-07-25 10:23 . 2009-03-30 16:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2007-01-16 16:20 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 17:21 . 2007-01-16 16:21 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2007-01-16 16:21 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-28 17:59 . 2009-06-28 17:59 56 --sh--r- c:\windows\system32\096B002AD2.sys
2009-06-28 17:59 . 2009-06-28 17:59 2098 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-25 08:25 . 2007-01-16 16:20 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2007-01-16 16:20 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2007-01-16 16:20 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2007-01-16 16:20 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2007-01-16 16:20 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2007-01-16 16:20 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2007-01-16 16:20 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-12 12:31 . 2007-01-16 16:20 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2007-01-16 16:20 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2007-01-16 17:30 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2007-01-16 16:20 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2007-01-16 16:21 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

------- Sigcheck -------

[7] DA1F27D85E0D1525F6621372E7B685E9 [5.1.2600.0 (XPClient.010817-1148)] c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Media Office"="c:\program files\Compal Electronics" [X]
"CASS"="c:\program files\Compal Electronics" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-08 7405568]
"KTPWare"="c:\program files\Elantech\ktp.exe" [2006-03-28 512000]
"tsnp2std"="c:\windows\system32\tsnp2std.exe" [2006-06-15 331776]
"snp2std"="c:\windows\vsnp2std.exe" [2006-05-15 675840]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2006-04-19 2084864]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2007-02-23 1165288]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImage\TimounterMonitor.exe" [2007-02-23 1945904]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-23 149024]
"openvpn-gui"="c:\program files\CIVision OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-02-08 1519616]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88204]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-12 984352]
QuickBooks Web Connector.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe [2009-2-9 300328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2006-04-19 18:08 49152 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-03-03 22:48 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\TightVNC-unstable\\vncviewer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 8.0\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Elantech\\Ktp.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:Port 135 TCP

R1 CPEb;CPEb;c:\windows\system32\drivers\CPEb.sys [1/16/2007 12:13 PM 8192]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [4/22/2008 12:22 PM 6016]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [1/16/2007 11:27 AM 27904]
R3 mtxgige;MtxGigE;c:\windows\system32\drivers\mtxgige.sys [4/22/2008 12:12 PM 219648]
R3 MtxGigEFilter;Matrox GigE Filter;c:\windows\system32\drivers\mtxgigefilter.sys [4/22/2008 12:12 PM 22016]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [6/24/2004 4:54 AM 23552]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S3 0394;0394;c:\windows\system32\0394.sys [9/2/2009 5:51 PM 185824]
S3 el656cd5;3Com Megahertz Global 10/100 LAN + 56K Modem CardBus PC Card;c:\windows\system32\drivers\el656CD5.sys [1/16/2007 4:29 AM 69194]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/16/2007 11:48 AM 36352]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 o1394bul;o1394bul;\??\c:\docume~1\Yuriy\LOCALS~1\Temp\o1394bul.sys --> c:\docume~1\Yuriy\LOCALS~1\Temp\o1394bul.sys [?]
S3 PyNwFlt;Pylon GigE Vision Streaming Filter Service;c:\windows\system32\DRIVERS\pynwflt.sys --> c:\windows\system32\DRIVERS\pynwflt.sys [?]
S3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [4/22/2008 12:26 PM 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 11:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1684)
c:\program files\Softex\OmniPass\opxpgina.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'lsass.exe'(1740)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(948)
c:\windows\system32\WININET.dll
c:\program files\Softex\OmniPass\SCUREDLL.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Softex\OmniPass\OmniServ.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\RegSrvc.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\1XConfig.exe
c:\program files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
c:\program files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-06 11:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 16:53

Pre-Run: 90,955,014,144 bytes free
Post-Run: 90,983,399,424 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (Memory: NT=999 MB, MIL=16.0 MB)" /MAXMEM=999 /noexecute=optin /fastdetect

324 --- E O F --- 2009-09-06 03:23

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 September 2009 - 11:35 AM

Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\windows\system32\0394.sys


  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 ABTOP

ABTOP
  • Topic Starter
  • Members
  • 11 posts

Posted 07 September 2009 - 01:32 PM

Please find below the results of the scan. Please let me know what my next steps are. Thank you.

Filename: 0394.sys
Status: Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Mon 7 Sep 2009 20:29:54 (CET)

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 07 September 2009 - 05:25 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

FCopy::
c:\windows\system32\dllcache\beep.sys | c:\windows\system32\drivers\beep.sys

Driver::
MEMSWEEP2

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



======================


Now let's see if Malwarebytes will run.


Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


========================================================

#11 ABTOP

ABTOP
  • Topic Starter
  • Members
  • 11 posts

Posted 07 September 2009 - 07:20 PM

Ok, here is the new ComboFix log. I will run Malwarebytes next and post the log. As a side note, I was able to run Malwarebytes after the first step (autofix, I believe).

ComboFix 09-09-07.02 - Yuriy 09/07/2009 19:05.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.999.492 [GMT -5:00]
Running from: c:\documents and settings\Yuriy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Yuriy\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\231a9a5.msp

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\beep.sys --> c:\windows\system32\drivers\beep.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-08 00:05 . 2006-02-28 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-09-08 00:05 . 2006-02-28 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-05 16:58 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-05 16:58 . 2009-09-05 16:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-05 16:58 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 04:13 . 2008-10-16 19:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-03 20:05 . 2009-09-05 17:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-03 19:37 . 2009-09-03 19:37 -------- d-----w- c:\documents and settings\Yuriy\Application Data\Office Genuine Advantage
2009-09-03 19:35 . 2009-09-03 19:35 -------- d-sh--w- c:\documents and settings\Yuriy\PrivacIE
2009-09-03 19:34 . 2009-09-03 19:34 -------- d-sh--w- c:\documents and settings\Yuriy\IETldCache
2009-09-03 19:10 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-09-03 19:10 . 2009-09-03 19:10 -------- d-----w- c:\windows\ie8updates
2009-09-03 19:10 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-03 19:10 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-03 19:10 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-03 19:10 . 2009-07-19 23:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-09-03 19:10 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-09-03 19:10 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-03 19:08 . 2009-09-03 19:10 -------- dc-h--w- c:\windows\ie8
2009-09-03 19:02 . 2009-09-03 19:02 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-03 19:02 . 2009-09-03 19:02 -------- d-----w- c:\program files\MSBuild
2009-09-03 19:02 . 2009-09-03 19:02 -------- d-----w- c:\program files\Reference Assemblies
2009-09-03 19:01 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-03 19:01 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-03 19:01 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-03 19:01 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-03 19:01 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-03 19:01 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-03 19:01 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-03 19:01 . 2009-09-03 19:01 -------- d-----w- C:\c9d2afbc1529709c68f9
2009-09-03 17:25 . 2009-09-05 18:16 -------- d-----w- c:\program files\Free Window Registry Repair
2009-09-03 14:46 . 2009-09-03 14:46 -------- d-----w- c:\program files\Sophos
2009-09-02 22:51 . 2009-09-02 22:51 185824 ----a-w- c:\windows\system32\0394.sys
2009-09-02 22:30 . 2009-09-02 22:42 102800 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-02 18:55 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-02 18:03 . 2009-09-02 18:03 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-02 17:53 . 2009-09-02 17:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-02 17:21 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-09-02 17:21 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-09-02 17:21 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-02 17:21 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-09-02 17:21 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-09-02 17:21 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-09-02 17:19 . 2001-08-17 17:13 19528 -c--a-w- c:\windows\system32\dllcache\w840nd.sys
2009-09-02 17:18 . 2008-04-13 18:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-09-02 17:17 . 2001-08-17 17:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2009-09-02 17:16 . 2001-08-17 19:56 81408 -c--a-w- c:\windows\system32\dllcache\tgiul50.dll
2009-09-02 17:15 . 2001-08-18 03:36 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2009-09-02 17:14 . 2008-04-13 18:40 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2009-09-02 17:13 . 2001-08-17 17:12 94698 -c--a-w- c:\windows\system32\dllcache\sk98xwin.sys
2009-09-02 17:12 . 2001-08-17 18:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2009-09-02 17:11 . 2001-08-17 19:56 182272 -c--a-w- c:\windows\system32\dllcache\s3mt3d.dll
2009-09-02 17:10 . 2001-08-17 18:28 899146 -c--a-w- c:\windows\system32\dllcache\r2mdkxga.sys
2009-09-02 17:09 . 2001-08-18 03:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2009-09-02 17:08 . 2001-08-17 17:12 30495 -c--a-w- c:\windows\system32\dllcache\pc100nds.sys
2009-09-02 17:07 . 2001-08-18 03:36 123776 -c--a-w- c:\windows\system32\dllcache\nv3.dll
2009-09-02 17:06 . 2001-08-17 17:50 13664 -c--a-w- c:\windows\system32\dllcache\n9i128.sys
2009-09-02 17:05 . 2001-08-17 18:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2009-09-02 17:04 . 2001-08-17 18:53 4992 -c--a-w- c:\windows\system32\dllcache\loop.sys
2009-09-02 17:03 . 2001-08-17 18:50 38784 -c--a-w- c:\windows\system32\dllcache\io8.sys
2009-09-02 17:02 . 2001-08-17 19:56 353184 -c--a-w- c:\windows\system32\dllcache\i740dnt5.dll
2009-09-02 17:01 . 2001-08-18 03:36 31232 -c--a-w- c:\windows\system32\dllcache\hpgt42tk.dll
2009-09-02 17:00 . 2001-08-17 17:14 441728 -c--a-w- c:\windows\system32\dllcache\fpcmbase.sys
2009-09-02 16:59 . 2001-08-17 17:19 174464 -c--a-w- c:\windows\system32\dllcache\es198x.sys
2009-09-02 16:58 . 2001-08-17 17:12 28062 -c--a-w- c:\windows\system32\dllcache\dp83820.sys
2009-09-02 16:57 . 2004-08-04 03:32 48640 -c--a-w- c:\windows\system32\dllcache\cwrwdm.sys
