Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google search redirection


  • This topic is locked This topic is locked
23 replies to this topic

#1 rynkiedink

rynkiedink

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:05:37 PM

Posted 26 September 2009 - 06:42 PM

Hi,

Every time I type something in google and click on a link, the page is redirected to a completely different site. I've tried running MalwareBytes, Spybot, RootRepal, and a few other programs recommended to me to scan my laptop, but with every first run, the program stops after a few seconds and disappears from the screen. Any subsequent time I click to run the program again, a "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them" message pops up. I can't change security settings because the security tab feature isn't unavailable. After another suggestion, I downloaded and ran Win32DiagKit and the following log is:

Running from: C:\Documents and Settings\Do Family\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Do Family\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11.tmp\ZAP11.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP153.tmp\ZAP153.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23A.tmp\ZAP23A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP98.tmp\ZAP98.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E.tmp\ZAP9E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEC.tmp\ZAPEC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 06:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[2] 2008-04-13 19:11:53 56320 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP303\A0066823.dll (Microsoft Corporation)

[1] 2004-08-04 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-08-28 14:38:22 24689600 C:\WINDOWS\system32\MRT.exe ()

[2] 2009-06-01 11:51:12 23635392 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP273\A0046488.exe (Microsoft Corporation)

[2] 2009-07-07 10:10:56 24539592 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP281\A0051435.exe (Microsoft Corporation)

[2] 2009-07-29 19:49:14 24281536 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP301\A0062424.exe (Microsoft Corporation)

[2] 2009-08-28 16:38:20 24689600 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP314\A0067620.exe (Microsoft Corporation)

[1] 2008-01-02 11:21:38 17642616 C:\i386\MRT.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\mdf7670.tmp\mdf7670.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 PM

Posted 01 October 2009 - 04:41 PM

Hello rynkiedink,

Please save this file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text)

"%userprofile%\desktop\win32kdiag.exe" -f -r

into the "Open" box, and click OK.
When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 rynkiedink

rynkiedink
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:05:37 PM

Posted 04 October 2009 - 01:39 PM

Hi, here are the contents:

Running from: C:\Documents and Settings\Do Family\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Do Family\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11.tmp\ZAP11.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11.tmp\ZAP11.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP153.tmp\ZAP153.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP153.tmp\ZAP153.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23A.tmp\ZAP23A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23A.tmp\ZAP23A.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP98.tmp\ZAP98.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP98.tmp\ZAP98.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E.tmp\ZAP9E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E.tmp\ZAP9E.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEC.tmp\ZAPEC.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEC.tmp\ZAPEC.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425\12.0.6425

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\ERRORREP

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Found mount point : C:\WINDOWS\Temp\mdf7670.tmp\mdf7670.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\mdf7670.tmp\mdf7670.tmp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 PM

Posted 04 October 2009 - 01:59 PM

Hi rynkiedink,


Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter.When successfully, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (next step) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========

:( Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
:(
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard, Posted Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

Edited by SifuMike, 04 October 2009 - 02:01 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 rynkiedink

rynkiedink
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:05:37 PM

Posted 04 October 2009 - 02:59 PM

The following is the log:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Oct 04 14:54:17 2009

14:54:17: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Oct 04 14:55:02 2009

14:55:02: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 PM

Posted 04 October 2009 - 03:08 PM

Hello rynkiedink,

What antivirus are you using?


We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

Edited by SifuMike, 04 October 2009 - 03:21 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 rynkiedink

rynkiedink
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:05:37 PM

Posted 04 October 2009 - 03:31 PM

I'm currently using avg anti-virus. I was previously using Endpoint Symantec, but it stopped working one day and that is when my laptop started having problems with the Google search redirecting. Here is the following log:


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...


Failed to open \\?\c:\\Documents and Settings\Do Family\Desktop\RootRepeal.exe: Access is denied.


...

...

...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\Program Files\Common Files\Symantec Shared\COH\COH32.exe: Access is denied.


.

..
Failed to open \\?\c:\\Program Files\Eusing Free Registry Cleaner\Regcleaner.exe: Access is denied.


.

...


Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.


...

...

...

...

.
Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.


..


Failed to open \\?\c:\\Program Files\ZZtoy\mbam.exe: Access is denied.



Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.


...

...

...

...

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...

...

...

...

...

...

...

...

.

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 PM

Posted 04 October 2009 - 03:43 PM

Hi,


That log does not look complete. Can you post the rest of it?

Edited by SifuMike, 04 October 2009 - 03:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 rynkiedink

rynkiedink
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:05:37 PM

Posted 04 October 2009 - 04:15 PM

Hi,

There's nothing else in the log. I ran it again. That's all of it.

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 PM

Posted 04 October 2009 - 04:18 PM

Hi rynkiedink,
  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

    "%userprofile%\desktop\inherit" "c:\\Documents and Settings\Do Family\Desktop\RootRepeal.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\Common Files\Symantec Shared\COH\COH32.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\Eusing Free Registry Cleaner\Regcleaner.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

    "%userprofile%\desktop\inherit" "c:\\Program Files\ZZtoy\mbam.exe"

  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
  • Do the same for the rest of the lines until you have run all the above commands one by one.

Let me know when you are done. :(
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 rynkiedink

rynkiedink
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:05:37 PM

Posted 04 October 2009 - 04:27 PM

Ok, I'm done.

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 PM

Posted 04 October 2009 - 04:34 PM

Hi rynkiedink,

See if Endpoint Symantec is working.

If Endpoint Symantec is working then uninstall AVG.

If Endpoint Symantec is not working then uninstall it.


Let me know when you are done.

Edited by SifuMike, 04 October 2009 - 04:36 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 rynkiedink

rynkiedink
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:05:37 PM

Posted 04 October 2009 - 04:43 PM

Hi,

I've uninstalled Endpoint Symantec almost two weeks ago.

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:37 PM

Posted 04 October 2009 - 05:10 PM

Hi rynkiedink,


Ok! :(

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: Posted Image) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.




Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop..

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work. ComboFix normally takes about one half hour or less to run.

Post the ComboFix log.

Edited by SifuMike, 04 October 2009 - 05:15 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 rynkiedink

rynkiedink
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  •  
  • Local time:05:37 PM

Posted 04 October 2009 - 09:52 PM

Hi, here is the ComboFix log:

