mbr rootkit. antivirus pro, police pro


  • This topic is locked
17 replies to this topic

#1 thirdtime

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 13 September 2009 - 06:39 PM

At login I see these pop-ups:
Corrupt File:
C:\WINDOWS\system32\config\systemprofile\Local settings\Temporary Internet Files\Content.IE5\49URGPQN
is corrupt and unreadable. Please run the chkdsk utility.

Same for A86DHLYE, UN5MRUG3, WLYNOPE3.

McAfee, Spybot, malware all unable to run; they die at the first try, insufficient privileges thereafter.
Ran DDS - it reported an MBR rootkit before it died. Ran mbr -f, it died, log looks like a failure. Ran RootRepeal, it also reported an MBR before it died.
No logs for anything, they all die long before a log is available.

I have a duplicate request under the 'Am I infected' forum, but it is being ignored; maybe I did something wrong?


#2 Farbar

  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:07 PM

Posted 14 September 2009 - 06:16 AM

Hi thirdtime,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Looks like a challenge. You can't practically do anything, not even a reinstall of Windows, as long as the MBR rootkit is there.


#3 thirdtime
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 14 September 2009 - 07:27 PM

No luck on chkdsk - the volume is mounted, so it offers "schedule for next boot", which never happens.

win32kdiag runs, very cool.

Running from: C:\Documents and Settings\add\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\add\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB908531\KB908531

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB919007\KB919007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920685\KB920685

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920872\KB920872

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922819\KB922819

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB923414\KB923414

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB923980\KB923980

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924191\KB924191

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924270\KB924270

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925486\KB925486

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB926255\KB926255

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\05c415ef6d072eb49a51ae487bfc11a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\154fcf8f21f4137d09271267cc1c5727\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\187d2ab765f3595de795d17271e0496c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1c57749e6715414b7025f8d316d91db9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2a8c07aaf8ec0a2dbcb5ab11c4e40d88\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\3112269c39ef5d624522fb876634b1d2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b15b843ee2a6cbca76875f1244f36866\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf66607446e145f5d8c8bf3f55214656\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dc632b620dc2d521266be7bce2a259fd\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e533f2b7494d7e198f7fd652beea5687\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e7683b17d4278f291be6f6084d0416e7\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fd021e0d3be9e9d32612eef4c870a5b4\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fde4a5af73d5aee9b5faba71cbff1d6c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1214440339-1060284298-1343024091-1003\S-1-5-21-1214440339-1060284298-1343024091-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\XTPEE36Q\XTPEE36Q

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\CAZRVHC6\admin.brightcove.com\admin.brightcove.com

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\CAZRVHC6\i2.current.com\i2.current.com

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini

[1] 2009-06-17 18:44:57 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2001-08-23 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2004-02-24 05:46:42 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2004-02-24 05:48:36 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2004-02-24 05:46:43 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2006-01-20 11:20:25 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2006-01-20 11:20:26 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-01-20 19:56:35 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-01-20 19:56:35 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2009-09-08 06:15:49 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2006-01-20 19:56:35 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2006-01-20 19:56:10 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2006-01-20 11:20:25 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2006-01-20 19:57:38 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2006-01-20 19:57:38 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2006-01-20 19:57:38 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2006-01-20 19:57:38 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2006-01-20 19:57:38 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2001-08-23 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2001-08-23 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2008-03-31 12:54:03 113 C:\WINDOWS\TEMP\History\History.IE5\desktop.ini ()



Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\drivers\UACorcnvppkos.sys

[1] 2009-09-08 06:15:53 50176 C:\WINDOWS\system32\drivers\UACorcnvppkos.sys ()



Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2002-08-29 04:41:22 9216 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2004-08-04 01:56:50 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2004-08-04 01:56:50 10752 C:\WINDOWS\system32\dumprep.exe ()



Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2002-08-29 04:40:52 49152 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 01:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 01:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\prtprocs\w32x86\w32x86

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\UACibeecbloti.dll

[1] 2009-09-08 06:15:53 24064 C:\WINDOWS\system32\UACibeecbloti.dll ()



Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\mca37.tmp\mca37.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\mca38.tmp\mca38.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0001b\MCE0001b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0001c\MCE0001c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0001d\MCE0001d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0001e\MCE0001e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0001f\MCE0001f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00020\MCE00020

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00021\MCE00021

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00022\MCE00022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00023\MCE00023

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00024\MCE00024

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00025\MCE00025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00026\MCE00026

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00027\MCE00027

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00028\MCE00028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00029\MCE00029

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0002a\MCE0002a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0002b\MCE0002b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0002c\MCE0002c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0002d\MCE0002d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0002e\MCE0002e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0002f\MCE0002f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00030\MCE00030

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00031\MCE00031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00032\MCE00032

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00033\MCE00033

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00034\MCE00034

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00035\MCE00035

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00036\MCE00036

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00037\MCE00037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00038\MCE00038

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00039\MCE00039

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0003a\MCE0003a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0003b\MCE0003b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0003c\MCE0003c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0003d\MCE0003d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0003e\MCE0003e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE0003f\MCE0003f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00040\MCE00040

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00041\MCE00041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00042\MCE00042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00043\MCE00043

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00044\MCE00044

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00045\MCE00045

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00046\MCE00046

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\MCE00047\MCE00047

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TEMP\nsc5.tmp\nsc5.tmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\TEMP\UACdf5e.tmp

[1] 2009-09-08 06:15:53 343040 C:\WINDOWS\TEMP\UACdf5e.tmp ()



Found mount point : C:\WINDOWS\TEMP\UPD3A.tmp\UPD3A.tmp

Mount point destination : \Device\__max++>\^



Finished!

I'm shuttling between computers with a usb stick, praying that I don't vector myself.
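The Win32kDiag output above can be triaged mechanically rather than read line by line. The script below is an added example; it is not code from this thread, from BleepingComputer, or from the Win32kDiag tool. It parses the four line shapes seen in the log ("Found mount point", "Mount point destination", "Cannot access", and the "[n] date time size path (company)" file records) and applies three defender-side checks: junctions whose target is not a `\??\` object path (a heuristic of mine: real volume mount points and mklink junctions resolve under `\??\`, which the thread does not state), locked system files whose live size differs from the service-pack backup copy, and locked files with no backup copy at all, grouped by creation timestamp so the drop time of the infection stands out. The embedded sample log is constructed from a handful of lines of the quoted log, and all function names are my own.

```python
"""Triage a Win32kDiag log for rootkit indicators (added example; not code from this
thread, BleepingComputer or the Win32kDiag tool). The sample log is constructed from
line shapes in the log quoted above; the \\??\\ rule is a heuristic the thread does not state."""
import re
from datetime import datetime

# Constructed sample in Win32kDiag's output format (blank lines between entries omitted).
SAMPLE_LOG = r"""Found mount point : C:\WINDOWS\$hf_mig$\KB908531\KB908531
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\drivers\UACorcnvppkos.sys
[1] 2009-09-08 06:15:53 50176 C:\WINDOWS\system32\drivers\UACorcnvppkos.sys ()
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-04 01:56:50 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2004-08-04 01:56:50 10752 C:\WINDOWS\system32\dumprep.exe ()
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 01:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()
Cannot access: C:\WINDOWS\system32\UACibeecbloti.dll
[1] 2009-09-08 06:15:53 24064 C:\WINDOWS\system32\UACibeecbloti.dll ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
LOCKED_RE = re.compile(r"^Cannot access: (.+)$")
FILE_RE = re.compile(r"^\[\d+\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")


def parse_win32kdiag(text):
    """Return {'mounts': [(path, target)], 'locked': {path: [file record, ...]}}."""
    mounts, locked, pending, current = [], {}, None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := MOUNT_RE.match(line):
            pending = m.group(1)                      # target comes on the next entry
        elif (m := DEST_RE.match(line)) and pending:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := LOCKED_RE.match(line):
            current = m.group(1)                      # file records that follow belong to it
            locked[current] = []
        elif (m := FILE_RE.match(line)) and current:
            locked[current].append({"when": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                                    "size": int(m.group(2)), "path": m.group(3),
                                    "company": m.group(4)})
    return {"mounts": mounts, "locked": locked}


def foreign_junctions(parsed):
    """Mount points whose target is not a \\??\\ object path. Heuristic: volume mount
    points and mklink junctions resolve under \\??\\ (\\??\\Volume{...}\\, \\??\\C:\\...);
    a target like \\Device\\__max++>\\^ is not somewhere any real volume lives."""
    return [(p, t) for p, t in parsed["mounts"] if not t.startswith("\\??\\")]


def size_mismatched_system_files(parsed):
    """Locked files whose live copy differs in size from a backup copy of the same name
    (ServicePackFiles, $NtServicePackUninstall$): a patched system DLL shows up this way."""
    hits = []
    for path, recs in parsed["locked"].items():
        live = [r["size"] for r in recs if r["path"].lower() == path.lower()]
        backup = [r["size"] for r in recs if r["path"].lower() != path.lower()]
        if live and backup and any(s != live[0] for s in backup):
            hits.append(path)
    return hits


def orphan_locked_files(parsed):
    """Locked files with no backup copy and no vendor info: the dropped components."""
    return [p for p, recs in parsed["locked"].items() if len(recs) == 1 and not recs[0]["company"]]


def drop_clusters(parsed, window_seconds=60):
    """Group orphan files whose timestamps fall within `window_seconds` of each other;
    components written by one infection usually share a creation minute."""
    recs = sorted((parsed["locked"][p][0] for p in orphan_locked_files(parsed)), key=lambda r: r["when"])
    clusters, last = [], None
    for r in recs:
        if last is not None and (r["when"] - last).total_seconds() <= window_seconds:
            clusters[-1].append(r["path"])
        else:
            clusters.append([r["path"]])
        last = r["when"]
    return clusters


if __name__ == "__main__":
    parsed = parse_win32kdiag(SAMPLE_LOG)
    print("junctions with non-\\??\\ targets:", len(foreign_junctions(parsed)))
    print("size-mismatched system files:", size_mismatched_system_files(parsed))
    print("dropped together:", drop_clusters(parsed))
```

On the constructed sample the junction check flags both mount points, the size check flags only eventlog.dll (dumprep.exe matches its service-pack copy and is left alone), and the two UAC* files fall into one cluster because they share a creation second. Run the script against a real Win32kDiag.txt by replacing SAMPLE_LOG with the file's contents; the empty "()" company field on a locked file only means the tool could not read its version info, which is why the size comparison, not the missing vendor, drives the tamper check.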

#4 Farbar

  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:07 PM

Posted 15 September 2009 - 03:00 AM

I'm shuttling between computers with a usb stick, praying that I don't vector myself.

I couldn't quite understand why you do that. I read all your posts, still don't get it.
Please make sure you are connected to the internet when running Combo-Fix, as it needs an internet connection to download the Recovery Console.

This time we want to run ComboFix. This is a major step. Please be precise: make sure you rename it and save it on your desktop, and let it download and install the Recovery Console. But first do step 1.
  • We need to run the tool with the following command to fix some malware related changes.

    Click on Start->Run, and copy-paste the following command (the bold text) into the "Open" box, and click OK:

    "C:\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  • Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)

    Double click on Combo-Fix.exe & follow the prompts. If ComboFix needs to reboot, please allow it. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.
Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.


Edited by farbar, 15 September 2009 - 03:02 AM.


#5 thirdtime
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 15 September 2009 - 02:09 PM

I unplug the net and use safe mode in the vain hope that I can limit the damage. As it turns out, with a rootkit, safe mode isn't helping much. Even so, if I keep it off the net, don't I prevent further damage, such as it updating itself? Or sending data out?

I had to move win32kdiag to C:\ to use the command, it was on the desktop. I couldn't get it to use the path to the desktop, prob should have tried quotes.

Do I need to reboot before I run combofix? Will it screw things up if I do (to enable the network?).

Running from: c:\Win32kDiag.exe

Log file at : C:\Documents and Settings\add\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB908531\KB908531

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB908531\KB908531

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB919007\KB919007

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB919007\KB919007

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB920685\KB920685

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920685\KB920685

Found mount point : C:\WINDOWS\$hf_mig$\KB920872\KB920872

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920872\KB920872

Found mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB922819\KB922819

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922819\KB922819

Found mount point : C:\WINDOWS\$hf_mig$\KB923414\KB923414

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB923414\KB923414

Found mount point : C:\WINDOWS\$hf_mig$\KB923980\KB923980

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB923980\KB923980

Found mount point : C:\WINDOWS\$hf_mig$\KB924191\KB924191

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924191\KB924191

Found mount point : C:\WINDOWS\$hf_mig$\KB924270\KB924270

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924270\KB924270

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB925486\KB925486

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925486\KB925486

Found mount point : C:\WINDOWS\$hf_mig$\KB926255\KB926255

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB926255\KB926255

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\05c415ef6d072eb49a51ae487bfc11a6\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\05c415ef6d072eb49a51ae487bfc11a6\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\154fcf8f21f4137d09271267cc1c5727\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\154fcf8f21f4137d09271267cc1c5727\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\187d2ab765f3595de795d17271e0496c\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\187d2ab765f3595de795d17271e0496c\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1c57749e6715414b7025f8d316d91db9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\1c57749e6715414b7025f8d316d91db9\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2a8c07aaf8ec0a2dbcb5ab11c4e40d88\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\2a8c07aaf8ec0a2dbcb5ab11c4e40d88\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\3112269c39ef5d624522fb876634b1d2\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\3112269c39ef5d624522fb876634b1d2\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b15b843ee2a6cbca76875f1244f36866\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b15b843ee2a6cbca76875f1244f36866\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cf66607446e145f5d8c8bf3f55214656\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cf66607446e145f5d8c8bf3f55214656\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dc632b620dc2d521266be7bce2a259fd\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dc632b620dc2d521266be7bce2a259fd\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e533f2b7494d7e198f7fd652beea5687\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e533f2b7494d7e198f7fd652beea5687\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e7683b17d4278f291be6f6084d0416e7\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e7683b17d4278f291be6f6084d0416e7\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fd021e0d3be9e9d32612eef4c870a5b4\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\fd021e0d3be9e9d32612eef4c870a5b4\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fde4a5af73d5aee9b5faba71cbff1d6c\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\fde4a5af73d5aee9b5faba71cbff1d6c\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1214440339-1060284298-1343024091-1003\S-1-5-21-1214440339-1060284298-1343024091-1003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1214440339-1060284298-1343024091-1003\S-1-5-21-1214440339-1060284298-1343024091-1003

Found mount point : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\XTPEE36Q\XTPEE36Q

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\XTPEE36Q\XTPEE36Q

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\CAZRVHC6\admin.brightcove.com\admin.brightcove.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\CAZRVHC6\admin.brightcove.com\admin.brightcove.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\CAZRVHC6\i2.current.com\i2.current.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\CAZRVHC6\i2.current.com\i2.current.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Cannot access: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini

Attempting to restore permissions of : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini

[1] 2009-06-17 18:44:57 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2001-08-23 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2004-02-24 05:46:42 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2004-02-24 05:48:36 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2004-02-24 05:46:43 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2006-01-20 11:20:25 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2006-01-20 11:20:26 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-01-20 19:56:35 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-01-20 19:56:35 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2009-09-08 06:15:49 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2006-01-20 19:56:35 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2006-01-20 19:56:10 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2006-01-20 11:20:25 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2006-01-20 19:57:38 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2006-01-20 19:57:38 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2006-01-20 19:57:38 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2006-01-20 19:57:38 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2006-01-20 19:57:38 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2001-08-23 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2001-08-23 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

[1] 2008-03-31 12:54:03 113 C:\WINDOWS\TEMP\History\History.IE5\desktop.ini ()



Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\drivers\UACorcnvppkos.sys

Attempting to restore permissions of : C:\WINDOWS\system32\drivers\UACorcnvppkos.sys

[1] 2009-09-08 06:15:53 50176 C:\WINDOWS\system32\drivers\UACorcnvppkos.sys ()



Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2002-08-29 04:40:52 49152 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 01:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 01:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64

Found mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA

Found mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Found mount point : C:\WINDOWS\system32\spool\prtprocs\w32x86\w32x86

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\prtprocs\w32x86\w32x86

Cannot access: C:\WINDOWS\system32\UACibeecbloti.dll

Attempting to restore permissions of : C:\WINDOWS\system32\UACibeecbloti.dll

[1] 2009-09-08 06:15:53 24064 C:\WINDOWS\system32\UACibeecbloti.dll ()



Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\TEMP\mca37.tmp\mca37.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\mca37.tmp\mca37.tmp

Found mount point : C:\WINDOWS\TEMP\mca38.tmp\mca38.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\mca38.tmp\mca38.tmp

Found mount point : C:\WINDOWS\TEMP\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00000\MCE00000

Found mount point : C:\WINDOWS\TEMP\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00001\MCE00001

Found mount point : C:\WINDOWS\TEMP\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00002\MCE00002

Found mount point : C:\WINDOWS\TEMP\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00003\MCE00003

Found mount point : C:\WINDOWS\TEMP\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00004\MCE00004

Found mount point : C:\WINDOWS\TEMP\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00005\MCE00005

Found mount point : C:\WINDOWS\TEMP\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00006\MCE00006

Found mount point : C:\WINDOWS\TEMP\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00007\MCE00007

Found mount point : C:\WINDOWS\TEMP\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00008\MCE00008

Found mount point : C:\WINDOWS\TEMP\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00009\MCE00009

Found mount point : C:\WINDOWS\TEMP\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0000a\MCE0000a

Found mount point : C:\WINDOWS\TEMP\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0000b\MCE0000b

Found mount point : C:\WINDOWS\TEMP\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0000c\MCE0000c

Found mount point : C:\WINDOWS\TEMP\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0000d\MCE0000d

Found mount point : C:\WINDOWS\TEMP\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0000e\MCE0000e

Found mount point : C:\WINDOWS\TEMP\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0000f\MCE0000f

Found mount point : C:\WINDOWS\TEMP\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00010\MCE00010

Found mount point : C:\WINDOWS\TEMP\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00011\MCE00011

Found mount point : C:\WINDOWS\TEMP\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00012\MCE00012

Found mount point : C:\WINDOWS\TEMP\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00013\MCE00013

Found mount point : C:\WINDOWS\TEMP\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00014\MCE00014

Found mount point : C:\WINDOWS\TEMP\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00015\MCE00015

Found mount point : C:\WINDOWS\TEMP\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00016\MCE00016

Found mount point : C:\WINDOWS\TEMP\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00017\MCE00017

Found mount point : C:\WINDOWS\TEMP\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00018\MCE00018

Found mount point : C:\WINDOWS\TEMP\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00019\MCE00019

Found mount point : C:\WINDOWS\TEMP\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0001a\MCE0001a

Found mount point : C:\WINDOWS\TEMP\MCE0001b\MCE0001b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0001b\MCE0001b

Found mount point : C:\WINDOWS\TEMP\MCE0001c\MCE0001c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0001c\MCE0001c

Found mount point : C:\WINDOWS\TEMP\MCE0001d\MCE0001d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0001d\MCE0001d

Found mount point : C:\WINDOWS\TEMP\MCE0001e\MCE0001e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0001e\MCE0001e

Found mount point : C:\WINDOWS\TEMP\MCE0001f\MCE0001f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0001f\MCE0001f

Found mount point : C:\WINDOWS\TEMP\MCE00020\MCE00020

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00020\MCE00020

Found mount point : C:\WINDOWS\TEMP\MCE00021\MCE00021

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00021\MCE00021

Found mount point : C:\WINDOWS\TEMP\MCE00022\MCE00022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00022\MCE00022

Found mount point : C:\WINDOWS\TEMP\MCE00023\MCE00023

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00023\MCE00023

Found mount point : C:\WINDOWS\TEMP\MCE00024\MCE00024

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00024\MCE00024

Found mount point : C:\WINDOWS\TEMP\MCE00025\MCE00025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00025\MCE00025

Found mount point : C:\WINDOWS\TEMP\MCE00026\MCE00026

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00026\MCE00026

Found mount point : C:\WINDOWS\TEMP\MCE00027\MCE00027

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00027\MCE00027

Found mount point : C:\WINDOWS\TEMP\MCE00028\MCE00028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00028\MCE00028

Found mount point : C:\WINDOWS\TEMP\MCE00029\MCE00029

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00029\MCE00029

Found mount point : C:\WINDOWS\TEMP\MCE0002a\MCE0002a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0002a\MCE0002a

Found mount point : C:\WINDOWS\TEMP\MCE0002b\MCE0002b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0002b\MCE0002b

Found mount point : C:\WINDOWS\TEMP\MCE0002c\MCE0002c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0002c\MCE0002c

Found mount point : C:\WINDOWS\TEMP\MCE0002d\MCE0002d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0002d\MCE0002d

Found mount point : C:\WINDOWS\TEMP\MCE0002e\MCE0002e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0002e\MCE0002e

Found mount point : C:\WINDOWS\TEMP\MCE0002f\MCE0002f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0002f\MCE0002f

Found mount point : C:\WINDOWS\TEMP\MCE00030\MCE00030

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00030\MCE00030

Found mount point : C:\WINDOWS\TEMP\MCE00031\MCE00031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00031\MCE00031

Found mount point : C:\WINDOWS\TEMP\MCE00032\MCE00032

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00032\MCE00032

Found mount point : C:\WINDOWS\TEMP\MCE00033\MCE00033

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00033\MCE00033

Found mount point : C:\WINDOWS\TEMP\MCE00034\MCE00034

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00034\MCE00034

Found mount point : C:\WINDOWS\TEMP\MCE00035\MCE00035

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00035\MCE00035

Found mount point : C:\WINDOWS\TEMP\MCE00036\MCE00036

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00036\MCE00036

Found mount point : C:\WINDOWS\TEMP\MCE00037\MCE00037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00037\MCE00037

Found mount point : C:\WINDOWS\TEMP\MCE00038\MCE00038

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00038\MCE00038

Found mount point : C:\WINDOWS\TEMP\MCE00039\MCE00039

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00039\MCE00039

Found mount point : C:\WINDOWS\TEMP\MCE0003a\MCE0003a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0003a\MCE0003a

Found mount point : C:\WINDOWS\TEMP\MCE0003b\MCE0003b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0003b\MCE0003b

Found mount point : C:\WINDOWS\TEMP\MCE0003c\MCE0003c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0003c\MCE0003c

Found mount point : C:\WINDOWS\TEMP\MCE0003d\MCE0003d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0003d\MCE0003d

Found mount point : C:\WINDOWS\TEMP\MCE0003e\MCE0003e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0003e\MCE0003e

Found mount point : C:\WINDOWS\TEMP\MCE0003f\MCE0003f

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0003f\MCE0003f

Found mount point : C:\WINDOWS\TEMP\MCE00040\MCE00040

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00040\MCE00040

Found mount point : C:\WINDOWS\TEMP\MCE00041\MCE00041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00041\MCE00041

Found mount point : C:\WINDOWS\TEMP\MCE00042\MCE00042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00042\MCE00042

Found mount point : C:\WINDOWS\TEMP\MCE00043\MCE00043

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00043\MCE00043

Found mount point : C:\WINDOWS\TEMP\MCE00044\MCE00044

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00044\MCE00044

Found mount point : C:\WINDOWS\TEMP\MCE00045\MCE00045

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00045\MCE00045

Found mount point : C:\WINDOWS\TEMP\MCE00046\MCE00046

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00046\MCE00046

Found mount point : C:\WINDOWS\TEMP\MCE00047\MCE00047

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE00047\MCE00047

Found mount point : C:\WINDOWS\TEMP\nsc5.tmp\nsc5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\nsc5.tmp\nsc5.tmp

Cannot access: C:\WINDOWS\TEMP\UACdf5e.tmp

Attempting to restore permissions of : C:\WINDOWS\TEMP\UACdf5e.tmp

[1] 2009-09-08 06:15:53 343040 C:\WINDOWS\TEMP\UACdf5e.tmp ()



Found mount point : C:\WINDOWS\TEMP\UPD3A.tmp\UPD3A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\UPD3A.tmp\UPD3A.tmp



Finished!
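
An added example (not part of this post or of Win32kDiag) that parses a log in the format above, groups the reparse points by destination and flags targets that are not ordinary \??\ paths; the sample log is a constructed excerpt with one ordinary junction added for contrast.

```python
"""Summarise a Win32kDiag log: reparse (mount) points and inaccessible files.

Added example for this thread; it is not Win32kDiag code and does not touch
the file system. The sample log is a constructed excerpt in the format of
the log posted above, with one ordinary junction added for contrast.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Running from: C:\Win32kDiag.exe

Log file at : C:\Documents and Settings\add\Desktop\Win32kDiag.txt

Removing all found mount points.

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\TEMP\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\MCE0001a\MCE0001a

Found mount point : C:\WINDOWS\TEMP\nsc5.tmp\nsc5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TEMP\nsc5.tmp\nsc5.tmp

Found mount point : C:\Data\Link\Link

Mount point destination : \??\C:\Data\Real

Cannot access: C:\WINDOWS\TEMP\UACdf5e.tmp

Attempting to restore permissions of : C:\WINDOWS\TEMP\UACdf5e.tmp

[1] 2009-09-08 06:15:53 343040 C:\WINDOWS\TEMP\UACdf5e.tmp ()

Finished!
"""

FOUND = re.compile(r"^Found mount point : (.+)$")
DEST = re.compile(r"^Mount point destination : (.+)$")
REMOVED = re.compile(r"^Removing mount point : (.+)$")
DENIED = re.compile(r"^Cannot access: (.+)$")


def parse_win32kdiag(text):
    """Return (mount_points, inaccessible_paths) read from a Win32kDiag log.

    Each mount point is a dict with the junction path, its destination and
    whether the log records the tool removing it."""
    mounts, denied, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FOUND.match(line)
        if m:
            current = {"path": m.group(1), "destination": None, "removed": False}
            mounts.append(current)
            continue
        m = DEST.match(line)
        if m and current is not None:
            current["destination"] = m.group(1)
            continue
        m = REMOVED.match(line)
        if m and current is not None and current["path"] == m.group(1):
            current["removed"] = True
            continue
        m = DENIED.match(line)
        if m:
            denied.append(m.group(1))
    return mounts, denied


def is_suspicious_destination(dest):
    # A junction made by normal tooling points at an NT path under \??\
    # (a drive path or a \??\Volume{...} mount). A target such as the
    # \Device\__max++>\^ seen in the log above is no such path and cannot
    # resolve to a real directory.
    return dest is None or not dest.startswith("\\??\\")


def summarise(mounts, denied):
    """Group the mount points by destination and single out the odd ones."""
    by_dest = defaultdict(list)
    for m in mounts:
        by_dest[m["destination"]].append(m["path"])
    return {
        "total": len(mounts),
        "by_destination": dict(by_dest),
        "suspicious": [m["path"] for m in mounts
                       if is_suspicious_destination(m["destination"])],
        "not_removed": [m["path"] for m in mounts if not m["removed"]],
        "inaccessible": denied,
    }


if __name__ == "__main__":
    report = summarise(*parse_win32kdiag(SAMPLE_LOG))
    for dest, paths in report["by_destination"].items():
        print("%d junction(s) -> %s" % (len(paths), dest))
    print("suspicious:", report["suspicious"])
    print("not removed:", report["not_removed"])
    print("inaccessible:", report["inaccessible"])
```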

#6 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 15 September 2009 - 03:23 PM

I unplug the net and use safe mode in the vain hope that I can limit the damage. As it turns out, with a root kit, safe mode isn't helping much. Even so, if I keep it off the net, don't I prevent further damage, such as it updating itself ? Or sending data out ?

This rootkit comes with rogue software that forces users to pay for nothing. We need an internet connection to run ComboFix and later on other tools.
You may limit the internet connection to disinfection. We will remove this from your computer. Running ComboFix is now the key to it.

I had to move win32kdiag to C:\ to use the command, it was on the desktop. I couldn't get it to use the path to the desktop, prob should have tried quotes.

If you had followed the instruction given in my previous post on saving win32kdiag on the C drive, it would already have been there. :(

Do I need to reboot before I run combofix ? Will it screw things up if I do ( to enable the network ? ).

Why do you need to reboot before running ComboFix? You certainly need to let ComboFix reboot after running it. You should let it reboot to normal mode.

#7 thirdtime (Topic Starter, Members, 11 posts)

Posted 16 September 2009 - 12:26 AM

ok ... still getting corrupt file messages - most are in the logs.
One message looked interesting, from CF10018.exe, corrupt file, windows\temp\UACdf5e.tmp

logs ...
ComboFix 09-09-14.02 - add 09/16/2009 22:56.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1125 [GMT -7:00]
Running from: c:\documents and settings\add\Desktop\dillybob.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\RcvSystem
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\bennuar.old
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\desote.exe
c:\windows\system32\drivers\geyekrwrublxsm.sys
c:\windows\system32\geyekrbibdviww.dll
c:\windows\system32\geyekrmebcxovm.dll
c:\windows\system32\geyekrpfuyrjlq.dat
c:\windows\system32\geyekrxibniexm.dat
c:\windows\system32\onhelp.htm
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\drivers\UACorcnvppkos.sys . . . . failed to delete
c:\windows\system32\UACibeecbloti.dll . . . . failed to delete

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrexnospws
-------\Legacy_geyekrexnospws
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_AntipPro2009_100


((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-16 19:55 . 2009-09-15 00:08 47616 ----a-w- C:\Win32kDiag.exe
2009-09-13 20:53 . 2009-09-12 19:44 71680 ----a-w- C:\mbr.exe
2009-09-08 13:15 . 2009-09-08 13:15 50176 ----a-w- c:\windows\system32\drivers\UACorcnvppkos.sys
2009-09-08 13:15 . 2009-09-08 13:15 24064 ----a-w- c:\windows\system32\UACibeecbloti.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 05:28 . 2008-03-29 22:51 -------- d-----w- c:\program files\McAfee
2009-08-05 03:18 . 2009-08-05 02:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 02:33 . 2006-12-29 20:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 02:32 . 2006-12-29 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 02:03 . 2009-08-05 02:03 -------- d-----w- c:\documents and settings\add\Application Data\Malwarebytes
2009-08-05 02:03 . 2009-08-05 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 20:36 . 2009-08-05 02:03 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-08-05 02:03 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-06-30 06:06 . 2006-04-01 23:30 88 --sh--r- c:\windows\system32\1F1CAC62FD.sys
2007-07-24 05:35 . 2007-07-24 05:35 8 --sh--r- c:\windows\system32\5A1A6C07D3.sys
2008-01-07 10:13 . 2006-04-01 23:30 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG311T Smart Wizard.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2006-9-15 1503232]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ptx83.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59550:TCP"= 59550:TCP:*:Disabled:PORT_59550
"19327:TCP"= 19327:TCP:*:Disabled:PORT_19327
"24267:TCP"= 24267:TCP:*:Disabled:PORT_24267
"50539:TCP"= 50539:TCP:*:Disabled:PORT_50539
"41522:TCP"= 41522:TCP:*:Disabled:PORT_41522
"7779:TCP"= 7779:TCP:*:Disabled:PORT_7779
"48853:TCP"= 48853:TCP:*:Disabled:PORT_48853

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/13/2007 12:36 AM 24652]
S0 Ptx83;Ptx83;c:\windows\system32\Drivers\Ptx83.sys --> c:\windows\system32\Drivers\Ptx83.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-29 20:32]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-29 20:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\add\Application Data\Mozilla\Firefox\Profiles\n4y5hh1m.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.myspace.com
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys
AddRemove-Win Antivirus Pro - c:\program files\Windows Antivirus Pro\AntiSpyware_Uninstall.exe
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 23:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4028)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-09-17 23:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-17 06:12
ComboFix2.txt 2008-03-29 19:51

Pre-Run: 64,343,482,368 bytes free
Post-Run: 64,542,146,560 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

194

ran win32kdiag after combofix finished:
Running from: C:\Win32kDiag.exe

Log file at : C:\Documents and Settings\add\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini

[1] 2009-06-17 18:44:57 227 C:\WINDOWS\assembly\Desktop.ini ()

[1] 2001-08-23 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2004-02-24 05:46:42 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2004-02-24 05:48:36 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2004-02-24 05:46:43 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2006-01-20 11:20:25 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2006-01-20 11:20:26 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2006-01-20 19:56:35 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2006-01-20 19:56:35 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2009-09-08 06:15:49 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2006-01-20 19:56:35 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2006-01-20 19:56:10 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2006-01-20 11:20:25 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2006-01-20 19:57:38 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2006-01-20 19:57:38 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2006-01-20 19:57:38 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2006-01-20 19:57:38 206 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2006-01-20 19:57:38 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2001-08-23 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2001-08-23 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()



Cannot access: C:\WINDOWS\system32\drivers\UACorcnvppkos.sys

[1] 2009-09-08 06:15:53 50176 C:\WINDOWS\system32\drivers\UACorcnvppkos.sys ()



Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2002-08-29 04:41:22 9216 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2004-08-04 01:56:50 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2004-08-04 01:56:50 10752 C:\WINDOWS\system32\dumprep.exe ()



Cannot access: C:\WINDOWS\system32\UACibeecbloti.dll

[1] 2009-09-08 06:15:53 24064 C:\WINDOWS\system32\UACibeecbloti.dll ()



Cannot access: C:\WINDOWS\TEMP\UACdf5e.tmp

[1] 2009-09-08 06:15:53 343040 C:\WINDOWS\TEMP\UACdf5e.tmp ()





Finished!

#8 Farbar (Security Developer, 21,688 posts, The Netherlands)

Posted 16 September 2009 - 12:58 AM

Well done. :(

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow sharing files between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they are thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Optional: Viewpoint Manager is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if you are using it:

    Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    If you uninstalled it, also remove the folder in bold: C:\Program Files\Viewpoint

  • Open notepad and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/257446/mbr-rootkit-antivirus-pro-police-pro/
    
    Collect::
    c:\windows\system32\drivers\UACorcnvppkos.sys
    c:\windows\system32\UACibeecbloti.dll
    C:\WINDOWS\TEMP\UACdf5e.tmp
    File::
    c:\windows\system32\5A1A6C07D3.sys
    c:\windows\system32\1F1CAC62FD.sys
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
    00,00
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ptx83.sys]

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Please copy and paste that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Click on Start->Run, and copy-paste the following command (the bold text) into the "Open" box, and click OK:

"C:\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
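
The Registry:: section of the script above rewrites BootExecute as a REGEDIT4 hex(7) (REG_MULTI_SZ) value. As an added example, not part of this thread or of ComboFix, the following Python decodes that value, compares it with the default entry, and splits the value the first ComboFix log rendered ("autocheck autochk /p \??\C:\0autocheck autochk *") to show which entry the script replaces; it reads text only and touches no registry.

```python
"""Decode and check a REGEDIT4 BootExecute value (REG_MULTI_SZ as hex(7)).

Added example for this thread; it is not ComboFix code and touches no
registry. It parses the Registry:: fragment from the CFScript above and
compares the entries with the Windows XP default, then splits the value
ComboFix logged before the fix to show which entry was being replaced.
"""
import re

# The Registry:: fragment exactly as it appears in the script above.
# REGEDIT4 files use single-byte (ANSI) strings and continue long values
# on the next line after a trailing backslash.
CFSCRIPT_REGISTRY = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
00,00
"""

# How the first ComboFix log above rendered the value before the script ran:
# the REG_MULTI_SZ entries joined with a literal "\0".
COMBOFIX_LOGGED = r"autocheck autochk /p \??\C:\0autocheck autochk *"

# The only entry a default XP BootExecute carries (what the script restores).
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]


def join_continuations(text):
    """Join .reg lines that end in a backslash with the line that follows."""
    out, pending = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            pending += line.rstrip()[:-1]
            continue
        out.append(pending + line)
        pending = ""
    if pending:
        out.append(pending)
    return "\n".join(out)


def parse_hex7(value):
    """Turn 'hex(7):61,75,...' into the list of strings of a REG_MULTI_SZ."""
    m = re.match(r"hex\(7\):(.*)$", value.strip())
    if not m:
        raise ValueError("not a hex(7) value: %r" % value)
    octets = [o for o in m.group(1).replace(" ", "").split(",") if o]
    data = bytes(int(o, 16) for o in octets)
    # Entries are NUL-terminated; the list ends with one more NUL.
    return [part.decode("latin-1") for part in data.split(b"\x00") if part]


def encode_hex7(entries):
    """Inverse of parse_hex7: the hex(7) text for a list of ANSI strings."""
    data = b"".join(e.encode("latin-1") + b"\x00" for e in entries) + b"\x00"
    return "hex(7):" + ",".join("%02x" % b for b in data)


def bootexecute_from_script(reg_text):
    """Return the BootExecute entries defined in a REGEDIT4 fragment."""
    for line in join_continuations(reg_text).splitlines():
        m = re.match(r'^"BootExecute"=(.*)$', line.strip())
        if m:
            return parse_hex7(m.group(1))
    raise ValueError("no BootExecute value in fragment")


def split_logged_multisz(logged):
    """Split a ComboFix-rendered REG_MULTI_SZ (entries separated by a literal \\0)."""
    return logged.split("\\0")


def extra_bootexecute_entries(entries):
    """Entries beyond the default. Each one runs as a native program at boot,
    before any logon, so anything unexpected here deserves a close look."""
    return [e for e in entries if e not in DEFAULT_BOOTEXECUTE]


if __name__ == "__main__":
    fixed = bootexecute_from_script(CFSCRIPT_REGISTRY)
    print("script sets BootExecute to:", fixed)
    print("round trip:", encode_hex7(fixed))
    before = split_logged_multisz(COMBOFIX_LOGGED)
    print("logged before the fix:", before)
    print("entries the script drops:", extra_bootexecute_entries(before))
```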


#9 thirdtime (Topic Starter, Members, 11 posts)

Posted 16 September 2009 - 03:35 PM

deleted all viewpoint.
Yes my teenage daughter is downloading everything she can anyway she can and knows nothing about computers.
I've warned/asked/begged/pleaded for her to stop, cease and desist, but being her father, I am an idiot to be ignored.
Her music sucks too.

Anyway ...
ComboFix 09-09-14.02 - add 09/17/2009 14:12.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1168 [GMT -7:00]
Running from: c:\documents and settings\add\Desktop\dillybob.exe
Command switches used :: c:\documents and settings\add\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\1F1CAC62FD.sys"
"c:\windows\system32\5A1A6C07D3.sys"
"c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\1F1CAC62FD.sys
c:\windows\system32\5A1A6C07D3.sys
c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-08-17 to 2009-09-17 )))))))))))))))))))))))))))))))
.

2009-09-17 21:03 . 2009-09-17 21:03 -------- d-----w- c:\windows\LastGood
2009-09-17 20:53 . 2009-09-17 20:53 -------- d-----w- C:\found.000
2009-09-16 19:55 . 2009-09-15 00:08 47616 ----a-w- C:\Win32kDiag.exe
2009-09-13 20:53 . 2009-09-12 19:44 71680 ----a-w- C:\mbr.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-17 21:04 . 2006-05-20 07:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-17 21:03 . 2008-03-29 22:51 -------- d-----w- c:\program files\McAfee
2009-08-05 03:18 . 2009-08-05 02:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 02:33 . 2006-12-29 20:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 02:32 . 2006-12-29 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-05 02:03 . 2009-08-05 02:03 -------- d-----w- c:\documents and settings\add\Application Data\Malwarebytes
2009-08-05 02:03 . 2009-08-05 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-03 20:36 . 2009-08-05 02:03 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-08-05 02:03 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2008-01-07 10:13 . 2006-04-01 23:30 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-17_06.10.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-01-21 03:01 . 2009-09-17 21:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-01-21 03:01 . 2009-09-17 05:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-17 21:02 . 2009-09-17 21:03 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG311T Smart Wizard.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2006-9-15 1503232]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59550:TCP"= 59550:TCP:*:Disabled:PORT_59550
"19327:TCP"= 19327:TCP:*:Disabled:PORT_19327
"24267:TCP"= 24267:TCP:*:Disabled:PORT_24267
"50539:TCP"= 50539:TCP:*:Disabled:PORT_50539
"41522:TCP"= 41522:TCP:*:Disabled:PORT_41522
"7779:TCP"= 7779:TCP:*:Disabled:PORT_7779
"48853:TCP"= 48853:TCP:*:Disabled:PORT_48853

S0 Ptx83;Ptx83;c:\windows\system32\Drivers\Ptx83.sys --> c:\windows\system32\Drivers\Ptx83.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-29 20:32]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-03-29 20:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\add\Application Data\Mozilla\Firefox\Profiles\n4y5hh1m.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.myspace.com
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 14:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-17 14:18
ComboFix-quarantined-files.txt 2009-09-17 21:17
ComboFix2.txt 2009-09-17 06:13
ComboFix3.txt 2008-03-29 19:51

Pre-Run: 64,577,191,936 bytes free
Post-Run: 64,569,847,808 bytes free

145

==============================

Running from: C:\win32kdiag.exe

Log file at : C:\Documents and Settings\add\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe



Finished!

=======================

Running from: C:\Documents and Settings\add\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\add\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


Looks like it's clean? Any fileshare programs I should target for deletion?
Thx for your help btw, I appreciate it. Next time you are in Oregon I'll buy you a beer.

#10 Farbar

Posted 16 September 2009 - 04:26 PM

Looks like it's clean? Any fileshare programs I should target for deletion?

You may uninstall them all.

Thx for your help btw, I appreciate it. Next time you are in Oregon I'll buy you a beer.

We are almost there.

We repaired chkdsk too and you should be able to run it. But wait on it.

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens and starts scanning the system. Wait until a log file opens. Copy and paste or attach the content of it.


#11 thirdtime

Posted 16 September 2009 - 07:17 PM

It may be hung, not sure. I'll leave it for now.
Here is what it has spit out so far:


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...

..
Failed to open \\?\c:\\Documents and Settings\add\Desktop\RootRepeal.exe: Access is denied.



Failed to open \\?\c:\\Documents and Settings\add\Desktop\better\HijackThis.exe: Access is denied.


.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...


Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.


...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\Program Files\McAfee\VirusScan\mcods.exe: Access is denied.


.

...


Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.


.
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.


..

...

...

...

...

...

...

...

...

.No reparse points found.

As noted in the log, I can't run any of the tools - Spybot, Malwarebytes, etc. McAfee is not updating successfully.

#12 Farbar

Posted 17 September 2009 - 01:12 AM

You should be able to run those programs after step 1.
  • We need to reset the permissions altered by the malware on some files.
    • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
    • Go to Start => Run => Copy and paste the first of the following lines into the run box and click OK:

      "%userprofile%\desktop\inherit" "c:\Documents and Settings\add\Desktop\RootRepeal.exe"
      "%userprofile%\desktop\inherit" "c:\Documents and Settings\add\Desktop\better\HijackThis.exe"
      "%userprofile%\desktop\inherit" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
      "%userprofile%\desktop\inherit" "c:\Program Files\McAfee\VirusScan\mcods.exe"
      "%userprofile%\desktop\inherit" "c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

    • If you get a security warning select Run.
    • You will get a "Finish" popup. Click OK.
    • Do the same for the rest of the lines until you have run all the above commands one by one.
  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
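
The permission-reset step above, as an added example that is not part of Farbar's post and is not the Inherit tool it links: a PowerShell script that reports which of the listed executables have NTFS inheritance switched off or carry explicit Deny entries (the usual cause of the "Access is denied" lines in the Junction log), and then clears them with icacls. icacls ships with Vista and later; on the XP system in this thread the linked Inherit tool does the same job. Run it from an elevated prompt. The file list is the one from the log and is the only thing you should need to change.

```powershell
# Added example, not from the thread and not the Inherit tool used in the post.
# Detect the ACL tampering behind the "Access is denied" lines in the Junction log
# (explicit Deny entries and/or inheritance switched off on the security tools'
# executables) and repair it by re-enabling inheritance with icacls, which has the
# same effect as the post's "inherit" step. Run from an elevated PowerShell prompt.
# The file list is the one from the log above; change it for the machine at hand.

$targets = @(
    "$env:USERPROFILE\Desktop\RootRepeal.exe",
    "$env:USERPROFILE\Desktop\better\HijackThis.exe",
    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe",
    "C:\Program Files\McAfee\VirusScan\mcods.exe",
    "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
)

function Get-AclTamperReport {
    param([string]$Path)
    # Reading the ACL needs only READ_CONTROL, so this works even when the file
    # itself cannot be opened or executed.
    $acl = Get-Acl -LiteralPath $Path
    $denies = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Deny'
    })
    [pscustomobject]@{
        Path                = $Path
        Owner               = $acl.Owner
        InheritanceDisabled = $acl.AreAccessRulesProtected
        ExplicitDeny        = @($denies | ForEach-Object {
            '{0} -> {1}' -f $_.IdentityReference, $_.FileSystemRights
        })
        DenySids            = @($denies | ForEach-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } | Select-Object -Unique)
    }
}

function Repair-FileAcl {
    param([pscustomobject]$Report)
    # Remove every explicit Deny entry by SID ("*S-1-..." is icacls' SID syntax),
    # then turn inheritance back on so the parent folder's permissions apply again.
    foreach ($sid in $Report.DenySids) {
        & icacls.exe $Report.Path /remove:d "*$sid" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /remove:d failed for $($Report.Path)" }
    }
    & icacls.exe $Report.Path /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /inheritance:e failed for $($Report.Path)" }
}

foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t)) { Write-Warning "not found: $t"; continue }
    $report = Get-AclTamperReport -Path $t
    $report | Format-List Path, Owner, InheritanceDisabled, ExplicitDeny
    if ($report.InheritanceDisabled -or $report.ExplicitDeny.Count -gt 0) {
        Repair-FileAcl -Report $report
        Write-Host "repaired: $t"
    } else {
        Write-Host "untouched ACL: $t"
    }
}
```

Look at the report before trusting the repair: an owner that is not Administrators, SYSTEM or TrustedInstaller on a program binary is itself a finding, and if the owner has been changed you may need `takeown` before icacls will modify the entry. Re-enabling inheritance only helps when the parent folder's ACL is still sane, so check that too if the tools still fail to start afterwards.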


#13 thirdtime

Posted 17 September 2009 - 02:32 PM

Malwarebytes' Anti-Malware 1.41
Database version: 2817
Windows 5.1.2600 Service Pack 2

9/17/2009 12:31:25 PM
mbam-log-2009-09-17 (12-31-25).txt

Scan type: Quick Scan
Objects scanned: 97164
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 Farbar

Posted 17 September 2009 - 03:07 PM

The computer should be running much smoother now.

Now we are going to check the MBR rootkit you mentioned in your first post.

Please download mbr.exe from the following link and save it to your desktop: http://www2.gmer.net/mbr/mbr.exe
  • Double click mbr.exe to run it. You will see a very brief flash of a "DOS" box that then disappears. This is normal.
  • The tool creates a log (mbr.log) on your desktop. Copy and paste the content of that log to your reply.
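
As an added example, not from the thread and not Gmer's mbr.exe: a PowerShell script that reads the first sector of the first disk from user mode, checks the partition table and boot signature for the obvious faults, and compares a hash of the boot code with a copy saved earlier. It assumes Windows PowerShell 5.1 run as administrator; the baseline file name is my choice.

```powershell
# Added example (not from the thread, not part of Gmer's mbr.exe): read the first
# sector of PhysicalDrive0 from user mode, sanity-check its layout, and compare the
# boot code with a previously saved copy. Needs an elevated Windows PowerShell 5.1
# prompt. The baseline path below is an assumption, not something from the thread.

$BaselinePath = "$env:USERPROFILE\Desktop\mbr-baseline.bin"   # assumed name

function Read-Mbr {
    param([string]$Device = '\\.\PhysicalDrive0')
    # FileShare ReadWrite is needed because the volume stack already has the disk open.
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf  = New-Object byte[] 512
        $read = $fs.Read($buf, 0, 512)
        if ($read -ne 512) { throw "short read: $read bytes" }
        return $buf
    } finally { $fs.Dispose() }
}

function Test-MbrLayout {
    param([byte[]]$Mbr)
    $findings = @()
    # Classic MBR: 446 bytes of boot code, four 16-byte partition entries, then 55 AA.
    if ($Mbr[510] -ne 0x55 -or $Mbr[511] -ne 0xAA) { $findings += 'missing 0x55AA boot signature' }
    $active = 0
    for ($i = 0; $i -lt 4; $i++) {
        $e      = 446 + 16 * $i
        $status = $Mbr[$e]          # 0x80 = bootable, 0x00 = inactive, anything else is suspect
        $type   = $Mbr[$e + 4]      # partition type byte, 0x00 = unused entry
        $lba    = [BitConverter]::ToUInt32($Mbr, $e + 8)
        $count  = [BitConverter]::ToUInt32($Mbr, $e + 12)
        if ($status -eq 0x80) { $active++ }
        elseif ($status -ne 0x00) { $findings += "entry $i has invalid status byte 0x{0:X2}" -f $status }
        if ($type -ne 0 -and $count -eq 0) { $findings += "entry $i (type 0x{0:X2}) has zero length" -f $type }
        if ($type -eq 0 -and ($lba -ne 0 -or $count -ne 0)) { $findings += "entry $i is type 0x00 but not blank" }
    }
    if ($active -gt 1) { $findings += "$active partitions marked active" }
    return $findings
}

function Get-BootCodeHash {
    param([byte[]]$Mbr)
    # Hash only the boot code: the partition entries change legitimately when you
    # repartition, the 446 code bytes should not change at all on a running system.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    ($sha.ComputeHash($Mbr, 0, 446) | ForEach-Object { $_.ToString('x2') }) -join ''
}

$mbr      = Read-Mbr
$findings = Test-MbrLayout -Mbr $mbr
$hash     = Get-BootCodeHash -Mbr $mbr
Write-Host "boot code SHA-256: $hash"
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'partition table layout looks sane' }

if (Test-Path -LiteralPath $BaselinePath) {
    $base = [System.IO.File]::ReadAllBytes($BaselinePath)
    if ((Get-BootCodeHash -Mbr $base) -ne $hash) { Write-Warning 'boot code differs from the saved baseline' }
    else { Write-Host 'boot code matches the saved baseline' }
} else {
    [System.IO.File]::WriteAllBytes($BaselinePath, $mbr)
    Write-Host "no baseline yet; saved the current sector to $BaselinePath"
}
```

This only sees what user mode is allowed to see. A bootkit of the Mebroot/Sinowal family hooks the disk stack and hands the original sector back to anyone reading \\.\PhysicalDrive0, so a clean result here is necessary but not sufficient. That is the point of mbr.exe reading the sector both from user mode and through its own driver and reporting on both; a log ending in "user & kernel MBR OK" means the two reads agree. Keep the baseline copy somewhere other than the suspect machine, and treat a changed boot-code hash that you cannot explain by your own repartitioning as a reason to run mbr.exe, not as a verdict.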


#15 thirdtime

Posted 17 September 2009 - 08:14 PM

Looks much better. Malwarebytes, Spybot, McAfee all happy.
Also installed SP3.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK



