
Rootkit,no desktop, start menu, or right click


This topic is locked
12 replies to this topic

#1 dannype03

dannype03

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:48 AM

Posted 25 September 2009 - 07:55 PM

I was informed that I have an active rootkit on my machine.


DDS (Ver_09-09-24.01) - NTFSx86
Run by Administrator at 19:14:28.51 on Fri 09/25/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.526 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\TuneUpDefragService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.COLLEGE-FB0RJ1I\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} -
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [combofix] c:\windows\system32\cf30384.exe /c c:\combofix\Combobatch.bat
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\admini~1.col\startm~1\programs\startup\is-aphvh.lnk - c:\documents and settings\administrator.college-fb0rj1i\desktop\virus removal tool\is-aphvh\startup.exe
StartupFolder: c:\docume~1\admini~1.col\startm~1\programs\startup\is-dpbbe.lnk - c:\documents and settings\administrator.college-fb0rj1i\desktop\virus removal tool2\is-dpbbe\startup.exe
StartupFolder: c:\docume~1\admini~1.col\startm~1\programs\startup\is-ql2am.lnk - c:\documents and settings\administrator.college-fb0rj1i\desktop\virus removal tool1\is-ql2am\startup.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227572812389
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227258942890
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.col\applic~1\mozilla\firefox\profiles\7mxevb2v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?pr=auto&src_id=11077&client_id=4bc8579c4a18321ea4127bd8&camp_id=-1&install_time=2008-08-30T18:56:13Z&tb_version=1.2.4&q=
FF - plugin: c:\documents and settings\administrator.college-fb0rj1i\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R1 is-9I4FTdrv;is-9I4FTdrv;c:\windows\system32\drivers\90636901.sys [2008-12-7 148496]
R1 is-AP035drv;is-AP035drv;c:\windows\system32\drivers\41802375.sys [2008-11-25 148496]
R1 is-DPBBEdrv;is-DPBBEdrv;c:\windows\system32\drivers\56190061.sys [2009-9-22 148496]
R1 is-EBD2Hdrv;is-EBD2Hdrv;c:\windows\system32\drivers\88009486.sys [2008-12-7 148496]
R1 is-ECMBLdrv;is-ECMBLdrv;c:\windows\system32\drivers\55054126.sys [2008-12-7 148496]
R1 is-N9BOFdrv;is-N9BOFdrv;c:\windows\system32\drivers\11932169.sys [2008-12-6 148496]
R1 is-Q4OS2drv;is-Q4OS2drv;c:\windows\system32\drivers\25978673.sys [2008-12-5 148496]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-2-21 603904]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S1 is-7VTGEdrv;is-7VTGEdrv;c:\windows\system32\drivers\62989555.sys [2008-12-15 148496]
S1 is-APHVHdrv;is-APHVHdrv;c:\windows\system32\drivers\90919186.sys [2009-9-22 148496]
S1 is-CJL8Sdrv;is-CJL8Sdrv;c:\windows\system32\drivers\92311848.sys [2009-1-8 148496]
S1 is-JOITLdrv;is-JOITLdrv;c:\windows\system32\drivers\42864023.sys [2008-12-7 148496]
S1 is-QL2AMdrv;is-QL2AMdrv;c:\windows\system32\drivers\95270689.sys [2009-9-22 148496]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2009-9-22 11904]
S3 Ndcvdmpimm;Ndcvdmpimm; [x]
S4 setup_7.0.0.180;setup_7.0.0.180;"c:\documents and settings\all users.windows\desktop\kaspersky lab tool\setup_7.0.0.180.exe" -r --> c:\documents and settings\all users.windows\desktop\kaspersky lab tool\setup_7.0.0.180.exe [?]

=============== Created Last 30 ================

2009-09-25 15:16 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2009-09-25 15:16 <DIR> -cd----- c:\docume~1\admini~1.col\applic~1\SUPERAntiSpyware.com
2009-09-25 15:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-23 12:59 388,608 a------- c:\windows\system32\CF30384.exe
2009-09-23 12:59 <DIR> -cds---- C:\ComboFix
2009-09-23 01:27 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-09-23 01:06 229,888 a------- c:\windows\PEV.exe
2009-09-23 01:06 388,608 a------- c:\windows\system32\CF3909.exe
2009-09-23 01:02 388,608 a------- c:\windows\system32\CF10057.exe
2009-09-22 22:08 <DIR> -cd----- c:\documents and settings\administrator.college-fb0rj1i\DoctorWeb
2009-09-22 21:23 148,496 a------- c:\windows\system32\drivers\56190061.sys
2009-09-22 20:46 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\IObit
2009-09-22 20:46 <DIR> --d----- c:\program files\IObit
2009-09-22 18:18 <DIR> --d----- c:\program files\GridinSoft Trojan Killer
2009-09-22 17:01 148,496 a------- c:\windows\system32\drivers\95270689.sys
2009-09-22 16:52 148,496 a------- c:\windows\system32\drivers\90919186.sys
2009-09-22 15:58 11,904 a------- c:\windows\system32\drivers\hitmanpro35.sys
2009-09-22 15:58 <DIR> --d----- c:\program files\Hitman Pro 3.5
2009-09-22 15:58 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Hitman Pro
2009-09-21 08:29 <DIR> -cd----- C:\spoolerlogs
2009-09-18 23:01 45 ac------ C:\TEST.XML
2009-09-18 22:23 281 ac-sh--- C:\BOOT.BKK
2009-09-18 22:10 <DIR> --d----- c:\program files\TGTSoft
2009-09-16 21:37 1,409 a------- c:\windows\system32\tmpD346C.FOT
2009-09-16 21:36 90,112 a------- c:\windows\unvise32.exe
2009-09-16 21:31 <DIR> --d----- c:\program files\The Rosetta Stone
2009-08-28 22:46 151 a------- c:\windows\PhotoSnapViewer.INI

==================== Find3M ====================

2009-09-25 15:22 1,130,594,336 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-09-25 15:22 11,520,032 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2007-07-23 17:34 12,330 a------- c:\program files\RezaWarez.tk_Firefox_2.0.0.3.exe

============= FINISH: 19:17:21.84 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/25 19:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: beer.sys
Image Path: C:\WINDOWS\system32\drivers\beer.sys
Address: 0xEE7E9000 Size: 49152 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEFA5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D85000 Size: 8192 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\mui\mui
Status: Locked to the Windows API!

Path: C:\WINDOWS\network diagnostic\network diagnostic
Status: Locked to the Windows API!

Path: C:\WINDOWS\ftpcache\ftpcache
Status: Locked to the Windows API!

Path: C:\WINDOWS\ZGFuaWVs\ZGFuaWVs
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB941569$\$NtUninstallKB941569$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB954211$\$NtUninstallKB954211$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB958690$\$NtUninstallKB958690$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallQ329441$\$NtUninstallQ329441$
Status: Locked to the Windows API!

Path: C:\WINDOWS\Cache\Cache
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Installations\Downloaded Installations
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallWIC$\$NtUninstallWIC$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallWudf01000$\$NtUninstallWudf01000$
Status: Locked to the Windows API!

Path: C:\WINDOWS\addins\addins
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB833407$\$NtUninstallKB833407$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB898461$\$NtUninstallKB898461$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB936782_WMP11$\$NtUninstallKB936782_WMP11$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB938464$\$NtUninstallKB938464$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB939683$\$NtUninstallKB939683$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB951072-v2$\$NtUninstallKB951072-v2$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB954154_WM11$\$NtUninstallKB954154_WM11$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB959772_WM11$\$NtUninstallKB959772_WM11$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB960803$\$NtUninstallKB960803$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB960859$\$NtUninstallKB960859$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB968537$\$NtUninstallKB968537$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB968816_WM9$\$NtUninstallKB968816_WM9$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB971657$\$NtUninstallKB971657$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB973540_WM9L$\$NtUninstallKB973540_WM9L$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallMSCompPackV1$\$NtUninstallMSCompPackV1$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallQ329048$\$NtUninstallQ329048$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallQ329170$\$NtUninstallQ329170$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB954600$\$NtUninstallKB954600$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB955839$\$NtUninstallKB955839$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB956844$\$NtUninstallKB956844$
Status: Locked to the Windows API!

Path: C:\WINDOWS\$NtUninstallKB957095$\$NtUninstallKB957095$
Status: Locked to the Windows API!

Path: C:\WINDOWS\l2schemas\l2schemas
Status: Locked to the Windows API!

Path: C:\WINDOWS\Minidump\Minidump
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\Resources\Cursors\Cursors
Status: Locked to the Windows API!

Path: C:\WINDOWS\security\logs\logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d1\d1
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d2\d2
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d3\d3
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d4\d4
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d5\d5
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d6\d6
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d7\d7
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d8\d8
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\temp\temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\tsclientmsitrans\tsclientmsitrans
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: c:\documents and settings\administrator.college-fb0rj1i\local settings\temp\etilqs_ajzhmafr3gggxkhpkxqx
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\administrator.college-fb0rj1i\local settings\temp\etilqs_pdhepu1vcvsx7qt9g7wz
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP273.tmp\ZAP273.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP315.tmp\ZAP315.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F5.tmp\ZAP3F5.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP423.tmp\ZAP423.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC44.tmp\ZAPC44.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\70
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\10\msft\windows\windows
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\policy\60\60
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\policy\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\70\msft\windows\windows
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\70\policy\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\10\policy\msft\windows\windows
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\51\msft\windows\system\system
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\52\msft\windows\net\net
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\msft\windows\common\common
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\51\policy\msft\windows\system\system
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\52\policy\msft\windows\networking\networking
Status: Locked to the Windows API!

==EOF==


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:48 AM

Posted 27 September 2009 - 12:39 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.




I see from your other thread that you have win32kdiag.exe already located on your desktop. If you have moved that file elsewhere, please move it back to your desktop for this next step.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.



========================



Now delete any copy of combofix.exe that you have if you downloaded it previously.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
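The win32kdiag.exe -f -r step above removes the reparse points (mount points) it finds under C:\WINDOWS and records each one in Win32kDiag.txt as a "Found mount point", "Mount point destination" and "Removing mount point" line. As an added example that is not part of this thread or of the tool, the following Python script parses a constructed log in that format and flags entries whose target is a kernel device path rather than a volume, or whose junction is named after its own parent folder; the sample log lines and the volume GUID in them are constructed.

```python
"""Triage a Win32kDiag.txt log: pair each found mount point with its
destination and removal line, flag suspicious ones, and surface warnings."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the Win32kDiag.txt line format (not the thread's full log).
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\User\Desktop\win32kdiag.exe
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$NtUninstallKB833407$\$NtUninstallKB833407$
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$NtUninstallKB833407$\$NtUninstallKB833407$

Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^

Found mount point : C:\Mount\Data
Mount point destination : \??\Volume{12345678-1234-1234-1234-123456789abc}\
Removing mount point : C:\Mount\Data
"""

FOUND_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
REMOVED_RE = re.compile(r"^Removing mount point : (.+)$")
# An ordinary volume mount point resolves to a \??\Volume{GUID}\ target.
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]{36}\}\\?$")


@dataclass
class MountPoint:
    path: str
    destination: str = ""
    removed: bool = False

    def self_nested(self) -> bool:
        """True when the junction is named after its parent (X\\X pattern)."""
        parts = self.path.rstrip("\\").split("\\")
        return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()

    def classify(self) -> str:
        """'volume' for a normal volume target, 'device' for a raw \\Device\\
        target, 'other' for anything else."""
        if VOLUME_RE.match(self.destination):
            return "volume"
        if self.destination.startswith("\\Device\\"):
            return "device"
        return "other"


def parse_win32kdiag(text):
    """Return (mount points, warning lines) from Win32kDiag.txt content."""
    points, warnings, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("WARNING:"):
            warnings.append(line)
            continue
        m = FOUND_RE.match(line)
        if m:
            current = MountPoint(path=m.group(1).strip())
            points.append(current)
            continue
        m = DEST_RE.match(line)
        if m and current is not None:
            current.destination = m.group(1).strip()
            continue
        m = REMOVED_RE.match(line)
        if m:
            target = m.group(1).strip().lower()
            for p in points:
                if p.path.lower() == target:
                    p.removed = True
    return points, warnings


def triage(text):
    """Summarise a log: everything that is not a plain volume mount, or that
    uses the self-nested naming, is flagged; flagged entries with no
    'Removing' line are listed separately so they can be checked by hand."""
    points, warnings = parse_win32kdiag(text)
    flagged = [p for p in points if p.classify() != "volume" or p.self_nested()]
    return {
        "total": len(points),
        "flagged": flagged,
        "destinations": Counter(p.destination for p in flagged),
        "not_removed": [p for p in flagged if not p.removed],
        "warnings": warnings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} mount points, {len(result['flagged'])} flagged")
    for dest, n in result["destinations"].items():
        print(f"  {n} x -> {dest}")
    for p in result["not_removed"]:
        print(f"  NOT REMOVED: {p.path}")
    for w in result["warnings"]:
        print(f"  {w}")
```

A "Could not get backup privileges" warning means the permission reset part of the run did not complete, so a clean-looking removal list still needs a second pass.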

#3 dannype03

dannype03
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:48 AM

Posted 27 September 2009 - 07:53 PM

Hey, I'm Dan. Thanks for helping me out. I ran win32kdiag.exe. After it completed my desktop icons and task bar returned.

Running from: C:\Documents and Settings\Administrator.COLLEGE-FB0RJ1I\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Administrator.COLLEGE-FB0RJ1I\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$NtUninstallKB833407$\$NtUninstallKB833407$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB833407$\$NtUninstallKB833407$

Found mount point : C:\WINDOWS\$NtUninstallKB898461$\$NtUninstallKB898461$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB898461$\$NtUninstallKB898461$

Found mount point : C:\WINDOWS\$NtUninstallKB936782_WMP11$\$NtUninstallKB936782_WMP11$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB936782_WMP11$\$NtUninstallKB936782_WMP11$

Found mount point : C:\WINDOWS\$NtUninstallKB938464$\$NtUninstallKB938464$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB938464$\$NtUninstallKB938464$

Found mount point : C:\WINDOWS\$NtUninstallKB939683$\$NtUninstallKB939683$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB939683$\$NtUninstallKB939683$

Found mount point : C:\WINDOWS\$NtUninstallKB941569$\$NtUninstallKB941569$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB941569$\$NtUninstallKB941569$

Found mount point : C:\WINDOWS\$NtUninstallKB951072-v2$\$NtUninstallKB951072-v2$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB951072-v2$\$NtUninstallKB951072-v2$

Found mount point : C:\WINDOWS\$NtUninstallKB954154_WM11$\$NtUninstallKB954154_WM11$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB954154_WM11$\$NtUninstallKB954154_WM11$

Found mount point : C:\WINDOWS\$NtUninstallKB954211$\$NtUninstallKB954211$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB954211$\$NtUninstallKB954211$

Found mount point : C:\WINDOWS\$NtUninstallKB954600$\$NtUninstallKB954600$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB954600$\$NtUninstallKB954600$

Found mount point : C:\WINDOWS\$NtUninstallKB955839$\$NtUninstallKB955839$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB955839$\$NtUninstallKB955839$

Found mount point : C:\WINDOWS\$NtUninstallKB956844$\$NtUninstallKB956844$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB956844$\$NtUninstallKB956844$

Found mount point : C:\WINDOWS\$NtUninstallKB957095$\$NtUninstallKB957095$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB957095$\$NtUninstallKB957095$

Found mount point : C:\WINDOWS\$NtUninstallKB958690$\$NtUninstallKB958690$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB958690$\$NtUninstallKB958690$

Found mount point : C:\WINDOWS\$NtUninstallKB959772_WM11$\$NtUninstallKB959772_WM11$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB959772_WM11$\$NtUninstallKB959772_WM11$

Found mount point : C:\WINDOWS\$NtUninstallKB960803$\$NtUninstallKB960803$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB960803$\$NtUninstallKB960803$

Found mount point : C:\WINDOWS\$NtUninstallKB960859$\$NtUninstallKB960859$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB960859$\$NtUninstallKB960859$

Found mount point : C:\WINDOWS\$NtUninstallKB968537$\$NtUninstallKB968537$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB968537$\$NtUninstallKB968537$

Found mount point : C:\WINDOWS\$NtUninstallKB968816_WM9$\$NtUninstallKB968816_WM9$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB968816_WM9$\$NtUninstallKB968816_WM9$

Found mount point : C:\WINDOWS\$NtUninstallKB971657$\$NtUninstallKB971657$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB971657$\$NtUninstallKB971657$

Found mount point : C:\WINDOWS\$NtUninstallKB973540_WM9L$\$NtUninstallKB973540_WM9L$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB973540_WM9L$\$NtUninstallKB973540_WM9L$

Found mount point : C:\WINDOWS\$NtUninstallMSCompPackV1$\$NtUninstallMSCompPackV1$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallMSCompPackV1$\$NtUninstallMSCompPackV1$

Found mount point : C:\WINDOWS\$NtUninstallQ329048$\$NtUninstallQ329048$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallQ329048$\$NtUninstallQ329048$

Found mount point : C:\WINDOWS\$NtUninstallQ329170$\$NtUninstallQ329170$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallQ329170$\$NtUninstallQ329170$

Found mount point : C:\WINDOWS\$NtUninstallQ329441$\$NtUninstallQ329441$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallQ329441$\$NtUninstallQ329441$

Found mount point : C:\WINDOWS\$NtUninstallWIC$\$NtUninstallWIC$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallWIC$\$NtUninstallWIC$

Found mount point : C:\WINDOWS\$NtUninstallWudf01000$\$NtUninstallWudf01000$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallWudf01000$\$NtUninstallWudf01000$

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP273.tmp\ZAP273.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP273.tmp\ZAP273.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP315.tmp\ZAP315.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP315.tmp\ZAP315.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F5.tmp\ZAP3F5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F5.tmp\ZAP3F5.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP423.tmp\ZAP423.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP423.tmp\ZAP423.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC44.tmp\ZAPC44.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC44.tmp\ZAPC44.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Cache\Cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cache\Cache

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\Downloaded Installations

Cannot access: C:\WINDOWS\explorer.exe

Attempting to restore permissions of : C:\WINDOWS\explorer.exe

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\Installer\tsclientmsitrans\tsclientmsitrans

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\tsclientmsitrans\tsclientmsitrans

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\l2schemas\l2schemas

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\l2schemas\l2schemas

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\network diagnostic\network diagnostic

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\network diagnostic\network diagnostic

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpsvc.exe

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\Resources\Cursors\Cursors

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Resources\Cursors\Cursors

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\10\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\10\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\10\policy\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\10\policy\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\51\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\51\msft\windows\system\system

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\51\policy\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\51\policy\msft\windows\system\system

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\52\msft\windows\net\net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\52\msft\windows\net\net

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\52\policy\msft\windows\networking\networking

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\52\policy\msft\windows\networking\networking

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\msft\windows\common\common

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\msft\windows\common\common

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\policy\60\60

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\policy\60\60

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\60\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\70\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\70\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\70\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\asms\70\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\70

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\ZGFuaWVs\ZGFuaWVs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ZGFuaWVs\ZGFuaWVs



Finished!


And the ComboFix log:
ComboFix 09-09-25.01 - Administrator 09/27/2009 19:21.8.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.587 [GMT -5:00]
Running from: c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Desktop\dcmf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\dlmn.dll
.
---- Previous Run -------
.
c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\Google\T-Scan
c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\Google\T-Scan\y.gif
c:\windows\AppPatch\dlmn.dll
c:\windows\Installer\eb6e.msi
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))
.

2009-09-25 20:16 . 2009-09-25 20:16 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2009-09-25 20:16 . 2009-09-25 20:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-25 20:16 . 2009-09-25 20:16 -------- dc----w- c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\SUPERAntiSpyware.com
2009-09-23 06:27 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-23 03:08 . 2009-09-23 03:12 -------- dc----w- c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\DoctorWeb
2009-09-23 02:23 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\56190061.sys
2009-09-23 01:46 . 2009-09-23 01:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\IObit
2009-09-23 01:46 . 2009-09-23 01:46 -------- d-----w- c:\program files\IObit
2009-09-22 23:18 . 2009-09-25 04:28 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2009-09-22 22:01 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\95270689.sys
2009-09-22 21:52 . 2008-07-08 19:54 148496 ----a-w- c:\windows\system32\drivers\90919186.sys
2009-09-22 20:58 . 2009-09-22 22:47 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-09-22 20:58 . 2009-09-22 20:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hitman Pro
2009-09-22 20:58 . 2009-09-22 20:58 -------- d-----w- c:\program files\Hitman Pro 3.5
2009-09-22 15:54 . 2009-09-22 15:55 -------- d-----w- c:\documents and settings\All Users\dpcock
2009-09-22 15:52 . 2009-09-22 15:53 -------- d-----w- c:\documents and settings\All Users\New Folder
2009-09-21 13:29 . 2009-09-21 13:29 -------- dc----w- C:\spoolerlogs
2009-09-19 03:10 . 2009-09-19 03:10 -------- d-----w- c:\program files\TGTSoft
2009-09-17 02:36 . 2004-03-29 21:23 90112 ----a-w- c:\windows\unvise32.exe
2009-09-17 02:31 . 2009-09-17 02:35 -------- d-----w- c:\program files\The Rosetta Stone

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 00:36 . 2008-11-28 17:19 11534552 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-28 00:36 . 2008-11-28 17:19 1130594336 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-28 00:15 . 2008-02-07 06:54 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-09-25 20:15 . 2008-11-19 06:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-25 18:32 . 2009-06-06 19:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 20:28 . 2008-11-19 15:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-22 05:15 . 2007-09-28 07:36 -------- d-----w- c:\program files\FlashGet
2009-09-10 19:54 . 2009-06-06 19:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-06-06 19:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 19:23 . 2008-01-01 03:19 -------- d-----w- c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\Move Networks
2009-08-24 03:46 . 2009-08-24 03:46 -------- d-----w- c:\program files\MSXML 4.0
2009-08-24 02:15 . 2009-08-23 02:18 -------- dc----w- c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\Ahead
2009-08-23 02:17 . 2009-08-23 02:17 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Ahead
2009-08-23 02:16 . 2009-08-23 02:14 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-23 02:14 . 2009-08-23 02:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Nero
2009-08-23 02:14 . 2009-08-23 02:14 -------- d-----w- c:\program files\Nero
2009-08-23 00:27 . 2009-08-23 00:27 -------- dc----w- c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\Canneverbe_Limited
2009-08-23 00:27 . 2007-11-26 08:41 18240 -c--a-w- c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 00:27 . 2009-08-23 00:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Canneverbe Limited
2009-08-22 08:04 . 2009-08-22 08:04 -------- d-----w- c:\program files\MSBuild
2009-08-22 08:04 . 2009-08-22 08:04 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 07:57 . 2009-08-22 07:57 -------- d-----w- c:\program files\MSXML 6.0
2009-08-21 03:38 . 2007-07-07 18:54 -------- d-----w- c:\program files\DivX
2009-08-21 03:36 . 2009-07-28 19:22 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-20 03:25 . 2009-08-20 03:25 -------- d-----w- c:\program files\Common Files\Nero
2009-08-20 03:25 . 2009-08-20 03:25 -------- d-----w- c:\program files\Nero 9
2009-08-08 06:10 . 2009-08-08 06:06 -------- d-----w- c:\program files\Graboid
2009-08-08 06:08 . 2009-08-08 06:08 -------- dc----w- c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\MozillaControl
2009-08-08 06:07 . 2008-07-15 03:27 -------- d-----w- c:\program files\VideoLAN
2009-08-05 09:11 . 2001-08-23 17:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2001-08-23 17:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2005-01-28 20:44 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2007-07-23 22:34 . 2007-07-23 22:34 12330 ----a-w- c:\program files\RezaWarez.tk_Firefox_2.0.0.3.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2007-07-09 19:08 . 2007-07-09 19:08 479232 -c--a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-07-09 19:08 . 2007-07-09 19:08 548864 -c--a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-07-09 19:08 . 2007-07-09 19:08 626688 -c--a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-12-08 05:06 . 2008-12-08 01:07 106528 -csha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-31 4670704]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Start Menu\Programs\Startup\
is-APHVH.lnk - c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Desktop\Virus Removal Tool\is-APHVH\startup.exe [2009-9-22 65536]
is-DPBBE.lnk - c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Desktop\Virus Removal Tool2\is-DPBBE\startup.exe [2009-9-22 65536]
is-QL2AM.lnk - c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Desktop\Virus Removal Tool1\is-QL2AM\startup.exe [2009-9-22 65536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"EPSON NX300 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEJA.EXE /FU "c:\windows\TEMP\E_S249.tmp" /EF "HKCU"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=

R1 is-9I4FTdrv;is-9I4FTdrv;c:\windows\system32\drivers\90636901.sys [12/7/2008 4:29 PM 148496]
R1 is-AP035drv;is-AP035drv;c:\windows\system32\drivers\41802375.sys [11/25/2008 11:11 PM 148496]
R1 is-DPBBEdrv;is-DPBBEdrv;c:\windows\system32\drivers\56190061.sys [9/22/2009 9:23 PM 148496]
R1 is-EBD2Hdrv;is-EBD2Hdrv;c:\windows\system32\drivers\88009486.sys [12/7/2008 4:59 PM 148496]
R1 is-ECMBLdrv;is-ECMBLdrv;c:\windows\system32\drivers\55054126.sys [12/7/2008 4:41 PM 148496]
R1 is-N9BOFdrv;is-N9BOFdrv;c:\windows\system32\drivers\11932169.sys [12/6/2008 6:06 AM 148496]
R1 is-Q4OS2drv;is-Q4OS2drv;c:\windows\system32\drivers\25978673.sys [12/5/2008 7:14 PM 148496]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
S1 is-7VTGEdrv;is-7VTGEdrv;c:\windows\system32\drivers\62989555.sys [12/15/2008 10:41 PM 148496]
S1 is-APHVHdrv;is-APHVHdrv;c:\windows\system32\drivers\90919186.sys [9/22/2009 4:52 PM 148496]
S1 is-CJL8Sdrv;is-CJL8Sdrv;c:\windows\system32\drivers\92311848.sys [1/8/2009 1:04 AM 148496]
S1 is-JOITLdrv;is-JOITLdrv;c:\windows\system32\drivers\42864023.sys [12/7/2008 4:39 PM 148496]
S1 is-QL2AMdrv;is-QL2AMdrv;c:\windows\system32\drivers\95270689.sys [9/22/2009 5:01 PM 148496]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [9/22/2009 3:58 PM 11904]
S3 Ndcvdmpimm;Ndcvdmpimm; [x]
S3 PSEXESVC;PsExec;c:\windows\PSEXESVC.EXE --> c:\windows\PSEXESVC.EXE [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-09-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-12 03:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\Mozilla\Firefox\Profiles\7mxevb2v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?pr=auto&src_id=11077&client_id=4bc8579c4a18321ea4127bd8&camp_id=-1&install_time=2008-08-30T18:56Z&tb_version=1.2.4&q=
FF - plugin: c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -

Notify-dimsntfy - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 19:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1044)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\TUProgSt.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-28 19:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-28 00:47
ComboFix2.txt 2008-11-24 17:13

Pre-Run: 43,275,612,160 bytes free
Post-Run: 43,252,756,480 bytes free

Current=1 Default=1 Failed=2 LastKnownGood=3 Sets=1,2,3,4
226 --- E O F --- 2009-09-09 08:07
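The first log above repeats one shape for every entry: a junction named after the folder it sits in (C:\WINDOWS\addins\addins, C:\WINDOWS\CSC\d1\d1) whose target is \Device\__max++>\^, plus a few files the tool could not open until it restored their permissions (explorer.exe, helpsvc.exe, MRT.exe). The script below is an added example written for this thread, not output of the removal tool and not code from anyone posting here. It parses that "key : value" line format, pairs each Found/Destination/Removing triple, and flags entries by two heuristics that are this example's own assumptions: a junction whose name equals its parent folder's name, and a reparse target that does not begin with \??\ the way targets created by Windows tools do. The log text inside it is a constructed excerpt of the lines above, with one entry deliberately left without a "Removing" line.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt in the format of the log above: three
# "Found mount point / Mount point destination / Removing mount point"
# triples and one "Cannot access / Attempting to restore permissions" pair.
# The last entry has no "Removing" line so the removed flag is exercised.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Cannot access: C:\WINDOWS\explorer.exe

Attempting to restore permissions of : C:\WINDOWS\explorer.exe

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\ZGFuaWVs\ZGFuaWVs

Mount point destination : \Device\__max++>\^

Finished!
"""

# Every line of interest is "<key> : <value>"; the key never contains a
# colon, the value (a Windows path) may.
_LINE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.+?)\s*$")


@dataclass
class MountPoint:
    path: str
    destination: Optional[str] = None
    removed: bool = False

    @property
    def name_matches_parent(self) -> bool:
        """True for a junction named after the folder it sits in
        (C:\\WINDOWS\\addins\\addins), the shape of every entry in the log."""
        parts = self.path.rstrip("\\").split("\\")
        return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()

    @property
    def suspicious_destination(self) -> bool:
        """Heuristic (this example's assumption): reparse targets written by
        Windows tools start with \\??\\ (a drive or volume path); a bare
        \\Device\\... target that no file system backs does not."""
        return self.destination is not None and not self.destination.startswith("\\??\\")


@dataclass
class Summary:
    mount_points: List[MountPoint] = field(default_factory=list)
    locked_files: List[str] = field(default_factory=list)  # "Cannot access" entries

    def removed_count(self) -> int:
        return sum(1 for mp in self.mount_points if mp.removed)

    def destination_counts(self) -> Counter:
        return Counter(mp.destination for mp in self.mount_points if mp.destination)

    def flagged(self) -> List[MountPoint]:
        return [mp for mp in self.mount_points
                if mp.suspicious_destination or mp.name_matches_parent]


def parse_log(text: str) -> Summary:
    """Pair each Found/Destination/Removing triple and collect locked files."""
    summary = Summary()
    current: Optional[MountPoint] = None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # blank lines and "Finished!"
        key, val = m.group("key").strip(), m.group("val")
        if key == "Found mount point":
            current = MountPoint(path=val)
            summary.mount_points.append(current)
        elif key == "Mount point destination" and current is not None:
            current.destination = val
        elif key == "Removing mount point" and current is not None and current.path == val:
            current.removed = True
        elif key == "Cannot access":
            summary.locked_files.append(val)
    return summary


if __name__ == "__main__":
    s = parse_log(SAMPLE_LOG)
    print(f"{len(s.mount_points)} mount points found, {s.removed_count()} removed")
    for dest, n in s.destination_counts().items():
        print(f"  {n} x {dest}")
    for mp in s.flagged():
        print(f"  flagged: {mp.path} -> {mp.destination} (removed={mp.removed})")
    print("files whose permissions had to be restored:", s.locked_files)
```

Run it against the full log pasted above to get a count of junctions per target and a list of the files the tool had to unlock; a legitimate junction such as the "Application Data" redirect on newer Windows versions has a \??\C:\... target and a name different from its parent, so neither heuristic fires on it.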

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 September 2009 - 07:02 AM

Can you tell me anything about these files that are running at startup?

c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Start Menu\Programs\Startup\
is-APHVH.lnk - c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Desktop\Virus Removal Tool\is-APHVH\startup.exe [2009-9-22 65536]
is-DPBBE.lnk - c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Desktop\Virus Removal Tool2\is-DPBBE\startup.exe [2009-9-22 65536]
is-QL2AM.lnk - c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Desktop\Virus Removal Tool1\is-QL2AM\startup.exe [2009-9-22 65536]


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 dannype03

dannype03
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:48 AM

Posted 28 September 2009 - 01:39 PM

I'm assuming that the files are the same because they are all 49.7 mb, however they were created at different times on September 22 2009. They appear to be an antivirus but I don't know where they came from. Here is the malwarebytes log.

Malwarebytes' Anti-Malware 1.41
Database version: 2868
Windows 5.1.2600 Service Pack 2

9/28/2009 1:31:51 PM
mbam-log-2009-09-28 (13-31-51).txt

Scan type: Quick Scan
Objects scanned: 121982
Time elapsed: 9 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:48 AM

Posted 28 September 2009 - 07:14 PM

It does seem unusual to have those files loading at startup, especially if you're not aware of what they are and what they do.

Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\documents and settings\Administrator.COLLEGE-FB0RJ1I\Desktop\Virus Removal Tool\is-APHVH\startup.exe


  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html



How is your computer behaving now?


========================================================

#7 dannype03

dannype03
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:48 AM

Posted 28 September 2009 - 09:13 PM

My computer is working fine. I haven't been on it as much because I have another one. As far as I can tell it's working normally.

Scanners
[ArcaVir]
2009-06-16 Found nothing
[G DATA]
No result available
[A-Squared]
2009-06-17 Found nothing
[Ikarus]
2009-06-17 Found nothing
[Avast! antivirus]
2009-06-16 Found nothing
[Kaspersky Anti-Virus]
2009-06-17 Found nothing
[Grisoft AVG Anti-Virus]
2009-06-17 Found nothing
[ESET NOD32]
2009-06-17 Found nothing
[Avira AntiVir]
2009-06-17 Found nothing
[Norman Virus Control]
2009-06-16 Found nothing
[Softwin BitDefender]
2009-06-17 Found nothing
[Panda Antivirus]
2009-06-16 Found nothing
[ClamAV]
2009-06-17 Found nothing
[Quick Heal]
2009-06-17 Found nothing
[CPsecure]
2009-06-17 Troj.Spy.W32.KeyLogger.bhg
[Sophos]
2009-06-17 Found nothing
[Dr.Web]
2009-06-17 Found nothing
[VirusBlokAda VBA32]
2009-06-16 Found nothing
[Frisk F-Prot Antivirus]
2009-06-16 Found nothing
[VirusBuster]
2009-06-16 Found nothing
[F-Secure Anti-Virus]
2009-06-17 Found nothing
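As an added example (not part of the thread or of Jotti's own tooling), a small Python parser for the engine-by-engine result listing above: it separates engines that produced no result from those that answered, isolates the lone detection, and applies a rough triage rule. The sample text is a constructed excerpt of the listing, and the corroboration threshold is my own assumption, not something the thread states.

```python
import re
from collections import namedtuple

# Constructed excerpt of the multi-engine listing posted above (a few engines only).
SAMPLE_RESULTS = """Scanners
[ArcaVir]
2009-06-16 Found nothing
[G DATA]
No result available
[A-Squared]
2009-06-17 Found nothing
[CPsecure]
2009-06-17 Troj.Spy.W32.KeyLogger.bhg
[Sophos]
2009-06-17 Found nothing
"""

Result = namedtuple("Result", "engine sigdate verdict")

ENGINE_RE = re.compile(r"^\[(?P<engine>[^\]]+)\]$")
VERDICT_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<verdict>.+)$")


def parse_results(text):
    """Turn '[Engine]' / 'signature-date verdict' pairs into Result records."""
    results, engine = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group("engine")
            continue
        if engine is None:
            continue  # header line such as 'Scanners', or trailing blank
        m = VERDICT_RE.match(line)
        if m:
            results.append(Result(engine, m.group("date"), m.group("verdict")))
        else:  # e.g. 'No result available': engine did not produce a verdict
            results.append(Result(engine, None, line))
        engine = None
    return results


def summarize(results):
    """Return (engines that answered, {engine: detection name})."""
    answered = [r for r in results if r.sigdate is not None]
    hits = {r.engine: r.verdict for r in answered if r.verdict != "Found nothing"}
    return len(answered), hits


def assess(results, corroborate_at=3):
    """Assumed triage rule: one isolated hit among many clean engines needs corroboration."""
    answered, hits = summarize(results)
    if not hits:
        return "clean"
    return "isolated hit; corroborate" if len(hits) < corroborate_at else "multi-engine detection"
```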

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:48 AM

Posted 29 September 2009 - 07:44 AM

You should have a folder on your desktop named Virus Removal Tool
Do you know how long it has been there?

Please open the folder and let me know what you find inside.


========================================================

#9 dannype03

dannype03
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:48 AM

Posted 29 September 2009 - 09:14 AM

Properties says that it was created 9/22/09. The file is Kaspersky. I opened one of the image folders and saw its background.

#10 dannype03

dannype03
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:48 AM

Posted 29 September 2009 - 09:20 AM

I remember putting Kaspersky on my computer and trying to run a scan, but it would scan for maybe seconds and then close. Since I have posted on here I have only run programs that you all tell me to run.

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:48 AM

Posted 30 September 2009 - 07:48 AM

In that case it doesn't seem to be anything malicious. But I would still question why it is running at startup. If these are simple Kaspersky removal tools then you may just be able to delete them, but since they've created registry entries you'll want to look at Add/Remove Programs and see if you can just uninstall it.

If everything else is running smoothly, let's go ahead and clean up and then I'll post some final recommendations for you.


We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above.

  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.



========================================================

#12 dannype03

dannype03
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:48 AM

Posted 30 September 2009 - 01:48 PM

Completed these steps

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:48 AM

Posted 30 September 2009 - 05:49 PM

Well done! :(

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================