2009-09-02 16:56 . 2001-08-17 18:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-09-02 16:55 . 2001-08-17 19:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2009-09-02 14:31 . 2009-09-02 14:31 -------- d-----w- c:\program files\Alwil Software
2009-09-01 20:22 . 2009-09-01 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-01 20:22 . 2009-09-01 20:22 -------- d-----w- c:\documents and settings\Yuriy\Application Data\SUPERAntiSpyware.com
2009-08-26 20:52 . 2009-09-01 13:55 256 ----a-w- c:\windows\system32\pool.bin
2009-08-26 20:33 . 2009-01-09 21:18 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-08-26 20:31 . 2009-09-02 18:36 -------- d-----w- c:\program files\Research In Motion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 05:15 . 2009-05-12 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-03 19:37 . 2007-01-16 16:35 66512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-03 18:53 . 2009-05-12 20:24 -------- d-----w- c:\program files\Microsoft Works
2009-09-03 17:36 . 2007-01-16 16:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 17:35 . 2009-07-13 17:50 -------- d-----w- c:\program files\CafeScribe
2009-09-03 17:35 . 2009-01-16 16:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-02 22:21 . 2007-04-26 12:41 -------- d-----w- c:\program files\Rockwell Software
2009-09-02 22:21 . 2007-04-26 12:40 -------- d-----w- c:\program files\Common Files\Rockwell
2009-09-02 22:17 . 2008-08-20 17:59 -------- d-----w- c:\program files\Google
2009-08-14 11:58 . 2009-09-03 16:14 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-06 13:50 . 2007-08-14 00:27 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2007-01-16 16:20 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 17:49 . 2009-07-13 17:51 -------- d-----w- c:\documents and settings\Yuriy\Application Data\MyScribe
2009-08-04 13:48 . 2009-07-27 12:49 -------- d-----w- c:\program files\Graboid
2009-08-04 13:47 . 2009-07-27 12:51 -------- d-----w- c:\program files\VideoLAN
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-29 13:47 . 2009-07-27 12:53 -------- d-----w- c:\documents and settings\Yuriy\Application Data\vlc
2009-07-29 04:37 . 2007-01-16 16:20 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2007-01-16 16:20 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-27 12:52 . 2009-07-27 12:52 -------- d-----w- c:\documents and settings\Yuriy\Application Data\MozillaControl
2009-07-27 12:52 . 2009-07-27 12:52 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-07-25 10:23 . 2009-03-30 16:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2007-01-16 16:20 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 17:21 . 2007-01-16 16:21 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2007-01-16 16:21 915456 ------w- c:\windows\system32\wininet.dll
2009-06-28 17:59 . 2009-06-28 17:59 56 --sh--r- c:\windows\system32\096B002AD2.sys
2009-06-28 17:59 . 2009-06-28 17:59 2098 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-25 08:25 . 2007-01-16 16:20 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2007-01-16 16:20 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2007-01-16 16:20 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2007-01-16 16:20 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2007-01-16 16:20 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2007-01-16 16:20 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2007-01-16 16:20 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-12 12:31 . 2007-01-16 16:20 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2007-01-16 16:20 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:19 . 2007-01-16 17:30 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2007-01-16 16:20 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2007-01-16 16:21 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-06_16.50.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 00:12 . 2009-09-08 00:12 16384 c:\windows\temp\Perflib_Perfdata_700.dat
+ 2007-01-16 17:35 . 2009-09-08 00:12 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-01-16 17:35 . 2009-09-06 16:49 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-01-16 17:35 . 2009-09-08 00:12 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-01-16 17:35 . 2009-09-06 16:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-01-16 17:35 . 2009-09-08 00:12 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-01-16 17:35 . 2009-09-06 16:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Media Office"="c:\program files\Compal Electronics" [X]
"CASS"="c:\program files\Compal Electronics" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-02-08 7405568]
"KTPWare"="c:\program files\Elantech\ktp.exe" [2006-03-28 512000]
"tsnp2std"="c:\windows\system32\tsnp2std.exe" [2006-06-15 331776]
"snp2std"="c:\windows\vsnp2std.exe" [2006-05-15 675840]
"OmniPass"="c:\program files\Softex\OmniPass\scureapp.exe" [2006-04-19 2084864]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"PRONoMgr.exe"="c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-02-05 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2007-02-23 1165288]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImage\TimounterMonitor.exe" [2007-02-23 1945904]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-23 149024]
"openvpn-gui"="c:\program files\CIVision OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-02-08 1519616]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88204]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-12 984352]
QuickBooks Web Connector.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe [2009-2-9 300328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
2006-04-19 18:08 49152 ----a-w- c:\program files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-03-03 22:48 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\TightVNC-unstable\\vncviewer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Enterprise Solutions 8.0\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Elantech\\Ktp.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:Port 135 TCP

R1 CPEb;CPEb;c:\windows\system32\drivers\CPEb.sys [1/16/2007 12:13 PM 8192]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [4/22/2008 12:22 PM 6016]
R3 Ktp;Elantech Touchpad;c:\windows\system32\drivers\Ktp.sys [1/16/2007 11:27 AM 27904]
R3 mtxgige;MtxGigE;c:\windows\system32\drivers\mtxgige.sys [4/22/2008 12:12 PM 219648]
R3 MtxGigEFilter;Matrox GigE Filter;c:\windows\system32\drivers\mtxgigefilter.sys [4/22/2008 12:12 PM 22016]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [6/24/2004 4:54 AM 23552]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]
S3 0394;0394;c:\windows\system32\0394.sys [9/2/2009 5:51 PM 185824]
S3 el656cd5;3Com Megahertz Global 10/100 LAN + 56K Modem CardBus PC Card;c:\windows\system32\drivers\el656CD5.sys [1/16/2007 4:29 AM 69194]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/16/2007 11:48 AM 36352]
S3 o1394bul;o1394bul;\??\c:\docume~1\Yuriy\LOCALS~1\Temp\o1394bul.sys --> c:\docume~1\Yuriy\LOCALS~1\Temp\o1394bul.sys [?]
S3 PyNwFlt;Pylon GigE Vision Streaming Filter Service;c:\windows\system32\DRIVERS\pynwflt.sys --> c:\windows\system32\DRIVERS\pynwflt.sys [?]
S3 Wibukey2;Wibukey2;c:\windows\system32\drivers\Wibukey2.sys [4/22/2008 12:26 PM 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks Enterprise Solutions 8.0\HelpAsyncPluggableProtocol.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 19:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1684)
c:\program files\Softex\OmniPass\opxpgina.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'lsass.exe'(1740)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(620)
c:\windows\system32\WININET.dll
c:\program files\Softex\OmniPass\SCUREDLL.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Softex\OmniPass\OmniServ.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\RegSrvc.exe
c:\program files\Softex\OmniPass\OPXPApp.exe
c:\windows\system32\ZCfgSvc.exe
c:\windows\system32\1XConfig.exe
c:\program files\Compal Electronics, INC\MediaOffice\MediaOffice.exe
c:\program files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-08 19:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 00:17
ComboFix2.txt 2009-09-06 16:53

Pre-Run: 90,785,374,208 bytes free
Post-Run: 90,744,172,544 bytes free

296 --- E O F --- 2009-09-07 18:36

#12 ABTOP (Topic Starter)

Posted 07 September 2009 - 08:40 PM

Here is the Malwarebytes log, please advise on the next step.

Malwarebytes' Anti-Malware 1.40
Database version: 2754
Windows 5.1.2600 Service Pack 3

9/7/2009 8:39:09 PM
mbam-log-2009-09-07 (20-39-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 166809
Time elapsed: 37 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 08 September 2009 - 10:21 AM

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Let me know how your computer is behaving now.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#14 ABTOP (Topic Starter)

Posted 08 September 2009 - 03:26 PM

Sam, please find below the log of the junction program. The machine is operating fine, with the exception of the framework error during start up that I mentioned in one of the previous posts. Any idea on how I can correct that? Thanks.

#15 ABTOP (Topic Starter)

Posted 08 September 2009 - 07:13 PM

Sam, I am an idiot, I forgot to paste the log in my reply. Please tell me where I can find it so I can paste it.



