
Infected computer, unable to run malwarebytes.


  • This topic is locked
28 replies to this topic

#1 Kimber28


Posted 07 September 2009 - 10:54 AM

Computer is acting up and unable to run Malwarebytes and RegCure. When I tried to run these, the program shut down. Says I don't have permission to run. I tried to uninstall and reinstall Malwarebytes and the same thing happens. Unable to do so.
I am now getting all kinds of pop-ups for advertisements. Tried to restart computer. Only way to start up without looping is to F8 with "last known good configuration". When starting up I get "Error Loading C:\WINDOWS\system32\ritowene.dll the specific module could not be found". I am currently still able to access Windows Explorer but am fearful this will be affected too. Any suggestions will be MUCH appreciated!!

Sorry - Longtime observer and first time poster error! I realized I posted to the wrong forum - don't have a log yet!

{Mod edit : please do not Delete or move yet see.. http://www.bleepingcomputer.com/forums/top...16397~~~boopme}


I am attaching the following logs per boopme's request. I really appreciate the help I have been given to this point.

previous posts - http://www.bleepingcomputer.com/forums/t/255857/unable-to-run-malwarbytes/


This is the RSIT log that I found under C:\rsit
- when I ran this earlier (as requested by boopme) it quit part way through and this is what I posted in another area -- Thank you for helping boopme! I did as you asked and downloaded RSIT to my desktop, hit run and it connected to the scan but then shortly aborted. It was saying "listing recently downloaded.." then it stopped. I tried clicking on the desktop icon to retry and I received this message box: C:\Documents and Settings\Kim\Desktop\RSIT.exe (under this) "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this time. "

I also am attaching the Win32kDiag.txt

Hopefully these make sense to you!

Thank you again for taking time to look this over and advise. Will be standing by -

** while standing by waiting for assistance, I began a search for the dds.scr or RootRepeal log that I tried to run earlier and was unsuccessful. I did come across another .txt file that may be helpful -- it makes no sense to me but I have an odd feeling it isn't right. There is another one as well. One is under C:\Windows, called setupapi, is 595KB, done at 1:29pm today. The other is in C:\Windows\System32\CatRoot2, called dberr, 68KB, also at 1:29pm today. I have not tried to change anything on my computer other than steps 6 and 7 in the Preparation guide and what boopme suggested. Maybe this is nothing.

Merged topics then posts. ~ OB



Edited by Orange Blossom, 07 September 2009 - 10:51 PM.



#2 Buckeye_Sam


Posted 08 September 2009 - 02:48 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Kimber28


Posted 08 September 2009 - 05:37 PM

Hi Sam !!

Thank you for helping me!!
I got your request soon after you posted it. Followed your advice and disabled my McAfee Security Center. Downloaded ComboFix from Link one and saved to desktop. It did download Microsoft Recovery Console and stated it was successfully installed. Clicked yes to continue scanning for malware. The box then showed Autoscan ... scanning, said it would take about 10min but could be double the time.
There was a blinking yellow cursor. I let it go for over 2hrs and nothing happened. Just the blinking.

I closed this out and tried to re-run it from the desktop believing it was maybe hung up. (please don't growl -- I am a novice at this and I think I may have messed up.) When I double clicked the ComboFix icon it disappeared. I then tried to get back on the internet through Explorer and was unable to. Starting to panic, I enabled my McAfee Security Center again, unplugged my modem for a minute and tried again. I was able to get to my homepage (comcast) but I could not get to www.bleepingcomputer.com. I then was able to through a link in my email from Bleeping Computer.

So....here I am without a ComboFix log to give you. Please give me further advice...will be waiting and not touching any programs!!

#4 Buckeye_Sam


Posted 09 September 2009 - 12:48 PM

No, you didn't mess up at all. This particular rootkit infection is very difficult to deal with and it tries to disable the programs that we use to remove it. So you did everything right and we're just going to have to work around it.


Please follow these steps first:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop everything and come back and tell me first. Executing The Avenger script (step #2) won't work if the file copy was not successful.
  • Exit the Command Prompt window.

===============================
Next set of steps...


Please disable your antivirus program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).


#5 Kimber28


Posted 09 September 2009 - 09:46 PM

Thanks for getting back to me Sam! Sorry for the delay..busy day. I was able to run The Avenger and got a log on reboot. When I rebooted, I had to force it to do so by -- Last known good configuration (most recent settings that worked). I have had to do this for a while on all reboots.

Don't know if this matters - When I log in I am getting a RUNDLL box with a red circle and white X that says "Error loading C:\WINDOWS\system32\ritowne.dll The specific module could not be found". I X out of this and can continue on. Later.. was still logged in with just desktop on - nothing opened and I return to computer. There is a small Windows Internet Explorer box with a yellow triangle and an ! in the middle. Beside it it says "Thank for cooperation." Doesn't seem right. I X out. Also, while looking up directions on MapQuest, suddenly there is an audio with a Betty Crocker advertisement, this is really odd - then other random audio ads. I X'd off the browser (IE); it was still playing. When I logged off it stopped. Has not happened this evening.

Below is the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#6 Kimber28


Posted 09 September 2009 - 10:41 PM

Update on what my system is doing. Just had McAfee pop up with: Potentially Unwanted Program Detected. Name: Generic PUP.x!bk
Location: C:\kfuiw.exe
I am planning to click to Remove this program.

Thank you for taking the time to help me with my system problems. Do you still want to know this stuff? I am not sure if it is important to you in helping me to figure this out. Thanks again ... standing (sitting!) by.. K

I decided to do nothing with the above. Maybe it is associated with something I have been asked to run and I don't want to mess it up any more than it is! HA Is it okay that I turned my antivirus back on after I posted the log? I am not sure when you will be able to help me again and not sure if I should be without protection!

#7 Buckeye_Sam


Posted 10 September 2009 - 09:40 AM

You're doing great! :(
Keep sharing with me what's going on. It does help.

It should get better after this next set of steps.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



========================



Now delete any copy of combofix.exe that you have if you downloaded it previously.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

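The Win32kDiag log that follows in the next reply is long and repetitive: one "Found mount point" / "Mount point destination" pair per redirected directory, plus a "Cannot access" block listing every copy of each file the tool could not open. The triage script below is an added example, not part of this thread and not code from Win32kDiag's author; it assumes only the line format quoted in the thread, and its sample log is constructed from a few of those lines. It counts the reparse points by destination and, for each inaccessible file, checks whether the in-place copy matches the ServicePackFiles reference (the same reference the eventlog.dll step above restores from).

```python
import re
from collections import Counter

# Constructed sample mirroring the Win32kDiag output quoted in this thread:
# two of the "Found mount point" entries and both "Cannot access" blocks.
SAMPLE_LOG = r"""
Log file is located at: C:\Documents and Settings\Kim\Desktop\Win32kDiag.txt

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d1\d1

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-10 06:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\PEV.exe
Attempting to restore permissions of : C:\WINDOWS\PEV.exe
[1] 2009-09-03 22:25:22 230912 C:\WINDOWS\PEV.exe ()
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] <mtime> <size> <path> (<vendor>)": one line per copy of the file the tool found.
# The path group is greedy so a vendor in trailing parentheses is split off correctly.
COPY_RE = re.compile(r"^\[\d+\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+) \((.*)\)$")


def parse_win32kdiag(text):
    """Return ([(mount_path, destination)], {denied_path: [copy dicts]})."""
    mounts, denied = [], {}
    pending_mount, current_denied = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending_mount = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending_mount is not None:
            mounts.append((pending_mount, m.group(1)))
            pending_mount = None
            continue
        m = DENIED_RE.match(line)
        if m:
            current_denied = m.group(1)
            denied[current_denied] = []
            continue
        m = COPY_RE.match(line)
        if m and current_denied is not None:
            denied[current_denied].append(
                {"mtime": m.group(1), "size": int(m.group(2)),
                 "path": m.group(3), "vendor": m.group(4)})
    return mounts, denied


def triage_denied(path, copies):
    """Classify one 'Cannot access' file from the copies the tool listed beneath it."""
    in_place = [c for c in copies if c["path"].lower() == path.lower()]
    references = [c for c in copies if c["path"].lower() != path.lower()]
    if not in_place:
        return "not_listed"
    current = in_place[0]
    if not references:
        # Nothing on disk to compare against; a copy with no vendor string needs a manual look.
        return "no_reference_unversioned" if not current["vendor"] else "no_reference"
    # ServicePackFiles\i386 is the copy Windows installs from (and the one the eventlog.dll
    # step in this thread restores from), so prefer it over $NtServicePackUninstall$.
    preferred = [r for r in references if "servicepackfiles" in r["path"].lower()] or references
    if any(r["size"] == current["size"] and r["mtime"] == current["mtime"] for r in preferred):
        return "matches_reference"
    return "differs_from_reference"


def summarize(text):
    """Condense a Win32kDiag log into reparse-point counts and per-file verdicts."""
    mounts, denied = parse_win32kdiag(text)
    return {
        "mount_points": len(mounts),
        # Every mount point in this thread's log resolves to the same non-volume device;
        # a destination that is not a real volume is the thing to look at first.
        "destinations": dict(Counter(dest for _, dest in mounts)),
        "denied": {p: triage_denied(p, copies) for p, copies in denied.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real Win32kDiag.txt by passing the file's contents to summarize(); the sample above gives 2 mount points, both to the same device, helpsvc.exe matching its ServicePackFiles copy and PEV.exe with no reference copy and no vendor string.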

#8 Kimber28


Posted 10 September 2009 - 01:33 PM

Hello there Sam ! FYI - Bleeping computer must be really busy...it is taking very long for each page to load for me on this site.

Here is the Win32kDiag.txt :

Log file is located at: C:\Documents and Settings\Kim\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BCMCommon\BCMCommon

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BCMCommon\BCMCommon

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BCMRes\BCMRes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BCMRes\BCMRes

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BusinessLayer\BusinessLayer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BusinessLayer\BusinessLayer

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Iris.Mapi.MessageStore\Iris.Mapi.MessageStore

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Iris.Mapi.MessageStore\Iris.Mapi.MessageStore

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.BusinessSolutions.eCRM.OutlookAddIn\Microsoft.BusinessSolutions.eCRM.OutlookAddIn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.BusinessSolutions.eCRM.OutlookAddIn\Microsoft.BusinessSolutions.eCRM.OutlookAddIn

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.BusinessSolutions.eCRM.OutlookAddIn.CSUtils\Microsoft.BusinessSolutions.eCRM.OutlookAddIn.CSUtils

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.BusinessSolutions.eCRM.OutlookAddIn.CSUtils\Microsoft.BusinessSolutions.eCRM.OutlookAddIn.CSUtils

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.eCRM.Office\Microsoft.eCRM.Office

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.eCRM.Office\Microsoft.eCRM.Office

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.Outlook\Microsoft.Interop.eCRM.Outlook

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.eCRM.Outlook\Microsoft.Interop.eCRM.Outlook

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.Mapi.Impl\Microsoft.Interop.Mapi.Impl

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.Mapi.Impl\Microsoft.Interop.Mapi.Impl

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.Mapi.Interfaces\Microsoft.Interop.Mapi.Interfaces

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.Interop.Mapi.Interfaces\Microsoft.Interop.Mapi.Interfaces

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP22D6.tmp\ZAP22D6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP22D6.tmp\ZAP22D6.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2490.tmp\ZAP2490.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2490.tmp\ZAP2490.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F1.tmp\ZAP5F1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F1.tmp\ZAP5F1.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\Cursors\Cursors

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cursors\Cursors

Found mount point : C:\WINDOWS\Debug\Setup\Backup\Backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\Setup\Backup\Backup

Found mount point : C:\WINDOWS\ehome\CreateDisc\Sfxplugins\Sfxplugins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ehome\CreateDisc\Sfxplugins\Sfxplugins

Found mount point : C:\WINDOWS\ehome\CreateDisc\SonicResources\SonicResources

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ehome\CreateDisc\SonicResources\SonicResources

Found mount point : C:\WINDOWS\ehome\CreateDisc\Styles\NTSC\Symphony\Cache\CacheDataFiles\CacheDataFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ehome\CreateDisc\Styles\NTSC\Symphony\Cache\CacheDataFiles\CacheDataFiles

Found mount point : C:\WINDOWS\ehome\CreateDisc\Styles\NTSC\Symphony\Symphony\Symphony

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ehome\CreateDisc\Styles\NTSC\Symphony\Symphony\Symphony

Found mount point : C:\WINDOWS\ehome\CreateDisc\Styles\PAL\Symphony\Cache\CacheDataFiles\CacheDataFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ehome\CreateDisc\Styles\PAL\Symphony\Cache\CacheDataFiles\CacheDataFiles

Found mount point : C:\WINDOWS\ehome\CreateDisc\Styles\PAL\Symphony\Symphony\Symphony

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ehome\CreateDisc\Styles\PAL\Symphony\Symphony\Symphony

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\LastGood\INF\INF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\LastGood\INF\INF

Found mount point : C:\WINDOWS\LastGood\system32\DRIVERS\DRIVERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\LastGood\system32\DRIVERS\DRIVERS

Found mount point : C:\WINDOWS\LastGood\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\LastGood\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\LastGood\system32\spool\DRIVERS\W32X86\amyuni_amyunidocumentconverter300\amyuni_amyunidocumentconverter300

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\LastGood\system32\spool\DRIVERS\W32X86\amyuni_amyunidocumentconverter300\amyuni_amyunidocumentconverter300

Found mount point : C:\WINDOWS\LastGood.Tmp\INF\INF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\LastGood.Tmp\INF\INF

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-10 06:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Cannot access: C:\WINDOWS\PEV.exe

Attempting to restore permissions of : C:\WINDOWS\PEV.exe

[1] 2009-09-03 22:25:22 230912 C:\WINDOWS\PEV.exe ()



Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\Resources\1033\1033

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Resources\1033\1033

Found mount point : C:\WINDOWS\Resources\Themes\Aquarium\Aquarium

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Resources\Themes\Aquarium\Aquarium

Found mount point : C:\WINDOWS\Resources\Themes\DaVinci\DaVinci

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Resources\Themes\DaVinci\DaVinci

Found mount point : C:\WINDOWS\Resources\Themes\Nature\Nature

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Resources\Themes\Nature\Nature

Found mount point : C:\WINDOWS\Resources\Themes\Space\Space

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Resources\Themes\Space\Space

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1650721825-2014680754-4161334018-1007\S-1-5-21-1650721825-2014680754-4161334018-1007

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1650721825-2014680754-4161334018-1007\S-1-5-21-1650721825-2014680754-4161334018-1007

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1650721825-2014680754-4161334018-1008\S-1-5-21-1650721825-2014680754-4161334018-1008

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1650721825-2014680754-4161334018-1008\S-1-5-21-1650721825-2014680754-4161334018-1008

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{B32D48CA-91FC-4570-8853-6AD2EA99D834}\{B32D48CA-91FC-4570-8853-6AD2EA99D834}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{B32D48CA-91FC-4570-8853-6AD2EA99D834}\{B32D48CA-91FC-4570-8853-6AD2EA99D834}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Jasc Software Inc\Paint Shop Pro Studio\Paint Shop Pro Studio

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Jasc Software Inc\Paint Shop Pro Studio\Paint Shop Pro Studio

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1650721825-2014680754-4161334018-500\S-1-5-21-1650721825-2014680754-4161334018-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1650721825-2014680754-4161334018-500\S-1-5-21-1650721825-2014680754-4161334018-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1637723038-725345543-500\S-1-5-21-343818398-1637723038-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1637723038-725345543-500\S-1-5-21-343818398-1637723038-725345543-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1650721825-2014680754-4161334018-500\S-1-5-21-1650721825-2014680754-4161334018-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1650721825-2014680754-4161334018-500\S-1-5-21-1650721825-2014680754-4161334018-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1650721825-2014680754-4161334018-500\S-1-5-21-1650721825-2014680754-4161334018-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1650721825-2014680754-4161334018-500\S-1-5-21-1650721825-2014680754-4161334018-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1637723038-725345543-500\S-1-5-21-343818398-1637723038-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1637723038-725345543-500\S-1-5-21-343818398-1637723038-725345543-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012005101920051020\MSHist012005101920051020

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012005101920051020\MSHist012005101920051020

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\MSHist012008091020080911

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\MSHist012008091020080911

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122520081226\MSHist012008122520081226

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122520081226\MSHist012008122520081226

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\Data\Data

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\Data\Data

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Found mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Found mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!

Sam, I need advice on how to delete the ComboFix that you asked me to do earlier. The icon is no longer on my desktop. I went to my Control Panel and Local Disk C:, found the ComboFix and tried to delete it to the Recycle Bin. I receive an "Error Deleting File or Folder" box saying: cannot delete ATTRIB.cffxe: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use. Please advise... Thank you!! You are a huge help for this one who knows the basics!! Will be waiting....K

#9 Kimber28

Kimber28
  • Topic Starter

  • Members
  • 26 posts

Posted 10 September 2009 - 04:14 PM

Well Sam... update. I searched my system and did not find combofix.exe. So I followed your advice and downloaded it to the desktop with the - . I ran it and it ran fine - worked this time. It then said it needed to reboot after it finished. Well..... it has been trying to reboot since about 4:10 pm today. My earlier post had said I have had trouble rebooting and had to do so using F1 / F8 with the last known good configuration option. Well, it seems this is preventing my system from booting now as well.
While trying to reboot it goes through these screens: Dell w/ F2 F12 in upper right, then a screen that shows the system info (I think); the last line is "Keyboard failure", then a flash, another quick flash (looks like operating system), next the Windows XP loading screen, then "Windows is starting up",....then a click and it begins all over again. After the 10th time I did try the F1/F8 keys and they are useless.
I have had to go to a neighbor's computer to report back to you. I have noooo idea what to do now. Should I disconnect my modem so the internet is not accessible until I can get it back up? Will I ever be able to get it started again?? I am just about to ....cry, scream, pull my hair out, & get a stiff drink! haha!
I am so thankful you all are here. Hopefully Sam, you or someone else knows how to get this looping stopped so I can get to that &*@#* log!
Hopefully you will get back soon. I will need to check my updates on another computer (not mine) in the meantime.
Thanks again for hanging with me!!!! Please tell me what to do to make the looping stop. Do I just keep letting it loop? Afraid to turn it off.

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 September 2009 - 07:01 PM

If you haven't already, just turn your computer off completely. Leave it off for five minutes or so. Then turn it back on. Listen carefully to the beep tones you hear as your computer boots up. Normal is usually just one short beep. Let me know if you hear anything different than that.

Assuming you hear just one short beep, go ahead and start tapping the F8 key on your keyboard and see if you can get to the boot menu. If so, try booting into safe mode. It will look funny, but you should be able to find the log.

Do you recall whether, when Combofix first started running, it prompted you to install the Recovery Console? And if so, did it install successfully?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Kimber28

Kimber28
  • Topic Starter

  • Members
  • 26 posts

Posted 10 September 2009 - 08:30 PM

Sam, I am soooo glad to hear from you!!! Thanks for not giving up on me! I got the Log!! Hope it helps you figure this out.
After I saw your reply, I turned my computer off for 5 minutes-ish. Turned back on, had the one beep - F8 - tried Safe Mode; the next screen offered a choice of MS Windows Recovery Console or Windows XP Media Center Edition. I chose the Windows XP M.C.E., then got a screen filled with Multi(0)disk(0)rdisk(0)partition(2),windowssystem32\ and various items. So I then crossed my fingers and did the F8 "last known good configuration" one. It worked!!

When I logged in there was a box with the ComboFix icon in the upper left corner, titled FIND3M, followed by "Preparing Log Report. Do not run any programs until ComboFix has finished." Tada!! The log follows. Thank you!!!


ComboFix 09-09-09.09 - Kim 09/10/2009 15:57.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.513 [GMT -4:00]
Running from: c:\documents and settings\Kim\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2004517428
C:\awdym.exe
C:\bfcxn.exe
C:\dfvwhr.exe
c:\docume~1\Kim\LOCALS~1\Temp\csrss.exe
c:\docume~1\Kim\LOCALS~1\Temp\lsass.exe
c:\docume~1\Kim\LOCALS~1\Temp\services.exe
c:\docume~1\Kim\LOCALS~1\Temp\svchost.exe
c:\docume~1\Kim\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Kim\LOCALS~1\Temp\winlogon.exe
C:\kfuiw.exe
C:\lrcov.exe
C:\nehlceu.exe
C:\p2hhr.bat
C:\qhxok.exe
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\5cad26a.msp
c:\windows\Installer\ca58481.msp
c:\windows\kb913800.exe
c:\windows\patch.exe
c:\windows\system32\~.exe
c:\windows\system32\bszip.dll
c:\windows\system32\buvatolo.dll
c:\windows\system32\Drivers\bulqrsyv.sys
c:\windows\system32\Drivers\csbyhv.sys
c:\windows\system32\Drivers\dfutsqcy.sys
c:\windows\system32\Drivers\hvdtn.sys
c:\windows\system32\Drivers\iedwb.sys
c:\windows\system32\Drivers\napcoekt.sys
c:\windows\system32\Drivers\sjpxps.sys
c:\windows\system32\Drivers\zkvklrr.sys
c:\windows\system32\dunerepe.dll
c:\windows\system32\fovazepo.dll
c:\windows\system32\hebogofi.dll
c:\windows\system32\jofuvoyo.dll
c:\windows\system32\kodusagi.dll
c:\windows\system32\kosagiti.dll
c:\windows\system32\limumoki.dll
c:\windows\system32\lujisosa.dll
c:\windows\system32\memezori.dll
c:\windows\system32\nirulewe.dll
c:\windows\system32\open.ico
c:\windows\system32\perosaro.dll
c:\windows\system32\pinazilo.dll
c:\windows\system32\pivahalo.dll
c:\windows\system32\retulama.dll
c:\windows\system32\riketuti.dll
c:\windows\system32\ropofotu.dll
c:\windows\system32\savahusu.dll
c:\windows\system32\somipegu.dll
c:\windows\system32\vapewezu.dll
c:\windows\system32\vojifuje.dll
c:\windows\system32\votajajo.dll
c:\windows\system32\yedonuse.dll
c:\windows\system32\ziloyoya.dll
c:\windows\system32\zopirozu.dll
c:\windows\system32\zoyegetu.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-10 20:07 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-10 20:07 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-07 20:33 . 2009-09-07 20:33 0 ----a-w- c:\documents and settings\Kim\settings.dat
2009-09-07 19:59 . 2009-09-09 02:10 -------- d-----w- c:\program files\trend micro
2009-09-07 19:59 . 2009-09-07 19:59 -------- d-----w- C:\rsit
2009-09-07 17:29 . 2009-05-09 05:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-09-07 17:29 . 2009-05-09 05:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2009-09-07 17:29 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-09-06 13:37 . 2009-09-10 17:56 -------- d--h--w- c:\windows\PIF
2009-09-05 21:37 . 2009-09-05 21:37 51712 ----a-w- C:\alolb.exe
2009-09-05 21:37 . 2009-09-05 21:37 79360 ----a-w- C:\tlkskmc.exe
2009-08-31 00:48 . 2009-08-31 00:48 -------- d-----w- c:\program files\TournamentBuilder Pro
2009-08-30 22:38 . 2009-08-30 22:38 -------- d-----w- c:\windows\system32\vmm32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 02:15 . 2005-10-22 00:58 -------- d-----w- c:\program files\Dl_cats
2009-09-09 02:20 . 2008-10-11 00:58 -------- d-----w- c:\program files\Shockwave.com
2009-09-09 02:20 . 2004-08-19 21:20 -------- d-----w- c:\program files\RGB
2009-09-06 20:03 . 2009-01-09 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 13:38 . 2009-09-06 13:38 8 ----a-w- c:\program files\jajorf.txt
2009-08-08 23:26 . 2009-08-08 23:26 102 ----a-w- c:\program files\dmhi.txt
2009-08-08 19:50 . 2008-12-25 17:44 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-06 20:28 . 2009-08-06 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2009-08-06 20:28 . 2008-12-25 20:54 -------- d-----w- c:\program files\RegCure
2009-08-05 09:01 . 2004-08-19 20:49 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-19 20:49 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 15:34 . 2008-12-27 14:55 -------- d-----w- c:\documents and settings\Kim\Application Data\LimeWire
2009-07-14 03:43 . 2004-08-19 20:50 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-19 20:49 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-19 20:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-19 20:49 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-19 20:49 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-19 20:49 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-19 20:49 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-19 20:49 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-19 20:49 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-19 20:49 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-19 20:49 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-20 01:05 . 2004-08-19 20:49 622592 ----a-w- c:\windows\system32\netcfgx.dll
2009-06-16 14:36 . 2004-08-19 20:49 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-19 20:49 81920 ----a-w- c:\windows\system32\fontsub.dll
2006-08-10 01:38 . 2006-08-10 01:37 2125 ----a-w- c:\program files\DeIsL1.isu
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-03-30 21:45 . 2006-03-30 21:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2005-06-07 03:46 . 2005-06-07 03:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

2005-10-16 15:58 . 2005-08-06 02:05 344064 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2004-07-27 21:50 . 2004-07-27 21:50 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2004-07-27 21:50 . 2004-07-27 21:50 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

2007-03-16 02:12 . 2007-03-16 02:12 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2005-10-16 15:59 . 2005-02-23 21:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2005-10-16 15:59 . 2003-09-04 01:12 221184 c:\program files\Intel\Modem Event Monitor\bak\IntelMEM.exe

2007-06-01 20:51 . 2007-06-01 20:51 257088 c:\program files\iTunes\bak\iTunesHelper.exe
2008-11-20 18:20 . 2008-11-20 18:20 290088 c:\program files\iTunes\iTunesHelper.exe

2007-08-01 12:27 . 2007-07-12 08:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2007-08-02 02:06 . 2007-08-04 06:33 582992 c:\program files\McAfee.com\Agent\bak\mcagent.exe
2009-06-20 00:50 . 2007-11-01 22:12 582992 c:\program files\McAfee.com\Agent\mcagent.exe

2004-08-19 21:01 . 2004-10-13 16:24 1694208 c:\program files\Messenger\bak\msmsgs.exe
2008-09-07 00:49 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

2005-11-06 20:23 . 2005-03-12 12:25 11776 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe

2005-10-16 16:11 . 2005-03-12 12:25 110592 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe

2007-04-27 13:41 . 2007-04-27 13:41 282624 c:\program files\QuickTime\bak\qttask.exe
2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe

2004-08-19 21:01 . 2005-08-05 18:56 64512 c:\windows\ehome\bak\ehtray.exe
2004-08-19 21:01 . 2005-08-05 18:56 64512 c:\windows\ehome\ehtray.exe

2004-08-19 20:50 . 2004-08-10 10:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-19 20:50 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2005-12-05 12:06 . 2005-05-31 10:33 122941 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]
"Aim6"="c:\program files\AIM6\aim6.exe" [2006-11-07 50736]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-04 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"kerinodose"="c:\windows\system32\ritowene.dll" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellMCM"="c:\program files\Dell Photo AIO Printer 942\memcard.exe" [2004-07-27 262144]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"DLBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2004-11-10 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"kerinodose"="c:\windows\system32\memezori.dll" [N/A]
"mowifavaj"="c:\windows\system32\jofuvoyo.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [N/A]

c:\documents and settings\Jake\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\V CAST Music Manager\MEMonitor.exe [2007-10-20 947544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Online Backup Scheduler.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1725375756
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cognac
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSFox

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 adwarealert;adwarealert;c:\windows\system32\drivers\adwarealert.sys [10/7/2008 7:40 AM 22512]
S2 0213151202213243mcinstcleanup;McAfee Application Installer Cleanup (0213151202213243); [x]
S2 AdwareAlertSrv;AdwareAlert Scanning Engine; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MCPROXY
.
Contents of the 'Scheduled Tasks' folder

2009-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-04 14:13]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 14:14]

2009-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 14:14]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-20 17:32]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-20 17:32]

2009-09-11 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-09-11 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-09-10 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-06-10 22:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{77d7eca9-21de-4e88-857c-c46afeea6045} - c:\windows\system32\ropofotu.dll
SharedTaskScheduler-{211df617-dc91-417d-b9a1-3df34e79f81a} - c:\windows\system32\jofuvoyo.dll
SSODL-yifugufus-{211df617-dc91-417d-b9a1-3df34e79f81a} - c:\windows\system32\jofuvoyo.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 20:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-09-11 21:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 01:04

Pre-Run: 11,877,326,848 bytes free
Post-Run: 17,180,553,216 bytes free

Current=2 Default=2 Failed=5 LastKnownGood=4 Sets=2,3,4,5
303 --- E O F --- 2009-09-07 17:29

Thank you Sam - from a neighboring Hoosier !! Keep me posted. Very sincerely - K

#12 Kimber28

Kimber28
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:55 PM

Posted 10 September 2009 - 08:35 PM

Oh - the first time I tried the Combofix it did prompt me to install the Recovery Console and I did. I believe it was successfully installed. It did not ask today.

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:55 PM

Posted 11 September 2009 - 05:57 PM

Well done! :(
Combofix was able to remove a bunch of malware files for us. We just have a little more cleaning up to do.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
c:\windows\system32\memezori.dll
c:\windows\system32\jofuvoyo.dll
c:\windows\system32\ritowene.dll
c:\program files\jajorf.txt
c:\program files\dmhi.txt
C:\alolb.exe
C:\tlkskmc.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1725375756]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kerinodose"=-
"mowifavaj"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kerinodose"=-
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged and dropped onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
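The ComboFix report above contains two kinds of entries that a defender reviewing such a log would want to pull out automatically: the browser proxy setting pointed at a local port (uInternet Settings,ProxyServer = http=localhost:7171) and the orphaned BHO/SSODL/SharedTaskScheduler entries whose targets are randomly named DLLs sitting directly in system32. The following Python script is an added triage helper, not part of this thread and not a ComboFix or Malwarebytes component; it parses ComboFix-style lines and flags those two indicators. The sample log is constructed from the kinds of lines shown in the report above (the third orphan line with the all-zero GUID is a made-up benign entry), and the "eight lowercase letters in system32" rule is a heuristic assumed for illustration, not a rule from the tool.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix code).

Reads lines in the form ComboFix prints in its 'Supplementary Scan' and
'ORPHANS REMOVED' sections and reports two indicators a defender would review:
  * an Internet Explorer ProxyServer value that routes browsing through a
    loopback address (a local interception proxy), and
  * autostart/COM entries (BHO, SSODL, SharedTaskScheduler) whose DLL target is
    a short random-looking name placed directly in system32.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: entries modelled on the report above, plus one benign
# orphan line with an all-zero GUID that the heuristic must NOT flag.
SAMPLE_LOG = """\
uStart Page = hxxp://www.comcast.net/
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
- - - - ORPHANS REMOVED - - - -
BHO-{77d7eca9-21de-4e88-857c-c46afeea6045} - c:\\windows\\system32\\ropofotu.dll
SharedTaskScheduler-{211df617-dc91-417d-b9a1-3df34e79f81a} - c:\\windows\\system32\\jofuvoyo.dll
SSODL-yifugufus-{211df617-dc91-417d-b9a1-3df34e79f81a} - c:\\windows\\system32\\jofuvoyo.dll
BHO-{00000000-0000-0000-0000-000000000000} - c:\\program files\\example vendor\\toolbar.dll
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "loopback_proxy" or "random_sys32_dll"
    line: str    # the log line that triggered the finding
    reason: str  # human-readable explanation for the reviewer


LOOPBACK = {"localhost", "127.0.0.1", "::1"}
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>.+)$", re.IGNORECASE)
ORPHAN_RE = re.compile(
    r"^(?P<entry>(?:BHO|SharedTaskScheduler|SSODL)\S*) - (?P<path>.+\.dll)\s*$",
    re.IGNORECASE,
)
# Heuristic (assumption): eight lowercase letters, directly in system32.
RANDOM_SYS32_RE = re.compile(r"^c:\\windows\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)


def proxy_hosts(value: str) -> List[str]:
    """Return the host parts of an IE ProxyServer value.

    Accepts both the per-protocol form 'http=host:port;https=host2:port'
    and the single form 'host:port'.
    """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:                       # drop the 'http=' / 'https=' prefix
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        hosts.append(host.strip("[]").lower())
    return hosts


def triage(log_text: str) -> List[Finding]:
    """Scan log lines and collect findings in the order they appear."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.search(line)
        if m:
            for host in proxy_hosts(m.group("value")):
                if host in LOOPBACK or host.startswith("127."):
                    findings.append(Finding(
                        "loopback_proxy", line,
                        f"browser traffic is routed through a local proxy on {host}"))
            continue
        m = ORPHAN_RE.match(line)
        if m and RANDOM_SYS32_RE.match(m.group("path")):
            entry_type = m.group("entry").split("-")[0]
            findings.append(Finding(
                "random_sys32_dll", line,
                f"{entry_type} entry points at a random-looking DLL in system32"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'loopback_proxy': 1, 'random_sys32_dll': 3}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the constructed sample, the script reports the loopback proxy once and the three orphan entries that point at ropofotu.dll and jofuvoyo.dll, while the constructed toolbar entry in Program Files is left alone. The two checks are deliberately narrow: a loopback proxy is worth a look on any home machine that has no local filtering product installed, and the random-name rule only raises a flag for a reviewer, who still confirms against the file's publisher and hash before treating it as malicious.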

#14 Kimber28

Kimber28
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:02:55 PM

Posted 11 September 2009 - 06:43 PM

Hi there Sam!

I created the CFScript and saved it to desktop. Deactivated my antivirus, closed out my browser to place CFScript into Combofix on my desktop and the Combofix icon is no longer there. The CFScript is in the spot Combofix was. Where did it go??

Thank you !!

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:55 PM

Posted 13 September 2009 - 07:01 AM

Sorry for my delayed response here. I've been a bit under the weather.

That's odd that Combofix would completely disappear. If you need to download it again, here's the links.


Link 1
Link 2
Link 3


========================================================
