
Windows Police Pro Win32KDiag.txt


29 replies to this topic

#1 rickmonrickmon

  • Members
  • 27 posts
  • Gender:Male
  • Location:Fort Smith, AR

Posted 11 September 2009 - 10:51 AM

Log from Win32Diag.txt is as follows:

Log file is located at: C:\Documents and Settings\rodell\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP192.tmp\ZAP192.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP272.tmp\ZAP272.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP306.tmp\ZAP306.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE4.tmp\ZAPE4.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\biolsp patch\biolsp patch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Dell Drivers MSI\Dell Drivers MSI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Fingerprint Sensor Minimum Install\Fingerprint Sensor Minimum Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Gemalto\Gemalto

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\GemSafe Standard Edition\GemSafe Standard Edition

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Preboot Manager\Preboot Manager

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Trusted Drive Manager\Trusted Drive Manager

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\tsp patch\tsp patch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\upekmsi\upekmsi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Wave Infrastructure\Wave Infrastructure

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\ad713548c157daa0192d5e7dc6eb74bc\ad713548c157daa0192d5e7dc6eb74bc

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2272774862-2063310020-3765273394-1157\S-1-5-21-2272774862-2063310020-3765273394-1157

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\ZGFSMKV7\ZGFSMKV7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield\ISEngine12.0\ISEngine12.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2961317803-1702227471-1658398811-500\S-1-5-21-2961317803-1702227471-1658398811-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2961317803-1702227471-1658398811-500\S-1-5-21-2961317803-1702227471-1658398811-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Wave Systems Corp\Wave Systems Corp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\6b4540db4da0\6b4540db4da0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2961317803-1702227471-1658398811-500\S-1-5-21-2961317803-1702227471-1658398811-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Outlook\Outlook

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\PowerDVD DX\IEPG\IEPG

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.MSO\Content.MSO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.Word\Content.Word

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:41:54 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:41:54 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 06:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Test\Test

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

[1] 2009-02-06 05:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2004-08-04 05:00:00 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-14 06:42:42 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-14 06:42:42 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()

[1] 2004-08-04 05:00:00 218112 C:\i386\wmiprvse.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\x64\x64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\VBE\VBE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!
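Reading a Win32kDiag log of this length by hand is error-prone, and the two things worth pulling out of it are easy to miss: how many directories carry a reparse point to the same odd destination, and which of the files the tool could not access looks unlike the other copies of the same file name on disk. The script below is an added triage example; it is not part of this thread, of Win32kDiag, or of any BleepingComputer tool. It parses the two record types the log shows ("Found mount point" / "Mount point destination" pairs, and "Cannot access" blocks followed by one version line per copy found) and reports on them. The embedded sample is a constructed excerpt of a few lines from the log above.

```python
"""Triage helper for Win32kDiag.txt output (added example, not the tool's own
code). Two record types are parsed:
  * "Found mount point : <dir>" followed by "Mount point destination : <target>"
  * "Cannot access: <file>" followed by "[n] <date> <time> <size> <path> (<company>)"
    lines, one per copy of that file name the tool located.
"""
import re
from collections import Counter

# Constructed excerpt, modelled on a few lines of the log posted in the thread.
SAMPLE_LOG = r"""
WARNING: Could not get backup privileges!

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:41:54 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:41:54 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 06:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


def parse_win32kdiag(text):
    """Return (mount_points, inaccessible): a list of (dir, target) pairs and a
    dict mapping each 'Cannot access' path to the copy records listed under it."""
    mount_points, inaccessible = [], {}
    pending_dir = None   # directory waiting for its destination line
    block = None         # 'Cannot access' path whose copy lines follow
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_dir, block = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_dir is not None:
            mount_points.append((pending_dir, m.group(1)))
            pending_dir = None
        elif m := CANNOT_RE.match(line):
            block = m.group(1)
            inaccessible[block] = []
        elif (m := COPY_RE.match(line)) and block is not None:
            inaccessible[block].append({
                "timestamp": m.group(2), "size": int(m.group(3)),
                "path": m.group(4), "company": m.group(5)})
    return mount_points, inaccessible


def summarize_mount_points(mount_points):
    """Count destinations. One odd target shared by many system directories is
    the pattern to escalate; a legitimate junction points at a volume or path."""
    return Counter(target for _, target in mount_points)


def flag_suspicious_copies(inaccessible):
    """For each inaccessible file, compare the copy at that path with the other
    copies of the same file name and explain why it stands out."""
    findings = []
    for path, copies in inaccessible.items():
        name = path.rsplit("\\", 1)[-1].lower()
        same_name = [c for c in copies if c["path"].rsplit("\\", 1)[-1].lower() == name]
        target = next((c for c in same_name if c["path"].lower() == path.lower()), None)
        if target is None:
            findings.append((path, "no version record for the inaccessible file"))
            continue
        others = [c for c in same_name if c is not target]
        reasons = []
        if not target["company"]:
            reasons.append("empty publisher string")
        if others and all(c["size"] != target["size"] for c in others):
            reasons.append(f"size {target['size']} matches none of {len(others)} other copies")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    mounts, blocked = parse_win32kdiag(SAMPLE_LOG)
    for target, n in summarize_mount_points(mounts).most_common():
        print(f"{n:4d} mount point(s) -> {target}")
    for path, why in flag_suspicious_copies(blocked):
        print(f"SUSPECT {path}: {why}")
```

Run it with no arguments to triage the embedded excerpt, or pass the text of a saved Win32kDiag.txt to parse_win32kdiag(). In the excerpt, the system32 copy of eventlog.dll is the only one with an empty publisher string and a size (62464) that matches no other copy of that name; the ComboFix log later in this thread reports exactly that file as infected and restores it from ServicePackFiles. Note that logevent.dll is listed in the same block but is a different file name, so the comparison deliberately ignores it.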



#2 rickmonrickmon
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Fort Smith, AR

Posted 11 September 2009 - 12:35 PM

This log came from this former forum area thread:

http://www.bleepingcomputer.com/forums/ind...p;#entry1420368

#3 fenzodahl512

  • Members
  • 6,738 posts

Posted 11 September 2009 - 12:43 PM

Make sure you save Win32kDiag on your Desktop BEFORE doing below fix..

Go to Start >> Run >> copy/paste below >> Enter. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#4 rickmonrickmon
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Fort Smith, AR

Posted 11 September 2009 - 01:40 PM

I don't think this is good...

Log file is located at: C:\Documents and Settings\rodell\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 05:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:41:54 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\eventlog.dll (Microsoft Corporation)

[1] 2008-04-14 06:41:54 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-14 06:41:54 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 05:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)





Finished!

#5 fenzodahl512

  • Members
  • 6,738 posts

Posted 11 September 2009 - 01:49 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:



It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#6 rickmonrickmon
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Fort Smith, AR

Posted 11 September 2009 - 02:38 PM

So ComboFix (i.e., Combo-Fix) seems to have gone through all of its process... but it did a second reboot and it seems to be hanging on a blue screen with the cursor showing, but no apparent movement of it or the hard drive. Should I leave it or do something?

#7 fenzodahl512

  • Members
  • 6,738 posts

Posted 11 September 2009 - 02:48 PM

Just let it scan till finish.. If after like one hour still hanging, quit ComboFix and tell me about it..



#8 rickmonrickmon
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Fort Smith, AR

Posted 11 September 2009 - 03:02 PM

It went through numerous scans. One of the first ones told me to write down the following:
C:\WINDOWS\system32\drivers\rotscxiqnlbyxp.sys
C:\WINDOWS\system32\rotscxhgntismq.dll
C:\WINDOWS\system32\rotscxitidribv.dat
C:\WINDOWS\system32\rotscxwqwhpfth.dll
C:\WINDOWS\system32\rotscxqltqlvek.dat
C:\WINDOWS\system32\rotscxdcxmxvbr.dll
C:\WINDOWS\system32\drivers\UACwwupotvtft.sys
C:\WINDOWS\system32\UAClfaimoyxte.dll
C:\WINDOWS\system32\UACfqsalrwabl.dll
C:\WINDOWS\system32\UACtoakavdijk.dat
C:\WINDOWS\system32\UACywyscbabbp.dll

It asked me to let it add System Restore (which I said yes) and then rebooted. Then it appeared to delete several files. Next, it wanted to reboot... I told it ok, and after it went into that process, it stopped on the blue screen as described above. It's been about 45 minutes.

#9 fenzodahl512

  • Members
  • 6,738 posts

Posted 11 September 2009 - 03:09 PM

Ok, quit ComboFix and do below..


Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop
  • Run SysProt >> Click on the Log tab
  • Tick ALL the boxes at the "Write to log" section (Do NOT tick the "Hidden Objects Only" options)
  • Hit the Create Log button
  • When it asks for a scanning option, choose Scanning all drives >> Hit the Start button (Do NOT hit the "Ok" button)
  • Let it scan until it finishes
  • Find the log.txt inside the SysProt folder and attach the log here.


NEXT


Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)



#10 rickmonrickmon
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Fort Smith, AR

Posted 11 September 2009 - 03:12 PM

OK will do. Should I reboot into normal XP mode, Safe Mode with networking or Safe Mode only?

#11 fenzodahl512

  • Members
  • 6,738 posts

Posted 11 September 2009 - 03:13 PM

Normal Mode please :(



#12 rickmonrickmon
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Fort Smith, AR

Posted 11 September 2009 - 03:23 PM

When I rebooted in Normal Mode, Combofix popped back up and said NOT to run any programs until it is finished. It also says it's preparing a log report. A balloon popped up saying "Your Computer might be at risk. No firewall is turned on. Click this balloon to fix this problem." I won't touch it, of course.

Then a dialogue box popped up that said, "Windows Defender. Application failed to initialize: 0x800106ba. A problem caused this program's service to stop. To start the service, restart your computer or search Help and Support for how to start a service manually". Should I click OK, X it out or ignore it?

Another dialogue box popped up that said, "RUNDLL. Error loading C:\WINDOWS\system32\serinoho.dll. Access is denied." Should I click OK, X it out or ignore it?

While I was typing this reply into this forum, Combofix continued to run. It appears that it has created a log file in notepad. Want me to upload that to here?

Still want me to proceed as per your last directions re: Sysprot and MBR.EXE?

#13 fenzodahl512

  • Members
  • 6,738 posts

Posted 11 September 2009 - 03:32 PM

When ComboFix is running, you should go have some Coffee.. Don't use the computer at all.. If after one hour the ComboFix still stuck, then tell me about it..

And yes, I still want SysProt and mbr.exe, but only after ComboFix step



#14 rickmonrickmon
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Fort Smith, AR

Posted 11 September 2009 - 03:37 PM

I guess I wasn't clear. Combofix appears to be done. The other dialogue boxes, etc. are still shown. Please tell me what to do on them.

Before I do the SysProt and MBR steps, here is the log from Combofix. Please tell me to proceed with the SysProt/MBR steps after you review. Thanks so much!

ComboFix 09-09-10.03 - rodell 09/11/2009 14:15.1.2 - NTFSx86
Running from: c:\documents and settings\rodell\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\12895154
c:\documents and settings\All Users\Application Data\12895154\12895154
c:\documents and settings\All Users\Application Data\12895154\12895154.exe
c:\documents and settings\All Users\Application Data\12895154\pc12895154ins
C:\lriaxaso.exe
c:\program files\Protection System
c:\program files\Protection System\core.cga
c:\program files\Protection System\coreext.dll
c:\program files\Protection System\firewall.dll
c:\program files\Protection System\help.ico
c:\program files\Protection System\psystem.exe
c:\program files\Protection System\uninstall.exe
c:\windows\system32\41.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\drivers\rotscxiqnlbyxp.sys
c:\windows\system32\drivers\UACwwupotvtft.sys
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\roloropo.dll
c:\windows\system32\rotscxdcxmxvbr.dll
c:\windows\system32\rotscxhgntismq.dll
c:\windows\system32\rotscxitidribv.dat
c:\windows\system32\rotscxqltqlvek.dat
c:\windows\system32\rotscxwqwhpfth.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\taJF83ikdmf.dll
c:\windows\system32\tapi.nfo
c:\windows\system32\UACfqsalrwabl.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClfaimoyxte.dll
c:\windows\system32\UACppklvmpxgi.dll
c:\windows\system32\UACtoakavdijk.dat
c:\windows\system32\UACydwrtnpfjw.dll
c:\windows\system32\UACywyscbabbp.dll
c:\windows\system32\wingenocx.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wscsvc32.exe
c:\windows\Temp\2831780948.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_rotscxmxtrqjxv
-------\Legacy_rotscxmxtrqjxv
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ed}


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 15:20 . 2009-09-11 15:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-11 14:27 . 2009-09-11 14:27 -------- d--h--w- c:\windows\PIF
2009-09-11 14:24 . 2009-09-11 14:24 -------- d-----w- c:\documents and settings\rodell\Application Data\Malwarebytes
2009-09-11 13:52 . 2009-09-11 13:52 -------- d-sh--w- c:\documents and settings\rodell\IETldCache
2009-09-10 19:23 . 2009-09-10 21:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-09 21:02 . 2009-09-09 21:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-09 21:01 . 2009-09-10 13:05 0 ----a-w- c:\windows\system32\drivers\54e66ab6.sys
2009-09-09 20:28 . 2009-09-09 20:28 -------- d-----w- c:\documents and settings\rodell.WESTARKCC\Application Data\Malwarebytes
2009-09-09 20:28 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-09 20:28 . 2009-09-11 15:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-09 20:28 . 2009-09-09 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-09 20:28 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 22:03 . 2009-08-30 22:03 -------- d-----w- c:\program files\YouTube Downloader
2009-08-26 17:35 . 2009-08-26 17:35 -------- d-----w- c:\program files\PowerPoint Viewer
2009-08-25 19:06 . 2009-08-25 19:06 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-25 18:44 . 2009-08-25 18:44 -------- d-sh--w- c:\documents and settings\rodell.WESTARKCC\IECompatCache
2009-08-19 20:55 . 2009-08-26 18:55 -------- d-----w- c:\documents and settings\rodell.WESTARKCC\Local Settings\Application Data\Temp
2009-08-19 20:38 . 2009-08-19 20:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-17 21:35 . 2009-08-17 21:35 -------- d-----w- C:\hidownload
2009-08-17 21:34 . 2009-08-17 21:34 -------- d-----w- c:\program files\StreamingStar
2009-08-17 21:30 . 2009-08-17 21:33 -------- d-----w- c:\documents and settings\rodell.WESTARKCC\Application Data\Eltima Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 21:19 . 2009-01-13 17:15 -------- d-----w- c:\program files\Trillian
2009-09-11 20:18 . 2009-01-01 00:50 0 ----a-w- c:\documents and settings\rodell.WESTARKCC\Local Settings\Application Data\WavXMapDrive.bat
2009-09-11 19:01 . 2004-08-11 22:00 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-11 18:55 . 2008-06-28 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-11 17:51 . 2008-06-25 23:51 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Wave Systems Corp
2009-09-11 13:36 . 2009-02-16 20:18 -------- d-----w- c:\program files\DNA
2009-09-11 13:36 . 2009-02-16 20:18 -------- d-----w- c:\documents and settings\rodell.WESTARKCC\Application Data\DNA
2009-09-10 19:09 . 2008-06-19 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-09-10 15:33 . 2009-06-10 15:33 44970 --sha-w- c:\windows\system32\hubewapo.exe
2009-09-10 15:33 . 2009-06-10 15:33 1064484 --sha-w- c:\windows\system32\rijilutu.exe
2009-09-10 15:33 . 2009-06-10 15:33 89088 --sha-w- c:\windows\system32\kalerazo.dll
2009-09-10 13:40 . 2009-05-02 01:59 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-09-10 13:39 . 2009-05-02 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-09-10 13:30 . 2008-06-19 03:08 -------- d-----w- c:\program files\Google
2009-08-29 00:46 . 2009-01-22 16:45 256 ----a-w- c:\windows\system32\pool.bin
2009-08-28 13:51 . 2009-02-16 20:18 -------- d-----w- c:\documents and settings\rodell.WESTARKCC\Application Data\BitTorrent
2009-08-25 19:06 . 2008-06-28 01:38 -------- d-----w- c:\program files\MSECache
2009-08-20 20:55 . 2008-06-19 03:07 -------- d-----w- c:\program files\Roxio
2009-08-18 14:29 . 2008-06-28 01:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 14:29 . 2008-06-28 01:42 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 14:29 . 2008-06-28 01:42 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 17:32 . 2009-01-01 00:50 108360 ----a-w- c:\documents and settings\rodell.WESTARKCC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 08:21 . 2008-06-19 03:00 108360 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 08:20 . 2009-03-20 14:41 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-10 08:08 . 2009-08-10 08:08 -------- d-----w- c:\program files\MSBuild
2009-08-10 08:07 . 2009-08-10 08:07 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-22 22:47 . 2009-07-22 22:44 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-07-22 22:47 . 2009-07-22 22:44 -------- d-----w- c:\program files\AVS4YOU
2009-07-22 22:46 . 2009-07-22 22:46 -------- d-----w- c:\documents and settings\rodell.WESTARKCC\Application Data\AVS4YOU
2009-07-22 22:46 . 2009-07-22 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-07-22 22:25 . 2009-07-22 22:25 -------- d-----w- c:\program files\freestar
2009-07-22 16:35 . 2009-07-22 16:35 -------- d-----w- c:\documents and settings\rodell.WESTARKCC\Application Data\Moyea
2009-07-22 16:08 . 2009-07-22 16:08 -------- d-----w- c:\program files\iTunes
2009-07-22 16:08 . 2009-07-22 16:08 -------- d-----w- c:\program files\iPod
2009-07-22 16:08 . 2008-12-30 18:55 -------- d-----w- c:\program files\Common Files\Apple
2009-07-20 20:00 . 2008-06-19 03:07 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-07-20 19:59 . 2009-01-22 16:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-07-20 19:59 . 2008-06-19 03:07 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-07-20 19:42 . 2009-01-22 16:31 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-11 22:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-08 19:58 . 2009-07-08 19:58 311840 ----a-w- c:\windows\eFaxView.exe
2009-07-03 17:09 . 2004-08-11 22:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-11 22:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 22:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 22:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-11 22:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 22:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-11 22:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-02-18 20:38 . 2009-02-18 20:38 2788800 ----a-w- c:\program files\FLV PlayerFCSetup.exe
2009-06-09 21:01 . 2009-06-09 21:01 49152 --sha-w- c:\windows\system32\devoresi.dll
2009-06-09 21:01 . 2009-06-09 21:01 49152 --sha-w- c:\windows\system32\serinoho.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-02-16 342848]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-10 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-10 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-10 137752]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-18 2007832]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Norton Ghost 12.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-05-07 2037088]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-07-02 623960]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"darasibewu"="c:\windows\system32\serinoho.dll" [2009-06-09 49152]
"ramilijas"="c:\windows\system32\kalerazo.dll" [2009-09-10 89088]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-09-14 405504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{4666406f-c389-4a14-9d4f-907f76a238cd}"= "c:\windows\system32\kalerazo.dll" [2009-09-10 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vutitabes"= {4666406f-c389-4a14-9d4f-907f76a238cd} - c:\windows\system32\kalerazo.dll [2009-09-10 89088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 14:29 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 54e66ab6;54e66ab6;c:\windows\System32\drivers\54e66ab6.sys [2009-09-10 0]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-08-18 908056]
R2 gupdate1ca210de59ebb0;Google Update Service (gupdate1ca210de59ebb0);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-19 133104]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-18 335240]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-11 108552]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 79168]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-18 297752]
S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2008-04-14 5120]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-02 97536]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-19 20:38]

2009-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-19 20:38]

2009-09-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://today.ask.com/frostwire?o=101676&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
IE: Download All Files by HiDownload - c:\program files\StreamingStar\HiDownload\HDGetAll.htm
IE: Download by HiDownload - c:\program files\StreamingStar\HiDownload\HDGet.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\rodell\Application Data\Mozilla\Firefox\Profiles\xkkg2h7j.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - (no file)
HKLM-Run-12895154 - c:\documents and settings\All Users\Application Data\12895154\12895154.exe
SafeBoot-Wdf01000.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 15:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(3904)
c:\windows\system32\WININET.dll
c:\windows\system32\kalerazo.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\stacsv.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-11 15:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 20:21

Pre-Run: 85,110,816,768 bytes free
Post-Run: 88,383,922,176 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
308 --- E O F --- 2009-09-07 21:52

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:01:39 AM

Posted 11 September 2009 - 03:49 PM

Ok, skip SysProt, but run mbr.exe.. After that, do below..


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
54e66ab6

File::
c:\windows\system32\drivers\54e66ab6.sys
c:\windows\system32\hubewapo.exe
c:\windows\system32\rijilutu.exe
c:\windows\system32\kalerazo.dll
c:\windows\system32\devoresi.dll
c:\windows\system32\serinoho.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"darasibewu"=-
"ramilijas"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{4666406f-c389-4a14-9d4f-907f76a238cd}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vutitabes"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • mbr.exe report.

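As an added illustration, not code from either poster or from ComboFix itself: the File:: and Registry:: entries in the CFScript above come from cross-referencing two sections of the log in post #14. In the Find3M report, hubewapo.exe, rijilutu.exe, kalerazo.dll, devoresi.dll and serinoho.dll are the only system32 files carrying the --sha-w- (system + hidden) attribute bits, and in the Reg Loading Points, kalerazo.dll and serinoho.dll are what the random-looking Run values, the SharedTaskScheduler CLSID and the ShellServiceObjectDelayLoad value point at. The Driver:: entry is the R1 service whose .sys file is 0 bytes. The Python below reproduces that correlation on a constructed excerpt of the posted log (paths, key names and section headers are the ones on the page; the parsing functions and the "hidden + referenced from an autostart" rule are mine and a simplification of an analyst's judgement) and renders the result in the same section format as the script above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix log posted above: a few Find3M lines,
# the relevant Reg Loading Points keys and three service lines, copied verbatim.
COMBOFIX_EXCERPT = r"""
2009-09-11 19:01 . 2004-08-11 22:00 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-10 15:33 . 2009-06-10 15:33 44970 --sha-w- c:\windows\system32\hubewapo.exe
2009-09-10 15:33 . 2009-06-10 15:33 1064484 --sha-w- c:\windows\system32\rijilutu.exe
2009-09-10 15:33 . 2009-06-10 15:33 89088 --sha-w- c:\windows\system32\kalerazo.dll
2009-08-18 14:29 . 2008-06-28 01:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-09 21:01 . 2009-06-09 21:01 49152 --sha-w- c:\windows\system32\devoresi.dll
2009-06-09 21:01 . 2009-06-09 21:01 49152 --sha-w- c:\windows\system32\serinoho.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-18 2007832]
"darasibewu"="c:\windows\system32\serinoho.dll" [2009-06-09 49152]
"ramilijas"="c:\windows\system32\kalerazo.dll" [2009-09-10 89088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{4666406f-c389-4a14-9d4f-907f76a238cd}"= "c:\windows\system32\kalerazo.dll" [2009-09-10 89088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vutitabes"= {4666406f-c389-4a14-9d4f-907f76a238cd} - c:\windows\system32\kalerazo.dll [2009-09-10 89088]

R1 54e66ab6;54e66ab6;c:\windows\System32\drivers\54e66ab6.sys [2009-09-10 0]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-18 335240]
"""

# Find3M / Files Created line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")           # [HKEY_...] header
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
PATH_IN_VALUE = re.compile(r'[a-z]:\\[^"\[\]]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)
SERVICE_LINE = re.compile(                                  # R1 name;display;path [date size]
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) "
    r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)


def parse_files(log):
    """One dict per Find3M-style file entry; directories get size None."""
    out = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = None if d["size"].startswith("-") else int(d["size"])
            out.append(d)
    return out


def hidden_system_files(log):
    """Regular files under system32 whose attribute bits include system (s) and hidden (h)."""
    return [e["path"] for e in parse_files(log)
            if not e["attrs"].startswith("d") and "s" in e["attrs"] and "h" in e["attrs"]
            and "\\system32\\" in e["path"].lower()]


def parse_loading_points(log):
    """(registry key, value name, referenced executable path) for each autostart value."""
    out, key = [], None
    for line in log.splitlines():
        line = line.strip()
        km = KEY_LINE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_LINE.match(line)
        if vm and key:
            pm = PATH_IN_VALUE.search(vm.group("rest"))
            if pm:                       # values like dumprep "0 -u" carry no file path
                out.append((key, vm.group("name"), pm.group(0)))
    return out


def empty_driver_services(log):
    """Registered driver services whose .sys file is reported as 0 bytes."""
    return [(m.group("name"), m.group("path"))
            for m in (SERVICE_LINE.match(l.strip()) for l in log.splitlines())
            if m and m.group("path").lower().endswith(".sys") and int(m.group("size")) == 0]


def correlate(log):
    """Map each hidden system32 file to the loading points that reference it (case-insensitive)."""
    hidden = {p.lower(): p for p in hidden_system_files(log)}
    refs = defaultdict(list)
    for key, name, path in parse_loading_points(log):
        if path.lower() in hidden:
            refs[hidden[path.lower()]].append((key, name))
    return {p: refs.get(p, []) for p in hidden.values()}


def build_cfscript(log):
    """Render the findings in the CFScript section layout used in the reply above."""
    lines = ["KillAll::", ""]
    drivers = empty_driver_services(log)
    if drivers:
        lines += ["Driver::"] + [name for name, _ in drivers] + [""]
    refs = correlate(log)
    lines += ["File::"] + [path for _, path in drivers] + list(refs) + ["", "Registry::"]
    by_key = defaultdict(list)
    for points in refs.values():
        for key, name in points:
            by_key[key].append(name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines += [f'"{name}"=-' for name in names]   # "=-" deletes the value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(COMBOFIX_EXCERPT))
```

The generated text is a review aid, not something to feed to ComboFix unread: the script's only evidence for hubewapo.exe, rijilutu.exe and devoresi.dll is the attribute bits, and the disinfected eventlog.dll, the missing Recovery Console and the two rootkit driver names already deleted in the first run are context an analyst weighs by hand.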




