
Request for Assistance - Rootkit/AntiSpyProtector/


  • This topic is locked
34 replies to this topic

#1 barkingcrab


Posted 17 September 2009 - 09:07 PM

Boopme advised me to post the following log to this forum. I believe I have a rootkit, and this is the first attempt to determine the cause that's worked...

The background/history...

---------------------------------------------
I'd like to respectfully ask for some help with a problem that I believe is AntiSpy Protector 2009 and a rootkit. Windows XP is the OS. I get the symptoms described in this thread:

http://www.bleepingcomputer.com/forums/t/249117/antispy-protector-2009-rootkit-big-trouble/

I'm also seeing a balloon message in the taskbar "Click here to protect your computer from Spyware" and I get a message on the screen with a dialog box called "Advanced Virus Remover".

Additionally, I can't run mbam, hijack this, or any other malware removal tools, even in safe mode. I've tried renaming these files to see if I can trick them into executing, and all I get is a message that indicates "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access this item"

The most recent behavior is a message on startup "Error Loading pihuwali.dll"

I was able to run Trend Micro from safe mode (after multiple attempts), and saw multiple messages about "Skynet" which the AV seemed to indicate was removed, but there's still obviously things wrong with the computer. The AntiSpy messages still come up.

I'm embarrassed to have to ask, but I'm over my head here, and this device is just not functional. I've "inherited" this device and was asked to get it working, but I'm out of my league at this point...
---------------------------------------------


The log that Boopme asked me to post...

Running from: C:\Documents and Settings\hughesc\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\hughesc\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB890047\KB890047

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ADDINS\ADDINS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\INF\IEM\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\01cd5ce76aab2e96c5bc0130d8dde39a\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\398f0c45cd46f045925de8cfce3ac8c4\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\7460f39e630456f3a3b7075ade7a3d72\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\94076d2dfaa176bbb2083a92af29814c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e255a894a26bb0cc45b21ddb5c1c5e28\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e85f60fa51e40d03873c40d08cf4725c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\97E9B04DCFB56E9C\97E9B04DCFB56E9C

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Adobe\Flash Player\AssetCache\D9DDNQCH\D9DDNQCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\3WG87ZDZ\bin.clearspring.com\bin.clearspring.com

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\3WG87ZDZ\video.flashtalking.com\video.flashtalking.com

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\#bin.clearspring.com

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#crackle.com\#crackle.com

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.flashtalking.com\#video.flashtalking.com

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Pictures\Dell Image Expert Images\Dell Image Expert Images

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[1] 2002-08-29 07:00:00 49152 C:\i386\EVENTLOG.DLL (Microsoft Corporation)



Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\INETSRV\INETSRV

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\log\log

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\DswMedia\DswMedia

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\Xtras\download\TheGrooveAlliance\3DGrooveXtrav18\3DGrooveXtrav18

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\WMFA\WMFA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\~offfilt\~offfilt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TWAIN_32\marscam\marscam

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WBEM\WBEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!




Thanks in advance for your assistance!
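Added example (my own script, not part of this thread and not part of Win32kDiag): a Python parser for the log format posted above. It pulls out every mount point and its destination, records which ones a later "-f -r" run reports as "Removing mount point", and compares the inaccessible eventlog.dll with the backup copies the tool lists beside it. The sample log is constructed from the two logs in this thread, and the rule that a legitimate mount-point target starts with "\??\" is an assumed heuristic, not something Win32kDiag states.

```python
"""Triage helper for Win32kDiag logs (added example, not the thread's or the
tool's own code). Parses "Found mount point / Mount point destination /
Removing mount point" lines and "Cannot access:" blocks, then flags mount
points with an abnormal target and system files whose live copy disagrees
with the backup copies listed beside it."""
import re

# Constructed sample, abbreviated from the two logs posted in this thread.
SAMPLE_LOG = r"""Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\ADDINS\ADDINS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ADDINS\ADDINS

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll
[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\SYSTEM32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)
[1] 2002-08-29 07:00:00 49152 C:\i386\EVENTLOG.DLL (Microsoft Corporation)

Finished!
"""

# "[bucket] date time size path (company)" lines under a "Cannot access:" header
COPY_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_win32kdiag(text):
    """Return {'mount_points': [...], 'inaccessible': [...]} from log text."""
    mounts, inaccessible, block = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the posted logs are double-spaced; blanks carry nothing
        if line.startswith("Cannot access: "):
            block = {"path": line[len("Cannot access: "):], "copies": []}
            inaccessible.append(block)
            continue
        m = COPY_RE.match(line)
        if m and block is not None:
            block["copies"].append({"bucket": int(m.group(1)), "timestamp": m.group(2),
                                    "size": int(m.group(3)), "path": m.group(4),
                                    "company": m.group(5)})
            continue
        block = None  # any other line ends a "Cannot access" block
        if line.startswith("Found mount point : "):
            mounts.append({"path": line[len("Found mount point : "):],
                           "destination": "", "removed": False})
        elif line.startswith("Mount point destination : ") and mounts:
            mounts[-1]["destination"] = line[len("Mount point destination : "):]
        elif line.startswith("Removing mount point : ") and mounts:
            mounts[-1]["removed"] = True  # only appears in the "-f -r" run
    return {"mount_points": mounts, "inaccessible": inaccessible}


def suspicious_mount_points(report):
    """Assumed heuristic (not a Win32kDiag rule): a legitimate junction or
    volume mount point resolves to a \\??\\-prefixed path; anything else, such
    as the \\Device\\__max++>\\^ target above, is flagged. The X\\X self-named
    directory pattern seen throughout the log is reported as a second signal."""
    flagged = []
    for mp in report["mount_points"]:
        parts = mp["path"].rstrip("\\").split("\\")
        self_named = len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()
        if self_named or not mp["destination"].startswith("\\??\\"):
            flagged.append(dict(mp, self_named=self_named))
    return flagged


def inconsistent_copies(report):
    """Compare each inaccessible file's live copy with the same-named copies the
    tool listed (service-pack backups, i386). Flag an empty company string or a
    size that differs from a backup carrying the same timestamp."""
    findings = []
    for entry in report["inaccessible"]:
        same = [c for c in entry["copies"] if basename(c["path"]) == basename(entry["path"])]
        live = next((c for c in same if c["path"].lower() == entry["path"].lower()), None)
        if live is None:
            continue
        reasons = [] if live["company"] else ["no company/version string on live copy"]
        for other in same:
            if other is not live and other["timestamp"] == live["timestamp"] \
                    and other["size"] != live["size"]:
                reasons.append(f"size {live['size']} differs from {other['path']} ({other['size']})")
        if reasons:
            findings.append({"path": entry["path"], "reasons": reasons,
                             "known_good": [c["path"] for c in same if c is not live and c["company"]]})
    return findings


if __name__ == "__main__":
    rep = parse_win32kdiag(SAMPLE_LOG)
    for mp in suspicious_mount_points(rep):
        print("mount point:", mp["path"], "->", mp["destination"], "(removed)" if mp["removed"] else "")
    for f in inconsistent_copies(rep):
        print("inaccessible:", f["path"], "|", "; ".join(f["reasons"]))
```

Run it against a saved Win32kDiag.txt by replacing SAMPLE_LOG with the file's contents; the "known_good" list in each finding is the set of backup copies that still carry a company string.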



#2 SifuMike


Posted 19 September 2009 - 10:05 PM

Hello barkingcrab,

Yes, you have a very nasty rootkit on this computer. :(

Please save this file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text)

"%userprofile%\desktop\win32kdiag.exe" -f -r

into the "Open" box, and click OK.
When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents here.

#3 barkingcrab


Posted 20 September 2009 - 01:59 PM

Hello SifuMike:

Thanks for your assistance.

Some new and exciting behavior from the PC in question. Upon "normal" startup, I get the message "The System is shutting down...System process c:\windows\system32\services.exe terminated unexpectedly with a status code of -107374182" and then a timer for 60 seconds. The machine shuts down, tries to reboot, and stays in this loop.

I had to boot in safe mode to get this log. Please advise what I might do next



---------------------------------------------

Running from: Win32kDiag.exe

Log file at : C:\Documents and Settings\hughesc\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB890047\KB890047

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB890047\KB890047

Found mount point : C:\WINDOWS\ADDINS\ADDINS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ADDINS\ADDINS

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\SHARED\RES\RES

Found mount point : C:\WINDOWS\INF\IEM\0409\0409

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\INF\IEM\0409\0409

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MUI\MUI

Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\01cd5ce76aab2e96c5bc0130d8dde39a\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\01cd5ce76aab2e96c5bc0130d8dde39a\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\398f0c45cd46f045925de8cfce3ac8c4\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\398f0c45cd46f045925de8cfce3ac8c4\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\7460f39e630456f3a3b7075ade7a3d72\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\7460f39e630456f3a3b7075ade7a3d72\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\94076d2dfaa176bbb2083a92af29814c\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\94076d2dfaa176bbb2083a92af29814c\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e255a894a26bb0cc45b21ddb5c1c5e28\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e255a894a26bb0cc45b21ddb5c1c5e28\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e85f60fa51e40d03873c40d08cf4725c\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e85f60fa51e40d03873c40d08cf4725c\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SYSTEM32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1025\1025

Found mount point : C:\WINDOWS\SYSTEM32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1028\1028

Found mount point : C:\WINDOWS\SYSTEM32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1031\1031

Found mount point : C:\WINDOWS\SYSTEM32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1037\1037

Found mount point : C:\WINDOWS\SYSTEM32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1041\1041

Found mount point : C:\WINDOWS\SYSTEM32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1042\1042

Found mount point : C:\WINDOWS\SYSTEM32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1054\1054

Found mount point : C:\WINDOWS\SYSTEM32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\2052\2052

Found mount point : C:\WINDOWS\SYSTEM32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\3076\3076

Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Found mount point : C:\WINDOWS\SYSTEM32\97E9B04DCFB56E9C\97E9B04DCFB56E9C

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\97E9B04DCFB56E9C\97E9B04DCFB56E9C

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Adobe\Flash Player\AssetCache\D9DDNQCH\D9DDNQCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Adobe\Flash Player\AssetCache\D9DDNQCH\D9DDNQCH

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}\{8D32DF8B-D3B8-4783-A0C5-FE37E2FC8659}

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\3WG87ZDZ\bin.clearspring.com\bin.clearspring.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\3WG87ZDZ\bin.clearspring.com\bin.clearspring.com

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\3WG87ZDZ\video.flashtalking.com\video.flashtalking.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\3WG87ZDZ\video.flashtalking.com\video.flashtalking.com

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\#bin.clearspring.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\#bin.clearspring.com

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#crackle.com\#crackle.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#crackle.com\#crackle.com

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.flashtalking.com\#video.flashtalking.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#video.flashtalking.com\#video.flashtalking.com

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\MMC\MMC

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Pictures\Dell Image Expert Images\Dell Image Expert Images

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Pictures\Dell Image Expert Images\Dell Image Expert Images

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\WINDOWS\system\system

Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[1] 2002-08-29 07:00:00 49152 C:\i386\EVENTLOG.DLL (Microsoft Corporation)



Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Found mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\INETSRV\INETSRV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\INETSRV\INETSRV

Found mount point : C:\WINDOWS\SYSTEM32\log\log

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\log\log

Found mount point : C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\DswMedia\DswMedia

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\DswMedia\DswMedia

Found mount point : C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\Xtras\download\TheGrooveAlliance\3DGrooveXtrav18\3DGrooveXtrav18

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\Xtras\download\TheGrooveAlliance\3DGrooveXtrav18\3DGrooveXtrav18

Found mount point : C:\WINDOWS\SYSTEM32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\Macromed\update\update

Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Found mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\temp\temp

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Found mount point : C:\WINDOWS\Temp\WMFA\WMFA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\WMFA\WMFA

Found mount point : C:\WINDOWS\Temp\~offfilt\~offfilt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\~offfilt\~offfilt

Found mount point : C:\WINDOWS\TWAIN_32\marscam\marscam

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TWAIN_32\marscam\marscam

Found mount point : C:\WINDOWS\WBEM\WBEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WBEM\WBEM

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!
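The log above can be triaged mechanically. The following Python script is an added example for this thread, not part of the original post or of the tool that produced the log: it pairs each "Found mount point" with its "Mount point destination", flags junctions whose target is not an ordinary `\??\Volume{GUID}` mount, and reports where the live system32 copy of eventlog.dll differs from the ServicePackFiles copy (the clean reference the next reply restores from). The embedded sample log is constructed in the log's format and the volume GUID in it is invented.

```python
"""Triage helper for a Win32kDiag-style rootkit log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MOUNT_RE = re.compile(r"^Found mount point : (.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination : (.+?)\s*$")
# "[n] YYYY-MM-DD HH:MM:SS <size> <path> (<company>)"
FILE_RE = re.compile(
    r"^\[(\d+)\] (\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (.+) \(([^()]*)\)\s*$"
)
# The only junction target expected on a plain directory under %SystemRoot%
# or a user profile is a real NTFS volume mount; \Device\__max++>\^ is not one.
LEGIT_DEST_RE = re.compile(r"^\\\?\?\\Volume\{[0-9A-Fa-f-]+\}\\?$")

# Constructed sample: one rootkit junction, one ordinary volume mount point
# (GUID invented), and the eventlog.dll listing quoted from the log above.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Found mount point : C:\MountedDisk\MountedDisk

Mount point destination : \??\Volume{12345678-1234-1234-1234-123456789abc}\

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\SYSTEM32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)
"""


@dataclass
class MountPoint:
    path: str
    destination: str

    def is_suspicious(self) -> bool:
        return LEGIT_DEST_RE.match(self.destination) is None


@dataclass
class FileEntry:
    date: str
    size: int
    path: str
    company: str


def parse_log(text: str) -> Tuple[List[MountPoint], List[FileEntry]]:
    """Single pass: pair each 'Found mount point' with the destination line
    that follows it, and collect every '[n] ...' file listing."""
    mounts: List[MountPoint] = []
    files: List[FileEntry] = []
    pending_dir: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending_dir = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending_dir is not None:
            mounts.append(MountPoint(pending_dir, m.group(1)))
            pending_dir = None
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(FileEntry(m.group(2), int(m.group(4)), m.group(5), m.group(6)))
    return mounts, files


def suspicious_mounts(mounts: List[MountPoint]) -> List[MountPoint]:
    return [mp for mp in mounts if mp.is_suspicious()]


def check_against_reference(files: List[FileEntry], name: str) -> List[str]:
    """Compare the live system32 copy of `name` with the ServicePackFiles copy:
    a size change or a blank version-info company is what the scanner could
    not open and what the repair step replaces."""
    name = name.lower()
    ref = next((f for f in files
                if f.path.lower().endswith("\\servicepackfiles\\i386\\" + name)), None)
    live = next((f for f in files
                 if f.path.lower().endswith("\\system32\\" + name)), None)
    if ref is None or live is None:
        return [f"{name}: reference or live copy not present in listing"]
    findings = []
    if live.size != ref.size:
        findings.append(f"{name}: live size {live.size} differs from reference {ref.size}")
    if live.company != ref.company:
        findings.append(f"{name}: live company '{live.company}' differs from "
                        f"reference '{ref.company}'")
    return findings


if __name__ == "__main__":
    mounts, files = parse_log(SAMPLE_LOG)
    for mp in suspicious_mounts(mounts):
        print(f"SUSPICIOUS junction {mp.path} -> {mp.destination}")
    for finding in check_against_reference(files, "eventlog.dll"):
        print("FINDING", finding)
```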

#4 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 20 September 2009 - 02:12 PM

Hi barkingcrab,

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message in the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (next step) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========


Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

Edited by SifuMike, 20 September 2009 - 02:13 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 barkingcrab (Topic Starter, Members, 21 posts)

Posted 20 September 2009 - 07:24 PM

Hello....log below.

Note that I was unable to get the system to come back up normally. The machine booted, and there were several spyware banners displayed, but the desktop never appeared, nor was I ever able to see the taskbar or get the task manager to come up. After about 20 minutes of waiting for something to happen, I hard stopped the machine and rebooted in safe mode to get this log.

-----------------------------------------
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\Windows\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#6 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 20 September 2009 - 07:29 PM

Hi barkingcrab,

You still have the rootkit on your computer. This a nasty one. :(


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[screenshots of the rename step]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

#7 barkingcrab (Topic Starter, Members, 21 posts)

Posted 21 September 2009 - 08:18 AM

Understood.

Point of clarification...if this machine has problems booting, and I have to do this from safe mode, is that OK?

#8 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 21 September 2009 - 09:37 AM

barkingcrab,

Try to run ComboFix in Normal Mode. If you can't run it in Normal Mode, then use Safe Mode.

#9 barkingcrab (Topic Starter, Members, 21 posts)

Posted 21 September 2009 - 01:02 PM

SifuMike:

It ran in normal mode...took forever, but here's the log.

-----------------------------------------------------------------


ComboFix 09-09-20.01 - hughesc 09/21/2009 10:57.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.476 [GMT -4:00]
Running from: c:\documents and settings\hughesc\Desktop\Combo-Fix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\documents and settings\All Users\Application Data\12815934
c:\documents and settings\All Users\Application Data\12815934\12815934
c:\documents and settings\All Users\Application Data\12815934\12815934.exe
c:\documents and settings\All Users\Application Data\12815934\pc12815934ins
c:\documents and settings\All Users\Application Data\ginogida.reg
c:\documents and settings\hughesc\Application Data\cucetu.reg
c:\documents and settings\hughesc\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\hughesc\Cookies\uvygi.db
c:\documents and settings\hughesc\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\hughesc\Local Settings\Application Data\huhyzevi.reg
c:\documents and settings\hughesc\Local Settings\Application Data\onidomudy.reg
c:\documents and settings\hughesc\Local Settings\Application Data\suzor.inf
c:\documents and settings\hughesc\Local Settings\Temporary Internet Files\deduqy.pif
c:\documents and settings\hughesc\Local Settings\Temporary Internet Files\fixyzivosu.com
c:\documents and settings\hughesc\Local Settings\Temporary Internet Files\Ssk.log
c:\documents and settings\hughesc\Start Menu\Advanced Virus Remover.lnk
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\program files\Common Files\hatyr.bat
c:\program files\Common Files\ybariba.reg
c:\program files\INSTALL.LOG
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\tmp\dbsinit.exe
c:\program files\Windows Police Pro\windows Police Pro.exe
C:\uskwdhpq.exe
c:\windows\ahehuf.dll
c:\windows\dibydune.vbs
c:\windows\dojinaboki.inf
c:\windows\Installer\51573.msp
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\qetibuwo.vbs
c:\windows\svchast.exe
c:\windows\system32\_003618_.tmp.dll
c:\windows\system32\_003619_.tmp.dll
c:\windows\system32\_003620_.tmp.dll
c:\windows\system32\_003621_.tmp.dll
c:\windows\system32\_003628_.tmp.dll
c:\windows\system32\_003629_.tmp.dll
c:\windows\system32\_003630_.tmp.dll
c:\windows\system32\_003632_.tmp.dll
c:\windows\system32\_003633_.tmp.dll
c:\windows\system32\_003636_.tmp.dll
c:\windows\system32\_003637_.tmp.dll
c:\windows\system32\_003639_.tmp.dll
c:\windows\system32\_003640_.tmp.dll
c:\windows\system32\_003641_.tmp.dll
c:\windows\system32\_003643_.tmp.dll
c:\windows\system32\_003646_.tmp.dll
c:\windows\system32\_003647_.tmp.dll
c:\windows\system32\_003651_.tmp.dll
c:\windows\system32\_003652_.tmp.dll
c:\windows\system32\_003654_.tmp.dll
c:\windows\system32\_003656_.tmp.dll
c:\windows\system32\_003657_.tmp.dll
c:\windows\system32\_003659_.tmp.dll
c:\windows\system32\_003660_.tmp.dll
c:\windows\system32\_003661_.tmp.dll
c:\windows\system32\_003662_.tmp.dll
c:\windows\system32\_003665_.tmp.dll
c:\windows\system32\_003666_.tmp.dll
c:\windows\system32\_003667_.tmp.dll
c:\windows\system32\_003668_.tmp.dll
c:\windows\system32\_003669_.tmp.dll
c:\windows\system32\_003674_.tmp.dll
c:\windows\system32\_003676_.tmp.dll
c:\windows\system32\_005764_.tmp.dll
c:\windows\system32\_005765_.tmp.dll
c:\windows\system32\_005766_.tmp.dll
c:\windows\system32\_005767_.tmp.dll
c:\windows\system32\_005774_.tmp.dll
c:\windows\system32\_005775_.tmp.dll
c:\windows\system32\_005776_.tmp.dll
c:\windows\system32\_005777_.tmp.dll
c:\windows\system32\_005779_.tmp.dll
c:\windows\system32\_005780_.tmp.dll
c:\windows\system32\_005783_.tmp.dll
c:\windows\system32\_005784_.tmp.dll
c:\windows\system32\_005786_.tmp.dll
c:\windows\system32\_005787_.tmp.dll
c:\windows\system32\_005788_.tmp.dll
c:\windows\system32\_005790_.tmp.dll
c:\windows\system32\_005793_.tmp.dll
c:\windows\system32\_005794_.tmp.dll
c:\windows\system32\_005798_.tmp.dll
c:\windows\system32\_005799_.tmp.dll
c:\windows\system32\_005801_.tmp.dll
c:\windows\system32\_005803_.tmp.dll
c:\windows\system32\_005804_.tmp.dll
c:\windows\system32\_005806_.tmp.dll
c:\windows\system32\_005807_.tmp.dll
c:\windows\system32\_005808_.tmp.dll
c:\windows\system32\_005809_.tmp.dll
c:\windows\system32\_005810_.tmp.dll
c:\windows\system32\_005813_.tmp.dll
c:\windows\system32\_005814_.tmp.dll
c:\windows\system32\_005815_.tmp.dll
c:\windows\system32\_005816_.tmp.dll
c:\windows\system32\_005817_.tmp.dll
c:\windows\system32\_005822_.tmp.dll
c:\windows\system32\_005824_.tmp.dll
c:\windows\system32\12069.exe
c:\windows\system32\16566.exe
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\begajetu.dll
c:\windows\system32\bennuar.old
c:\windows\system32\ddDEsot.dll
c:\windows\system32\desot.exe
c:\windows\system32\drivers\gasfkyewxlyfrx.sys
c:\windows\system32\drivers\SKYNETmdyspqxn.sys
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\drivers\UAColidmwqbne.sys
c:\windows\system32\dutudari.dll
c:\windows\system32\gajukilu.dll
c:\windows\system32\gasfkyfoulkxcp.dll
c:\windows\system32\gasfkyfrqobwec.dat
c:\windows\system32\gasfkypxtchxir.dat
c:\windows\system32\gasfkyswywcvkg.dll
c:\windows\system32\gasfkyvwbuyowy.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\lefegosi.exe
c:\windows\system32\lejivaya.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\sdra64.exe
c:\windows\system32\SKYNETfolidwfp.dll
c:\windows\system32\SKYNETpdpmmlvm.dat
c:\windows\system32\SKYNETrfiyqxtk.dll
c:\windows\system32\SKYNETspwibabw.dll
c:\windows\system32\SKYNETwowbbylk.dat
c:\windows\system32\sonhelp.htm
c:\windows\system32\sorujome.exe
c:\windows\system32\sysnet.dat
c:\windows\system32\UACbgqxyyrvkp.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmntflwmurq.dll
c:\windows\system32\UACmputhxdpbo.dat
c:\windows\system32\UACvpxufrqfta.dll
c:\windows\system32\UACwlboaflqev.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wispex.html
c:\windows\Temp\scsE.tmp

-- Previous Run --

c:\windows\system32\eventlog.dll . . . is infected!!

--------

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyqppprlot
-------\Legacy_gasfkyqppprlot
-------\Service_SKYNETebcbnmpx
-------\Legacy_SKYNETebcbnmpx
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_TDSSSERV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ee}
-------\Legacy_AntipPolice_
-------\Service_AntipPolice_


((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-21 16:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-21 16:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-21 00:09 . 2009-09-21 00:09 574 ----a-w- C:\cleanup.bat
2009-09-21 00:09 . 2009-09-21 00:09 135168 ----a-w- C:\zip.exe
2009-09-16 00:38 . 2009-09-16 00:38 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Adobe
2009-09-15 23:02 . 2009-09-15 23:02 -------- d-----w- C:\Autoruns
2009-09-13 19:34 . 2009-09-13 19:34 -------- d-----w- c:\documents and settings\hughesc\Application Data\SUPERAntiSpyware.com
2009-09-13 19:33 . 2009-09-13 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-13 19:04 . 2009-09-13 19:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-13 16:49 . 2009-09-21 14:14 -------- d-----w- C:\ComboFix
2009-09-12 16:58 . 2002-08-29 11:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-12 16:58 . 2002-08-29 11:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-12 14:16 . 2009-09-12 14:16 73728 ----a-w- C:\khwx.exe
2009-09-12 14:16 . 2009-09-12 14:16 49664 ----a-w- C:\lriaxaso.exe
2009-09-12 14:16 . 2009-09-12 14:16 19967 ----a-w- C:\qcmqsqna.exe
2009-09-10 22:29 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 21:35 . 2009-09-07 21:35 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2009-09-04 13:32 . 2009-09-04 13:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 15:07 . 2009-09-13 15:07 84992 ----a-w- c:\windows\system32\drivers\OLD1C2.tmp
2009-09-13 15:04 . 2009-06-23 16:03 10752 ----a-w- c:\windows\DCEBoot.exe
2009-09-13 15:04 . 2009-09-13 15:04 84992 ----a-w- c:\windows\system32\drivers\OLD1B5.tmp
2009-09-13 15:04 . 2009-09-13 15:04 84992 ----a-w- c:\windows\system32\drivers\OLD1B3.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1B1.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1AF.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1AD.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1AB.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1A9.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1A7.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1A5.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1A3.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1A1.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD19F.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD19D.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD19B.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD199.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD197.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD195.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD193.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD191.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD18F.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD18D.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD18B.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD189.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD187.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD185.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD183.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD181.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD17F.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD17D.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD17B.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD179.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD177.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD175.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD173.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD171.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD16F.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD16D.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD16B.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD169.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD167.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD165.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD163.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD161.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD15F.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD15D.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD15B.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD159.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD157.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD155.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD153.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD151.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD14F.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD14D.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD14B.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD149.tmp
2009-09-13 14:58 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD147.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD145.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD143.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD141.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD13F.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD13D.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD13B.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD139.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD137.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD135.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD133.tmp
2009-09-13 14:57 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD131.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD12F.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD12D.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD12B.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD129.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD127.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD125.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD123.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD121.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD11F.tmp
2009-09-13 14:56 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD11D.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD11B.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD119.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD117.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD115.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD113.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD111.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD10F.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD10D.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD10B.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD109.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLD107.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLD105.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLD103.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLD101.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDFF.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDFD.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDFB.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDF9.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDF7.tmp
2009-09-13 14:54 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDF5.tmp
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDF3.tmp
2008-12-26 01:19 . 2007-07-09 19:01 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-26 01:19 . 2007-07-09 19:01 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-26 01:19 . 2007-07-09 19:01 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-26 01:19 . 2007-07-09 19:01 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-26 01:19 . 2007-07-09 19:01 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-04-20 23:02 . 2009-01-20 23:02 5799 --sha-w- c:\windows\SYSTEM32\jakejoki.dll
2009-06-23 00:14 . 2009-03-23 00:14 5835 --sha-w- c:\windows\SYSTEM32\kuwibipa.dll
2009-04-20 23:02 . 2009-01-20 23:02 5515 --sha-w- c:\windows\SYSTEM32\veyopiho.exe
2009-04-20 23:02 . 2009-01-20 23:02 5799 --sha-w- c:\windows\SYSTEM32\wubefivu.exe
.

------- Sigcheck -------

[7] 2002-08-29 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\SYSTEM32\DLLCACHE\beep.sys
[-] 2002-08-29 11:00 . AA056BA75BB5F4BBE4949B8A05190EF8 . 4224 . . [------] . . c:\windows\SYSTEM32\DRIVERS\beep.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-04-29 684032]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="c:\windows\system32\nwiz.exe" [2003-10-06 741376]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\hughesc\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-10-27 225280]
PowerReg Scheduler.exe [2005-1-8 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-4-20 106560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\UfNavi.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\UfSeAgnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\WINDOWS\\SYSTEM32\\DSentry.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmPfw.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
R2 tmevtmgr;tmevtmgr;c:\windows\SYSTEM32\DRIVERS\tmevtmgr.sys [4/21/2008 11:22 AM 52624]
R2 tmpreflt;tmpreflt;c:\windows\SYSTEM32\DRIVERS\tmpreflt.sys [2/15/2008 11:39 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\SYSTEM32\DRIVERS\TM_CFW.sys [2/15/2008 11:39 PM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [4/21/2008 11:22 AM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [4/21/2008 11:22 AM 648456]
S1 sasdifsv;SASDIFSV;\??\g:\superantispyware\SASDIFSV.SYS --> g:\superantispyware\SASDIFSV.SYS [?]
S1 saskutil;SASKUTIL;\??\g:\superantispyware\SASKUTIL.sys --> g:\superantispyware\SASKUTIL.sys [?]
S2 97E9B04DCFB56E9C;97E9B04DCFB56E9C;\??\c:\windows\system32\97E9B04DCFB56E9C\97E9B04DCFB56E9C --> c:\windows\system32\97E9B04DCFB56E9C\97E9B04DCFB56E9C [?]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\SYSTEM32\DRIVERS\mr97310v.sys [7/18/2006 2:40 PM 99840]
S3 sasenum;SASENUM;\??\g:\superantispyware\SASENUM.SYS --> g:\superantispyware\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-19 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-09-19 20:04]

2009-06-19 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-09-19 20:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar =
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
Trusted Zone: csc.com\csc100.nwk.amer
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\hughesc\Application Data\Mozilla\Firefox\Profiles\o5kl5rvc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{fa83d077-1d65-4273-b5c3-0ba94f1a5f37} - yetujigi.dll
HKCU-Run-SUPERAntiSpyware - g:\superantispyware\SUPERAntiSpyware.exe
HKLM-Run-12815934 - c:\documents and settings\All Users\Application Data\12815934\12815934.exe
HKLM-Run-begagiwudi - pihuwali.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 13:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\97E9B04DCFB56E9C]
"ImagePath"="\??\c:\windows\system32\97E9B04DCFB56E9C\97E9B04DCFB56E9C"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-21 13:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-21 17:35

Pre-Run: 1,289,977,856 bytes free
Post-Run: 2,098,397,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

472 --- E O F --- 2009-09-11 19:57

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:24 AM

Posted 21 September 2009 - 03:03 PM

Hi barkingcrab,

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page:
    • c:\windows\system32\eventlog.dll
    • c:\windows\DCEBoot.exe
    • c:\windows\SYSTEM32\DRIVERS\beep.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
  • If Copy to Clipboard does not work, then just copy and paste the output in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.

Edited by SifuMike, 21 September 2009 - 03:04 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 barkingcrab


Posted 21 September 2009 - 04:48 PM

SifuMike:

Results enclosed. I had to use VirusTotal as the other site was non-functional.

-BC

File eventlog.dll received on 2009.09.21 21:41:46 (UTC)
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.21 -
AhnLab-V3 5.0.0.2 2009.09.21 -
AntiVir 7.9.1.23 2009.09.21 -
Antiy-AVL 2.0.3.7 2009.09.21 -
Authentium 5.1.2.4 2009.09.21 -
Avast 4.8.1351.0 2009.09.21 -
AVG 8.5.0.412 2009.09.21 -
BitDefender 7.2 2009.09.21 -
CAT-QuickHeal 10.00 2009.09.21 -
ClamAV 0.94.1 2009.09.21 -
Comodo 2395 2009.09.21 -
DrWeb 5.0.0.12182 2009.09.21 -
eSafe 7.0.17.0 2009.09.21 -
eTrust-Vet 31.6.6750 2009.09.21 -
F-Prot 4.5.1.85 2009.09.21 -
F-Secure 8.0.14470.0 2009.09.21 -
Fortinet 3.120.0.0 2009.09.21 -
GData 19 2009.09.21 -
Ikarus T3.1.1.72.0 2009.09.21 -
Jiangmin 11.0.800 2009.09.21 -
K7AntiVirus 7.10.850 2009.09.21 -
Kaspersky 7.0.0.125 2009.09.21 -
McAfee 5748 2009.09.21 -
McAfee+Artemis 5748 2009.09.21 -
McAfee-GW-Edition 6.8.5 2009.09.21 -
Microsoft 1.5005 2009.09.21 -
NOD32 4445 2009.09.21 -
Norman 6.01.09 2009.09.21 -
nProtect 2009.1.8.0 2009.09.21 -
Panda 10.0.2.2 2009.09.21 -
PCTools 4.4.2.0 2009.09.20 -
Prevx 3.0 2009.09.21 -
Rising 21.48.04.00 2009.09.21 -
Sophos 4.45.0 2009.09.21 -
Sunbelt 3.2.1858.2 2009.09.21 -
Symantec 1.4.4.12 2009.09.21 -
TheHacker 6.5.0.2.014 2009.09.21 -
TrendMicro 8.950.0.1094 2009.09.21 -
VBA32 3.12.10.10 2009.09.21 -
ViRobot 2009.9.21.1945 2009.09.21 -
VirusBuster 4.6.5.0 2009.09.21 -
Additional information
File size: 56320 bytes
MD5...: 6d4feb43ee538fc5428cc7f0565aa656
SHA1..: 20df622631e9e0a3212ae79e6b2289316fd6c12e
SHA256: 4091d82537198562f0ca1d032b2d4bec75101342b7bca7778fda2d515300bc36
ssdeep: 1536:5HR5vjbM7s2sUtAcx9vZVoQ1BE7vzzxA:5rvjgA9a1rZVHMrzx
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2637
timedatestamp.....: 0x4802a0ba (Mon Apr 14 00:09:30 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc309 0xc400 6.49 30b4564463dc53fe690fef3f90909cfe
.data 0xe000 0x3a0 0x400 1.34 f51974f7b5fe926fc7833c337729e7ba
.rsrc 0xf000 0x558 0x600 3.08 0eebbcb11d856770bc6ea513edecf8bf
.reloc 0x10000 0x9d0 0xa00 6.66 93d41c53d5b8160080e1c77ff9af280b

( 8 imports )
> ADVAPI32.dll: SetServiceStatus, GetTokenInformation, OpenProcessToken, LookupAccountSidW, GetLengthSid, CopySid, IsValidSid, OpenThreadToken, CheckTokenMembership, IsWellKnownSid, RegisterServiceCtrlHandlerW, RegOpenKeyExW, RegCreateKeyExW, RegDeleteValueW, RegQueryValueExW, RegSetValueExW, RegFlushKey, RegCloseKey
> KERNEL32.dll: GetTimeFormatW, GetDateFormatW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, DisableThreadLibraryCalls, LoadLibraryA, InterlockedCompareExchange, DelayLoadFailureHook, GetCurrentProcess, SetFileAttributesW, WaitForSingleObject, AddAtomA, LocalFree, InterlockedExchange, OpenProcess, GetWindowsDirectoryW, lstrcatW, lstrcmpiW, InterlockedIncrement, InterlockedDecrement, CreateThread, GetCurrentThread, LoadLibraryW, Sleep, lstrcpyW, WaitForMultipleObjects, TerminateThread, CloseHandle, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetEvent, GetModuleHandleW, GetProcAddress, GetLastError, CreateEventW, InitAtomTable, DeleteAtom, LoadLibraryExW, FormatMessageW, FreeLibrary, GetComputerNameW, GetVersionExW, GetSystemTime, SystemTimeToTzSpecificLocalTime, FindAtomA
> msvcrt.dll: _wcsicmp, wcscpy, wcslen, _ltow, memmove, wcscmp, wcsncpy, wcsncat, _except_handler3, _wtoi, swprintf, _local_unwind2, _wcsnicmp, _vsnwprintf, mbstowcs, wcstombs, wcscat
> ntdll.dll: NtOpenProcess, NtDuplicateObject, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlReleaseResource, RtlFreeUnicodeString, NtQueryInformationFile, NtCreateFile, NtReadFile, NtWriteFile, RtlEnterCriticalSection, RtlLeaveCriticalSection, NtCreateEvent, RtlQueueWorkItem, RtlExpandEnvironmentStrings_U, RtlDosPathNameToNtPathName_U, RtlAreAllAccessesGranted, NtNotifyChangeKey, RtlNtStatusToDosError, RtlAllocateAndInitializeSid, NtOpenKey, RtlCopyUnicodeString, RtlDeleteResource, NtQueryValueKey, RtlDeregisterWait, RtlRegisterWait, NtEnumerateKey, RtlInitUnicodeString, RtlUnicodeStringToAnsiString, RtlFreeAnsiString, NtSetValueKey, NtOpenThreadToken, NtClose, RtlLengthSid, RtlTimeToSecondsSince1970, NtQuerySystemTime, RtlAnsiStringToUnicodeString, RtlDeleteSecurityObject, NtCreatePort, RtlRaiseStatus, NtCompleteConnectPort, NtAcceptConnectPort, NtReplyWaitReceivePort, RtlCreateUserSecurityObject, NtSetInformationThread, NtAdjustPrivilegesToken, NtDuplicateToken, NtOpenProcessToken, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenObjectAuditAlarm, NtAccessCheck, NtCloseObjectAuditAlarm, RtlInitializeCriticalSection, RtlInitializeResource, RtlDeleteCriticalSection, NtOpenFile, NlsMbCodePageTag, RtlxUnicodeStringToAnsiSize, NtSetInformationFile, NtExtendSection, RtlAllocateHeap, RtlCreateHeap, NtQueryAttributesFile, NtCreateSection, NtMapViewOfSection, RtlCompareMemory, NtUnmapViewOfSection, NtFlushVirtualMemory, RtlFreeHeap, NtPulseEvent
> PSAPI.DLL: GetModuleFileNameExW
> RPCRT4.dll: I_RpcBindingIsClientLocal, I_RpcMapWin32Status, RpcRevertToSelf, RpcImpersonateClient, RpcStringFreeW, RpcStringBindingParseW, RpcBindingServerFromClient, RpcBindingFree, NdrServerCall2, I_RpcBindingInqLocalClientPID, RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcBindingToStringBindingW
> USER32.dll: MessageBoxW
> WS2_32.dll: -, -, -, -

( 1 exports )
SvcEntry_Eventlog
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: © Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Event Logging Service
original name: Eventlog.DLL
internal name: Eventlog.DLL
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned


-------------------------------------------------------------------

File DCEBoot.exe received on 2009.09.21 21:43:20 (UTC)
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.21 -
AhnLab-V3 5.0.0.2 2009.09.21 -
AntiVir 7.9.1.23 2009.09.21 -
Antiy-AVL 2.0.3.7 2009.09.21 -
Authentium 5.1.2.4 2009.09.21 -
Avast 4.8.1351.0 2009.09.21 -
AVG 8.5.0.412 2009.09.21 -
BitDefender 7.2 2009.09.21 -
CAT-QuickHeal 10.00 2009.09.21 -
ClamAV 0.94.1 2009.09.21 -
Comodo 2395 2009.09.21 -
DrWeb 5.0.0.12182 2009.09.21 -
eSafe 7.0.17.0 2009.09.21 -
eTrust-Vet 31.6.6750 2009.09.21 -
F-Prot 4.5.1.85 2009.09.21 -
F-Secure 8.0.14470.0 2009.09.21 -
Fortinet 3.120.0.0 2009.09.21 -
GData 19 2009.09.21 -
Ikarus T3.1.1.72.0 2009.09.21 -
Jiangmin 11.0.800 2009.09.21 -
K7AntiVirus 7.10.850 2009.09.21 -
Kaspersky 7.0.0.125 2009.09.21 -
McAfee 5748 2009.09.21 -
McAfee+Artemis 5748 2009.09.21 -
McAfee-GW-Edition 6.8.5 2009.09.21 -
Microsoft 1.5005 2009.09.21 -
NOD32 4445 2009.09.21 -
Norman 6.01.09 2009.09.21 -
nProtect 2009.1.8.0 2009.09.21 -
Panda 10.0.2.2 2009.09.21 -
PCTools 4.4.2.0 2009.09.20 -
Prevx 3.0 2009.09.21 -
Rising 21.48.04.00 2009.09.21 -
Sophos 4.45.0 2009.09.21 -
Sunbelt 3.2.1858.2 2009.09.21 -
Symantec 1.4.4.12 2009.09.21 -
TheHacker 6.5.0.2.014 2009.09.21 -
TrendMicro 8.950.0.1094 2009.09.21 -
VBA32 3.12.10.10 2009.09.21 -
ViRobot 2009.9.21.1945 2009.09.21 -
VirusBuster 4.6.5.0 2009.09.21 -
Additional information
File size: 10752 bytes
MD5...: 086e69ac3cac881a07942ae7e07c45d0
SHA1..: 141b26e5b77d3fbccd7515d8511d2108a48d1304
SHA256: d874d4c9c9096009d7423e65b3cdabb857d6abcb676e6c314011978951961cbe
ssdeep: 192:cojU/eCH5T3h47EBJWaogAKmqf5g60Lh84wdwHV8+:ca+nJB5ei4qwHu+
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x28b9
timedatestamp.....: 0x49cc9d64 (Fri Mar 27 09:33:24 2009)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1c48 0x1e00 5.60 b767f98450015850e802b7c0801f3e3f
.data 0x3000 0x519 0x600 7.11 d09c70e16152458497a14fa274af6478
.reloc 0x4000 0xde 0x200 2.55 09024594ec83cf23e2b203815eb5f210

( 1 imports )
> ntdll.dll: NtReadFile, NtCreateFile, NtQueryInformationFile, NtSetInformationFile, NtClose, ZwSetInformationFile, NtDeleteFile, NtOpenKey, NtQueryValueKey, NtSetValueKey, RtlInitUnicodeString, RtlCreateHeap, wcsncpy, memset, RtlDestroyHeap, RtlFreeHeap, RtlDosPathNameToNtPathName_U, RtlAllocateHeap, RtlAdjustPrivilege, memmove, NtTerminateProcess, _chkstk

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=086e69ac3cac881a07942ae7e07c45d0
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

---------------------------------------------------------------------
File beep.sys received on 2009.09.21 21:45:50 (UTC)
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.09.21 -
AhnLab-V3 5.0.0.2 2009.09.21 -
AntiVir 7.9.1.23 2009.09.21 -
Antiy-AVL 2.0.3.7 2009.09.21 -
Authentium 5.1.2.4 2009.09.21 -
Avast 4.8.1351.0 2009.09.21 -
AVG 8.5.0.412 2009.09.21 -
BitDefender 7.2 2009.09.21 -
CAT-QuickHeal 10.00 2009.09.21 -
ClamAV 0.94.1 2009.09.21 -
Comodo 2395 2009.09.21 -
DrWeb 5.0.0.12182 2009.09.21 -
eSafe 7.0.17.0 2009.09.21 -
eTrust-Vet 31.6.6750 2009.09.21 -
F-Prot 4.5.1.85 2009.09.21 -
F-Secure 8.0.14470.0 2009.09.21 -
Fortinet 3.120.0.0 2009.09.21 -
GData 19 2009.09.21 -
Ikarus T3.1.1.72.0 2009.09.21 -
Jiangmin 11.0.800 2009.09.21 -
K7AntiVirus 7.10.850 2009.09.21 -
Kaspersky 7.0.0.125 2009.09.21 -
McAfee 5748 2009.09.21 -
McAfee+Artemis 5748 2009.09.21 -
McAfee-GW-Edition 6.8.5 2009.09.21 -
Microsoft 1.5005 2009.09.21 -
NOD32 4445 2009.09.21 -
Norman 6.01.09 2009.09.21 -
nProtect 2009.1.8.0 2009.09.21 -
Panda 10.0.2.2 2009.09.21 -
PCTools 4.4.2.0 2009.09.20 -
Prevx 3.0 2009.09.21 -
Rising 21.48.04.00 2009.09.21 -
Sophos 4.45.0 2009.09.21 -
Sunbelt 3.2.1858.2 2009.09.21 -
Symantec 1.4.4.12 2009.09.21 -
TheHacker 6.5.0.2.014 2009.09.21 -
TrendMicro 8.950.0.1094 2009.09.21 -
VBA32 3.12.10.10 2009.09.21 -
ViRobot 2009.9.21.1945 2009.09.21 -
VirusBuster 4.6.5.0 2009.09.21 -
Additional information
File size: 4224 bytes
MD5...: aa056ba75bb5f4bbe4949b8a05190ef8
SHA1..: 692a022da782a46880ba589705c40abdfad63555
SHA256: 0d71643bfaa0cd6f10b638daa12819f01a0f6a53a07835eb11532b45ed90a244
ssdeep: 3::
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: OpenGL object (29.2%)
Lotus 123 Worksheet (generic) (14.6%)
HSC music composer song (9.2%)
Game Music Creator Music (8.2%)
MacBinary 1 header (7.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#12 SifuMike


Posted 21 September 2009 - 05:09 PM

Hi barkingcrab,

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\khwx.exe
C:\lriaxaso.exe
C:\qcmqsqna.exe
c:\windows\system32\drivers\OLD1C2.tmp
c:\windows\system32\drivers\OLD1B5.tmp
c:\windows\system32\drivers\OLD1B3.tmp
c:\windows\system32\drivers\OLD1B1.tmp
c:\windows\system32\drivers\OLD1AF.tmp
c:\windows\system32\drivers\OLD1AD.tmp
c:\windows\system32\drivers\OLD1AB.tmp
c:\windows\system32\drivers\OLD1A9.tmp
c:\windows\system32\drivers\OLD1A7.tmp
c:\windows\system32\drivers\OLD1A5.tmp
c:\windows\system32\drivers\OLD1A3.tmp
c:\windows\system32\drivers\OLD1A1.tmp
c:\windows\system32\drivers\OLD19F.tmp
c:\windows\system32\drivers\OLD19D.tmp
c:\windows\system32\drivers\OLD19B.tmp
c:\windows\system32\drivers\OLD199.tmp
c:\windows\system32\drivers\OLD197.tmp
c:\windows\system32\drivers\OLD195.tmp
c:\windows\system32\drivers\OLD193.tmp
c:\windows\system32\drivers\OLD191.tmp
c:\windows\system32\drivers\OLD18F.tmp
c:\windows\system32\drivers\OLD18D.tmp
c:\windows\system32\drivers\OLD18B.tmp
c:\windows\system32\drivers\OLD189.tmp
c:\windows\system32\drivers\OLD187.tmp
c:\windows\system32\drivers\OLD185.tmp
c:\windows\system32\drivers\OLD183.tmp
c:\windows\system32\drivers\OLD181.tmp
c:\windows\system32\drivers\OLD17F.tmp
c:\windows\system32\drivers\OLD17D.tmp
c:\windows\system32\drivers\OLD17B.tmp
c:\windows\system32\drivers\OLD179.tmp
c:\windows\system32\drivers\OLD177.tmp
c:\windows\system32\drivers\OLD175.tmp
c:\windows\system32\drivers\OLD173.tmp
c:\windows\system32\drivers\OLD171.tmp
c:\windows\system32\drivers\OLD16F.tmp
c:\windows\system32\drivers\OLD16D.tmp
c:\windows\system32\drivers\OLD16B.tmp
c:\windows\system32\drivers\OLD169.tmp
c:\windows\system32\drivers\OLD167.tmp
c:\windows\system32\drivers\OLD165.tmp
c:\windows\system32\drivers\OLD163.tmp
c:\windows\system32\drivers\OLD161.tmp
c:\windows\system32\drivers\OLD15F.tmp
c:\windows\system32\drivers\OLD15D.tmp
c:\windows\system32\drivers\OLD15B.tmp
c:\windows\system32\drivers\OLD159.tmp
c:\windows\system32\drivers\OLD157.tmp
c:\windows\system32\drivers\OLD155.tmp
c:\windows\system32\drivers\OLD153.tmp
c:\windows\system32\drivers\OLD151.tmp
c:\windows\system32\drivers\OLD14F.tmp
c:\windows\system32\drivers\OLD14D.tmp
c:\windows\system32\drivers\OLD14B.tmp
c:\windows\system32\drivers\OLD149.tmp
c:\windows\system32\drivers\OLD147.tmp
c:\windows\system32\drivers\OLD145.tmp
c:\windows\system32\drivers\OLD143.tmp
c:\windows\system32\drivers\OLD141.tmp
c:\windows\system32\drivers\OLD13F.tmp
c:\windows\system32\drivers\OLD13D.tmp
c:\windows\system32\drivers\OLD13B.tmp
c:\windows\system32\drivers\OLD139.tmp
c:\windows\system32\drivers\OLD137.tmp
c:\windows\system32\drivers\OLD135.tmp
c:\windows\system32\drivers\OLD133.tmp
c:\windows\system32\drivers\OLD131.tmp
c:\windows\system32\drivers\OLD12F.tmp
c:\windows\system32\drivers\OLD12D.tmp
c:\windows\system32\drivers\OLD12B.tmp
c:\windows\system32\drivers\OLD129.tmp
c:\windows\system32\drivers\OLD127.tmp
c:\windows\system32\drivers\OLD125.tmp
c:\windows\system32\drivers\OLD123.tmp
c:\windows\system32\drivers\OLD121.tmp
c:\windows\system32\drivers\OLD11F.tmp
c:\windows\system32\drivers\OLD11D.tmp
c:\windows\system32\drivers\OLD11B.tmp
c:\windows\system32\drivers\OLD119.tmp
c:\windows\system32\drivers\OLD117.tmp
c:\windows\system32\drivers\OLD115.tmp
c:\windows\system32\drivers\OLD113.tmp
c:\windows\system32\drivers\OLD111.tmp
c:\windows\system32\drivers\OLD10F.tmp
c:\windows\system32\drivers\OLD10D.tmp
c:\windows\system32\drivers\OLD10B.tmp
c:\windows\system32\drivers\OLD109.tmp
c:\windows\system32\drivers\OLD107.tmp
c:\windows\system32\drivers\OLD105.tmp
c:\windows\system32\drivers\OLD103.tmp
c:\windows\system32\drivers\OLD101.tmp
c:\windows\system32\drivers\OLDFF.tmp
c:\windows\system32\drivers\OLDFD.tmp
c:\windows\system32\drivers\OLDFB.tmp
c:\windows\system32\drivers\OLDF9.tmp
c:\windows\system32\drivers\OLDF7.tmp
c:\windows\system32\drivers\OLDF5.tmp
c:\windows\system32\drivers\OLDF3.tmp
c:\windows\SYSTEM32\jakejoki.dll
c:\windows\SYSTEM32\kuwibipa.dll
c:\windows\SYSTEM32\veyopiho.exe
c:\windows\SYSTEM32\wubefivu.exe

FMOVE:: 
c:\windows\SYSTEM32\DLLCACHE\beep.sys|c:\windows\SYSTEM32\DRIVERS\beep.sys 
Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 barkingcrab

  • Topic Starter
  • Members
  • 21 posts

Posted 22 September 2009 - 07:16 PM

SifuMike - log enclosed

-------------------------------------
ComboFix 09-09-20.01 - hughesc 09/22/2009 17:09.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.343 [GMT -4:00]
Running from: c:\documents and settings\hughesc\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\hughesc\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::
"C:\khwx.exe"
"C:\lriaxaso.exe"
"C:\qcmqsqna.exe"
"c:\windows\system32\drivers\OLD101.tmp"
"c:\windows\system32\drivers\OLD103.tmp"
"c:\windows\system32\drivers\OLD105.tmp"
"c:\windows\system32\drivers\OLD107.tmp"
"c:\windows\system32\drivers\OLD109.tmp"
"c:\windows\system32\drivers\OLD10B.tmp"
"c:\windows\system32\drivers\OLD10D.tmp"
"c:\windows\system32\drivers\OLD10F.tmp"
"c:\windows\system32\drivers\OLD111.tmp"
"c:\windows\system32\drivers\OLD113.tmp"
"c:\windows\system32\drivers\OLD115.tmp"
"c:\windows\system32\drivers\OLD117.tmp"
"c:\windows\system32\drivers\OLD119.tmp"
"c:\windows\system32\drivers\OLD11B.tmp"
"c:\windows\system32\drivers\OLD11D.tmp"
"c:\windows\system32\drivers\OLD11F.tmp"
"c:\windows\system32\drivers\OLD121.tmp"
"c:\windows\system32\drivers\OLD123.tmp"
"c:\windows\system32\drivers\OLD125.tmp"
"c:\windows\system32\drivers\OLD127.tmp"
"c:\windows\system32\drivers\OLD129.tmp"
"c:\windows\system32\drivers\OLD12B.tmp"
"c:\windows\system32\drivers\OLD12D.tmp"
"c:\windows\system32\drivers\OLD12F.tmp"
"c:\windows\system32\drivers\OLD131.tmp"
"c:\windows\system32\drivers\OLD133.tmp"
"c:\windows\system32\drivers\OLD135.tmp"
"c:\windows\system32\drivers\OLD137.tmp"
"c:\windows\system32\drivers\OLD139.tmp"
"c:\windows\system32\drivers\OLD13B.tmp"
"c:\windows\system32\drivers\OLD13D.tmp"
"c:\windows\system32\drivers\OLD13F.tmp"
"c:\windows\system32\drivers\OLD141.tmp"
"c:\windows\system32\drivers\OLD143.tmp"
"c:\windows\system32\drivers\OLD145.tmp"
"c:\windows\system32\drivers\OLD147.tmp"
"c:\windows\system32\drivers\OLD149.tmp"
"c:\windows\system32\drivers\OLD14B.tmp"
"c:\windows\system32\drivers\OLD14D.tmp"
"c:\windows\system32\drivers\OLD14F.tmp"
"c:\windows\system32\drivers\OLD151.tmp"
"c:\windows\system32\drivers\OLD153.tmp"
"c:\windows\system32\drivers\OLD155.tmp"
"c:\windows\system32\drivers\OLD157.tmp"
"c:\windows\system32\drivers\OLD159.tmp"
"c:\windows\system32\drivers\OLD15B.tmp"
"c:\windows\system32\drivers\OLD15D.tmp"
"c:\windows\system32\drivers\OLD15F.tmp"
"c:\windows\system32\drivers\OLD161.tmp"
"c:\windows\system32\drivers\OLD163.tmp"
"c:\windows\system32\drivers\OLD165.tmp"
"c:\windows\system32\drivers\OLD167.tmp"
"c:\windows\system32\drivers\OLD169.tmp"
"c:\windows\system32\drivers\OLD16B.tmp"
"c:\windows\system32\drivers\OLD16D.tmp"
"c:\windows\system32\drivers\OLD16F.tmp"
"c:\windows\system32\drivers\OLD171.tmp"
"c:\windows\system32\drivers\OLD173.tmp"
"c:\windows\system32\drivers\OLD175.tmp"
"c:\windows\system32\drivers\OLD177.tmp"
"c:\windows\system32\drivers\OLD179.tmp"
"c:\windows\system32\drivers\OLD17B.tmp"
"c:\windows\system32\drivers\OLD17D.tmp"
"c:\windows\system32\drivers\OLD17F.tmp"
"c:\windows\system32\drivers\OLD181.tmp"
"c:\windows\system32\drivers\OLD183.tmp"
"c:\windows\system32\drivers\OLD185.tmp"
"c:\windows\system32\drivers\OLD187.tmp"
"c:\windows\system32\drivers\OLD189.tmp"
"c:\windows\system32\drivers\OLD18B.tmp"
"c:\windows\system32\drivers\OLD18D.tmp"
"c:\windows\system32\drivers\OLD18F.tmp"
"c:\windows\system32\drivers\OLD191.tmp"
"c:\windows\system32\drivers\OLD193.tmp"
"c:\windows\system32\drivers\OLD195.tmp"
"c:\windows\system32\drivers\OLD197.tmp"
"c:\windows\system32\drivers\OLD199.tmp"
"c:\windows\system32\drivers\OLD19B.tmp"
"c:\windows\system32\drivers\OLD19D.tmp"
"c:\windows\system32\drivers\OLD19F.tmp"
"c:\windows\system32\drivers\OLD1A1.tmp"
"c:\windows\system32\drivers\OLD1A3.tmp"
"c:\windows\system32\drivers\OLD1A5.tmp"
"c:\windows\system32\drivers\OLD1A7.tmp"
"c:\windows\system32\drivers\OLD1A9.tmp"
"c:\windows\system32\drivers\OLD1AB.tmp"
"c:\windows\system32\drivers\OLD1AD.tmp"
"c:\windows\system32\drivers\OLD1AF.tmp"
"c:\windows\system32\drivers\OLD1B1.tmp"
"c:\windows\system32\drivers\OLD1B3.tmp"
"c:\windows\system32\drivers\OLD1B5.tmp"
"c:\windows\system32\drivers\OLD1C2.tmp"
"c:\windows\system32\drivers\OLDF3.tmp"
"c:\windows\system32\drivers\OLDF5.tmp"
"c:\windows\system32\drivers\OLDF7.tmp"
"c:\windows\system32\drivers\OLDF9.tmp"
"c:\windows\system32\drivers\OLDFB.tmp"
"c:\windows\system32\drivers\OLDFD.tmp"
"c:\windows\system32\drivers\OLDFF.tmp"
"c:\windows\SYSTEM32\jakejoki.dll"
"c:\windows\SYSTEM32\kuwibipa.dll"
"c:\windows\SYSTEM32\veyopiho.exe"
"c:\windows\SYSTEM32\wubefivu.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\khwx.exe
C:\lriaxaso.exe
C:\qcmqsqna.exe
c:\windows\system32\drivers\OLD101.tmp
c:\windows\system32\drivers\OLD103.tmp
c:\windows\system32\drivers\OLD105.tmp
c:\windows\system32\drivers\OLD107.tmp
c:\windows\system32\drivers\OLD109.tmp
c:\windows\system32\drivers\OLD10B.tmp
c:\windows\system32\drivers\OLD10D.tmp
c:\windows\system32\drivers\OLD10F.tmp
c:\windows\system32\drivers\OLD111.tmp
c:\windows\system32\drivers\OLD113.tmp
c:\windows\system32\drivers\OLD115.tmp
c:\windows\system32\drivers\OLD117.tmp
c:\windows\system32\drivers\OLD119.tmp
c:\windows\system32\drivers\OLD11B.tmp
c:\windows\system32\drivers\OLD11D.tmp
c:\windows\system32\drivers\OLD11F.tmp
c:\windows\system32\drivers\OLD121.tmp
c:\windows\system32\drivers\OLD123.tmp
c:\windows\system32\drivers\OLD125.tmp
c:\windows\system32\drivers\OLD127.tmp
c:\windows\system32\drivers\OLD129.tmp
c:\windows\system32\drivers\OLD12B.tmp
c:\windows\system32\drivers\OLD12D.tmp
c:\windows\system32\drivers\OLD12F.tmp
c:\windows\system32\drivers\OLD131.tmp
c:\windows\system32\drivers\OLD133.tmp
c:\windows\system32\drivers\OLD135.tmp
c:\windows\system32\drivers\OLD137.tmp
c:\windows\system32\drivers\OLD139.tmp
c:\windows\system32\drivers\OLD13B.tmp
c:\windows\system32\drivers\OLD13D.tmp
c:\windows\system32\drivers\OLD13F.tmp
c:\windows\system32\drivers\OLD141.tmp
c:\windows\system32\drivers\OLD143.tmp
c:\windows\system32\drivers\OLD145.tmp
c:\windows\system32\drivers\OLD147.tmp
c:\windows\system32\drivers\OLD149.tmp
c:\windows\system32\drivers\OLD14B.tmp
c:\windows\system32\drivers\OLD14D.tmp
c:\windows\system32\drivers\OLD14F.tmp
c:\windows\system32\drivers\OLD151.tmp
c:\windows\system32\drivers\OLD153.tmp
c:\windows\system32\drivers\OLD155.tmp
c:\windows\system32\drivers\OLD157.tmp
c:\windows\system32\drivers\OLD159.tmp
c:\windows\system32\drivers\OLD15B.tmp
c:\windows\system32\drivers\OLD15D.tmp
c:\windows\system32\drivers\OLD15F.tmp
c:\windows\system32\drivers\OLD161.tmp
c:\windows\system32\drivers\OLD163.tmp
c:\windows\system32\drivers\OLD165.tmp
c:\windows\system32\drivers\OLD167.tmp
c:\windows\system32\drivers\OLD169.tmp
c:\windows\system32\drivers\OLD16B.tmp
c:\windows\system32\drivers\OLD16D.tmp
c:\windows\system32\drivers\OLD16F.tmp
c:\windows\system32\drivers\OLD171.tmp
c:\windows\system32\drivers\OLD173.tmp
c:\windows\system32\drivers\OLD175.tmp
c:\windows\system32\drivers\OLD177.tmp
c:\windows\system32\drivers\OLD179.tmp
c:\windows\system32\drivers\OLD17B.tmp
c:\windows\system32\drivers\OLD17D.tmp
c:\windows\system32\drivers\OLD17F.tmp
c:\windows\system32\drivers\OLD181.tmp
c:\windows\system32\drivers\OLD183.tmp
c:\windows\system32\drivers\OLD185.tmp
c:\windows\system32\drivers\OLD187.tmp
c:\windows\system32\drivers\OLD189.tmp
c:\windows\system32\drivers\OLD18B.tmp
c:\windows\system32\drivers\OLD18D.tmp
c:\windows\system32\drivers\OLD18F.tmp
c:\windows\system32\drivers\OLD191.tmp
c:\windows\system32\drivers\OLD193.tmp
c:\windows\system32\drivers\OLD195.tmp
c:\windows\system32\drivers\OLD197.tmp
c:\windows\system32\drivers\OLD199.tmp
c:\windows\system32\drivers\OLD19B.tmp
c:\windows\system32\drivers\OLD19D.tmp
c:\windows\system32\drivers\OLD19F.tmp
c:\windows\system32\drivers\OLD1A1.tmp
c:\windows\system32\drivers\OLD1A3.tmp
c:\windows\system32\drivers\OLD1A5.tmp
c:\windows\system32\drivers\OLD1A7.tmp
c:\windows\system32\drivers\OLD1A9.tmp
c:\windows\system32\drivers\OLD1AB.tmp
c:\windows\system32\drivers\OLD1AD.tmp
c:\windows\system32\drivers\OLD1AF.tmp
c:\windows\system32\drivers\OLD1B1.tmp
c:\windows\system32\drivers\OLD1B3.tmp
c:\windows\system32\drivers\OLD1B5.tmp
c:\windows\system32\drivers\OLD1C2.tmp
c:\windows\system32\drivers\OLDF3.tmp
c:\windows\system32\drivers\OLDF5.tmp
c:\windows\system32\drivers\OLDF7.tmp
c:\windows\system32\drivers\OLDF9.tmp
c:\windows\system32\drivers\OLDFB.tmp
c:\windows\system32\drivers\OLDFD.tmp
c:\windows\system32\drivers\OLDFF.tmp
c:\windows\SYSTEM32\jakejoki.dll
c:\windows\SYSTEM32\kuwibipa.dll
c:\windows\SYSTEM32\veyopiho.exe
c:\windows\SYSTEM32\wubefivu.exe

.
--------------- FMove ---------------

c:\windows\SYSTEM32\DLLCACHE\beep.sys --> c:\windows\SYSTEM32\DRIVERS\beep.sys
.
((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 )))))))))))))))))))))))))))))))
.

2009-09-21 16:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-21 16:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-21 00:09 . 2009-09-21 00:09 574 ----a-w- C:\cleanup.bat
2009-09-21 00:09 . 2009-09-21 00:09 135168 ----a-w- C:\zip.exe
2009-09-16 00:38 . 2009-09-16 00:38 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Adobe
2009-09-15 23:02 . 2009-09-15 23:02 -------- d-----w- C:\Autoruns
2009-09-13 19:34 . 2009-09-13 19:34 -------- d-----w- c:\documents and settings\hughesc\Application Data\SUPERAntiSpyware.com
2009-09-13 19:33 . 2009-09-13 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-13 19:04 . 2009-09-13 19:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-13 16:49 . 2009-09-21 14:14 -------- d-----w- C:\ComboFix
2009-09-12 16:58 . 2002-08-29 11:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-10 22:29 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 21:35 . 2009-09-07 21:35 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2009-09-04 13:32 . 2009-09-04 13:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 15:04 . 2009-06-23 16:03 10752 ----a-w- c:\windows\DCEBoot.exe
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDF1.tmp
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDEF.tmp
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDED.tmp
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDEB.tmp
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDE9.tmp
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDE7.tmp
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDE5.tmp
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDE3.tmp
2009-09-13 14:53 . 2009-09-13 14:53 84992 ----a-w- c:\windows\system32\drivers\OLDE1.tmp
2009-09-13 14:53 . 2009-09-13 14:53 84992 ----a-w- c:\windows\system32\drivers\OLDDF.tmp
2009-09-13 14:53 . 2009-09-13 14:53 84992 ----a-w- c:\windows\system32\drivers\OLDDD.tmp
2009-09-13 14:53 . 2009-09-13 14:53 84992 ----a-w- c:\windows\system32\drivers\OLDDB.tmp
2009-09-13 14:53 . 2009-09-13 14:53 84992 ----a-w- c:\windows\system32\drivers\OLDD9.tmp
2009-09-13 14:53 . 2009-09-13 14:53 84992 ----a-w- c:\windows\system32\drivers\OLDD7.tmp
2009-09-13 14:53 . 2009-09-13 14:53 84992 ----a-w- c:\windows\system32\drivers\OLDD5.tmp
2009-09-13 14:53 . 2009-09-13 14:53 84992 ----a-w- c:\windows\system32\drivers\OLDD3.tmp
2009-09-13 14:53 . 2009-09-13 14:53 84992 ----a-w- c:\windows\system32\drivers\OLDD1.tmp
2009-09-13 14:52 . 2009-09-13 14:52 84992 ----a-w- c:\windows\system32\drivers\OLDCF.tmp
2009-09-13 14:52 . 2009-09-13 14:52 84992 ----a-w- c:\windows\system32\drivers\OLDCD.tmp
2009-09-13 14:52 . 2009-09-13 14:52 84992 ----a-w- c:\windows\system32\drivers\OLDCB.tmp
2009-09-13 14:52 . 2009-09-13 14:52 84992 ----a-w- c:\windows\system32\drivers\OLDC9.tmp
2009-09-13 14:52 . 2009-09-13 14:52 84992 ----a-w- c:\windows\system32\drivers\OLDC7.tmp
2009-09-13 14:52 . 2009-09-13 14:52 84992 ----a-w- c:\windows\system32\drivers\OLDC5.tmp
2009-09-13 14:52 . 2009-09-13 14:52 84992 ----a-w- c:\windows\system32\drivers\OLDC3.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDC1.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDBF.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDBD.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDBB.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDB9.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDB7.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDB5.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDB3.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDB1.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDAF.tmp
2009-09-13 14:50 . 2009-09-13 14:50 84992 ----a-w- c:\windows\system32\drivers\OLDAD.tmp
2009-09-13 14:50 . 2009-09-13 14:50 84992 ----a-w- c:\windows\system32\drivers\OLDAB.tmp
2009-09-13 14:50 . 2009-09-13 14:50 84992 ----a-w- c:\windows\system32\drivers\OLDA9.tmp
2009-09-13 14:50 . 2009-09-13 14:50 84992 ----a-w- c:\windows\system32\drivers\OLDA7.tmp
2009-09-13 14:50 . 2009-09-13 14:50 84992 ----a-w- c:\windows\system32\drivers\OLDA5.tmp
2009-09-13 14:50 . 2009-09-13 14:50 84992 ----a-w- c:\windows\system32\drivers\OLDA3.tmp
2009-09-13 14:50 . 2009-09-13 14:50 84992 ----a-w- c:\windows\system32\drivers\OLDA1.tmp
2009-09-13 14:50 . 2009-09-13 14:50 84992 ----a-w- c:\windows\system32\drivers\OLD9F.tmp
2009-09-13 14:50 . 2009-09-13 14:50 84992 ----a-w- c:\windows\system32\drivers\OLD9D.tmp
2009-09-13 14:50 . 2009-09-13 14:50 84992 ----a-w- c:\windows\system32\drivers\OLD9B.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD99.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD97.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD95.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD93.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD91.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD8F.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD8D.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD8B.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD89.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD87.tmp
2009-09-13 14:49 . 2009-09-13 14:49 84992 ----a-w- c:\windows\system32\drivers\OLD85.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD83.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD81.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD7F.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD7D.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD7B.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD79.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD77.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD75.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD73.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD71.tmp
2009-09-13 14:48 . 2009-09-13 14:48 84992 ----a-w- c:\windows\system32\drivers\OLD6F.tmp
2009-09-13 14:47 . 2009-09-13 14:47 84992 ----a-w- c:\windows\system32\drivers\OLD6D.tmp
2009-09-13 14:47 . 2009-09-13 14:47 84992 ----a-w- c:\windows\system32\drivers\OLD6B.tmp
2009-09-13 14:47 . 2009-09-13 14:47 84992 ----a-w- c:\windows\system32\drivers\OLD69.tmp
2009-09-13 14:47 . 2009-09-13 14:47 84992 ----a-w- c:\windows\system32\drivers\OLD67.tmp
2009-09-13 14:47 . 2009-09-13 14:47 84992 ----a-w- c:\windows\system32\drivers\OLD65.tmp
2009-09-13 14:47 . 2009-09-13 14:47 84992 ----a-w- c:\windows\system32\drivers\OLD63.tmp
2009-09-13 14:47 . 2009-09-13 14:47 84992 ----a-w- c:\windows\system32\drivers\OLD5F.tmp
2009-09-13 14:47 . 2009-09-13 14:47 84992 ----a-w- c:\windows\system32\drivers\OLD5D.tmp
2009-09-13 14:47 . 2009-09-13 14:47 84992 ----a-w- c:\windows\system32\drivers\OLD5B.tmp
2009-09-13 14:47 . 2009-09-13 14:47 84992 ----a-w- c:\windows\system32\drivers\OLD59.tmp
2009-09-13 14:46 . 2009-09-13 14:46 84992 ----a-w- c:\windows\system32\drivers\OLD57.tmp
2009-09-13 14:46 . 2009-09-13 14:46 84992 ----a-w- c:\windows\system32\drivers\OLD54.tmp
2009-09-13 14:46 . 2009-09-13 14:46 84992 ----a-w- c:\windows\system32\drivers\OLD52.tmp
2009-09-13 14:46 . 2009-09-13 14:46 84992 ----a-w- c:\windows\system32\drivers\OLD50.tmp
2009-09-13 14:46 . 2009-09-13 14:46 84992 ----a-w- c:\windows\system32\drivers\OLD4E.tmp
2009-09-13 14:46 . 2009-09-13 14:46 84992 ----a-w- c:\windows\system32\drivers\OLD4C.tmp
2009-09-13 14:46 . 2009-09-13 14:46 84992 ----a-w- c:\windows\system32\drivers\OLD4A.tmp
2009-09-13 14:46 . 2009-09-13 14:46 84992 ----a-w- c:\windows\system32\drivers\OLD48.tmp
2009-09-13 14:46 . 2009-09-13 14:46 84992 ----a-w- c:\windows\system32\drivers\OLD46.tmp
2009-09-13 14:45 . 2009-09-13 14:45 84992 ----a-w- c:\windows\system32\drivers\OLD44.tmp
2009-09-13 14:45 . 2009-09-13 14:45 84992 ----a-w- c:\windows\system32\drivers\OLD42.tmp
2009-09-13 14:45 . 2009-09-13 14:45 84992 ----a-w- c:\windows\system32\drivers\OLD40.tmp
2009-09-13 14:45 . 2009-09-13 14:45 84992 ----a-w- c:\windows\system32\drivers\OLD3E.tmp
2009-09-13 14:45 . 2009-09-13 14:45 84992 ----a-w- c:\windows\system32\drivers\OLD3C.tmp
2009-09-13 14:45 . 2009-09-13 14:45 84992 ----a-w- c:\windows\system32\drivers\OLD3A.tmp
2009-09-13 14:45 . 2009-09-13 14:45 84992 ----a-w- c:\windows\system32\drivers\OLD38.tmp
2009-09-13 14:45 . 2009-09-13 14:45 84992 ----a-w- c:\windows\system32\drivers\OLD36.tmp
2009-09-13 14:45 . 2009-09-13 14:45 84992 ----a-w- c:\windows\system32\drivers\OLD34.tmp
2009-09-13 14:45 . 2009-09-13 14:45 84992 ----a-w- c:\windows\system32\drivers\OLD32.tmp
2009-09-13 14:44 . 2009-09-13 14:44 84992 ----a-w- c:\windows\system32\drivers\OLD30.tmp
2009-09-13 14:44 . 2009-09-13 14:44 84992 ----a-w- c:\windows\system32\drivers\OLD2E.tmp
2009-09-13 14:44 . 2009-09-13 14:44 84992 ----a-w- c:\windows\system32\drivers\OLD2C.tmp
2009-09-13 14:44 . 2009-09-13 14:44 84992 ----a-w- c:\windows\system32\drivers\OLD2A.tmp
2008-12-26 01:19 . 2007-07-09 19:01 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-26 01:19 . 2007-07-09 19:01 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-26 01:19 . 2007-07-09 19:01 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-26 01:19 . 2007-07-09 19:01 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-26 01:19 . 2007-07-09 19:01 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-04-29 684032]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="c:\windows\system32\nwiz.exe" [2003-10-06 741376]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\hughesc\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-10-27 225280]
PowerReg Scheduler.exe [2005-1-8 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-4-20 106560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\UfNavi.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\UfSeAgnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\WINDOWS\\SYSTEM32\\DSentry.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmPfw.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
R2 tmevtmgr;tmevtmgr;c:\windows\SYSTEM32\DRIVERS\tmevtmgr.sys [4/21/2008 11:22 AM 52624]
R2 tmpreflt;tmpreflt;c:\windows\SYSTEM32\DRIVERS\tmpreflt.sys [2/15/2008 11:39 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\SYSTEM32\DRIVERS\TM_CFW.sys [2/15/2008 11:39 PM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [4/21/2008 11:22 AM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [4/21/2008 11:22 AM 648456]
S1 sasdifsv;SASDIFSV;\??\g:\superantispyware\SASDIFSV.SYS --> g:\superantispyware\SASDIFSV.SYS [?]
S1 saskutil;SASKUTIL;\??\g:\superantispyware\SASKUTIL.sys --> g:\superantispyware\SASKUTIL.sys [?]
S2 97E9B04DCFB56E9C;97E9B04DCFB56E9C;\??\c:\windows\system32\97E9B04DCFB56E9C\97E9B04DCFB56E9C --> c:\windows\system32\97E9B04DCFB56E9C\97E9B04DCFB56E9C [?]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\SYSTEM32\DRIVERS\mr97310v.sys [7/18/2006 2:40 PM 99840]
S3 sasenum;SASENUM;\??\g:\superantispyware\SASENUM.SYS --> g:\superantispyware\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar =
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
Trusted Zone: csc.com\csc100.nwk.amer
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\hughesc\Application Data\Mozilla\Firefox\Profiles\o5kl5rvc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-22 18:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\97E9B04DCFB56E9C]
"ImagePath"="\??\c:\windows\system32\97E9B04DCFB56E9C\97E9B04DCFB56E9C"
.
Completion time: 2009-09-22 18:46
ComboFix-quarantined-files.txt 2009-09-22 22:45
ComboFix2.txt 2009-09-21 17:36

Pre-Run: 2,138,456,064 bytes free
Post-Run: 2,093,694,976 bytes free

445 --- E O F --- 2009-09-11 19:57

#14 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 September 2009 - 08:54 PM

Hi barkingcrab,

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\drivers\OLDF1.tmp
c:\windows\system32\drivers\OLDEF.tmp
c:\windows\system32\drivers\OLDED.tmp
c:\windows\system32\drivers\OLDEB.tmp
c:\windows\system32\drivers\OLDE9.tmp
c:\windows\system32\drivers\OLDE7.tmp
c:\windows\system32\drivers\OLDE5.tmp
c:\windows\system32\drivers\OLDE3.tmp
c:\windows\system32\drivers\OLDE1.tmp
c:\windows\system32\drivers\OLDDF.tmp
c:\windows\system32\drivers\OLDDD.tmp
c:\windows\system32\drivers\OLDDB.tmp
c:\windows\system32\drivers\OLDD9.tmp
c:\windows\system32\drivers\OLDD7.tmp
c:\windows\system32\drivers\OLDD5.tmp
c:\windows\system32\drivers\OLDD3.tmp
c:\windows\system32\drivers\OLDD1.tmp
c:\windows\system32\drivers\OLDCF.tmp
c:\windows\system32\drivers\OLDCD.tmp
c:\windows\system32\drivers\OLDCB.tmp
c:\windows\system32\drivers\OLDC9.tmp
c:\windows\system32\drivers\OLDC7.tmp
c:\windows\system32\drivers\OLDC5.tmp
c:\windows\system32\drivers\OLDC3.tmp
c:\windows\system32\drivers\OLDC1.tmp
c:\windows\system32\drivers\OLDBF.tmp
c:\windows\system32\drivers\OLDBD.tmp
c:\windows\system32\drivers\OLDBB.tmp
c:\windows\system32\drivers\OLDB9.tmp
c:\windows\system32\drivers\OLDB7.tmp
c:\windows\system32\drivers\OLDB5.tmp
c:\windows\system32\drivers\OLDB3.tmp
c:\windows\system32\drivers\OLDB1.tmp
c:\windows\system32\drivers\OLDAF.tmp
c:\windows\system32\drivers\OLDAD.tmp
c:\windows\system32\drivers\OLDAB.tmp
c:\windows\system32\drivers\OLDA9.tmp
c:\windows\system32\drivers\OLDA7.tmp
c:\windows\system32\drivers\OLDA5.tmp
c:\windows\system32\drivers\OLDA3.tmp
c:\windows\system32\drivers\OLDA1.tmp
c:\windows\system32\drivers\OLD9F.tmp
c:\windows\system32\drivers\OLD9D.tmp
c:\windows\system32\drivers\OLD9B.tmp
c:\windows\system32\drivers\OLD99.tmp
c:\windows\system32\drivers\OLD97.tmp
c:\windows\system32\drivers\OLD95.tmp
c:\windows\system32\drivers\OLD93.tmp
c:\windows\system32\drivers\OLD91.tmp
c:\windows\system32\drivers\OLD8F.tmp
c:\windows\system32\drivers\OLD8D.tmp
c:\windows\system32\drivers\OLD8B.tmp
c:\windows\system32\drivers\OLD89.tmp
c:\windows\system32\drivers\OLD87.tmp
c:\windows\system32\drivers\OLD85.tmp
c:\windows\system32\drivers\OLD83.tmp
c:\windows\system32\drivers\OLD81.tmp
c:\windows\system32\drivers\OLD7F.tmp
c:\windows\system32\drivers\OLD7D.tmp
c:\windows\system32\drivers\OLD7B.tmp
c:\windows\system32\drivers\OLD79.tmp
c:\windows\system32\drivers\OLD77.tmp
c:\windows\system32\drivers\OLD75.tmp
c:\windows\system32\drivers\OLD73.tmp
c:\windows\system32\drivers\OLD71.tmp
c:\windows\system32\drivers\OLD6F.tmp
c:\windows\system32\drivers\OLD6D.tmp
c:\windows\system32\drivers\OLD6B.tmp
c:\windows\system32\drivers\OLD69.tmp
c:\windows\system32\drivers\OLD67.tmp
c:\windows\system32\drivers\OLD65.tmp
c:\windows\system32\drivers\OLD63.tmp
c:\windows\system32\drivers\OLD5F.tmp
c:\windows\system32\drivers\OLD5D.tmp
c:\windows\system32\drivers\OLD5B.tmp
c:\windows\system32\drivers\OLD59.tmp
c:\windows\system32\drivers\OLD57.tmp
c:\windows\system32\drivers\OLD54.tmp
c:\windows\system32\drivers\OLD52.tmp
c:\windows\system32\drivers\OLD50.tmp
c:\windows\system32\drivers\OLD4E.tmp
c:\windows\system32\drivers\OLD4C.tmp
c:\windows\system32\drivers\OLD4A.tmp
c:\windows\system32\drivers\OLD48.tmp
c:\windows\system32\drivers\OLD46.tmp
c:\windows\system32\drivers\OLD44.tmp
c:\windows\system32\drivers\OLD42.tmp
c:\windows\system32\drivers\OLD40.tmp
c:\windows\system32\drivers\OLD3E.tmp
c:\windows\system32\drivers\OLD3C.tmp
c:\windows\system32\drivers\OLD3A.tmp
c:\windows\system32\drivers\OLD38.tmp
c:\windows\system32\drivers\OLD36.tmp
c:\windows\system32\drivers\OLD34.tmp
c:\windows\system32\drivers\OLD32.tmp
c:\windows\system32\drivers\OLD30.tmp
c:\windows\system32\drivers\OLD2E.tmp
c:\windows\system32\drivers\OLD2C.tmp
c:\windows\system32\drivers\OLD2A.tmp


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
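The two CFScripts above were built by hand from the log: SifuMike picked out the run of same-sized OLDxx.tmp files that appeared in the drivers folder within a few minutes and listed them under a File:: directive. The following Python is an added example, not part of this thread or of ComboFix itself, that parses log lines in the Find3M format shown above, flags such a burst, and renders it as a File:: block; the sample lines are excerpted from the log above plus one constructed directory entry, and the "3 files within 15 minutes" threshold is an assumed heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime

# One ComboFix file line: "<mtime> . <ctime> <size-or-dashes> <attrs> <path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+|-+) (\S+) (.+)$"
)

# Excerpt of the Find3M / Files Created lines posted in this thread,
# plus one constructed directory line (C:\Autoruns) that must not be flagged.
SAMPLE_LOG = r"""
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDF1.tmp
2009-09-13 14:53 . 2009-09-13 14:53 84992 ----a-w- c:\windows\system32\drivers\OLDE1.tmp
2009-09-13 14:51 . 2009-09-13 14:51 84992 ----a-w- c:\windows\system32\drivers\OLDC1.tmp
2009-09-13 14:44 . 2009-09-13 14:44 84992 ----a-w- c:\windows\system32\drivers\OLD2A.tmp
2009-09-12 16:58 . 2002-08-29 11:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-15 23:02 . 2009-09-15 23:02 -------- d-----w- C:\Autoruns
2008-12-26 01:19 . 2007-07-09 19:01 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
"""


def parse_entries(text):
    """Turn ComboFix file lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mtime, ctime, size, attrs, path = m.groups()
        entries.append({
            "mtime": datetime.strptime(mtime, "%Y-%m-%d %H:%M"),
            "ctime": datetime.strptime(ctime, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),  # dashes = directory
            "attrs": attrs,
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return entries


def find_tmp_bursts(entries, min_count=3, window_minutes=15):
    """Group *.tmp files under a drivers directory by size and report every
    group of at least min_count files created within window_minutes of each
    other. The thresholds are assumed heuristics, not ComboFix's own logic."""
    by_size = defaultdict(list)
    for e in entries:
        p = e["path"].lower()
        if e["is_dir"] or not p.endswith(".tmp") or "\\drivers\\" not in p:
            continue
        by_size[e["size"]].append(e)

    bursts = []
    for size, items in by_size.items():
        items.sort(key=lambda e: e["ctime"])
        span = (items[-1]["ctime"] - items[0]["ctime"]).total_seconds() / 60
        if len(items) >= min_count and span <= window_minutes:
            bursts.append({
                "size": size,
                "count": len(items),
                "span_minutes": span,
                "paths": [e["path"] for e in items],
            })
    return bursts


def cfscript_file_block(paths):
    """Render the paths as a ComboFix 'File::' directive block, one per line,
    in the same shape as the scripts posted above."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    for b in find_tmp_bursts(parse_entries(SAMPLE_LOG)):
        print(f"{b['count']} x {b['size']} bytes within {b['span_minutes']:.0f} min")
        print(cfscript_file_block(b["paths"]))
```

Run against a full ComboFix.txt, the generated block still needs the same review SifuMike gives it before use: legitimate drivers of one size never match, but the heuristic is only as good as the thresholds chosen.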

#15 barkingcrab

  • Topic Starter
  • Members
  • 21 posts

Posted 24 September 2009 - 12:09 PM

SifuMike - requested log enclosed.

Thanks for your continued support!

--------------------------------------------------------
ComboFix 09-09-20.01 - hughesc 09/21/2009 10:57.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.476 [GMT -4:00]
Running from: c:\documents and settings\hughesc\Desktop\Combo-Fix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\documents and settings\All Users\Application Data\12815934
c:\documents and settings\All Users\Application Data\12815934\12815934
c:\documents and settings\All Users\Application Data\12815934\12815934.exe
c:\documents and settings\All Users\Application Data\12815934\pc12815934ins
c:\documents and settings\All Users\Application Data\ginogida.reg
c:\documents and settings\hughesc\Application Data\cucetu.reg
c:\documents and settings\hughesc\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\hughesc\Cookies\uvygi.db
c:\documents and settings\hughesc\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\hughesc\Local Settings\Application Data\huhyzevi.reg
c:\documents and settings\hughesc\Local Settings\Application Data\onidomudy.reg
c:\documents and settings\hughesc\Local Settings\Application Data\suzor.inf
c:\documents and settings\hughesc\Local Settings\Temporary Internet Files\deduqy.pif
c:\documents and settings\hughesc\Local Settings\Temporary Internet Files\fixyzivosu.com
c:\documents and settings\hughesc\Local Settings\Temporary Internet Files\Ssk.log
c:\documents and settings\hughesc\Start Menu\Advanced Virus Remover.lnk
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\program files\Common Files\hatyr.bat
c:\program files\Common Files\ybariba.reg
c:\program files\INSTALL.LOG
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\tmp\dbsinit.exe
c:\program files\Windows Police Pro\windows Police Pro.exe
C:\uskwdhpq.exe
c:\windows\ahehuf.dll
c:\windows\dibydune.vbs
c:\windows\dojinaboki.inf
c:\windows\Installer\51573.msp
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\qetibuwo.vbs
c:\windows\svchast.exe
c:\windows\system32\_003618_.tmp.dll
c:\windows\system32\_003619_.tmp.dll
c:\windows\system32\_003620_.tmp.dll
c:\windows\system32\_003621_.tmp.dll
c:\windows\system32\_003628_.tmp.dll
c:\windows\system32\_003629_.tmp.dll
c:\windows\system32\_003630_.tmp.dll
c:\windows\system32\_003632_.tmp.dll
c:\windows\system32\_003633_.tmp.dll
c:\windows\system32\_003636_.tmp.dll
c:\windows\system32\_003637_.tmp.dll
c:\windows\system32\_003639_.tmp.dll
c:\windows\system32\_003640_.tmp.dll
c:\windows\system32\_003641_.tmp.dll
c:\windows\system32\_003643_.tmp.dll
c:\windows\system32\_003646_.tmp.dll
c:\windows\system32\_003647_.tmp.dll
c:\windows\system32\_003651_.tmp.dll
c:\windows\system32\_003652_.tmp.dll
c:\windows\system32\_003654_.tmp.dll
c:\windows\system32\_003656_.tmp.dll
c:\windows\system32\_003657_.tmp.dll
c:\windows\system32\_003659_.tmp.dll
c:\windows\system32\_003660_.tmp.dll
c:\windows\system32\_003661_.tmp.dll
c:\windows\system32\_003662_.tmp.dll
c:\windows\system32\_003665_.tmp.dll
c:\windows\system32\_003666_.tmp.dll
c:\windows\system32\_003667_.tmp.dll
c:\windows\system32\_003668_.tmp.dll
c:\windows\system32\_003669_.tmp.dll
c:\windows\system32\_003674_.tmp.dll
c:\windows\system32\_003676_.tmp.dll
c:\windows\system32\_005764_.tmp.dll
c:\windows\system32\_005765_.tmp.dll
c:\windows\system32\_005766_.tmp.dll
c:\windows\system32\_005767_.tmp.dll
c:\windows\system32\_005774_.tmp.dll
c:\windows\system32\_005775_.tmp.dll
c:\windows\system32\_005776_.tmp.dll
c:\windows\system32\_005777_.tmp.dll
c:\windows\system32\_005779_.tmp.dll
c:\windows\system32\_005780_.tmp.dll
c:\windows\system32\_005783_.tmp.dll
c:\windows\system32\_005784_.tmp.dll
c:\windows\system32\_005786_.tmp.dll
c:\windows\system32\_005787_.tmp.dll
c:\windows\system32\_005788_.tmp.dll
c:\windows\system32\_005790_.tmp.dll
c:\windows\system32\_005793_.tmp.dll
c:\windows\system32\_005794_.tmp.dll
c:\windows\system32\_005798_.tmp.dll
c:\windows\system32\_005799_.tmp.dll
c:\windows\system32\_005801_.tmp.dll
c:\windows\system32\_005803_.tmp.dll
c:\windows\system32\_005804_.tmp.dll
c:\windows\system32\_005806_.tmp.dll
c:\windows\system32\_005807_.tmp.dll
c:\windows\system32\_005808_.tmp.dll
c:\windows\system32\_005809_.tmp.dll
c:\windows\system32\_005810_.tmp.dll
c:\windows\system32\_005813_.tmp.dll
c:\windows\system32\_005814_.tmp.dll
c:\windows\system32\_005815_.tmp.dll
c:\windows\system32\_005816_.tmp.dll
c:\windows\system32\_005817_.tmp.dll
c:\windows\system32\_005822_.tmp.dll
c:\windows\system32\_005824_.tmp.dll
c:\windows\system32\12069.exe
c:\windows\system32\16566.exe
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\begajetu.dll
c:\windows\system32\bennuar.old
c:\windows\system32\ddDEsot.dll
c:\windows\system32\desot.exe
c:\windows\system32\drivers\gasfkyewxlyfrx.sys
c:\windows\system32\drivers\SKYNETmdyspqxn.sys
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\drivers\UAColidmwqbne.sys
c:\windows\system32\dutudari.dll
c:\windows\system32\gajukilu.dll
c:\windows\system32\gasfkyfoulkxcp.dll
c:\windows\system32\gasfkyfrqobwec.dat
c:\windows\system32\gasfkypxtchxir.dat
c:\windows\system32\gasfkyswywcvkg.dll
c:\windows\system32\gasfkyvwbuyowy.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\lefegosi.exe
c:\windows\system32\lejivaya.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\sdra64.exe
c:\windows\system32\SKYNETfolidwfp.dll
c:\windows\system32\SKYNETpdpmmlvm.dat
c:\windows\system32\SKYNETrfiyqxtk.dll
c:\windows\system32\SKYNETspwibabw.dll
c:\windows\system32\SKYNETwowbbylk.dat
c:\windows\system32\sonhelp.htm
c:\windows\system32\sorujome.exe
c:\windows\system32\sysnet.dat
c:\windows\system32\UACbgqxyyrvkp.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmntflwmurq.dll
c:\windows\system32\UACmputhxdpbo.dat
c:\windows\system32\UACvpxufrqfta.dll
c:\windows\system32\UACwlboaflqev.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wispex.html
c:\windows\Temp\scsE.tmp

-- Previous Run --

c:\windows\system32\eventlog.dll . . . is infected!!

--------

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyqppprlot
-------\Legacy_gasfkyqppprlot
-------\Service_SKYNETebcbnmpx
-------\Legacy_SKYNETebcbnmpx
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_TDSSSERV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ee}
-------\Legacy_AntipPolice_
-------\Service_AntipPolice_


((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-21 16:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-09-21 16:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-09-21 00:09 . 2009-09-21 00:09 574 ----a-w- C:\cleanup.bat
2009-09-21 00:09 . 2009-09-21 00:09 135168 ----a-w- C:\zip.exe
2009-09-16 00:38 . 2009-09-16 00:38 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Adobe
2009-09-15 23:02 . 2009-09-15 23:02 -------- d-----w- C:\Autoruns
2009-09-13 19:34 . 2009-09-13 19:34 -------- d-----w- c:\documents and settings\hughesc\Application Data\SUPERAntiSpyware.com
2009-09-13 19:33 . 2009-09-13 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-13 19:04 . 2009-09-13 19:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-13 16:49 . 2009-09-21 14:14 -------- d-----w- C:\ComboFix
2009-09-12 16:58 . 2002-08-29 11:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-12 16:58 . 2002-08-29 11:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-12 14:16 . 2009-09-12 14:16 73728 ----a-w- C:\khwx.exe
2009-09-12 14:16 . 2009-09-12 14:16 49664 ----a-w- C:\lriaxaso.exe
2009-09-12 14:16 . 2009-09-12 14:16 19967 ----a-w- C:\qcmqsqna.exe
2009-09-10 22:29 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 21:35 . 2009-09-07 21:35 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2009-09-04 13:32 . 2009-09-04 13:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 15:07 . 2009-09-13 15:07 84992 ----a-w- c:\windows\system32\drivers\OLD1C2.tmp
2009-09-13 15:04 . 2009-06-23 16:03 10752 ----a-w- c:\windows\DCEBoot.exe
2009-09-13 15:04 . 2009-09-13 15:04 84992 ----a-w- c:\windows\system32\drivers\OLD1B5.tmp
2009-09-13 15:04 . 2009-09-13 15:04 84992 ----a-w- c:\windows\system32\drivers\OLD1B3.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1B1.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1AF.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1AD.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1AB.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1A9.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1A7.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1A5.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1A3.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD1A1.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD19F.tmp
2009-09-13 15:03 . 2009-09-13 15:03 84992 ----a-w- c:\windows\system32\drivers\OLD19D.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD19B.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD199.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD197.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD195.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD193.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD191.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD18F.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD18D.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD18B.tmp
2009-09-13 15:02 . 2009-09-13 15:02 84992 ----a-w- c:\windows\system32\drivers\OLD189.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD187.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD185.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD183.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD181.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD17F.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD17D.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD17B.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD179.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD177.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD175.tmp
2009-09-13 15:01 . 2009-09-13 15:01 84992 ----a-w- c:\windows\system32\drivers\OLD173.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD171.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD16F.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD16D.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD16B.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD169.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD167.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD165.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD163.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD161.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD15F.tmp
2009-09-13 15:00 . 2009-09-13 15:00 84992 ----a-w- c:\windows\system32\drivers\OLD15D.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD15B.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD159.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD157.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD155.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD153.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD151.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD14F.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD14D.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD14B.tmp
2009-09-13 14:59 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD149.tmp
2009-09-13 14:58 . 2009-09-13 14:59 84992 ----a-w- c:\windows\system32\drivers\OLD147.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD145.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD143.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD141.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD13F.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD13D.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD13B.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD139.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD137.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD135.tmp
2009-09-13 14:58 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD133.tmp
2009-09-13 14:57 . 2009-09-13 14:58 84992 ----a-w- c:\windows\system32\drivers\OLD131.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD12F.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD12D.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD12B.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD129.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD127.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD125.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD123.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD121.tmp
2009-09-13 14:57 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD11F.tmp
2009-09-13 14:56 . 2009-09-13 14:57 84992 ----a-w- c:\windows\system32\drivers\OLD11D.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD11B.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD119.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD117.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD115.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD113.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD111.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD10F.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD10D.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD10B.tmp
2009-09-13 14:56 . 2009-09-13 14:56 84992 ----a-w- c:\windows\system32\drivers\OLD109.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLD107.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLD105.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLD103.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLD101.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDFF.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDFD.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDFB.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDF9.tmp
2009-09-13 14:55 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDF7.tmp
2009-09-13 14:54 . 2009-09-13 14:55 84992 ----a-w- c:\windows\system32\drivers\OLDF5.tmp
2009-09-13 14:54 . 2009-09-13 14:54 84992 ----a-w- c:\windows\system32\drivers\OLDF3.tmp
2008-12-26 01:19 . 2007-07-09 19:01 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-26 01:19 . 2007-07-09 19:01 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-26 01:19 . 2007-07-09 19:01 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-26 01:19 . 2007-07-09 19:01 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-26 01:19 . 2007-07-09 19:01 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-04-20 23:02 . 2009-01-20 23:02 5799 --sha-w- c:\windows\SYSTEM32\jakejoki.dll
2009-06-23 00:14 . 2009-03-23 00:14 5835 --sha-w- c:\windows\SYSTEM32\kuwibipa.dll
2009-04-20 23:02 . 2009-01-20 23:02 5515 --sha-w- c:\windows\SYSTEM32\veyopiho.exe
2009-04-20 23:02 . 2009-01-20 23:02 5799 --sha-w- c:\windows\SYSTEM32\wubefivu.exe
.

------- Sigcheck -------

[7] 2002-08-29 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\SYSTEM32\DLLCACHE\beep.sys
[-] 2002-08-29 11:00 . AA056BA75BB5F4BBE4949B8A05190EF8 . 4224 . . [------] . . c:\windows\SYSTEM32\DRIVERS\beep.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-15 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2006-04-29 684032]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="c:\windows\system32\nwiz.exe" [2003-10-06 741376]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 36975]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-06-06 936960]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-01-31 1398024]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\hughesc\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2003-10-27 225280]
PowerReg Scheduler.exe [2005-1-8 256000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-4-20 106560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\UfNavi.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\UfSeAgnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\WINDOWS\\SYSTEM32\\DSentry.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmPfw.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\SYSTEM32\DRIVERS\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
R2 tmevtmgr;tmevtmgr;c:\windows\SYSTEM32\DRIVERS\tmevtmgr.sys [4/21/2008 11:22 AM 52624]
R2 tmpreflt;tmpreflt;c:\windows\SYSTEM32\DRIVERS\tmpreflt.sys [2/15/2008 11:39 PM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\SYSTEM32\DRIVERS\TM_CFW.sys [2/15/2008 11:39 PM 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [4/21/2008 11:22 AM 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [4/21/2008 11:22 AM 648456]
S1 sasdifsv;SASDIFSV;\??\g:\superantispyware\SASDIFSV.SYS --> g:\superantispyware\SASDIFSV.SYS [?]
S1 saskutil;SASKUTIL;\??\g:\superantispyware\SASKUTIL.sys --> g:\superantispyware\SASKUTIL.sys [?]
S2 97E9B04DCFB56E9C;97E9B04DCFB56E9C;\??\c:\windows\system32\97E9B04DCFB56E9C\97E9B04DCFB56E9C --> c:\windows\system32\97E9B04DCFB56E9C\97E9B04DCFB56E9C [?]
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\SYSTEM32\DRIVERS\mr97310v.sys [7/18/2006 2:40 PM 99840]
S3 sasenum;SASENUM;\??\g:\superantispyware\SASENUM.SYS --> g:\superantispyware\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-06-19 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-09-19 20:04]

2009-06-19 c:\windows\Tasks\wrSpySweeperFullSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-09-19 20:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar =
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
Trusted Zone: csc.com\csc100.nwk.amer
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\hughesc\Application Data\Mozilla\Firefox\Profiles\o5kl5rvc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{fa83d077-1d65-4273-b5c3-0ba94f1a5f37} - yetujigi.dll
HKCU-Run-SUPERAntiSpyware - g:\superantispyware\SUPERAntiSpyware.exe
HKLM-Run-12815934 - c:\documents and settings\All Users\Application Data\12815934\12815934.exe
HKLM-Run-begagiwudi - pihuwali.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 13:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\97E9B04DCFB56E9C]
"ImagePath"="\??\c:\windows\system32\97E9B04DCFB56E9C\97E9B04DCFB56E9C"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-21 13:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-21 17:35

Pre-Run: 1,289,977,856 bytes free
Post-Run: 2,098,397,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

472 --- E O F --- 2009-09-11 19:57



