New and tricky rootkit, closes DDS and Malwarebytes instantly


  • This topic is locked
9 replies to this topic

#1 Klagger

  • Members
  • 7 posts

Posted 11 September 2009 - 05:14 PM

Greetings!

I originally posted in the Am I Infected forum and was instructed to come post here because I had a newer and tricky rootkit that required more powerful tools than they recommend in that forum.

Here is the original thread in the Am I Infected forum.

http://www.bleepingcomputer.com/forums/t/256794/am-i-infected-trojan-horse-sheur2azuw-and-crypthcq/



Windows XP Service Pack 3


My issue


The only indication I had that there was a problem is that when first booting up my computer, I noticed some of the icons in the lower right corner (near the clock) for programs that normally load were not loading. Programs like AVG Virus Scanner or Nostromo Key Pad weren't loading. Also, when first starting my computer it seems to hang where it says "welcome" for a few minutes. Pretty much all programs such as Firefox, e-mail (AOL) and video games are able to run normally, and my system is NOT running slow.

What I've done so far


When I realized I might have had a problem, I went to run my trusty Malwarebytes Anti-Malware scanner to be sure. Well, it runs for 2 seconds - and shuts down immediately by itself! When trying to open it back up, it tells me I don't have permission (?). I removed it via the add/remove programs in the control panel and re-downloaded it and renamed the install file to random.com and also renamed the mbam.exe file to random.com. Just like before, it runs for 2 seconds and immediately closes down and can't be reopened. Tried this same procedure in safe mode with the exact same results.

Next, I updated and ran my AVG anti-virus software, and came up with some issues - but it could not remove any of them. At that point, I posted my results in the "Am I Infected" forum and was instructed to come here and post a DDS log and RootRepeal log.

I successfully downloaded the DDS.scr program, but when I run it, it just closes down immediately, just like the Malwarebytes scanner. RootRepeal also will not run: as soon as it starts the scan, it "stops responding". It doesn't close down, but sits there forever, frozen.

So at this point, I can't seem to be able to generate any logs.
**EDIT**
I saw in another thread and downloaded Win32kDiag and it was able to scan. I pasted the log at the end of this post.

I am not sure what to do next, so I stopped and came here. Here is a screen shot of my AVG results so you can see the infection names.

Please let me know if there is any other information or anything else I can provide to help.

Thanks in advance for any possible assistance!
:(


Log file is located at: C:\Documents and Settings\Dave\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\aolshare\aolshare

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP768.tmp\ZAP768.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP879.tmp\ZAP879.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\4301AEBD288588A40833184CFEC0AF92\4.0.0\4.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1067466673-1808277501-3255830615-1006\S-1-5-21-1067466673-1808277501-3255830615-1006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\RJKJBT8L\RJKJBT8L

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Creative\Calibrator\Calibrator

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{4E3254D7-522A-412A-9296-3F4767B3A2CB}\{4E3254D7-522A-412A-9296-3F4767B3A2CB}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{D2E0723D-6FEA-4F85-AE84-7931D4E7DCE8}\{D2E0723D-6FEA-4F85-AE84-7931D4E7DCE8}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1067466673-1808277501-3255830615-500\S-1-5-21-1067466673-1808277501-3255830615-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1067466673-1808277501-3255830615-500\S-1-5-21-1067466673-1808277501-3255830615-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\3377630b3514\3377630b3514

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1067466673-1808277501-3255830615-500\S-1-5-21-1067466673-1808277501-3255830615-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-343818398-1004336348-839522115-500\S-1-5-21-343818398-1004336348-839522115-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\Active

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\Last Active

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 07:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001b\MCE0001b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001c\MCE0001c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001d\MCE0001d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001e\MCE0001e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001f\MCE0001f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00020\MCE00020

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00021\MCE00021

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00022\MCE00022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00023\MCE00023

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00024\MCE00024

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00025\MCE00025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00026\MCE00026

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00027\MCE00027

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00028\MCE00028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00029\MCE00029

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002a\MCE0002a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002b\MCE0002b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002c\MCE0002c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002d\MCE0002d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002e\MCE0002e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002f\MCE0002f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00030\MCE00030

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00031\MCE00031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00032\MCE00032

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00033\MCE00033

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00034\MCE00034

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00035\MCE00035

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00036\MCE00036

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00037\MCE00037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00038\MCE00038

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00039\MCE00039

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003a\MCE0003a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003b\MCE0003b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003c\MCE0003c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003d\MCE0003d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003e\MCE0003e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003f\MCE0003f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00040\MCE00040

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00041\MCE00041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00042\MCE00042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00043\MCE00043

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00044\MCE00044

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00045\MCE00045

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00046\MCE00046

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00047\MCE00047

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00048\MCE00048

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00049\MCE00049

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004a\MCE0004a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004b\MCE0004b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004c\MCE0004c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004d\MCE0004d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004e\MCE0004e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004f\MCE0004f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00050\MCE00050

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00051\MCE00051

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00052\MCE00052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00053\MCE00053

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00054\MCE00054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00055\MCE00055

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00056\MCE00056

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00057\MCE00057

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00058\MCE00058

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00059\MCE00059

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005a\MCE0005a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005b\MCE0005b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005c\MCE0005c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005d\MCE0005d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005e\MCE0005e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005f\MCE0005f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00060\MCE00060

Finished!




EDIT: spelling

Edited by Klagger, 11 September 2009 - 05:53 PM.
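Added example, not code from the thread or from the Win32kDiag tool: a small Python triage for mount-point listings like the one in Klagger's post, where long runs of "Found mount point" entries under C:\WINDOWS\Temp\MCE... all resolve to the same \Device\__max++>\^ destination. It pairs each mount point with its destination, groups the reparse points by target, and flags targets that no ordinary junction or volume mount can have; the sample lines are constructed in the same two-line format, and the C:\Junctions\Docs entry is an assumed benign junction added for contrast.

```python
"""Triage of Win32kDiag-style mount-point output (added example).

Pairs each "Found mount point" line with the "Mount point destination"
line that follows it, groups the reparse points by destination, and
flags destinations that no ordinary junction or volume mount can have.
"""
import re
from collections import defaultdict

FOUND_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")

# Characters that are illegal in a Win32 file-name component. A reparse
# target containing one cannot resolve to a normal file-system location.
ILLEGAL_CHARS = set('<>"|?*')

# Constructed sample in the same two-line format as the listing in the post.
# The MCE entries and their \Device\__max++>\^ destination mirror the post;
# the C:\Junctions\Docs entry is a made-up benign junction for contrast.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\Temp\MCE00061\MCE00061

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00062\MCE00062

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Junctions\Docs

Mount point destination : \??\C:\Documents and Settings\All Users\Documents

Finished!
"""


def parse_mount_points(text):
    """Return (mount_point, destination) pairs in the order they appear."""
    pairs = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FOUND_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            pairs.append((pending, m.group(1)))
            pending = None
    return pairs


def classify_destination(dest):
    """Return a reason string when the destination looks abnormal, else None."""
    if dest.startswith("\\??\\"):
        # Normal junctions and volume mount points use the \??\ prefix
        # followed by a drive-letter path or a Volume{GUID} name.
        body = dest[4:]
        if ILLEGAL_CHARS & set(body):
            return "illegal characters in file-system target"
        return None
    if dest.startswith("\\Device\\"):
        body = dest[len("\\Device\\"):]
        if ILLEGAL_CHARS & set(body):
            return "device target contains characters no file name can have"
        return "target is a raw device object, not a file-system path"
    return "unrecognised target form"


def triage(text):
    """Group reparse points by destination and collect the suspicious ones."""
    by_dest = defaultdict(list)
    suspicious = []
    for path, dest in parse_mount_points(text):
        by_dest[dest].append(path)
        reason = classify_destination(dest)
        if reason:
            suspicious.append((path, dest, reason))
    return {"by_destination": dict(by_dest), "suspicious": suspicious}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    # Destinations shared by many reparse points are the ones to look at first.
    for dest, paths in sorted(report["by_destination"].items(),
                              key=lambda kv: -len(kv[1])):
        print(f"{len(paths):4d} mount point(s) -> {dest}")
    for path, dest, reason in report["suspicious"]:
        print(f"SUSPICIOUS {path} -> {dest} ({reason})")
```

Run it against a real Win32kDiag.txt by reading the file into `triage()`; a single destination collecting dozens of Temp-folder reparse points is the pattern to investigate first.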




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:44 PM

Posted 11 September 2009 - 09:05 PM

Hi, Klagger :(

Welcome.

Please follow these steps:

Step 1

Open a command prompt (Start->Run, type CMD and click OK). At the prompt, copy and paste the following and press Enter after each line:

Copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\
Exit


Step 2

Make sure win32kdiag.exe is on the desktop. Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this file to your next reply.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 3

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Step 4
  • Launch Malwarebytes' Anti-Malware.
  • Update its definitions.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 5

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt".
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Klagger (Topic Starter)

Posted 12 September 2009 - 12:34 AM

First, thank you for the extremely fast response and your help.

All steps seemed to work fine, however I feel I should mention that when it came to the Combofix run, I thought I had my AVG disabled, but Combofix said it was still enabled. I tried again to disable it, but I did not fully disable it and Combofix gave me a second warning that said the AVG was still enabled. BEFORE I clicked okay, I did successfully manage to turn off AVG fully - and even got the warning in the lower right corner that my computer was no longer protected. I then proceeded with the combofix scan. So it was disabled prior to running the combo fix.

I have attached the Win32kDiag.txt log as requested.

I have copied and pasted the content of c:\avenger.txt into this post as requested.

I have copied and pasted the entire report of Malwarebytes' Anti-Malware's scan into this post as requested.

I have also posted the "C:\Combo-Fix.txt" as requested.




Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.





-





Malwarebytes' Anti-Malware 1.41
Database version: 2782
Windows 5.1.2600 Service Pack 3

9/12/2009 12:36:48 AM
mbam-log-2009-09-12 (00-36-48).txt

Scan type: Quick Scan
Objects scanned: 111820
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antispyware service (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\chevau0r1.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\cpv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nogfyultfk.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ueja73hkjd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.





-




ComboFix 09-09-11.01 - Dave 09/12/2009 0:56.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1578 [GMT -4:00]
Running from: c:\documents and settings\Dave\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security
c:\windows\system32\config\systemprofile\Start Menu\Programs\System Security\System Security
c:\windows\system32\drivers\SKYNETkcdjaxnm.sys
c:\windows\system32\SKYNETcpkowxnr.dll
c:\windows\system32\SKYNETpxrmpybi.dat
c:\windows\system32\SKYNETswrqrdll.dat
c:\windows\system32\SKYNETtavbuyip.dll
c:\windows\system32\SKYNETupfvamtc.dll
c:\windows\Temp\2202161342.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETrrntyqqj
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_SKYNETrrntyqqj


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-11 12:45 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-11 12:45 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-11 01:36 . 2009-09-11 01:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-11 01:29 . 2009-09-11 01:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-11 01:01 . 2009-09-11 01:01 -------- d-----w- c:\documents and settings\Dave\Application Data\AVG8
2009-09-11 01:00 . 2009-09-11 01:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-11 00:43 . 2009-09-11 04:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-09 00:12 . 2009-09-09 00:12 -------- d-----w- c:\documents and settings\Dave\Application Data\InstallShield
2009-09-08 23:54 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 03:23 . 2007-06-06 02:03 -------- d-----w- c:\program files\Warcraft III
2009-09-11 01:15 . 2009-03-14 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-09 00:19 . 2007-09-06 03:51 -------- d-----w- c:\documents and settings\Dave\Application Data\GetRightToGo
2009-09-09 00:15 . 2009-02-28 03:54 -------- d-----w- c:\program files\NCSoft
2009-09-09 00:15 . 2007-01-18 21:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-09 00:09 . 2008-08-11 04:02 -------- d-----w- c:\documents and settings\Dave\Application Data\uTorrent
2009-09-05 15:35 . 2009-05-16 15:42 -------- d-----w- c:\program files\XoftSpySE
2009-08-29 01:32 . 2009-03-14 23:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-29 01:32 . 2009-03-14 23:24 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-29 01:32 . 2009-03-14 23:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 02:17 . 2007-06-06 02:06 79645 ----a-w- c:\windows\War3Unin.dat
2009-08-08 04:29 . 2009-08-08 04:29 -------- d-----w- c:\program files\Replay Converter 3
2009-08-08 04:16 . 2009-08-08 04:16 -------- d-----w- c:\program files\Free Audio Pack
2009-08-07 05:15 . 2009-08-07 05:14 -------- d-----w- c:\program files\Common Files\Real
2009-08-07 05:14 . 2009-08-07 05:14 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-07 05:14 . 2009-08-07 05:14 -------- d-----w- c:\program files\Real
2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:09 . 2009-08-05 03:09 -------- d-----w- c:\documents and settings\Dave\Application Data\Malwarebytes
2009-08-05 03:09 . 2009-08-05 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 05:49 . 2009-08-03 05:49 -------- d-----w- c:\documents and settings\Dave\Application Data\Xilisoft Corporation
2009-07-24 11:59 . 2009-08-03 05:35 3768 ----a-w- c:\windows\system32\MusCVideo.sys
2009-07-24 11:59 . 2009-08-03 05:35 10936 ----a-w- c:\windows\system32\MusCVideo.dll
2009-07-24 11:58 . 2009-08-03 05:35 23096 ----a-w- c:\windows\system32\MusCAudio.sys
2009-07-24 11:58 . 2009-08-03 05:35 23096 ----a-w- c:\windows\system32\drivers\MusCAudio.sys
2009-07-22 22:57 . 2009-08-03 05:35 245760 ----a-w- c:\windows\system32\snmvtsvc.exe
2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-23 00:09 . 2009-06-22 01:23 152 ----a-w- c:\documents and settings\Dave\Application Data\wklnhst.dat
2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 20:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HostManager"="c:\program files\Common Files\AOL\1180588835\ee\AOLSoftware.exe" [2008-06-24 41824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-29 2007832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-07 198160]
"Malwarebytes Anti-Malware (reboot)"="c:\documents and settings\Dave\Desktop\iiju\mbam.exe" [2009-09-10 1312080]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-24 442368]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 01:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1180588835\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Warcraft III battle.net

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/14/2009 7:24 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/14/2009 7:24 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/14/2009 7:24 PM 297752]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [8/3/2009 1:35 AM 23096]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [7/23/2003 3:16 PM 22821]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [8/3/2009 1:35 AM 245760]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-12 c:\windows\Tasks\User_Feed_Synchronization-{2A78ADB6-4B31-4EB5-89B3-B6186CC1FC95}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

2009-09-12 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-05-13 17:16]

2009-09-08 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2009-05-13 17:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\qg8hz9q7.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-12 01:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1932)
c:\windows\system32\WININET.dll
c:\program files\Belkin\Nostromo\nost_FSH.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\CTXFISPI.EXE
c:\windows\system32\rundll32.exe
c:\program files\Common Files\aol\acs\AOLacsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-09-12 1:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-12 05:07

Pre-Run: 127,932,203,008 bytes free
Post-Run: 128,174,694,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

258 --- E O F --- 2009-09-09 07:01
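As an added example (not part of this thread, and not Malwarebytes' or ComboFix's own tooling), here is a small Python parser for the MBAM 1.x log format posted above. It tallies each detection by the persistence location it lives in (Run key, browser helper object, scheduled task, kernel driver, Temp drop) and lists anything the scanner did not report as removed, which is the check a responder wants before declaring a machine clean. The sample log lines, paths and CLSIDs are constructed for the example, and the classification rules are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log layout used in this thread.
# Paths, GUIDs and detection names are made up for the example, not real indicators.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2782

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antispyware service (Trojan.Dropper) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\example1.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{00000000-0000-0000-0000-000000000002}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\example2.sys (Rootkit.TDSS) -> Delete on reboot.
"""

# One detection line: "<item> (<threat name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection line found under an '... Infected:' section."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):
            # Section header such as "Files Infected:" or "Registry Keys Infected:"
            section = line[: -len(" Infected:")]
            continue
        if section is None or line.startswith("("):
            continue  # summary header area, or "(No malicious items detected)"
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"section": section, **m.groupdict()})
    return detections


def persistence_class(item):
    """Classify a detected path or registry location by the persistence mechanism it represents (assumed rules)."""
    low = item.lower()
    if "\\currentversion\\run\\" in low:
        return "autostart-run-key"
    if "browser helper objects" in low:
        return "browser-helper-object"
    if "\\tasks\\" in low and low.endswith(".job"):
        return "scheduled-task"
    if "\\drivers\\" in low and low.endswith(".sys"):
        return "kernel-driver"
    if "\\temp\\" in low:
        return "temp-dropped-file"
    return "other"


def summarize(detections):
    """Count detections per persistence class and list items not reported as quarantined and deleted."""
    by_class = Counter(persistence_class(d["item"]) for d in detections)
    unresolved = [
        d["item"]
        for d in detections
        if not d["action"].startswith("Quarantined and deleted successfully")
    ]
    return {"total": len(detections), "by_class": dict(by_class), "unresolved": unresolved}


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['total']} detections")
    for cls, n in sorted(report["by_class"].items()):
        print(f"  {cls}: {n}")
    for item in report["unresolved"]:
        print(f"  NOT YET REMOVED: {item}")
```

A kernel driver left for "Delete on reboot" is exactly the kind of item to re-check after the restart, since a rootkit driver that survives the reboot will keep protecting the rest of the infection.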

#4 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 12 September 2009 - 08:54 AM

Hi, Klagger :(

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 16.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u16-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u16-windows-i586.exe and select "Run as an Administrator.")



#5 Klagger (Topic Starter)

Posted 12 September 2009 - 03:03 PM

Hello again, and thank you for the extremely fast responses! Your assistance is greatly appreciated!


All steps went as planned.

I first removed my old Java (JRE 5 Update 6) and replaced it with the newest JRE 6 Update 16.

Next I disabled my AVG 8.5 and scanned with Kaspersky Online Scanner as requested.

I have posted the log in this reply as requested.




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, September 12, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, September 12, 2009 20:03:32
Records in database: 2785091
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 122256
Threats found: 4
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 01:21:13


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETkcdjaxnm.sys.vir Infected: Rootkit.Win32.TDSS.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETcpkowxnr.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETtavbuyip.dll.vir Infected: Trojan.Win32.Small.bzc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\SKYNETupfvamtc.dll.vir Infected: Trojan.Win32.Monder.cpxu 1

Selected area has been scanned.

#6 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 12 September 2009 - 04:01 PM

Hi, Klagger

Detections are quarantined. How is the computer doing?



#7 Klagger (Topic Starter)

Posted 12 September 2009 - 04:09 PM

Computer seems to be back to normal. Thank you so much for all your assistance! If this was a pay service, it would be well worth it. I have made a donation for your time and efforts.

Thanks again!

#8 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 12 September 2009 - 07:13 PM

Hi, Klagger :(

Thank you and congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now copy and paste "c:\documents and settings\Dave\Desktop\Combo-Fix.exe" /u in the runbox (including the quotation marks) and click OK. Note the space between the " and the /u, it needs to be there.
Please download OTC by OldTimer.
  • Save it to your desktop.
  • Please double-click OTC.exe to run it. (Vista users, please right click on OTC.exe and select "Run as an Administrator")
  • This will delete the tools we used in the removal of malware, including this program.
  • If you are asked to reboot to complete the removal process then please do so
Upon restart, manually remove any remaining tools.

Create a Restore point
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
The following is a list of free tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - A useful tool which can search and annihilate bad files that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills bad files that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep bad files from installing on your system.
  • ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those bad files that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
  • Recovery Console - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat. For more information and steps to install the Recovery Console see This Article. Should you need assistance in installing the Recovery Console, please do not hesitate to ask.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

Edited by JSntgRvr, 13 September 2009 - 10:24 AM.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 Klagger

Klagger
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 12 September 2009 - 11:47 PM

Hello again and thanks for yet another fast response.

I turned off System Restore and rebooted and turned it back on.

I deleted ComboFix.

I saved and ran OTC.exe.

I downloaded and installed Spybot Search and Destroy, and ATF! and ERUNT. The Recovery Console was installed when I ran ComboFix earlier.

I will read the article by Miekiemoes after I post this.

Thanks again for all your help!!
:(

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:44 PM

Posted 20 September 2009 - 08:10 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





