
Looking for help removing issue with "uacinit.dll" (Trojan.Agent)


  • This topic is locked
22 replies to this topic

#1 JayStation3

  • Members
  • 80 posts
  • Location: Houston, Tx
Posted 07 September 2009 - 10:45 PM

Referred from here: http://www.bleepingcomputer.com/forums/t/254617/windows-antivirus-pro-removal/ ~ OB

Here are the DDS & ROOT logs and attachment as requested. Thanks for your help in advance.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Mrs. Clark at 20:53:56.61 on Mon 09/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.81 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Mrs. Clark\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net?cid=NET_mmhpset
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [SpywareBlaster] c:\program files\spywareblaster\spywareblaster.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli icrtasrt.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-2 130936]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-23 11608]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-8-29 394952]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-23 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-23 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-23 55656]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-19 1174152]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-3-24 62762]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-9-2 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-9-2 1097096]

=============== Created Last 30 ================

2009-09-05 23:05 --d----- c:\program files\Lavasoft
2009-09-05 22:54 --d----- c:\program files\uTorrent
2009-09-05 22:54 --d----- c:\docume~1\mrs~1.cla\applic~1\uTorrent
2009-09-05 19:08 --d----- c:\docume~1\mrs~1.cla\applic~1\Malwarebytes
2009-09-05 13:34 --d----- c:\program files\ToniArts
2009-09-05 13:09 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-05 13:09 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-05 13:09 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-05 13:09 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-05 12:05 120 a------- c:\windows\Kbelologiwa.dat
2009-09-04 21:54 0 a------- C:\r
2009-09-04 15:33 33,280 a------- c:\windows\system32\rundll32.exe
2009-09-04 15:33 33,280 a------- c:\windows\system32\dllcache\rundll32.exe
2009-09-02 10:53 --d----- C:\_OTM
2009-09-02 00:25 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-09-02 00:24 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-09-02 00:24 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-02 00:24 --d----- c:\program files\common files\PC Tools
2009-09-02 00:24 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-09-02 00:24 --d----- c:\program files\Spyware Doctor
2009-09-02 00:24 --d----- c:\docume~1\mrs~1.cla\applic~1\PC Tools
2009-09-02 00:24 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-01 01:49 a-d----- c:\windows\system32\images
2009-08-29 12:37 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-08-29 12:36 1,086,952 a------- c:\windows\system32\zpeng24.dll
2009-08-29 12:36 --d----- c:\windows\system32\ZoneLabs
2009-08-29 12:36 --d----- c:\program files\Zone Labs
2009-08-29 12:36 352,185 a------- c:\windows\system32\vsconfig.xml
2009-08-29 12:35 --d----- c:\windows\Internet Logs
2009-08-29 12:21 28,416 a------- c:\windows\system32\uxtuneup.dll
2009-08-29 12:21 307,968 a------- c:\windows\system32\TuneUpDefragService.exe
2009-08-29 12:21 --d----- c:\docume~1\mrs~1.cla\applic~1\TuneUp Software
2009-08-29 12:20 --d----- c:\docume~1\alluse~1\applic~1\TuneUp Software
2009-08-29 12:20 --d----- c:\program files\TuneUp Utilities 2008
2009-08-29 12:18 --d----- c:\program files\common files\Wise Installation Wizard
2009-08-29 11:49 --d----- c:\program files\SpywareBlaster
2009-08-28 19:35 --d----- c:\docume~1\mrs~1.cla\applic~1\comcasttb
2009-08-27 12:47 --d----- c:\docume~1\mrs~1.cla\applic~1\Logs
2009-08-22 16:49 664 a------- c:\windows\system32\d3d9caps.dat
2009-08-17 13:01 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-17 12:49 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-16 11:04 --d----- c:\docume~1\mrs~1.cla\applic~1\CallingID
2009-08-16 11:04 --d----- c:\program files\common files\scanner
2009-08-16 11:04 --d----- c:\program files\CA
2009-08-16 09:50 --d----- c:\program files\common files\SupportSoft

==================== Find3M ====================

2009-08-06 09:47 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-04 21:25 81,972 a---h--- c:\windows\system32\mlfcache.dat
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 12:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 12:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 12:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 12:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 12:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 03:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 03:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 03:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 06:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 09:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 07:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 07:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 07:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 01:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2008-02-07 03:24 784 a------- c:\docume~1\mrs~1.cla\applic~1\wklnhst.dat
2008-09-27 22:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092720080928\index.dat

============= FINISH: 20:55:05.58 ===============


ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 21:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDF10000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B1C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6C83000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF72C9000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\UACbnypxvcdji.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAChtkljggdbk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAClviscvxryv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACnhyrjmpwlc.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrvvcbkqnpj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACycyykorfqw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACea8b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf500.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACnxlvpimrnh.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\mrs. clark\local settings\temp\~df7ef0.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\mrs. clark\local settings\temp\~dfde49.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Mrs. Clark\Local Settings\Temp\UAC3fba.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\mrs. clark\local settings\temp\~df328c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Mrs. Clark\Local Settings\Temp\nsm1D.tmp\UAC.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Mrs. Clark\Local Settings\Temp\nsw1A.tmp\UAC.dat
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Mrs. Clark\Local Settings\Application Data\Microsoft\Messenger\tyrrell_clark@hotmail.com\SharingMetadata\roseboy2@hotmail.com\DFSR\Staging\CS{614CF3C2-B43C-A137-F2EE-6D9D050A549E}\13\15-{D27AA268-E779-4285-AF56-F1D14C5E15AC}-v13-{D27AA268-E779-4285-AF56-F1D14C5E15AC}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: D:\AUTOEXEC.BAT
Status: Invisible to the Windows API!

Path: D:\Autorun.inf
Status: Invisible to the Windows API!

Path: D:\BOOT.INI
Status: Invisible to the Windows API!

Path: D:\cmdcons
Status: Invisible to the Windows API!

Path: D:\CMLDR
Status: Invisible to the Windows API!

Path: D:\CONFIG.SYS
Status: Invisible to the Windows API!

Path: D:\Desktop.ini
Status: Invisible to the Windows API!

Path: D:\Folder.htt
Status: Invisible to the Windows API!

Path: D:\GRAPH
Status: Invisible to the Windows API!

Path: D:\GRAPH16
Status: Invisible to the Windows API!

Path: D:\Info.exe
Status: Invisible to the Windows API!

Path: D:\IO.SYS
Status: Invisible to the Windows API!

Path: D:\MiniNT
Status: Invisible to the Windows API!

Path: D:\MSDOS.SYS
Status: Invisible to the Windows API!

Path: D:\NTDETECT.COM
Status: Invisible to the Windows API!

Path: D:\NTFS
Status: Invisible to the Windows API!

Path: D:\NTLDR
Status: Invisible to the Windows API!

Path: D:\protect.ed
Status: Invisible to the Windows API!

Path: D:\SAVEFILE.DIR
Status: Invisible to the Windows API!

Path: D:\Warning.bmp
Status: Invisible to the Windows API!

Path: D:\I386
Status: Invisible to the Windows API!

Path: D:\WIN51
Status: Invisible to the Windows API!

Path: D:\WIN51IA
Status: Invisible to the Windows API!

Path: D:\WIN51IA.SP1
Status: Invisible to the Windows API!

Path: D:\WINBOM.INI
Status: Invisible to the Windows API!

Path: D:\XGA
Status: Invisible to the Windows API!

Path: D:\BLOCK.RIN
Status: Invisible to the Windows API!

Path: D:\MASTER.LOG
Status: Invisible to the Windows API!

Path: D:\USER
Status: Invisible to the Windows API!

Path: D:\RECOVERY
Status: Invisible to the Windows API!

Path: D:\PRELOAD
Status: Invisible to the Windows API!

Path: D:\System Volume Information
Status: Invisible to the Windows API!

Path: D:\Recycled
Status: Invisible to the Windows API!

Path: D:\cmdcons\1394bus.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\acpi.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\acpiec.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\adpu160m.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\adpu320.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\afcnt.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\aic78u2.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\aic78xx.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\aliide.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\amdide.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\arc.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\atapi.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\autochk.exe
Status: Invisible to the Windows API!

Path: D:\cmdcons\autofmt.exe
Status: Invisible to the Windows API!

Path: D:\cmdcons\biosinfo.inf
Status: Invisible to the Windows API!

Path: D:\cmdcons\BOOTSECT.DAO
Status: Invisible to the Windows API!

Path: D:\cmdcons\BOOTSECT.DAT
Status: Invisible to the Windows API!

Path: D:\cmdcons\bootvid.dl_
Status: Invisible to the Windows API!

Path: D:\cmdcons\cbidf2k.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\cd20xrnt.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\cdfs.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\cdrom.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\classpnp.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\cmdide.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\cpqarray.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\cpqarry2.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\cpqcissm.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\cpqfcalm.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\c_1252.nl_
Status: Invisible to the Windows API!

Path: D:\cmdcons\c_437.nl_
Status: Invisible to the Windows API!

Path: D:\cmdcons\dac2w2k.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\dac960nt.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\dellcerc.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\Desktop.ini
Status: Invisible to the Windows API!

Path: D:\cmdcons\disk.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\disk101
Status: Invisible to the Windows API!

Path: D:\cmdcons\disk102
Status: Invisible to the Windows API!

Path: D:\cmdcons\disk103
Status: Invisible to the Windows API!

Path: D:\cmdcons\disk104
Status: Invisible to the Windows API!

Path: D:\cmdcons\dmboot.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\dmio.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\dmload.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\dpti2o.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\drvmain.sdb
Status: Invisible to the Windows API!

Path: D:\cmdcons\fastfat.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\fdc.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\flpydisk.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ftdisk.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\hal.dl_
Status: Invisible to the Windows API!

Path: D:\cmdcons\halaacpi.dl_
Status: Invisible to the Windows API!

Path: D:\cmdcons\halacpi.dl_
Status: Invisible to the Windows API!

Path: D:\cmdcons\halapic.dl_
Status: Invisible to the Windows API!

Path: D:\cmdcons\hidclass.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\hidparse.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\hidusb.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\hpcisss.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\hpn.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\hpt3xx.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\i2omgmt.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\i2omp.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\i8042prt.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\iirsp.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\intelide.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ipsraidn.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\isapnp.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDAL.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDBE.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDBLR.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDBR.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDBU.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDCA.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\kbdclass.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDCR.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDCZ.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDCZ1.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDDA.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDDV.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDES.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDEST.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDFC.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDFI.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDFR.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDGKL.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDGR.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDGR1.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDHE.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDHE220.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDHE319.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDHELA2.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDHELA3.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\kbdhid.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDHU.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDHU1.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDIC.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDIR.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDIT.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDIT142.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDLA.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDLT.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDLV.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDLV1.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDNE.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDNO.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDPL.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDPL1.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDPO.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDRO.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDRU.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDRU1.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDSF.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDSG.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDSL.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDSL1.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDSP.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDSW.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDTUF.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDTUQ.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDUK.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDUR.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\kbdus.dll
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDUSL.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDUSR.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDUSX.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDYCC.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\KBDYCL.DLL
Status: Invisible to the Windows API!

Path: D:\cmdcons\kd1394.dl_
Status: Invisible to the Windows API!

Path: D:\cmdcons\kdcom.dl_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ksecdd.sys
Status: Invisible to the Windows API!

Path: D:\cmdcons\lp6nds35.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\l_intl.nl_
Status: Invisible to the Windows API!

Path: D:\cmdcons\migrate.inf
Status: Invisible to the Windows API!

Path: D:\cmdcons\mountmgr.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\mraid35x.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\nfrd960.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ntdetect.com
Status: Invisible to the Windows API!

Path: D:\cmdcons\ntfs.sys
Status: Invisible to the Windows API!

Path: D:\cmdcons\ntkrnlmp.ex_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ohci1394.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\oprghdlr.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\partmgr.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\pci.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\pciide.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\pciidex.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\pcmcia.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\perc2.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\perc2hib.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ql1080.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ql10wnt.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ql12160.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ql1240.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ql1280.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ql2100.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ql2200.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ql2300.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\ramdisk.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\sbp2port.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\scsiport.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\serenum.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\serial.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\setupdd.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\setupldr.bin
Status: Invisible to the Windows API!

Path: D:\cmdcons\setupreg.hiv
Status: Invisible to the Windows API!

Path: D:\cmdcons\sfloppy.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\spcmdcon.sys
Status: Invisible to the Windows API!

Path: D:\cmdcons\spddlang.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\storport.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\symc810.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\symc8xx.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\symmpi.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\sym_hi.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\sym_u3.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\system32
Status: Invisible to the Windows API!

Path: D:\cmdcons\tffsport.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\toside.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\txtsetup.sif
Status: Invisible to the Windows API!

Path: D:\cmdcons\ultra.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\usbccgp.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\usbd.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\usbehci.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\usbhub.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\usbohci.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\usbport.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\usbstor.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\usbuhci.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\vga.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\vgaoem.fo_
Status: Invisible to the Windows API!

Path: D:\cmdcons\viaide.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\videoprt.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\volsnap.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\Warning.bmp
Status: Invisible to the Windows API!

Path: D:\cmdcons\watchdog.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\wd.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\winnt.sif
Status: Invisible to the Windows API!

Path: D:\cmdcons\wmilib.sy_
Status: Invisible to the Windows API!

Path: D:\cmdcons\Folder.htt
Status: Invisible to the Windows API!

Path: D:\cmdcons\Protect.ed
Status: Invisible to the Windows API!

Path: D:\MiniNT\biosinfo.inf
Status: Invisible to the Windows API!

Path: D:\MiniNT\bootfix.bin
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts
Status: Invisible to the Windows API!

Path: D:\MiniNT\inf
Status: Invisible to the Windows API!

Path: D:\MiniNT\ntdetect.com
Status: Invisible to the Windows API!

Path: D:\MiniNT\setupldr.bin
Status: Invisible to the Windows API!

Path: D:\MiniNT\setupldr.exe
Status: Invisible to the Windows API!

Path: D:\MiniNT\spcmdcon.sys
Status: Invisible to the Windows API!

Path: D:\MiniNT\startrom.com
Status: Invisible to the Windows API!

Path: D:\MiniNT\system32
Status: Invisible to the Windows API!

Path: D:\MiniNT\txtsetup.sif
Status: Invisible to the Windows API!

Path: D:\MiniNT\winbom.ini
Status: Invisible to the Windows API!

Path: D:\MiniNT\WinSxS
Status: Invisible to the Windows API!

Path: D:\MiniNT\Desktop.ini
Status: Invisible to the Windows API!

Path: D:\MiniNT\Warning.bmp
Status: Invisible to the Windows API!

Path: D:\MiniNT\SETUPAPI.LOG
Status: Invisible to the Windows API!

Path: D:\MiniNT\Folder.htt
Status: Invisible to the Windows API!

Path: D:\MiniNT\Protect.ed
Status: Invisible to the Windows API!

Path: D:\I386\APPS
Status: Invisible to the Windows API!

Path: D:\I386\DRV
Status: Invisible to the Windows API!

Path: D:\I386\BOOT.IMG
Status: Invisible to the Windows API!

Path: D:\I386\Desktop.ini
Status: Invisible to the Windows API!

Path: D:\I386\Warning.bmp
Status: Invisible to the Windows API!

Path: D:\I386\Folder.htt
Status: Invisible to the Windows API!

Path: D:\I386\Protect.ed
Status: Invisible to the Windows API!

Path: D:\RECOVERY\Desktop.ini
Status: Invisible to the Windows API!

Path: D:\RECOVERY\Warning.bmp
Status: Invisible to the Windows API!

Path: D:\RECOVERY\Protect.ed
Status: Invisible to the Windows API!

Path: D:\RECOVERY\Folder.htt
Status: Invisible to the Windows API!

Path: D:\PRELOAD\ALL.ITR
Status: Invisible to the Windows API!

Path: D:\PRELOAD\WINDOWS.ITR
Status: Invisible to the Windows API!

Path: D:\PRELOAD\WINDOWS.DAT
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE.DAT
Status: Invisible to the Windows API!

Path: D:\PRELOAD\ALL.CRC
Status: Invisible to the Windows API!

Path: D:\PRELOAD\WINDOWS.CRC
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_01.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_02.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_03.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_04.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_05.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_06.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_07.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_08.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_09.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_10.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_11.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_12.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_13.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_14.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_15.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_16.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\BASE_17.INP
Status: Invisible to the Windows API!

Path: D:\PRELOAD\WINDOWS.W32
Status: Invisible to the Windows API!

Path: D:\PRELOAD\ALL.W32
Status: Invisible to the Windows API!

Path: D:\PRELOAD\Folder.htt
Status: Invisible to the Windows API!

Path: D:\PRELOAD\Protect.ed
Status: Invisible to the Windows API!

Path: D:\PRELOAD\Desktop.ini
Status: Invisible to the Windows API!

Path: D:\PRELOAD\Warning.bmp
Status: Invisible to the Windows API!

Path: D:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}
Status: Invisible to the Windows API!

Path: D:\Recycled\INFO2
Status: Invisible to the Windows API!

Path: D:\Recycled\DESKTOP.INI
Status: Invisible to the Windows API!

Path: D:\cmdcons\system32\ntdll.dll
Status: Invisible to the Windows API!

Path: D:\cmdcons\system32\smss.exe
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514fix.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514fixe.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514fixg.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514fixr.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514fixt.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514oem.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514oeme.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514oemg.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514oemr.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514oemt.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514sys.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514syse.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514sysg.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514sysr.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\8514syst.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\85855.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\85f1255.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\85f1256.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\85f874.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\85s1255.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\85s1256.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\85s874.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ahronbd.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\andlso.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ANGSA.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ANGSAB.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ANGSAI.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ANGSAU.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ANGSAUB.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ANGSAUI.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ANGSAUZ.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ANGSAZ.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\app850.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\app852.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\app855.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\app857.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\app866.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\app932.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\app936.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\app949.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\app950.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\arial.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\arialbd.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\arialbi.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ariali.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\ariblk.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\artrbdo.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\artro.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\batang.ttc
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\BROWA.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\BROWAB.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\BROWAI.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\BROWAU.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\BROWAUB.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\BROWAUI.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\BROWAUZ.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\BROWAZ.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\c8514fix.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\c8514oem.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\c8514sys.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga40737.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga40850.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga40852.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga40857.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga40866.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga40869.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga40woa.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga80737.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga80850.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga80852.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga80857.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga80866.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga80869.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cga80woa.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\comic.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\comicbd.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\CORDIA.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\CORDIAB.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\CORDIAI.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\CORDIAU.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\CORDIAUB.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\CORDIAUI.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\CORDIAUZ.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\CORDIAZ.TTF
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\coue1255.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\coue1256.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\couf1255.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\couf1256.fon
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\cour.ttf
Status: Invisible to the Windows API!

Path: D:\MiniNT\Fonts\courbd.ttf
Status: Invisible

Stealth Objects
-------------------
Object: Hidden Module [Name: UACycyykorfqw.dll]
Process: svchost.exe (PID: 1128) Address: 0x00730000 Size: 77824

Object: Hidden Module [Name: UACrvvcbkqnpj.dll]
Process: svchost.exe (PID: 1128) Address: 0x00af0000 Size: 73728

Object: Hidden Module [Name: UACf500.tmpjggdbk.dll]
Process: svchost.exe (PID: 1128) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UACycyykorfqw.dll]
Process: Explorer.EXE (PID: 1892) Address: 0x10000000 Size: 77824

Object: Hidden Module [Name: UAChtkljggdbk.dll]
Process: iexplore.exe (PID: 1412) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAChtkljggdbk.dll]
Process: iexplore.exe (PID: 2532) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAChtkljggdbk.dll]
Process: Iexplore.exe (PID: 284) Address: 0x10000000 Size: 217088

Object: Hidden Module [Name: UAChtkljggdbk.dll]
Process: Iexplore.exe (PID: 3460) Address: 0x10000000 Size: 217088

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACnxlvpimrnh.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee0e2250

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee0e22e0

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee0e2360

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee0e2520

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xee0deb00

==EOF==

Attached Files


Edited by Orange Blossom, 07 September 2009 - 11:32 PM.


#2 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:04:35 PM

Posted 10 September 2009 - 12:20 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 JayStation3
  • Topic Starter
  • Members
  • 80 posts
  • Location:Houston,Tx
  • Local time:03:35 AM

Posted 10 September 2009 - 05:27 PM

Ok - I did what you said - disabled all the stuff you said and what not - I ran CF - it installed the Recovery Console thing and then ran through about 50 plus stages then restarted - during the first restart - the anti virus was running at the same time CF was deleting files and what not (I dunno if that matters or not during that step but it automatically started up with the reboot) - CF finished deleting and it then rebooted Windows again. But this time on the second reboot - after completing a disk scan (blue screen) in the beginning of the reboot - the computer wouldn't even boot up the icons or the tray at the bottom (basically Windows Explorer - I guess is what it's called - didn't come up) well I let it sit - I left for about two hours and when I came back it was still in the same state as it was when I left it. So I restarted it again...now it started fine but I don't have a CF log - it didn't save anything and I don't know what you want me to do - should I run CF again? Is there something else I should do - please let me know -

I know that CF had deleted about 20 - 30 files and I also logged about 7 files right before the first reboot cause it said to write them down in case we needed them later.

I dunno if I should have restarted it after it froze or not - but like I said - it was frozen for 2 hours and it wasn't even flashing the "working" light in the front of the laptop like it does when it's busy reading the disk...

thanks in advance

Jay

Also when I reboot - I keep getting this window that says Exception handler error or something to that effect - it asks me to send a crash report - when I click no it won't boot up - when I click yes - it reboots slowly but surely... if you think this is important to what we are trying to fix let me know and I will get you a screen shot

#4 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:04:35 PM

Posted 10 September 2009 - 11:41 PM

i will get you a screen shot


Please do

Can you find the log at C:\combofix.txt? If yes, please post it here..



#5 JayStation3
  • Topic Starter
  • Members
  • 80 posts
  • Location:Houston,Tx
  • Local time:03:35 AM

Posted 11 September 2009 - 10:49 PM

Okay - I rebooted the computer to see if the Crash Report would pop up and it did - I have attached two files, one is the screen shot of what it looks like and the second is all the text that was contained in it.

I looked in the C:\ folder and also the C:\Combo-Fix folder and I found this log (it was actually located at C:\Combo-Fix\Combofix.txt):

ComboFix 09-09-09.09 - Mrs. Clark 09/10/2009 15:40:58.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.10 [GMT -5:00]
Running from: C:\Documents and Settings\Mrs. Clark\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.



That was all that was in "comboFix.txt". Should I run it again? If I remember correctly - there should be a whole lot more text in the log....but not sure - it's been a few years since I had used the program... let me know if I should run it again or what I need to do - thanks

J

Attached Files


Edited by JayStation3, 11 September 2009 - 10:56 PM.


#6 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:04:35 PM

Posted 11 September 2009 - 10:58 PM

Yup.. Please run ComboFix again :(



#7 JayStation3
  • Topic Starter
  • Members
  • 80 posts
  • Location:Houston,Tx
  • Local time:03:35 AM

Posted 11 September 2009 - 11:47 PM

Okay a quick update - I found out what that log was - it had to do with the copy of Ad-Aware 2007 he had installed on the machine. I went ahead and uninstalled it - apparently it was a cracked version and was probably blacklisted or something. I ran CF like you requested... here is the log...

ComboFix 09-09-11.01 - Mrs. Clark 09/11/2009 23:23.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.143 [GMT -5:00]
Running from: c:\documents and settings\Mrs. Clark\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\atisucefu.dll
c:\windows\Installer\665563.msp
c:\windows\Installer\6eb5b.msp
c:\windows\Installer\b83b1.msp
c:\windows\kb913800.exe
c:\windows\system32\drivers\UACnxlvpimrnh.sys
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\UACbnypxvcdji.dat
c:\windows\system32\UAChtkljggdbk.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClviscvxryv.dll
c:\windows\system32\UACnhyrjmpwlc.db
c:\windows\system32\UACrvvcbkqnpj.dll
c:\windows\system32\UACycyykorfqw.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-12 03:36 . 2009-09-12 03:36 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\FastStone
2009-09-12 03:16 . 2009-09-12 03:16 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\Avant Profiles
2009-09-12 03:16 . 2009-09-12 03:16 -------- d-----w- c:\program files\Avant Browser
2009-09-10 20:15 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 04:05 . 2009-09-12 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-06 03:54 . 2009-09-06 03:54 -------- d-----w- c:\program files\uTorrent
2009-09-06 03:54 . 2009-09-11 17:25 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\uTorrent
2009-09-06 03:13 . 2009-09-06 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-06 00:08 . 2009-09-06 00:08 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\Malwarebytes
2009-09-05 18:34 . 2009-09-05 18:34 -------- d-----w- c:\program files\ToniArts
2009-09-05 18:09 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-05 18:09 . 2009-09-06 02:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-05 18:09 . 2009-09-05 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-05 18:09 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-05 17:05 . 2009-09-05 17:05 120 ----a-w- c:\windows\Kbelologiwa.dat
2009-09-05 16:56 . 2009-09-05 16:56 -------- d-----w- c:\documents and settings\Mrs. Clark\Local Settings\Application Data\{CF4A7B6C-7054-441C-B89C-7BDB88A9CCE2}
2009-09-04 20:33 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\rundll32.exe
2009-09-04 20:33 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\dllcache\rundll32.exe
2009-09-02 15:53 . 2009-09-02 15:53 -------- d-----w- C:\_OTM
2009-09-02 05:25 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-02 05:24 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-02 05:24 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-02 05:24 . 2009-09-02 05:24 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-02 05:24 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-02 05:24 . 2009-09-02 16:15 -------- d-----w- c:\program files\Spyware Doctor
2009-09-02 05:24 . 2009-09-02 05:24 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\PC Tools
2009-09-02 05:24 . 2009-09-02 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-29 19:01 . 2009-09-06 02:12 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\Lavasoft
2009-08-29 17:37 . 2009-09-10 19:31 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-08-29 17:37 . 2007-11-14 21:04 83432 ----a-w- c:\windows\system32\zlcomm.dll
2009-08-29 17:37 . 2007-11-14 21:04 71144 ----a-w- c:\windows\system32\zlcommdb.dll
2009-08-29 17:36 . 2009-09-12 03:26 -------- d-----w- c:\windows\system32\ZoneLabs
2009-08-29 17:36 . 2009-08-29 17:36 -------- d-----w- c:\program files\Zone Labs
2009-08-29 17:36 . 2007-11-14 21:05 1086952 ----a-w- c:\windows\system32\zpeng24.dll
2009-08-29 17:35 . 2009-09-12 04:18 -------- d-----w- c:\windows\Internet Logs
2009-08-29 17:21 . 2008-02-27 18:15 28416 ----a-w- c:\windows\system32\uxtuneup.dll
2009-08-29 17:21 . 2009-08-29 17:21 307968 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-08-29 17:21 . 2009-08-29 17:21 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\TuneUp Software
2009-08-29 17:20 . 2009-08-29 17:20 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-08-29 17:20 . 2009-08-29 17:21 -------- d-----w- c:\program files\TuneUp Utilities 2008
2009-08-29 17:18 . 2009-09-12 04:14 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-29 16:49 . 2009-09-12 03:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-29 16:49 . 2009-09-11 17:26 -------- d-----w- c:\program files\SpywareBlaster
2009-08-29 00:35 . 2009-08-29 00:35 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\comcasttb
2009-08-28 19:38 . 2009-08-28 19:38 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-27 17:47 . 2009-08-27 17:47 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\Logs
2009-08-22 21:49 . 2009-08-23 15:22 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-18 03:19 . 2009-08-18 03:19 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\GTek
2009-08-17 17:49 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-16 16:05 . 2009-08-16 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2009-08-16 16:04 . 2009-08-20 01:28 -------- d-----w- c:\documents and settings\Mrs. Clark\Application Data\CallingID
2009-08-16 16:04 . 2009-08-16 16:04 -------- d-----w- c:\program files\Common Files\scanner
2009-08-16 16:04 . 2009-08-16 16:04 -------- d-----w- c:\program files\CA
2009-08-16 16:01 . 2009-08-29 00:35 -------- d-----w- c:\documents and settings\Mrs. Clark\Local Settings\Application Data\SupportSoft
2009-08-16 14:50 . 2009-08-29 00:49 -------- d-----w- c:\program files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 08:04 . 2007-10-11 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-06 03:13 . 2009-03-29 00:09 -------- d-----w- c:\program files\Yahoo!
2009-09-06 02:13 . 2006-06-19 08:07 -------- d-----w- c:\program files\Java
2009-09-05 18:34 . 2006-06-19 08:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 14:47 . 2009-07-23 15:14 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2004-08-10 15:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 14:01 . 2009-07-26 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-30 14:01 . 2009-07-26 15:24 -------- d-----w- c:\program files\NOS
2009-07-25 05:18 . 2009-07-24 14:35 -------- d-----w- c:\program files\AskBarDis
2009-07-24 14:27 . 2009-03-29 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-23 16:39 . 2008-12-27 20:22 -------- d-----w- c:\program files\Kids Cam Show and Share Creativity Center
2009-07-23 15:14 . 2009-07-23 15:14 -------- d-----w- c:\program files\Avira
2009-07-23 15:14 . 2009-07-23 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-22 21:33 . 2009-07-22 21:23 -------- d-----w- c:\program files\iPod
2009-07-22 21:33 . 2009-07-22 21:22 -------- d-----w- c:\program files\iTunes
2009-07-22 21:22 . 2009-07-22 12:53 -------- d-----w- c:\program files\iTunes(2)
2009-07-22 21:22 . 2008-09-26 06:15 -------- d-----w- c:\program files\Common Files\Apple
2009-07-22 21:22 . 2009-07-22 12:54 -------- d-----w- c:\program files\iPod(2)
2009-07-22 21:18 . 2009-07-04 17:46 -------- d-----w- c:\program files\Safari
2009-07-22 21:17 . 2009-07-22 15:02 -------- d-----w- c:\program files\CyberDefender
2009-07-17 19:01 . 2004-08-10 15:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 15:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-05 02:25 . 2009-07-05 02:25 81972 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-03 17:09 . 2004-08-10 15:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-10 15:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 15:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 15:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 15:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 15:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 15:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-10 15:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 15:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 15:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 17:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"SpywareBlaster"="c:\program files\SpywareBlaster\spywareblaster.exe" [2009-04-09 1340944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4739:UDP"= 4739:UDP:Windows Media Format SDK (iexplore.exe)
"4738:UDP"= 4738:UDP:Windows Media Format SDK (iexplore.exe)
"4777:UDP"= 4777:UDP:Windows Media Format SDK (iexplore.exe)
"4776:UDP"= 4776:UDP:Windows Media Format SDK (iexplore.exe)
"4820:UDP"= 4820:UDP:Windows Media Format SDK (iexplore.exe)
"4821:UDP"= 4821:UDP:Windows Media Format SDK (iexplore.exe)
"4865:UDP"= 4865:UDP:Windows Media Format SDK (iexplore.exe)
"4864:UDP"= 4864:UDP:Windows Media Format SDK (iexplore.exe)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/2/2009 12:24 AM 130936]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/23/2009 10:14 AM 108289]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 4:06 AM 231424]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/2/2009 12:24 AM 348752]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 19:24]

2009-09-12 c:\windows\Tasks\User_Feed_Synchronization-{B9C138E3-2E8C-4F41-A7E4-C472AEB7D4BE}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net?cid=NET_mmhpset
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 23:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(368)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-12 23:44
ComboFix-quarantined-files.txt 2009-09-12 04:43

Pre-Run: 5,365,497,856 bytes free
Post-Run: 5,328,375,808 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
269 --- E O F --- 2009-09-11 08:07



Thanks

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:04:35 PM

Posted 12 September 2009 - 12:02 AM

You have two firewalls, uninstall one of them..

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}


Find this file and delete it manually.. c:\windows\Kbelologiwa.dat




Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :(

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • Location:Houston,Tx
  • Local time:03:35 AM

Posted 12 September 2009 - 07:23 PM

Okay - I could not find the Norton Internet Worm Protection in order to uninstall it - I looked in Add or Remove Programs and nothing with Norton was listed... any advice on that? I prefer him to use Zone Alarm... I have used it for years and have never had any problems... I will continue to search and see if I can find a way to get it uninstalled...but any help on that issue would be appreciated.

Here are the logs you requested... The computer seems to be running faster... Definitely starts up faster and responds quicker...the internet scan results were empty - well nothing was found... here is that log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=802cadf3d9bcea4da9a296cb331e5808
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-12 08:39:34
# local_time=2009-09-12 03:39:34 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 21 100 100 629006726607
# scanned=90676
# found=0
# cleaned=0
# scan_time=3091


and here is the log from Malwarebytes, which found 13 infections

Malwarebytes' Anti-Malware 1.41
Database version: 2785
Windows 5.1.2600 Service Pack 3

9/12/2009 2:26:45 PM
mbam-log-2009-09-12 (14-26-45).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 197401
Time elapsed: 1 hour(s), 17 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Adware_ProNE (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adware Pro_is1 (Rogue.AdwarePro) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adware_pronet (Rogue.AntivirusDoktor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AdwarePro\Adware_Pro.exe (Rogue.AntivirusDoktor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mrs. Clark\Desktop\AdwarePro_Setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAChtkljggdbk.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClviscvxryv.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACrvvcbkqnpj.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACycyykorfqw.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACnxlvpimrnh.sys.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP0\A0000001.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP0\A0000002.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP0\A0000003.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP0\A0000004.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BFAA719B-281F-45B6-9E39-9D4BB578C2A4}\RP0\A0000005.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\AVP 2009\1.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Trojan.Agent) -> Delete on reboot.


Should I do any other scans or does everything look clean??
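The Malwarebytes log in the post above has a fixed line format, "item (family) -> action.", under per-category headings, with a block of declared counts near the top. What follows is an added example, not code from this thread or from Malwarebytes: a small Python parser that turns such a log into structured entries, cross-checks the declared counts against what was actually parsed (a cheap way to notice a truncated paste before trusting the log), groups detections by family, and lists the items still marked "Delete on reboot", which are not gone until the machine has been restarted. The embedded log is a constructed subset of the entries from the post, and the regular expressions are an assumption about the format inferred from it.

```python
import re
from collections import Counter

# Constructed excerpt (a retyped subset of the entries in this thread) of a
# Malwarebytes' Anti-Malware 1.x log, used as the example's offline input.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2785
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Adware_ProNE (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\AVP 2009 (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClviscvxryv.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Trojan.Agent) -> Delete on reboot.
"""

# Assumed line shapes, inferred from the log format shown in the thread.
# "Files Infected: 14" style summary line near the top of the log:
DECLARED_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Files Infected:" style heading that opens a detail section:
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <action>." detail line:
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Parse an MBAM 1.x log into (declared_counts, entries).

    declared_counts maps a section name to the count from the summary block;
    entries is a list of dicts with section, item, family and action.
    """
    declared = {}
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DECLARED_RE.match(line)
        if m:
            declared[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("("):
            continue  # tool/version header lines, or "(No malicious items detected)"
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": section, **m.groupdict()})
    return declared, entries


def count_mismatches(declared, entries):
    """Sections whose declared count differs from the parsed entries (for
    example after a truncated paste); an empty list means the log is consistent."""
    parsed = Counter(e["section"] for e in entries)
    return [f"{s}: declared {n}, parsed {parsed.get(s, 0)}"
            for s, n in declared.items() if parsed.get(s, 0) != n]


def summarize(entries):
    """Count detections per family and list items still waiting for a reboot."""
    by_family = Counter(e["family"] for e in entries)
    pending = [e["item"] for e in entries if "reboot" in e["action"].lower()]
    return {"total": len(entries), "by_family": dict(by_family), "pending_reboot": pending}


if __name__ == "__main__":
    declared, entries = parse_mbam_log(SAMPLE_LOG)
    print(summarize(entries))
    print(count_mismatches(declared, entries) or "counts consistent")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; anything reported by count_mismatches means the pasted log is incomplete, and anything in pending_reboot is a detection that still needs the restart MBAM asked for.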

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:04:35 PM

Posted 13 September 2009 - 12:48 AM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :(



Have a safe and happy computing day!


Regards
fenzodahl512



#11 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • Location:Houston,Tx
  • Local time:03:35 AM

Posted 13 September 2009 - 10:15 PM

Hi - Thanks for all your help. Everything seems to be running smoothly now. I ran my Avira, and it was clean - I also ran Malwarebytes again and there were no detections on that end either.

The last thing I wanted to ask about - was how do I find that Norton Worm Protection program... If running two firewalls is not a good thing - I would like to remove that. Since I am running ZoneAlarm - should I disable the Windows firewall as well?? Other than that - everything seems fine....let me know - thanks again for all your help!!

J

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:04:35 PM

Posted 14 September 2009 - 12:40 AM

Yes, disable your Windows Firewall.. Can you see the Norton/Symantec folder in the C:\Program Files?



#13 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • Location:Houston,Tx
  • Local time:03:35 AM

Posted 14 September 2009 - 01:34 AM

There is a folder located at C:\Program Files\Symantec but when I click it all that it has in it is another folder called LiveUpdate and inside that there are 47 items (.dll's, .exe's, .ini's - etc...) but looking through all the files there is nothing with the name "norton" included in them... could this be the folder with the Norton Internet Worm Protection?

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:04:35 PM

Posted 14 September 2009 - 01:49 AM

I think you already deleted the Norton Worm Protection program before, but the Registry entries still remain.. I won't touch that one because it's too much hassle..

Well, that leaves your computer without any antivirus at all!! :(

Which antivirus do you plan to install? :(



#15 JayStation3

JayStation3
  • Topic Starter

  • Members
  • 80 posts
  • Location:Houston,Tx
  • Local time:03:35 AM

Posted 14 September 2009 - 02:12 AM

No - I didn't uninstall it...I think the owner of the PC might have... The computer we are working on is not mine, it's one of my employees' and I told him I would clean it for him. I had been working on it for about a week before I had started to seek out help - When I initially started - It had over 135 infections...the file that I had initially contacted you about was the last known infected file. After running the scans and what not you had requested - I had uncovered 13 more...prior to all that I had installed and am currently protected by Avira Antivirus Personal Edition, Spybot S&D, SpywareBlaster, Zone Alarm Pro, Ad-Aware 2008, Malwarebytes, Spyware Dr and Crap Cleaner... oh and Easy Cleaner too - that one seemed to pick up some of the things that Crap Cleaner didn't...

Should I just leave the symantec folder there? any other advice...