ComboFix 09-10-04.01 - Do Family 10/04/2009 21:40.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1467 [GMT -5:00]
Running from: c:\documents and settings\Do Family\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\48e76.msi
c:\windows\Installer\9b2e4c.msi
c:\windows\Installer\a5d246.msi
c:\windows\Installer\d5a7f0.msp
c:\windows\Installer\d5a7f8.msp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-10-04 20:24 . 2007-07-24 20:58 95616 ----a-w- c:\windows\junction.exe
2009-10-04 18:00 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-30 03:45 . 2009-09-30 03:45 -------- d-----w- C:\f766be4ab782aa06bf3fb63b0e7358d0
2009-09-23 10:21 . 2009-09-23 10:21 -------- d-----w- c:\program files\Sophos
2009-09-23 10:16 . 2009-09-23 10:17 -------- d-----w- c:\program files\ZZtoy
2009-09-23 00:37 . 2009-09-23 00:37 34816 ----a-w- c:\windows\system32\drivers\rootrepeal[1].sys
2009-09-22 01:26 . 2009-09-22 01:26 -------- d-----w- c:\documents and settings\Do Family\Local Settings\Application Data\Mozilla
2009-09-22 00:51 . 2009-09-22 00:51 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-09-22 00:43 . 2009-09-22 00:43 -------- d-----w- c:\windows\system32\XPToolsLicenseComponent
2009-09-22 00:30 . 2009-09-22 00:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-21 23:59 . 2009-09-21 23:59 -------- d-----w- c:\documents and settings\Do Family\Application Data\Malwarebytes
2009-09-21 23:59 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-21 23:59 . 2009-09-21 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-21 23:59 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-21 23:59 . 2009-09-21 23:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-21 22:54 . 2009-09-21 22:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-21 22:54 . 2009-09-21 22:54 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-21 22:54 . 2009-09-21 22:54 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-21 22:54 . 2009-09-21 22:54 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-21 22:54 . 2009-10-04 22:19 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-21 22:42 . 2009-09-21 22:42 -------- d-----w- c:\windows\system32\wbem\Repository
2009-09-20 19:18 . 2009-09-20 19:18 11952 ----a-w- c:\windows\system32\avgrsstx(2).dll
2009-09-20 19:17 . 2009-09-21 22:36 -------- d-----w- c:\windows\system32\drivers\Avg(2)
2009-09-20 14:02 . 2009-09-20 14:02 -------- d-----w- c:\temp\SEP11.0.4.2Win32bit
2009-09-20 05:56 . 2009-09-23 12:04 -------- d-----w- C:\$AVG8.VAULT$
2009-09-20 05:39 . 2009-09-20 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-09-20 05:38 . 2009-09-20 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-20 05:38 . 2009-09-20 05:38 -------- d-----w- c:\program files\AVG
2009-09-20 05:38 . 2009-09-21 22:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-20 05:31 . 2009-09-20 05:31 -------- d-----w- c:\documents and settings\Do Family\Application Data\AVG8
2009-09-20 04:19 . 2009-09-20 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\gwr
2009-09-19 21:05 . 2009-10-04 17:56 0 ----a-w- c:\windows\win32k.sys
2009-09-09 02:30 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 11:28 . 2009-09-08 11:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-09-08 02:51 . 2009-09-08 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-08 02:49 . 2009-09-08 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 21:31 . 2008-01-05 23:11 70200 ----a-w- c:\documents and settings\Do Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 12:07 . 2008-06-01 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-29 12:04 . 2008-01-08 21:14 -------- d-----w- c:\program files\Microsoft Works
2009-09-24 23:40 . 2009-09-24 23:36 70200 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-22 01:26 . 2008-01-20 02:49 -------- d-----w- c:\documents and settings\Do Family\Application Data\U3
2009-09-20 19:11 . 2009-02-24 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-20 19:09 . 2009-02-24 21:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-17 01:34 . 2008-09-13 03:26 -------- d-----w- c:\documents and settings\Do Family\Application Data\Move Networks
2009-09-09 10:56 . 2009-08-23 02:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 02:51 . 2007-12-27 19:41 -------- d-----w- c:\program files\Google
2009-08-16 13:54 . 2008-06-01 21:12 -------- d-----w- c:\program files\MSBuild
2009-08-16 13:54 . 2009-08-16 13:54 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 18:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-10 18:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-05-19 3561720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 138008]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2000-08-08 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-08-08 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-08-08 28739]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-21 2007832]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-06-06 405504]

c:\documents and settings\Do Family\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-27 50688]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-8-8 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{731AC7F0-7344-4FBE-9B2E-6C5146845A04}"= "c:\windows\system32\ehmeruli.dll" [2007-03-31 319488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-21 22:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/21/2009 5:54 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/21/2009 5:54 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/21/2009 5:53 PM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/7/2008 7:15 PM 24652]
S2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" --> c:\program files\Windows Defender\MsMpEng.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\8.tmp --> c:\windows\system32\8.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]

2009-10-05 c:\windows\Tasks\ClusterTaskUserS-1-5-21-244825347-2868739286-1695091525-1006.job
- c:\windows\system32\Clustbth.exe [2009-06-11 16:31]

2009-10-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-08 02:49]

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 02:50]

2009-10-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-08 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Do Family\Application Data\Mozilla\Firefox\Profiles\txafbka1.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-Windows Defender - c:\program files\Windows Defender\MSASCui.exe
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
AddRemove-Recuva - c:\program files\Recuva\uninst.exe
AddRemove-{DE6B27C2-B0A1-4849-9013-01009DA0D5EB} - c:\program files\InstallShield Installation Information\{DE6B27C2-B0A1-4849-9013-01009DA0D5EB}\setup.exe
AddRemove-Move Networks Player - IE - c:\documents and settings\Do Family\Application Data\Move Networks\ie_bin\Uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 21:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\8.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2204)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\ehmeruli.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\NettutBv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-05 21:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 02:50

Pre-Run: 137,828,372,480 bytes free
Post-Run: 138,410,041,344 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

231 --- E O F --- 2009-10-04 18:57




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users