
Antivirus Pro 2010 Infected!


This topic is locked
39 replies to this topic

#1 JNW

Posted 21 September 2009 - 08:02 AM

My PC (XP SP3) has the Antivirus Pro 2010 malware. I tried removing it with Malwarebytes but it shuts down (disappears) when I try to start the scan. I also can't use SpyBot or McAfee programs. Internet Explorer and other programs will not run as well. I started a HijackThis log and it too shut down. Google Chrome does run oddly.

After the AV programs shut down, a window pops up when I try to run them again stating: "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item." I am an Administrator on the system.

Thanks

The Win32kDiag is the only log that I was able to run successfully:


Log file at : C:\Documents and Settings\TEMP\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\Managed

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-10 06:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\dllcache\eventlog.dll ()

[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\CR_85.tmp\CR_85.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!
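Added example, not from this thread, the Win32kDiag tool or its author: a Python triage script that reads a Win32kDiag log in the format posted above, lists every directory whose mount point resolves to the `\Device\__max++>\^` destination the log shows, and, for each "Cannot access:" file, compares the on-disk copy against the other copies the tool enumerated. The embedded log excerpt is constructed from the lines above (not the full log), and the rule that a vendor-stamped copy under `ServicePackFiles` is the clean reference is this example's own assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed excerpt of the Win32kDiag log posted in this thread. The real log
# double-spaces its entries; the parser skips blank lines, so they are omitted.
SAMPLE_LOG = r"""Log file at : C:\Documents and Settings\TEMP\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-10 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\dllcache\eventlog.dll ()
[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

# Destination every hijacked mount point in this thread's logs resolves to.
ROOTKIT_DESTINATION = r"\Device\__max++>\^"

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[group] YYYY-MM-DD HH:MM:SS size path (vendor)"; vendor may be empty: "()"
COPY_RE = re.compile(
    r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \(([^)]*)\)$"
)


@dataclass
class FileCopy:
    group: int
    timestamp: str
    size: int
    path: str
    vendor: str


@dataclass
class BlockedFile:
    path: str
    copies: List[FileCopy] = field(default_factory=list)


def parse_win32kdiag(text: str) -> Tuple[List[Tuple[str, str]], List[BlockedFile]]:
    """Return ([(mount path, destination)], [files the tool could not open])."""
    mounts, blocked = [], []
    pending_mount, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            mounts.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := CANNOT_RE.match(line):
            current = BlockedFile(m.group(1))
            blocked.append(current)
        elif (m := COPY_RE.match(line)) and current is not None:
            current.copies.append(FileCopy(int(m.group(1)), m.group(2),
                                           int(m.group(3)), m.group(4), m.group(5)))
    return mounts, blocked


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(text: str) -> dict:
    """Flag hijacked directories, and locked system files whose live copy has no
    version info while a vendor-stamped ServicePackFiles copy of the same name exists."""
    mounts, blocked = parse_win32kdiag(text)
    report = {
        "hijacked_mount_points": [p for p, d in mounts if d == ROOTKIT_DESTINATION],
        "other_mount_points": [p for p, d in mounts if d != ROOTKIT_DESTINATION],
        "blocked_files": [],
    }
    for bf in blocked:
        # Only copies with the same file name are comparable (the log also lists
        # look-alikes such as logevent.dll under a separate [2] group).
        same_name = [c for c in bf.copies if _basename(c.path) == _basename(bf.path)]
        live = next((c for c in same_name if c.path.lower() == bf.path.lower()), None)
        refs = [c for c in same_name if c.vendor and "\\ServicePackFiles\\" in c.path]
        ref = max(refs, key=lambda c: c.timestamp) if refs else None
        suspicious = [c.path for c in same_name if not c.vendor]  # no version info
        report["blocked_files"].append({
            "path": bf.path,
            "live_size": live.size if live else None,
            "live_vendor": live.vendor if live else None,
            "reference_path": ref.path if ref else None,
            "reference_size": ref.size if ref else None,
            "suspicious_copies": suspicious,
            # Recommend replacement only when the live file itself lacks version
            # info and a clean reference copy of the same name is available.
            "replace_recommended": bool(live and not live.vendor and ref),
        })
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"hijacked mount points: {len(result['hijacked_mount_points'])}")
    for bf in result["blocked_files"]:
        print(f"{bf['path']}: live {bf['live_size']} bytes, vendor {bf['live_vendor']!r}; "
              f"reference {bf['reference_path']} ({bf['reference_size']} bytes); "
              f"replace: {bf['replace_recommended']}")
```

On the excerpt this reports two hijacked mount points and marks the live `eventlog.dll` (62464 bytes, no vendor) for replacement from the 56320-byte `ServicePackFiles\i386` copy, which is the file the next replies restore.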


#2 SifuMike (malware expert)

Posted 25 September 2009 - 09:35 PM

Hello JNW,

You have a nasty rootkit on this computer. :(

Please save this file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text)

"%userprofile%\desktop\win32kdiag.exe" -f -r

into the "Open" box, and click OK.
When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 JNW (Topic Starter)

Posted 26 September 2009 - 08:48 AM

Thanks for the help! Here is the log:


Running from: C:\Documents and Settings\Jeff\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Jeff\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ERDNT\ERDNT

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\Managed

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\Managed

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\dllcache\eventlog.dll ()

[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\CR_85.tmp\CR_85.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\CR_85.tmp\CR_85.tmp

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

#4 SifuMike (malware expert)

Posted 26 September 2009 - 10:35 AM

Hi JNW,

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (next step) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========


:( Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
:(
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

#5 JNW (Topic Starter)

Posted 26 September 2009 - 03:39 PM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Google chrome is now disabled. I get a warning window that states, "Application cannot be executed. the file is infected. Please activate your antivirus software" I keep getting a host of pop up windows trying to get me to download the Antivirus Pro 2010 program and others I believe.

Fortunately I have Apple Safari on this PC. Hopefully it won't shut down as well.

Here is the Avenger Log:


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#6 SifuMike (malware expert)

Posted 26 September 2009 - 04:06 PM

Hi JNW,

What version of McAfee do you have on this computer?
Is it McAfee Security Center?

Edited by SifuMike, 26 September 2009 - 04:06 PM.


#7 JNW (Topic Starter)

Posted 26 September 2009 - 05:05 PM

Yes.

#8 SifuMike (malware expert, Staff Emeritus)

Posted 26 September 2009 - 06:09 PM

Hi JNW,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee Security Center before running ComboFix, as it will prevent it from running.

To Disable McAfee Security Center

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#9 JNW (Topic Starter)

Posted 26 September 2009 - 07:23 PM

Ok, looks like ComboFix did the job! Here is the log:

ComboFix 09-09-25.01 - Jeff 09/26/2009 19:59.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.627 [GMT -4:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


----- BITS: Possible infected sites -----

hxxp://77.74.48.101
hxxp://193.33.61.160
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.

2009-09-26 23:43 . 2009-09-26 23:43 18627 ----a-w- c:\windows\system32\kycu.com
2009-09-26 23:43 . 2009-09-26 23:43 18361 ----a-w- c:\windows\system32\ujyxu.dat
2009-09-26 23:43 . 2009-09-26 23:43 14111 ----a-w- c:\windows\ifubivu.com
2009-09-26 23:01 . 2009-09-26 23:01 61796 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-26 21:53 . 2009-09-26 21:53 11839 ----a-w- c:\program files\Common Files\ketarutyco.dat
2009-09-26 21:53 . 2009-09-26 21:53 10954 ----a-w- c:\windows\system32\ehycejiz.dat
2009-09-26 20:27 . 2009-09-26 20:27 11154 ----a-w- c:\windows\jutofavow.com
2009-09-26 20:25 . 2009-09-26 20:25 15927 ----a-w- c:\documents and settings\TEMP\Local Settings\Application Data\kohy.dat
2009-09-26 20:25 . 2009-09-26 20:25 13566 ----a-w- c:\windows\ukic.com
2009-09-26 20:18 . 2009-09-26 20:18 14714 ----a-w- c:\windows\pehureme.com
2009-09-26 20:04 . 2009-09-26 20:04 -------- d-----w- c:\documents and settings\TEMP\Application Data\Template
2009-09-24 23:10 . 2009-09-24 23:10 12338 ----a-w- c:\windows\qifuripe.dat
2009-09-24 23:10 . 2009-09-24 23:10 11380 ----a-w- c:\windows\system32\ojusyme.dat
2009-09-24 21:36 . 2009-09-24 21:36 12349 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\jeceviwe.dat
2009-09-23 15:27 . 2009-09-23 15:27 19747 ----a-w- c:\windows\system32\uhor.dat
2009-09-23 15:27 . 2009-09-23 15:27 14099 ----a-w- c:\documents and settings\TEMP\Local Settings\Application Data\zusasusyv.dat
2009-09-23 11:11 . 2009-09-23 11:11 19528 ----a-w- c:\windows\ygulyzupo.com
2009-09-23 11:11 . 2009-09-23 11:11 13747 ----a-w- c:\documents and settings\Mary\Local Settings\Application Data\ilapudufyw.dat
2009-09-22 23:31 . 2009-09-22 23:31 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Adobe
2009-09-21 12:50 . 2009-09-21 12:50 18616 ----a-w- c:\windows\system32\pogetikif.dat
2009-09-20 13:01 . 2009-09-20 15:17 34816 ----a-w- c:\windows\system32\drivers\rootrepeal2.sys
2009-09-20 01:29 . 2009-09-20 01:29 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Apple
2009-09-20 01:15 . 2009-09-26 22:01 -------- d-----w- c:\documents and settings\TEMP\Application Data\Apple Computer
2009-09-20 00:33 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 00:33 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-19 20:25 . 2009-09-19 20:25 11052 ----a-w- c:\windows\wuxohe.dat
2009-09-19 19:57 . 2009-09-19 19:57 6656 ----a-w- C:\rhjdpc.exe
2009-09-15 16:16 . 2009-09-15 16:16 -------- d-----w- c:\documents and settings\TEMP\Application Data\Malwarebytes
2009-09-15 14:40 . 2009-09-15 14:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-09-14 20:23 . 2009-09-25 14:34 -------- d-----w- c:\documents and settings\TEMP\Application Data\skypePM
2009-09-14 20:17 . 2009-09-25 15:07 -------- d-----w- c:\documents and settings\TEMP\Application Data\Skype
2009-09-14 20:15 . 2009-09-14 20:15 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Identities
2009-09-14 02:39 . 2009-09-14 02:39 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\AOL
2009-09-14 02:35 . 2009-09-14 02:35 -------- d-sh--w- c:\documents and settings\TEMP\IECompatCache
2009-09-14 02:32 . 2009-09-14 02:32 -------- d-sh--w- c:\documents and settings\TEMP\PrivacIE
2009-09-14 02:30 . 2009-09-26 22:01 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Apple Computer
2009-09-14 02:30 . 2009-09-14 02:30 -------- d-sh--w- c:\documents and settings\TEMP\IETldCache
2009-09-09 20:41 . 2009-09-24 21:41 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Temp
2009-09-09 18:05 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 14:29 . 2009-09-08 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-07 20:31 . 2009-09-07 20:31 -------- d-sh--w- c:\documents and settings\Mary\IECompatCache
2009-09-05 02:10 . 2009-09-05 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-04 00:09 . 2009-09-04 00:09 -------- d-----w- c:\program files\MSECache
2009-08-30 21:45 . 2009-08-30 21:45 -------- d-----w- c:\program files\iPod
2009-08-30 21:44 . 2009-08-30 21:45 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 23:43 . 2009-09-26 23:43 18557 ----a-w- c:\documents and settings\TEMP\Application Data\pufixej.dat
2009-09-26 23:43 . 2009-09-26 23:43 12375 ----a-w- c:\program files\Common Files\webaperis.lib
2009-09-26 23:32 . 2009-09-26 23:32 18862 ----a-w- c:\program files\Common Files\yqefacah.db
2009-09-26 23:32 . 2009-09-26 23:32 13271 ----a-w- c:\program files\Common Files\qopi.lib
2009-09-26 22:46 . 2009-09-26 22:46 19866 ----a-w- c:\documents and settings\Jeff\Application Data\urawihamip.dat
2009-09-26 22:24 . 2009-09-26 22:24 19010 ----a-w- c:\program files\Common Files\mesotuviby._sy
2009-09-26 22:24 . 2009-09-26 22:24 15117 ----a-w- c:\program files\Common Files\hylafi._sy
2009-09-26 21:53 . 2009-09-26 21:53 17091 ----a-w- c:\program files\Common Files\sorucirur.lib
2009-09-26 20:28 . 2007-05-13 14:25 -------- d-----w- c:\documents and settings\Jeff\Application Data\Apple Computer
2009-09-26 20:27 . 2009-09-26 20:27 16736 ----a-w- c:\program files\Common Files\uzepac.lib
2009-09-26 20:18 . 2009-09-26 20:18 15839 ----a-w- c:\program files\Common Files\icyf.lib
2009-09-26 20:18 . 2009-09-26 20:18 14204 ----a-w- c:\documents and settings\All Users\Application Data\qagus.dat
2009-09-26 20:04 . 2009-09-26 20:04 0 ----a-w- c:\documents and settings\TEMP\Application Data\wklnhst.dat
2009-09-26 20:04 . 2008-08-28 13:41 -------- d-----w- c:\program files\McAfee
2009-09-26 19:58 . 2009-09-26 10:18 1082916 ---ha-w- c:\windows\system32\BITCD.tmp
2009-09-26 14:24 . 2009-06-26 14:24 50176 --sha-w- c:\windows\system32\sizesare.dll
2009-09-26 02:12 . 2009-08-22 16:39 -------- d-----w- c:\documents and settings\Kari\Application Data\Skype
2009-09-25 21:35 . 2009-08-22 16:50 -------- d-----w- c:\documents and settings\Kari\Application Data\skypePM
2009-09-23 15:27 . 2009-09-23 15:27 15267 ----a-w- c:\documents and settings\TEMP\Application Data\ofyqah.dat
2009-09-23 15:27 . 2009-09-23 15:27 13155 ----a-w- c:\program files\Common Files\wedul.lib
2009-09-23 11:10 . 2009-06-23 11:10 87552 --sha-w- c:\windows\system32\zayiyahu.dll
2009-09-21 12:50 . 2009-06-21 12:49 50176 --sha-w- c:\windows\system32\sunapija.dll
2009-09-21 12:50 . 2009-09-21 12:50 15522 ----a-w- c:\program files\Common Files\azaqiqe._sy
2009-09-20 00:33 . 2008-12-09 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-19 20:25 . 2009-09-19 20:25 13406 ----a-w- c:\program files\Common Files\fuxorynap.db
2009-09-17 02:20 . 2009-08-25 22:17 -------- d-----w- c:\documents and settings\Jon\Application Data\Skype
2009-09-17 00:56 . 2009-08-25 23:33 -------- d-----w- c:\documents and settings\Jon\Application Data\skypePM
2009-09-14 19:37 . 2008-10-01 20:57 -------- d-----w- c:\documents and settings\Kari\Application Data\Canon
2009-09-14 19:30 . 2007-01-13 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-13 22:09 . 2009-09-13 22:09 664 ----a-w- c:\documents and settings\Kari\Local Settings\Application Data\d3d9caps.tmp
2009-09-13 16:19 . 2008-09-09 21:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-09 00:42 . 2009-08-21 20:05 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype
2009-09-08 14:30 . 2007-01-08 13:47 -------- d-----w- c:\program files\Google
2009-09-05 21:48 . 2007-01-08 13:56 78432 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 21:34 . 2007-01-13 13:33 78432 ----a-w- c:\documents and settings\Kari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 21:45 . 2007-12-13 22:48 -------- d-----w- c:\program files\Common Files\Apple
2009-08-30 13:43 . 2009-08-21 17:30 -------- d-----w- c:\documents and settings\Mary\Application Data\Skype
2009-08-30 13:43 . 2009-08-21 17:33 -------- d-----w- c:\documents and settings\Mary\Application Data\skypePM
2009-08-24 14:38 . 2007-08-26 22:51 -------- d-----w- c:\documents and settings\Admin\Application Data\Canon
2009-08-24 14:35 . 2009-08-24 14:35 -------- d-----w- c:\documents and settings\Admin\Application Data\ArcSoft
2009-08-24 01:20 . 2009-08-21 20:06 -------- d-----w- c:\documents and settings\Admin\Application Data\skypePM
2009-08-21 20:23 . 2009-08-21 20:23 -------- d-----w- c:\program files\EyetoyOnComputer Project
2009-08-21 17:33 . 2009-08-21 17:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-21 17:29 . 2009-08-21 17:29 -------- d-----r- c:\program files\Skype
2009-08-21 17:29 . 2009-08-21 17:29 -------- d-----w- c:\program files\Common Files\Skype
2009-08-21 17:29 . 2009-08-21 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-12 19:17 . 2008-05-22 23:52 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-08-05 09:01 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 14:04 . 2009-07-30 14:04 61224 ----a-w- c:\documents and settings\Admin\GoToAssistDownloadHelper.exe
2009-07-17 19:01 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2005-08-16 09:19 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-08-16 09:18 915456 ----a-w- c:\windows\system32\wininet.dll
2007-01-16 21:47 . 2007-01-16 21:47 251 -c--a-w- c:\program files\wt3d.ini
2009-06-20 12:36 . 2009-06-20 12:36 50688 --sha-w- c:\windows\system32\fovayaga.dll.tmp
2009-06-26 14:24 . 2009-06-26 14:24 73728 --sha-w- c:\windows\system32\fuledipu.exe
2009-06-20 12:36 . 2009-06-20 12:36 50688 --sha-w- c:\windows\system32\kivigoru.dll.tmp
2009-06-20 12:36 . 2009-06-20 12:36 50688 --sha-w- c:\windows\system32\legidonu.dll.tmp
2009-06-21 12:50 . 2009-06-21 12:50 50176 --sha-w- c:\windows\system32\levewani.dll.tmp
2009-06-26 14:24 . 2009-06-26 14:24 172032 --sha-w- c:\windows\system32\pulowule.exe
2009-06-21 12:50 . 2009-06-21 12:50 50176 --sha-w- c:\windows\system32\sawigewe.dll.tmp
2009-06-21 12:50 . 2009-06-21 12:50 50176 --sha-w- c:\windows\system32\zukumuha.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\Mary\Start Menu\Programs\Startup\
Questionmark to Go Result Uploader.lnk.disabled [2009-3-25 2613]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-1-20 1757]
Digital Line Detect.lnk.disabled [2007-1-8 493]
Microsoft Office.lnk.disabled [2007-1-15 1725]
Nikon Monitor.lnk.disabled [2008-6-18 1815]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal1.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal2.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SigmatelSysTrayApp"=stsystra.exe
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
"Verizon_McciTrayApp"=c:\program files\Verizon\McciTrayApp.exe
"ehTray"=c:\windows\ehome\ehtray.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\csc.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"=
"c:\\WINDOWS\\ehome\\ehmsas.exe"=
"c:\\Program Files\\Canon\\CAL\\CALMAIN.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McProxy\\McProxy.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\McAfee\\MSK\\msksrver.exe"=
"c:\\Program Files\\Verizon\\VSP\\VerizonServicepoint.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 prohlp01;StarForce Protection Helper Driver v1;c:\windows\system32\drivers\prohlp01.sys [12/26/2002 10:20 AM 61728]
R1 prodrv05;StarForce Protection Environment Driver v5;c:\windows\system32\drivers\prodrv05.sys [12/26/2002 10:14 AM 53568]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/9/2008 5:37 PM 92296]
S2 gupdate1ca3090d017ccc8;Google Update Service (gupdate1ca3090d017ccc8);c:\program files\Google\Update\GoogleUpdate.exe [9/8/2009 10:29 AM 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 rootrepeal1;rootrepeal1;\??\c:\windows\system32\drivers\rootrepeal1.sys --> c:\windows\system32\drivers\rootrepeal1.sys [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [9/20/2009 9:01 AM 34816]
S3 tatertot.scr;tatertot.scr;\??\c:\windows\system32\drivers\tatertot.scr.sys --> c:\windows\system32\drivers\tatertot.scr.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 14:29]

2009-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 14:29]

2009-09-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 14:29]

2008-08-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-28 14:53]

2008-08-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-28 14:53]

2009-09-26 c:\windows\Tasks\User_Feed_Synchronization-{6FEFD570-42FE-464B-AA37-69438045B969}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {B0BAEAAF-3C0C-4153-909E-3FD97A1A2928} = 77.74.48.113
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://144.26.58.59/kxhcm10.ocx
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-lujikilut - c:\windows\system32\reguligu.dll
HKU-Default-Run-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe
SharedTaskScheduler-{f9fdb9c8-213c-4222-939b-cdd26d722a23} - c:\windows\system32\reguligu.dll
SSODL-yihusoviy-{f9fdb9c8-213c-4222-939b-cdd26d722a23} - c:\windows\system32\reguligu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 20:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-27 20:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 00:17
ComboFix2.txt 2008-12-11 14:31

Pre-Run: 111,803,252,736 bytes free
Post-Run: 114,191,446,016 bytes free

671 --- E O F --- 2009-09-17 14:36

#10 JNW


Posted 26 September 2009 - 07:31 PM

But... I still cannot run Internet Explorer, Malwarebytes, Spybot or run a McAfee scan. I have not checked all programs.

Same window text as before: "Windows cannot access the specified device, path, or file, You may not have the appropriate permission to access the item"

Thoughts?

#11 SifuMike


Posted 26 September 2009 - 09:29 PM

Hi JNW,

But... I still cannot run Internet Explorer, Malwarebytes, Spybot or run a McAfee scan. I have not checked all programs.

Same window text as before: "Windows cannot access the specified device, path, or file, You may not have the appropriate permission to access the item"


That's the effect of the rootkit. We will deal with that later.



You need to disable your McAfee Security Center before running ComboFix, as it will prevent it from running.

To Disable McAfee Security Center
Posted Image


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\kycu.com
c:\windows\system32\ujyxu.dat
c:\windows\ifubivu.com
c:\program files\Common Files\ketarutyco.dat
c:\windows\system32\ehycejiz.dat
c:\windows\jutofavow.com
c:\documents and settings\TEMP\Local Settings\Application Data\kohy.dat
c:\windows\ukic.com
c:\windows\pehureme.com
c:\windows\qifuripe.dat
c:\windows\system32\ojusyme.dat
c:\documents and settings\Jon\Local Settings\Application Data\jeceviwe.dat
c:\windows\system32\uhor.dat
c:\documents and settings\TEMP\Local Settings\Application Data\zusasusyv.dat
c:\windows\ygulyzupo.com
c:\documents and settings\Mary\Local Settings\Application Data\ilapudufyw.dat
c:\windows\system32\pogetikif.dat
c:\windows\wuxohe.dat
C:\rhjdpc.exe
c:\documents and settings\TEMP\Application Data\pufixej.dat
c:\program files\Common Files\webaperis.lib
c:\program files\Common Files\yqefacah.db
c:\program files\Common Files\qopi.lib
c:\documents and settings\Jeff\Application Data\urawihamip.dat
c:\program files\Common Files\mesotuviby._sy
c:\program files\Common Files\hylafi._sy
c:\program files\Common Files\sorucirur.lib
c:\program files\Common Files\uzepac.lib
c:\program files\Common Files\icyf.lib
c:\documents and settings\All Users\Application Data\qagus.dat
c:\documents and settings\TEMP\Application Data\wklnhst.dat
c:\windows\system32\sizesare.dll
c:\documents and settings\TEMP\Application Data\ofyqah.dat
c:\program files\Common Files\wedul.lib
c:\windows\system32\zayiyahu.dll
c:\windows\system32\sunapija.dll
c:\program files\Common Files\azaqiqe._sy
c:\program files\Common Files\fuxorynap.db
c:\windows\system32\fovayaga.dll.tmp
c:\windows\system32\fuledipu.exe
c:\windows\system32\kivigoru.dll.tmp
c:\windows\system32\legidonu.dll.tmp
c:\windows\system32\levewani.dll.tmp
c:\windows\system32\pulowule.exe
c:\windows\system32\sawigewe.dll.tmp
c:\windows\system32\zukumuha.dll.tmp

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Edited by SifuMike, 26 September 2009 - 09:30 PM.

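The Registry:: block in the CFScript above reverts two values the earlier log showed flipped ("UpdatesDisableNotify"=dword:00000001 under security center, "EnableFirewall"= 0 under firewallpolicy\standardprofile), and the File:: list is dominated by system+hidden (--sha-w-) files with random names in system32. As an added example, not part of this thread and not a ComboFix or BleepingComputer tool, the Python below reads the Find3M and Reg Loading Points line formats of a ComboFix log and flags exactly those two kinds of indicator for a human to review. SAMPLE_LOG is a constructed excerpt shaped on the log lines quoted in this thread; the Finding class, audit_combofix_log and parse_dword are my own names.

```python
"""Audit a ComboFix log for the tampering a rogue AV leaves behind.

Added example for this thread (not ComboFix's own code): flags the two
registry values the CFScript above resets, plus any plain file carrying
both the system and hidden attributes, which is how the random-named
.dll.tmp/.exe files in this log are marked. Output is for human review.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied in shape from the log quoted in this thread.
SAMPLE_LOG = r"""
2009-06-20 12:36 . 2009-06-20 12:36 50688 --sha-w- c:\windows\system32\fovayaga.dll.tmp
2009-06-26 14:24 . 2009-06-26 14:24 73728 --sha-w- c:\windows\system32\fuledipu.exe
2009-08-21 17:33 . 2009-08-21 17:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-17 19:01 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-09-14 02:35 . 2009-09-14 02:35 -------- d-sh--w- c:\documents and settings\TEMP\IECompatCache

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""

# Find3M line: mtime . ctime size attrs path  (size is "--------" for directories)
FILE_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(?P<size>\S+) +(?P<attrs>[-a-z]{8}) +(?P<path>.+)$"
)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# (key suffix, value name, value meaning tampered, description, reverting CFScript line)
# The 'fix' column mirrors the Registry:: lines of the CFScript posted above.
REGISTRY_RULES = (
    ("\\microsoft\\security center", "updatesdisablenotify", 1,
     "Security Center update notifications are disabled",
     '"UpdatesDisableNotify"=dword:00000000'),
    ("\\firewallpolicy\\standardprofile", "enablefirewall", 0,
     "Windows Firewall is disabled for the standard profile",
     '"EnableFirewall"=dword:00000001'),
)


@dataclass(frozen=True)
class Finding:
    category: str   # "registry" or "hidden-system-file"
    where: str      # registry key or file path
    detail: str
    fix: str        # reverting CFScript line, or a review note


def parse_dword(text: str):
    """Accept both spellings ComboFix prints: 'dword:00000001' and '1 (0x1)'."""
    text = text.strip()
    m = re.match(r"dword:([0-9a-fA-F]{1,8})$", text)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", text)
    if m:
        return int(m.group(1))
    return None


def audit_combofix_log(text: str) -> list:
    """Return Findings for tampered registry values and system+hidden files."""
    findings = []
    key_raw, key = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # Directories (leading 'd') such as IECompatCache are legitimately
            # system+hidden; a plain file with both bits set deserves a look.
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs:
                findings.append(Finding(
                    "hidden-system-file", path,
                    f"system+hidden file ({attrs}) modified {m.group('mtime')}",
                    "review; add to File:: only once confirmed not a legitimate component"))
            continue
        m = KEY_LINE.match(line)
        if m:
            key_raw = m.group("key")
            key = key_raw.lower()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name, value = m.group("name").lower(), parse_dword(m.group("value"))
            for suffix, rule_name, bad, detail, fix in REGISTRY_RULES:
                if key.endswith(suffix) and name == rule_name and value == bad:
                    findings.append(Finding("registry", key_raw, detail, fix))
    return findings


if __name__ == "__main__":
    for f in audit_combofix_log(SAMPLE_LOG):
        print(f"[{f.category}] {f.where}: {f.detail} -> {f.fix}")
```

The attribute string is only inspected for the 's' and 'h' letters, so a hidden-only file such as ezsidmv.dat (---ha-w-) is not reported; ComboFix's own Find3M output is the input, so running this against a full log is just feeding the whole file to audit_combofix_log.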

#12 JNW


Posted 26 September 2009 - 11:41 PM

Ok, McAfee was disabled correctly this time. Here is the new log.

ComboFix 09-09-25.01 - Jeff 09/27/2009 0:25.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.632 [GMT -4:00]
Running from: c:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jeff\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\All Users\Application Data\qagus.dat"
"c:\documents and settings\Jeff\Application Data\urawihamip.dat"
"c:\documents and settings\Jon\Local Settings\Application Data\jeceviwe.dat"
"c:\documents and settings\Mary\Local Settings\Application Data\ilapudufyw.dat"
"c:\documents and settings\TEMP\Application Data\ofyqah.dat"
"c:\documents and settings\TEMP\Application Data\pufixej.dat"
"c:\documents and settings\TEMP\Application Data\wklnhst.dat"
"c:\documents and settings\TEMP\Local Settings\Application Data\kohy.dat"
"c:\documents and settings\TEMP\Local Settings\Application Data\zusasusyv.dat"
"c:\program files\Common Files\azaqiqe._sy"
"c:\program files\Common Files\fuxorynap.db"
"c:\program files\Common Files\hylafi._sy"
"c:\program files\Common Files\icyf.lib"
"c:\program files\Common Files\ketarutyco.dat"
"c:\program files\Common Files\mesotuviby._sy"
"c:\program files\Common Files\qopi.lib"
"c:\program files\Common Files\sorucirur.lib"
"c:\program files\Common Files\uzepac.lib"
"c:\program files\Common Files\webaperis.lib"
"c:\program files\Common Files\wedul.lib"
"c:\program files\Common Files\yqefacah.db"
"C:\rhjdpc.exe"
"c:\windows\ifubivu.com"
"c:\windows\jutofavow.com"
"c:\windows\pehureme.com"
"c:\windows\qifuripe.dat"
"c:\windows\system32\ehycejiz.dat"
"c:\windows\system32\fovayaga.dll.tmp"
"c:\windows\system32\fuledipu.exe"
"c:\windows\system32\kivigoru.dll.tmp"
"c:\windows\system32\kycu.com"
"c:\windows\system32\legidonu.dll.tmp"
"c:\windows\system32\levewani.dll.tmp"
"c:\windows\system32\ojusyme.dat"
"c:\windows\system32\pogetikif.dat"
"c:\windows\system32\pulowule.exe"
"c:\windows\system32\sawigewe.dll.tmp"
"c:\windows\system32\sizesare.dll"
"c:\windows\system32\sunapija.dll"
"c:\windows\system32\uhor.dat"
"c:\windows\system32\ujyxu.dat"
"c:\windows\system32\zayiyahu.dll"
"c:\windows\system32\zukumuha.dll.tmp"
"c:\windows\ukic.com"
"c:\windows\wuxohe.dat"
"c:\windows\ygulyzupo.com"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\qagus.dat
c:\documents and settings\Jeff\Application Data\urawihamip.dat
c:\documents and settings\Jon\Local Settings\Application Data\jeceviwe.dat
c:\documents and settings\Mary\Local Settings\Application Data\ilapudufyw.dat
c:\documents and settings\TEMP\Application Data\ofyqah.dat
c:\documents and settings\TEMP\Application Data\pufixej.dat
c:\documents and settings\TEMP\Application Data\wklnhst.dat
c:\documents and settings\TEMP\Local Settings\Application Data\kohy.dat
c:\documents and settings\TEMP\Local Settings\Application Data\zusasusyv.dat
c:\program files\Common Files\azaqiqe._sy
c:\program files\Common Files\fuxorynap.db
c:\program files\Common Files\hylafi._sy
c:\program files\Common Files\icyf.lib
c:\program files\Common Files\ketarutyco.dat
c:\program files\Common Files\mesotuviby._sy
c:\program files\Common Files\qopi.lib
c:\program files\Common Files\sorucirur.lib
c:\program files\Common Files\uzepac.lib
c:\program files\Common Files\webaperis.lib
c:\program files\Common Files\wedul.lib
c:\program files\Common Files\yqefacah.db
C:\rhjdpc.exe
c:\windows\ifubivu.com
c:\windows\jutofavow.com
c:\windows\pehureme.com
c:\windows\qifuripe.dat
c:\windows\system32\ehycejiz.dat
c:\windows\system32\fovayaga.dll.tmp
c:\windows\system32\fuledipu.exe
c:\windows\system32\kivigoru.dll.tmp
c:\windows\system32\kycu.com
c:\windows\system32\legidonu.dll.tmp
c:\windows\system32\levewani.dll.tmp
c:\windows\system32\ojusyme.dat
c:\windows\system32\pogetikif.dat
c:\windows\system32\pulowule.exe
c:\windows\system32\sawigewe.dll.tmp
c:\windows\system32\sizesare.dll
c:\windows\system32\sunapija.dll
c:\windows\system32\uhor.dat
c:\windows\system32\ujyxu.dat
c:\windows\system32\zayiyahu.dll
c:\windows\system32\zukumuha.dll.tmp
c:\windows\ukic.com
c:\windows\wuxohe.dat
c:\windows\ygulyzupo.com

.
((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.

2009-09-26 23:01 . 2009-09-26 23:01 61796 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-26 20:04 . 2009-09-26 20:04 -------- d-----w- c:\documents and settings\TEMP\Application Data\Template
2009-09-14 02:39 . 2009-09-14 02:39 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\AOL
2009-09-14 02:35 . 2009-09-14 02:35 -------- d-sh--w- c:\documents and settings\TEMP\IECompatCache
2009-09-14 02:32 . 2009-09-14 02:32 -------- d-sh--w- c:\documents and settings\TEMP\PrivacIE
2009-09-14 02:30 . 2009-09-26 22:01 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Apple Computer
2009-09-14 02:30 . 2009-09-14 02:30 -------- d-sh--w- c:\documents and settings\TEMP\IETldCache
2009-09-09 20:41 . 2009-09-24 21:41 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\Temp
2009-09-09 18:05 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 14:29 . 2009-09-08 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-07 20:31 . 2009-09-07 20:31 -------- d-sh--w- c:\documents and settings\Mary\IECompatCache
2009-09-05 02:10 . 2009-09-05 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-04 00:09 . 2009-09-04 00:09 -------- d-----w- c:\program files\MSECache
2009-08-30 21:45 . 2009-08-30 21:45 -------- d-----w- c:\program files\iPod
2009-08-30 21:44 . 2009-08-30 21:45 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-27 00:35 . 2008-08-28 13:41 -------- d-----w- c:\program files\McAfee
2009-09-26 22:01 . 2009-09-20 01:15 -------- d-----w- c:\documents and settings\TEMP\Application Data\Apple Computer
2009-09-26 20:28 . 2007-05-13 14:25 -------- d-----w- c:\documents and settings\Jeff\Application Data\Apple Computer
2009-09-26 19:58 . 2009-09-26 10:18 1082916 ---ha-w- c:\windows\system32\BITCD.tmp
2009-09-26 02:12 . 2009-08-22 16:39 -------- d-----w- c:\documents and settings\Kari\Application Data\Skype
2009-09-25 21:35 . 2009-08-22 16:50 -------- d-----w- c:\documents and settings\Kari\Application Data\skypePM
2009-09-25 15:07 . 2009-09-14 20:17 -------- d-----w- c:\documents and settings\TEMP\Application Data\Skype
2009-09-25 14:34 . 2009-09-14 20:23 -------- d-----w- c:\documents and settings\TEMP\Application Data\skypePM
2009-09-20 15:17 . 2009-09-20 13:01 34816 ----a-w- c:\windows\system32\drivers\rootrepeal2.sys
2009-09-20 00:33 . 2008-12-09 01:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-17 02:20 . 2009-08-25 22:17 -------- d-----w- c:\documents and settings\Jon\Application Data\Skype
2009-09-17 00:56 . 2009-08-25 23:33 -------- d-----w- c:\documents and settings\Jon\Application Data\skypePM
2009-09-15 16:16 . 2009-09-15 16:16 -------- d-----w- c:\documents and settings\TEMP\Application Data\Malwarebytes
2009-09-15 14:40 . 2009-09-15 14:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2009-09-14 19:37 . 2008-10-01 20:57 -------- d-----w- c:\documents and settings\Kari\Application Data\Canon
2009-09-14 19:30 . 2007-01-13 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-13 22:09 . 2009-09-13 22:09 664 ----a-w- c:\documents and settings\Kari\Local Settings\Application Data\d3d9caps.tmp
2009-09-13 16:19 . 2008-09-09 21:39 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-10 18:54 . 2009-09-20 00:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-09-20 00:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 00:42 . 2009-08-21 20:05 -------- d-----w- c:\documents and settings\Admin\Application Data\Skype
2009-09-08 14:30 . 2007-01-08 13:47 -------- d-----w- c:\program files\Google
2009-09-05 21:48 . 2007-01-08 13:56 78432 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 21:34 . 2007-01-13 13:33 78432 ----a-w- c:\documents and settings\Kari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 21:45 . 2007-12-13 22:48 -------- d-----w- c:\program files\Common Files\Apple
2009-08-30 13:43 . 2009-08-21 17:30 -------- d-----w- c:\documents and settings\Mary\Application Data\Skype
2009-08-30 13:43 . 2009-08-21 17:33 -------- d-----w- c:\documents and settings\Mary\Application Data\skypePM
2009-08-24 14:38 . 2007-08-26 22:51 -------- d-----w- c:\documents and settings\Admin\Application Data\Canon
2009-08-24 14:35 . 2009-08-24 14:35 -------- d-----w- c:\documents and settings\Admin\Application Data\ArcSoft
2009-08-24 01:20 . 2009-08-21 20:06 -------- d-----w- c:\documents and settings\Admin\Application Data\skypePM
2009-08-21 20:23 . 2009-08-21 20:23 -------- d-----w- c:\program files\EyetoyOnComputer Project
2009-08-21 17:33 . 2009-08-21 17:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-21 17:29 . 2009-08-21 17:29 -------- d-----r- c:\program files\Skype
2009-08-21 17:29 . 2009-08-21 17:29 -------- d-----w- c:\program files\Common Files\Skype
2009-08-21 17:29 . 2009-08-21 17:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-12 19:17 . 2008-05-22 23:52 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-08-05 09:01 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 14:04 . 2009-07-30 14:04 61224 ----a-w- c:\documents and settings\Admin\GoToAssistDownloadHelper.exe
2009-07-17 19:01 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2005-08-16 09:19 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2005-08-16 09:18 915456 ------w- c:\windows\system32\wininet.dll
2007-01-16 21:47 . 2007-01-16 21:47 251 -c--a-w- c:\program files\wt3d.ini
.

((((((((((((((((((((((((((((( SnapShot@2009-09-27_00.13.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-13 01:35 . 2009-09-27 00:35 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-01-13 01:35 . 2009-09-26 20:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-01-13 01:35 . 2009-09-27 00:35 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-01-13 01:35 . 2009-09-26 20:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-09-27 00:35 . 2009-09-27 00:35 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-01-13 01:35 . 2009-09-26 20:04 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-09-27 01:34 . 2009-08-28 18:38 24689600 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

c:\documents and settings\Mary\Start Menu\Programs\Startup\
Questionmark to Go Result Uploader.lnk.disabled [2009-3-25 2613]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk.disabled [2007-1-20 1757]
Digital Line Detect.lnk.disabled [2007-1-8 493]
Microsoft Office.lnk.disabled [2007-1-15 1725]
Nikon Monitor.lnk.disabled [2008-6-18 1815]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal1.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal2.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SigmatelSysTrayApp"=stsystra.exe
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
"Verizon_McciTrayApp"=c:\program files\Verizon\McciTrayApp.exe
"ehTray"=c:\windows\ehome\ehtray.exe
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\csc.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"=
"c:\\WINDOWS\\ehome\\ehmsas.exe"=
"c:\\Program Files\\Canon\\CAL\\CALMAIN.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\Mcshield.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McProxy\\McProxy.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\McAfee\\MSK\\msksrver.exe"=
"c:\\Program Files\\Verizon\\VSP\\VerizonServicepoint.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"c:\\Program Files\\Dell Support\\DSAgnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcsysmon.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 prohlp01;StarForce Protection Helper Driver v1;c:\windows\system32\drivers\prohlp01.sys [12/26/2002 10:20 AM 61728]
R1 prodrv05;StarForce Protection Environment Driver v5;c:\windows\system32\drivers\prodrv05.sys [12/26/2002 10:14 AM 53568]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/9/2008 5:37 PM 92296]
S2 gupdate1ca3090d017ccc8;Google Update Service (gupdate1ca3090d017ccc8);c:\program files\Google\Update\GoogleUpdate.exe [9/8/2009 10:29 AM 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 rootrepeal1;rootrepeal1;\??\c:\windows\system32\drivers\rootrepeal1.sys --> c:\windows\system32\drivers\rootrepeal1.sys [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [9/20/2009 9:01 AM 34816]
S3 tatertot.scr;tatertot.scr;\??\c:\windows\system32\drivers\tatertot.scr.sys --> c:\windows\system32\drivers\tatertot.scr.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 14:29]

2009-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 14:29]

2009-09-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 14:29]

2008-08-28 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-28 14:53]

2008-08-28 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-08-28 14:53]

2009-09-26 c:\windows\Tasks\User_Feed_Synchronization-{6FEFD570-42FE-464B-AA37-69438045B969}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {B0BAEAAF-3C0C-4153-909E-3FD97A1A2928} = 77.74.48.113
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://144.26.58.59/kxhcm10.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 00:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-09-27 0:33
ComboFix-quarantined-files.txt 2009-09-27 04:33
ComboFix2.txt 2009-09-27 00:17
ComboFix3.txt 2008-12-11 14:31

Pre-Run: 114,125,463,552 bytes free
Post-Run: 114,092,560,384 bytes free

339 --- E O F --- 2009-09-27 01:38

#13 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 26 September 2009 - 11:46 PM

Hi JNW,


Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Kaspersky Online Scanner button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 JNW
  • Topic Starter
  • Members
  • 89 posts
  • Gender:Male
  • Location:USA

Posted 27 September 2009 - 09:46 AM

Hey, SifuMike:

Here is the Kaspersky scan. FYI - Because IE was not working I had to download Firefox in order to download the Kaspersky software. It would not work with Google Chrome or Safari.

Thanks

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, September 27, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, September 27, 2009 12:16:40
Records in database: 2927640
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\

Scan statistics:
Objects scanned: 128312
Threats found: 8
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 02:15:58


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Program Files\AdvancedVirusRemover\PAVRM.exe.vir Infected: not-a-virus:FraudTool.Win32.AdvancedAntivirus.km 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Infected: Trojan.Win32.FraudPack.tyx 1
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Infected: Trojan.Win32.FraudPack.ube 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fpn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kidoyera.exe.vir Infected: Trojan-Downloader.Win32.Genome.rrb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lomugiti.dll.vir Infected: Trojan.Win32.Monder.bzdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Infected: Trojan.Win32.FraudPack.tyx 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-27_00.24.58.zip Infected: Trojan-Downloader.Win32.Small.anpg 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-27_00.24.58.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 3

Selected area has been scanned.
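
As an added triage example (not part of this thread and not Kaspersky's own tooling): a Python parser for the report layout above that separates detections sitting under ComboFix's C:\Qoobox\Quarantine folder (already-neutralised copies) from files still live on disk, and cross-checks the detail lines against the header statistics. The regular expressions are assumptions drawn from this report; the "Suspicious:" verdict is assumed to use the same line shape.

```python
import re

# Detail-line shape from the Kaspersky Online Scanner 7.0 report above:
# "<path> Infected: <threat> <count>"; "Suspicious:" is assumed to match it.
DETAIL_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$")
STAT_RE = re.compile(r"^(Threats found|Infected objects found|Suspicious objects found): (\d+)$")
# ComboFix's quarantine folder (seen in the report); hits here are neutralised copies.
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine",)

# Sample input: the statistics and detail lines of the report above.
SAMPLE_REPORT = r"""Threats found: 8
Infected objects found: 11
Suspicious objects found: 0
C:\Qoobox\Quarantine\C\Program Files\AdvancedVirusRemover\PAVRM.exe.vir Infected: not-a-virus:FraudTool.Win32.AdvancedAntivirus.km 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Infected: Trojan.Win32.FraudPack.tyx 1
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Infected: Trojan.Win32.FraudPack.ube 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fpn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kidoyera.exe.vir Infected: Trojan-Downloader.Win32.Genome.rrb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lomugiti.dll.vir Infected: Trojan.Win32.Monder.bzdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Infected: Trojan.Win32.FraudPack.tyx 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-27_00.24.58.zip Infected: Trojan-Downloader.Win32.Small.anpg 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-27_00.24.58.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.balk 3
"""


def parse_report(text):
    # Returns (header statistics dict, list of (path, verdict, threat, count)).
    stats, detections = {}, []
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            stats[m[1]] = int(m[2])
            continue
        m = DETAIL_RE.match(line.strip())
        if m:
            detections.append((m["path"], m["verdict"], m["threat"], int(m["count"])))
    return stats, detections


def triage(text):
    # Live = any detection whose path is outside a known quarantine folder.
    stats, dets = parse_report(text)
    live = [d for d in dets if not d[0].lower().startswith(QUARANTINE_PREFIXES)]
    objects = sum(d[3] for d in dets if d[1] == "Infected")
    threats = len({d[2] for d in dets})
    return {"live": live, "quarantined": len(dets) - len(live),
            "total_objects": objects, "unique_threats": threats,
            "objects_match": objects == stats.get("Infected objects found"),
            "threats_match": threats == stats.get("Threats found")}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))  # every hit is quarantined; header totals agree
```

For this report every one of the 11 objects lies under C:\Qoobox\Quarantine, so the scan confirms ComboFix's cleanup rather than an ongoing infection; a non-empty "live" list would be the thing to act on.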

#15 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 September 2009 - 12:20 PM

Hi JNW,


We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system.
    Wait until a log file opens.
    Copy and paste or attach the content of it.

Edited by SifuMike, 27 September 2009 - 12:21 PM.