
Rootkit - a.exe, runit_32.exe


  • This topic is locked
23 replies to this topic

#1 blong

blong

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 18 October 2009 - 10:29 PM

Alright, so I came across a few new processes that were brought to my attention: a.exe and runit_32.exe. I've read up on it and it seems that it's a pretty bad rootkit.
I posted a few days ago in this section and it was moved by a moderator to a different forum, 'Am I Infected', and now I was told to come back here and post. Anyway, I will list the problems associated, what they're doing, and the actions I've taken.

-Noticed quite a few new processes running and researched them.
-Tried to run spybot and ad-aware (they close upon execution and seem to corrupt when trying to run them again)
The message I'm getting when trying to run them again is as follows 'Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.'
-I've tried running in safe mode and get the same errors.
-I'm currently using Google Chrome and the browser runs fine, but in IE7, any time I try to go to a website, it gets redirected to random marketing sites.
-Slower CPU performance
-Was advised to run RootRepeal but it does the same thing as the other programs (exit and terminate, then seem to corrupt)
-I was able to run Win32kDiag, and DDS and will post the results as well as attaching the Attach.txt file.
-The moderator informed me that I had a rootkit and to come here for help.

Win32kDiag Log.
-----------------------------------
Running from: C:\Documents and Settings\Brian Long\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Brian Long\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB923191\KB923191

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP15C.tmp\ZAP15C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP267.tmp\ZAP267.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP41.tmp\ZAP41.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F.tmp\ZAP5F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB4.tmp\ZAPB4.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ie8updates\ie8updates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\37f6297b42610206c3fdeaf1ae71345e\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f91c8d81761d826e33f44f7c4a28e82a\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474

Mount point destination : \Device\__max++>\^



Finished!
-----------------------------------------------------------

DDS.txt



DDS (Ver_09-10-13.01) - NTFSx86
Run by Brian Long at 21:10:42.78 on Fri 10/16/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.577 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\updater\explorer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\BRIANL~1\LOCALS~1\Temp\ir_ext_temp_978\autorun.exe
C:\WINDOWS\system32\txyg.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Brian Long\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Brian Long\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\DOCUME~1\BRIANL~1\LOCALS~1\Temp\a.exe
C:\Documents and Settings\Brian Long\My Documents\Downloads\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [SpybotSD TeaTimer] c:\program files\spybot\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\brian long\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [PopRock] c:\docume~1\brianl~1\locals~1\temp\a.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Updater] c:\windows\system32\updater\explorer.exe
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [cftmon] c:\windows\system32\txyg.exe
mRun: [Windows Update] c:\windows\uxvdl88044.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\brianl~1\startm~1\programs\startup\runit_32.lnk - c:\program files\runit\runit_32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206141362386
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-21 24652]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [2008-3-21 148352]
S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [2008-3-21 16925]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-10-16 20:52 <DIR> --d-h--- c:\windows\PIF
2009-10-16 15:57 <DIR> --d----- c:\program files\Trend Micro
2009-10-16 13:15 0 a------- c:\windows\win32k.sys
2009-10-15 20:52 88 a------- c:\windows\system32\winset.ini
2009-10-15 20:52 137,216 a------- c:\windows\boqwd75272.exe
2009-10-15 20:52 47,104 a------- c:\windows\cggf0805.exe
2009-10-15 20:52 <DIR> --d----- c:\program files\runit
2009-10-15 20:52 69,697 a------- c:\windows\vugqe1347.exe
2009-10-15 20:51 <DIR> --d----- c:\program files\Flash CS3
2009-10-15 12:26 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-10-08 12:49 <DIR> --d----- c:\windows\system32\XPSViewer
2009-10-08 12:48 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-10-08 12:48 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-08 12:48 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-08 12:48 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-08 12:48 <DIR> --d----- C:\d819754bb0c0d13cdb
2009-10-08 12:48 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-10-08 12:48 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-10-08 12:48 117,760 -------- c:\windows\system32\prntvpt.dll
2009-10-07 13:50 <DIR> --d----- c:\windows\SxsCaPendDel
2009-10-07 13:49 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-10-07 13:49 <DIR> --d----- c:\program files\Microsoft Device Emulator
2009-10-07 13:48 <DIR> --d----- c:\program files\Microsoft SQL Server 2005 Mobile Edition
2009-10-07 13:45 172 a------- c:\windows\ODBC.INI
2009-10-07 13:38 <DIR> --d----- c:\program files\HTML Help Workshop
2009-10-07 13:38 <DIR> --d----- c:\program files\common files\Merge Modules
2009-10-07 13:38 <DIR> --d----- c:\program files\common files\Business Objects
2009-10-07 13:38 <DIR> --d----- c:\program files\CE Remote Tools
2009-10-07 13:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PreEmptive Solutions
2009-10-07 13:36 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2009-10-07 12:02 <DIR> --d----- C:\VB

==================== Find3M ====================

2009-09-13 08:38 1,852 a------- c:\windows\system32\d3d9caps.dat
2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 02:36 832,512 a------- c:\windows\system32\wininet.dll
2009-08-29 02:36 78,336 a------- c:\windows\system32\ieencode.dll
2009-08-29 02:36 17,408 a------- c:\windows\system32\corpol.dll
2009-08-26 03:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 09:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2006-10-28 00:44 175 a------- c:\program files\autorun.inf


OS:
Windows XP Home SP3
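The Win32kDiag log above shows the two mechanisms behind the symptoms in this post. Every "Found mount point" entry is a directory reparse point whose destination is \Device\__max++>\^, an object that cannot be opened, so any program that touches one of those directories fails with "Windows cannot access the specified device, path or file" (which is what happened to Spybot, Ad-Aware and RootRepeal). The "Cannot access" block shows c:\windows\system32\eventlog.dll at 61952 bytes with no company name, while the ServicePackFiles copy is 56320 bytes and carries Microsoft Corporation in its version resource: the DLL that services.exe loads for the Event Log service has been replaced, which is why the fix below stops that service before touching the file, and ComboFix later in the thread reports it as infected. The following Python script is an added example, not part of the thread or of Win32kDiag, that parses such a log and flags both conditions. SAMPLE_LOG is a short excerpt constructed from lines of the log above; the C:\Junctions\share entry is a made-up benign junction added for contrast; and the "\??\" rule, the self-named-directory rule and the size/company checks are this example's own heuristics.

```python
"""Triage of a Win32kDiag log (added example; not part of Win32kDiag, DDS or
ComboFix).  SAMPLE_LOG is constructed from the log posted above, plus one
made-up benign junction (C:\\Junctions\\share) for contrast."""
import re
from dataclasses import dataclass

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (.+)$")
COPY_RE = re.compile(r"^\[\d\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.+?) \((.*)\)$")

SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\Junctions\share
Mount point destination : \??\D:\Data\share
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

@dataclass
class FileCopy:
    stamp: str
    size: int
    path: str
    company: str

def parse_win32kdiag(text):
    """Return (mounts, files): mounts is a list of (mount_point, destination),
    files maps each 'Cannot access' path to the FileCopy lines listed under it."""
    mounts, files = [], {}
    pending, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending, current = m.group(1), None
        elif m := DEST_RE.match(line):
            if pending is not None:
                mounts.append((pending, m.group(1)))
                pending = None
        elif m := NOACCESS_RE.match(line):
            current = m.group(1)
            files[current] = []
        elif (m := COPY_RE.match(line)) and current is not None:
            files[current].append(FileCopy(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        else:
            current = None  # "Searching ...", "Finished!" and anything unexpected
    return mounts, files

def suspicious_reparse_points(mounts):
    """A real junction or volume mount point resolves under \\??\\ (a drive letter
    or Volume{GUID}).  \\Device\\__max++>\\^ cannot be opened, so anything touching
    the directory fails; the self-named subdirectory is this infection's pattern."""
    findings = []
    for mount, dest in mounts:
        reasons = []
        if not dest.startswith("\\??\\"):
            reasons.append("destination is not a \\??\\ path: " + dest)
        parts = mount.rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("junction is named after its parent directory")
        if reasons:
            findings.append((mount, reasons))
    return findings

def suspicious_system_files(files):
    """Flag an inaccessible file whose size matches none of the other copies of
    the same name Win32kDiag listed, or whose version resource names no company."""
    findings = []
    for path, copies in files.items():
        name = "\\" + path.rsplit("\\", 1)[-1].lower()
        live = [c for c in copies if c.path.lower() == path.lower()]
        backups = [c for c in copies if c.path.lower() != path.lower() and c.path.lower().endswith(name)]
        if not live:
            continue
        reasons = []
        if backups and all(c.size != live[0].size for c in backups):
            reasons.append(f"size {live[0].size} matches no backup copy ({', '.join(str(c.size) for c in backups)})")
        if not live[0].company:
            reasons.append("version resource carries no company name")
        if reasons:
            findings.append((path, reasons))
    return findings

def triage(text):
    """One line per finding, reparse points first, then replaced system files."""
    mounts, files = parse_win32kdiag(text)
    return ([f"REPARSE {m}: " + "; ".join(r) for m, r in suspicious_reparse_points(mounts)]
            + [f"FILE {p}: " + "; ".join(r) for p, r in suspicious_system_files(files)])

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

Point triage() at the full Win32kDiag.txt instead of SAMPLE_LOG and every one of the sixty-odd junctions in the log above is reported, plus the eventlog.dll mismatch. The reparse points are what the tool's -f -r run removes; the DLL cannot be replaced while services.exe has it loaded, which is the reason the Event Log service is disabled and the machine rebooted first.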


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:43 AM

Posted 19 October 2009 - 01:33 AM

Hi blong,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • Go to Start > Run, copy/paste the following line in the Run box and click OK.

    sc config eventlog start= disabled

    A window flashes; that is normal.

  • Important: Reboot the computer.

  • We need to run the tool with the following command to fix some malware related changes.
    Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 blong

blong
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 19 October 2009 - 01:42 PM

Hey farbar, thanks for your assistance.

Was just going to update you on the instructions that you gave me.

-The first command "sc config eventlog start= disabled" ran fine and a DOS window flashed. Then I rebooted.

-After the reboot I executed the second command ""%userprofile%\desktop\win32kdiag.exe" -f -r" and nothing seemed to happen; I didn't get any Win32kDiag.txt on the desktop.

-I already had that file on my desktop, which I posted first, so knowing that the file was on the desktop I moved it to My Documents along with all the other .txt files that had been generated before running that second command. Still no log file.

-After doing the commands and the reboot, once booting up, 'Windows Police Pro' shows up on my desktop with multiple icons on the taskbar and a window that's frozen on the screen (no, I didn't click it, lol). So I continuously kill the process so I can manage to navigate to the files, and it's letting me do it.

-I proceeded to download ComboFix to the desktop and ran it, and it gave me every dialog box you showed, started scanning in a blue DOS screen, and said 'ComboFix has detected a rootkit'. Then it told me to reboot, so I rebooted and searched for the ComboFix.txt file on the desktop and it wasn't there. So I searched the entire hard drive for every instance of that name and it resulted in ComboFix.exe on the desktop and like 4 C:\ComboFix with no extensions or anything on them.

I don't know if I should try to run ComboFix again or what, but nothing is cooperating.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:43 AM

Posted 19 October 2009 - 02:32 PM

You have to make sure your antivirus is disabled and not running on reboot. Delete your copy of ComboFix and download a fresh one. Run it again. After the reboot, wait a little bit because it should run by itself again to delete files and make the log. If after 10 minutes nothing has happened, report back.

#5 blong

blong
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 19 October 2009 - 03:53 PM

OK, the first time I ran ComboFix from the desktop it didn't run properly. I saved it in my My Documents folder, and it ran perfectly. It seems everything that sits on my desktop has problems. Anyway, here's the log.

ComboFix 09-10-18.06 - Brian Long 10/19/2009 15:37.1.1 - NTFSx86
Running from: c:\documents and settings\Brian Long\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Brian Long\Start Menu\Programs\Startup\runit_32.lnk
c:\program files\autorun.inf
c:\program files\runit
c:\program files\runit\config.txt
c:\program files\runit\runit_32.exe
c:\program files\runit\runitu_32.exe
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\windows\svohost.exe
c:\windows\system32\bincd32.dat
c:\windows\system32\config\systemprofile\Desktop\Windows Police Pro.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\muzapp.exe
c:\windows\system32\nuar.old
c:\windows\system32\pump.exe
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\skynet.dat
c:\windows\vugqe1347.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_WDefend
-------\Service_WDefend


((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.

2009-10-19 17:54 . 2009-10-19 20:25 58 ----a-w- c:\windows\wp4.dat
2009-10-19 17:54 . 2009-10-19 20:25 2 ----a-w- c:\windows\wp3.dat
2009-10-19 17:54 . 2009-10-19 20:25 561664 ----a-w- c:\windows\system32\plugie.dll
2009-10-18 16:42 . 2009-10-18 16:53 -------- d--h--w- c:\windows\PIF
2009-10-17 03:33 . 2009-10-17 03:33 -------- d-----w- c:\program files\Trend Micro
2009-10-16 21:48 . 2009-10-17 03:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-10-16 21:48 . 2009-10-17 03:12 -------- d-s---w- c:\documents and settings\Administrator
2009-10-16 18:15 . 2009-10-19 17:37 0 ----a-w- c:\windows\win32k.sys
2009-10-16 18:09 . 2009-10-16 18:09 -------- d-----w- c:\documents and settings\Brian Long\Application Data\Apple Computer
2009-10-16 18:04 . 2009-10-17 03:12 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Google
2009-10-16 01:52 . 2009-10-16 01:52 137216 ----a-w- c:\windows\boqwd75272.exe
2009-10-16 01:52 . 2009-10-16 01:52 47104 ----a-w- c:\windows\cggf0805.exe
2009-10-16 01:51 . 2009-10-16 01:52 -------- d-----w- c:\program files\Flash CS3
2009-10-08 17:49 . 2009-10-08 17:49 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-08 17:48 . 2009-10-08 17:48 -------- d-----w- c:\program files\Reference Assemblies
2009-10-08 17:48 . 2009-10-08 17:48 -------- d-----w- C:\d819754bb0c0d13cdb
2009-10-08 17:48 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-08 17:48 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-08 17:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-08 17:48 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-08 17:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-08 17:48 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-08 17:48 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 18:50 . 2009-10-17 03:23 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-07 18:49 . 2009-10-07 18:54 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-07 18:49 . 2009-10-07 18:49 -------- d-----w- c:\program files\Microsoft Device Emulator
2009-10-07 18:48 . 2009-10-07 18:48 -------- d-----w- c:\program files\Microsoft SQL Server 2005 Mobile Edition
2009-10-07 18:38 . 2009-10-07 18:38 -------- d-----w- c:\windows\Symbols
2009-10-07 18:38 . 2009-10-07 18:52 -------- d-----w- c:\program files\Microsoft.NET
2009-10-07 18:38 . 2009-10-07 18:43 -------- d-----w- c:\program files\HTML Help Workshop
2009-10-07 18:38 . 2009-10-07 18:42 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-10-07 18:38 . 2009-10-07 18:39 -------- d-----w- c:\program files\Common Files\Business Objects
2009-10-07 18:38 . 2009-10-07 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2009-10-07 18:38 . 2009-10-07 18:38 -------- d-----w- c:\program files\CE Remote Tools
2009-10-07 18:36 . 2009-10-07 18:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-07 17:02 . 2009-10-07 18:59 -------- d-----w- C:\VB
2009-10-06 16:07 . 2009-10-14 03:12 -------- d-----w- c:\documents and settings\Brian Long\Local Settings\Application Data\Temp
2009-10-06 16:07 . 2009-10-06 16:07 -------- d-----w- c:\documents and settings\Brian Long\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-19 18:12 . 2003-03-31 12:00 347136 ----a-w- c:\windows\system32\txyg.exe
2009-10-16 19:01 . 2008-06-25 23:24 -------- d-----w- c:\program files\Starcraft
2009-10-16 18:03 . 2009-06-24 14:33 81192 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 01:50 . 2008-06-26 04:43 -------- d-----w- c:\documents and settings\Brian Long\Application Data\LimeWire
2009-10-10 23:29 . 2008-03-22 02:59 81192 ----a-w- c:\documents and settings\Brian Long\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 18:46 . 2008-03-22 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-07 18:43 . 2008-07-05 19:55 -------- d-----w- c:\program files\MSBuild
2009-10-07 16:57 . 2008-03-22 03:40 -------- d-----w- c:\program files\Common Files\AOL
2009-09-17 16:30 . 2008-07-08 20:06 -------- d-----w- c:\program files\Spybot
2009-09-13 13:38 . 2008-07-11 07:08 1852 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 21:16 . 2009-09-09 21:16 -------- d-----w- c:\program files\OneRiot
2009-09-06 16:20 . 2008-06-27 00:28 -------- d-----w- c:\program files\LimeWire
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2003-03-31 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-06-30 17:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2003-03-31 12:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-25 10:23 . 2008-11-25 02:15 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}]
2009-10-19 20:25 561664 ----a-w- c:\windows\system32\plugie.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Brian Long\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-06 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-03-05 20531]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/21/2008 10:41 PM 24652]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [3/21/2008 12:48 AM 148352]
S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [3/21/2008 12:48 AM 16925]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-602609370-725345543-1004Core.job
- c:\documents and settings\Brian Long\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-06 16:07]

2009-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-602609370-725345543-1004UA.job
- c:\documents and settings\Brian Long\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-06 16:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{9516EB1C-AC77-492D-8FD6-A05AFAC9EA6E} - (no file)
HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKLM-Run-Cmaudio - cmicnfg.cpl



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 15:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-602609370-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3684)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\WudfHost.exe
c:\combofix\CF23100.exe
c:\windows\system32\rundll32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-19 15:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-19 20:51

Pre-Run: 124,408,451,072 bytes free
Post-Run: 126,276,362,240 bytes free

- - End Of File - - BF83E092E42F7234307050169F61C01C

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:43 AM

Posted 19 October 2009 - 04:08 PM

We need to run Combofix again. This time please download a fresh copy to your desktop and run it from there. Make sure you have an internet connection and let it install the Recovery Console. Post the log please.

#7 blong

blong
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 19 October 2009 - 04:19 PM

Ok, the first time I ran it, the recovery console was successful. Ran it again from the desktop and here it is:

ComboFix 09-10-19.01 - Brian Long 10/19/2009 16:11.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.715 [GMT -5:00]
Running from: c:\documents and settings\Brian Long\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.

2009-10-19 17:54 . 2009-10-19 20:25 58 ----a-w- c:\windows\wp4.dat
2009-10-19 17:54 . 2009-10-19 20:25 2 ----a-w- c:\windows\wp3.dat
2009-10-19 17:54 . 2009-10-19 20:25 561664 ----a-w- c:\windows\system32\plugie.dll
2009-10-18 16:42 . 2009-10-18 16:53 -------- d--h--w- c:\windows\PIF
2009-10-17 03:33 . 2009-10-17 03:33 -------- d-----w- c:\program files\Trend Micro
2009-10-16 21:48 . 2009-10-17 03:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-10-16 21:48 . 2009-10-17 03:12 -------- d-s---w- c:\documents and settings\Administrator
2009-10-16 18:15 . 2009-10-19 17:37 0 ----a-w- c:\windows\win32k.sys
2009-10-16 18:09 . 2009-10-16 18:09 -------- d-----w- c:\documents and settings\Brian Long\Application Data\Apple Computer
2009-10-16 18:04 . 2009-10-17 03:12 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Google
2009-10-16 01:52 . 2009-10-16 01:52 137216 ----a-w- c:\windows\boqwd75272.exe
2009-10-16 01:52 . 2009-10-16 01:52 47104 ----a-w- c:\windows\cggf0805.exe
2009-10-16 01:51 . 2009-10-16 01:52 -------- d-----w- c:\program files\Flash CS3
2009-10-08 17:49 . 2009-10-08 17:49 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-08 17:48 . 2009-10-08 17:48 -------- d-----w- c:\program files\Reference Assemblies
2009-10-08 17:48 . 2009-10-08 17:48 -------- d-----w- C:\d819754bb0c0d13cdb
2009-10-08 17:48 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-08 17:48 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-08 17:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-08 17:48 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-08 17:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-08 17:48 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-08 17:48 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 18:50 . 2009-10-17 03:23 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-07 18:49 . 2009-10-07 18:54 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-07 18:49 . 2009-10-07 18:49 -------- d-----w- c:\program files\Microsoft Device Emulator
2009-10-07 18:48 . 2009-10-07 18:48 -------- d-----w- c:\program files\Microsoft SQL Server 2005 Mobile Edition
2009-10-07 18:38 . 2009-10-07 18:38 -------- d-----w- c:\windows\Symbols
2009-10-07 18:38 . 2009-10-07 18:52 -------- d-----w- c:\program files\Microsoft.NET
2009-10-07 18:38 . 2009-10-07 18:43 -------- d-----w- c:\program files\HTML Help Workshop
2009-10-07 18:38 . 2009-10-07 18:42 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-10-07 18:38 . 2009-10-07 18:39 -------- d-----w- c:\program files\Common Files\Business Objects
2009-10-07 18:38 . 2009-10-07 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2009-10-07 18:38 . 2009-10-07 18:38 -------- d-----w- c:\program files\CE Remote Tools
2009-10-07 18:36 . 2009-10-07 18:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-07 17:02 . 2009-10-07 18:59 -------- d-----w- C:\VB
2009-10-06 16:07 . 2009-10-14 03:12 -------- d-----w- c:\documents and settings\Brian Long\Local Settings\Application Data\Temp
2009-10-06 16:07 . 2009-10-06 16:07 -------- d-----w- c:\documents and settings\Brian Long\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-19 18:12 . 2003-03-31 12:00 347136 ----a-w- c:\windows\system32\txyg.exe
2009-10-16 19:01 . 2008-06-25 23:24 -------- d-----w- c:\program files\Starcraft
2009-10-16 18:03 . 2009-06-24 14:33 81192 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 01:50 . 2008-06-26 04:43 -------- d-----w- c:\documents and settings\Brian Long\Application Data\LimeWire
2009-10-10 23:29 . 2008-03-22 02:59 81192 ----a-w- c:\documents and settings\Brian Long\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 18:46 . 2008-03-22 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-07 18:43 . 2008-07-05 19:55 -------- d-----w- c:\program files\MSBuild
2009-10-07 16:57 . 2008-03-22 03:40 -------- d-----w- c:\program files\Common Files\AOL
2009-09-17 16:30 . 2008-07-08 20:06 -------- d-----w- c:\program files\Spybot
2009-09-13 13:38 . 2008-07-11 07:08 1852 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 21:16 . 2009-09-09 21:16 -------- d-----w- c:\program files\OneRiot
2009-09-06 16:20 . 2008-06-27 00:28 -------- d-----w- c:\program files\LimeWire
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2003-03-31 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-06-30 17:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2003-03-31 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-25 10:23 . 2008-11-25 02:15 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}]
2009-10-19 20:25 561664 ----a-w- c:\windows\system32\plugie.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Brian Long\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-06 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-03-05 20531]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/21/2008 10:41 PM 24652]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [3/21/2008 12:48 AM 148352]
S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [3/21/2008 12:48 AM 16925]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-602609370-725345543-1004Core.job
- c:\documents and settings\Brian Long\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-06 16:07]

2009-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-602609370-725345543-1004UA.job
- c:\documents and settings\Brian Long\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-06 16:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 16:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-602609370-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2892)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-19 16:16
ComboFix-quarantined-files.txt 2009-10-19 21:16

Pre-Run: 126,288,547,840 bytes free
Post-Run: 126,279,196,672 bytes free

- - End Of File - - EB60E4E5F910FB82585D1925D4CB6D76

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:43 AM

Posted 19 October 2009 - 04:27 PM

Well done.
  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  • We need to scan the system with this special tool.
    • Please download Junction.zip and save it.
    • First unzip it. If it is extracted to a folder, open the folder and put the junction.exe inside it on the desktop. Make sure the file itself is on the desktop. It should look like this: Posted Image
    • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

      cmd /c "%userprofile%\desktop\junction.exe" -s c:\ >log.txt&log.txt

      A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.


#9 blong

blong
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 19 October 2009 - 08:42 PM

Ok here we go.

MBAM:

Malwarebytes' Anti-Malware 1.41
Database version: 2992
Windows 5.1.2600 Service Pack 3

10/19/2009 8:26:31 PM
mbam-log-2009-10-19 (20-26-31).txt

Scan type: Quick Scan
Objects scanned: 113753
Time elapsed: 3 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{77dc0b63-ff35-4ba9-8be8-aa9eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0b63-ff35-4ba9-8be8-aa9eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77dc0b63-ff35-4ba9-8be8-aa9eb676fa02} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\plugie.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\boqwd75272.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cggf0805.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\mdatdi.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.



-----------------------------------------------------------------------------------------------------------

Junction



Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


Failed to open \\?\c:\\Documents and Settings\Brian Long\Desktop\RootRepeal.exe: Access is denied.


Failed to open \\?\c:\\Documents and Settings\Brian Long\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.



Failed to open \\?\c:\\Documents and Settings\Brian Long\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.




..
Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.



.\\?\c:\\WINDOWS\$hf_mig$\KB923191\KB923191: MOUNT POINT
Substitute Name: \Device\__max++>\^


...\\?\c:\\WINDOWS\addins\addins: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790



\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP15C.tmp\ZAP15C.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP267.tmp\ZAP267.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP41.tmp\ZAP41.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F.tmp\ZAP5F.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB4.tmp\ZAPB4.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\assembly\tmp\tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Config\Config: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Connection Wizard\Connection Wizard: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Debug\UserMode\UserMode: MOUNT POINT
Substitute Name: \Device\__max++>\^

...\\?\c:\\WINDOWS\ie8updates\ie8updates: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\chsime\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\CHTIME\Applets\Applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp98\imejp98: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imjp8_1\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\dicts\dicts: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\shared\res\res: MOUNT POINT
Substitute Name: \Device\__max++>\^



..\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\java\classes\classes: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\java\trustlib\trustlib: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\msapps\msinfo\msinfo: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\mui\mui: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe: Access is denied.


\\?\c:\\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PCHealth\HelpCtr\Temp\Temp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PIF\PIF: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\Registration\CRMLog\CRMLog: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\37f6297b42610206c3fdeaf1ae71345e\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\f91c8d81761d826e33f44f7c4a28e82a\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Sun\Java\Deployment\Deployment: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SxsCaPendDel\SxsCaPendDel: MOUNT POINT
Substitute Name: \Device\__max++>\^




Failed to open \\?\c:\\WINDOWS\system32\dumprep.exe: Access is denied.


.\\?\c:\\WINDOWS\WinSxS\InstallTemp\InstallTemp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474: MOUNT POINT
Substitute Name: \Device\__max++>\^
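
The Junction output pasted above is what the `junction.exe -s c:\` command from #8 prints. As an added example (not part of the thread, and not code from Sysinternals, ComboFix or BleepingComputer), the Python below parses that text format and flags reparse points whose target is not a drive-letter or `\??\Volume{...}` path (the raw `\Device\__max++>\^` object name seen here), directories named after their own parent, and the "Access is denied" failures that mark files whose permissions were altered. The embedded sample log is constructed and abbreviated from the thread's format; the user path in it is hypothetical.

```python
r"""Triage a Sysinternals Junction log for rootkit-style reparse points.

Added example for this thread; not code from Sysinternals, ComboFix or
BleepingComputer. It parses the text junction.exe prints (the format pasted
above) and flags reparse points whose target is not a volume path (the raw
\Device\__max++>\^ object name seen here), directories named after their
parent (WINDOWS\PIF\PIF and friends), and "Access is denied" failures.
"""
import re
from dataclasses import dataclass

# Constructed sample, abbreviated from the thread's output (hypothetical paths).
SAMPLE_LOG = r"""
Junction v1.05 - Windows junction creator and reparse point viewer

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\Documents and Settings\User\Desktop\RootRepeal.exe: Access is denied.

...\\?\c:\\WINDOWS\addins\addins: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\PIF\PIF: MOUNT POINT
Substitute Name: \Device\__max++>\^
"""


@dataclass
class ReparsePoint:
    path: str            # as printed, e.g. \\?\c:\\WINDOWS\PIF\PIF
    kind: str            # MOUNT POINT, JUNCTION or SYMBOLIC LINK
    print_name: str = ""
    substitute: str = ""


@dataclass
class OpenFailure:
    path: str
    reason: str


# junction.exe prefixes progress dots to some lines, hence the leading \.*
HEADER_RE = re.compile(r"^\.*(\\\\\?\\.*?): (MOUNT POINT|JUNCTION|SYMBOLIC LINK)\s*$")
FAILED_RE = re.compile(r"^\.*Failed to open (.+?): (.+?)\s*$")
PRINT_RE = re.compile(r"^Print Name\s*: (.*?)\s*$")
SUBST_RE = re.compile(r"^Substitute Name\s*: (.*?)\s*$")
# Legitimate targets: a drive letter (C:\...) or an NT volume name (\??\Volume{...}).
VOLUME_RE = re.compile(r"^(\\\?\?\\)?([A-Za-z]:\\|Volume\{)", re.IGNORECASE)


def parse_junction_log(text):
    """Return (reparse points, open failures) found in junction.exe output."""
    points, failures = [], []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = ReparsePoint(path=m.group(1), kind=m.group(2))
            points.append(current)
        elif (m := FAILED_RE.match(line)):
            failures.append(OpenFailure(path=m.group(1), reason=m.group(2)))
            current = None
        elif current is not None and (m := PRINT_RE.match(line)):
            current.print_name = m.group(1)
        elif current is not None and (m := SUBST_RE.match(line)):
            current.substitute = m.group(1)
    return points, failures


def repeats_parent(path):
    # True for paths ending in X\X, the naming every mount point in the thread shares.
    parts = [p for p in path.split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def is_suspicious(rp):
    r"""A mount point or junction must resolve to a volume (or a directory on one);
    any other target, such as a \Device\ object, cannot be a normal NTFS link."""
    return not VOLUME_RE.match(rp.substitute or rp.print_name)


def triage(text):
    points, failures = parse_junction_log(text)
    return {
        "total": len(points),
        "suspicious": [rp for rp in points if is_suspicious(rp)],
        "self_named": [rp for rp in points if repeats_parent(rp.path)],
        "access_denied": [f for f in failures if f.reason.startswith("Access is denied")],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} reparse points, {len(report['suspicious'])} suspicious")
    for rp in report["suspicious"]:
        print(f"  {rp.kind:<11} {rp.path} -> {rp.substitute}")
    for f in report["access_denied"]:
        print(f"  ACL check: {f.path}")
```

Run it against a real log with `triage(open("log.txt").read())`; every entry in `suspicious` is a reparse point that no installer or Windows component would create, and every `access_denied` path is a candidate for the permission reset Farbar describes in the next post.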

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:43 AM

Posted 20 October 2009 - 02:27 AM

  • Go to start > Run copy/paste the following line in the run box and click OK.

    sc config eventlog start= auto

    A window flashes, it is normal.

  • Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/265374/rootkit-aexe-runit-32exe/
    
    Collect::
    c:\windows\system32\txyg.exe
    File::
    c:\windows\wp4.dat
    c:\windows\wp3.dat
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • We need to reset the permissions altered by the malware on some files.
    • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
    • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

      "%userprofile%\desktop\inherit" "%userprofile%\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db"
      "%userprofile%\desktop\inherit" "%userprofile%\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow"
      "%userprofile%\desktop\inherit" "c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe"
      "%userprofile%\desktop\inherit" "c:\\Documents and Settings\Brian Long\Desktop\RootRepeal.exe"

    • If you get a security warning select Run.
    • You will get a "Finish" popup. Click OK.
    • Do the same for the rest of the lines until you have run all the above commands one by one.
  • You are missing one important program on that computer: An antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

    Avira
    • Download the installer from softpedia.com link as it has a secure download mirror. Install and update it.
    • In the left pane click Status. In the right pane click Scan system now.
    • After the scan has finished, let it remove what it finds and then click Report.
    • You can get the last report also by clicking on Reports on the left pane.
    • In the right window under Action double-click on the last Scan listed (you see also the corresponding Date/Time).
    • A window opens, click on Report file.
    • Copy and paste the content of the report to your reply.


#11 blong

blong
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:43 PM

Posted 20 October 2009 - 01:54 PM

All the commands were successful.

Combofix script was successful and here is the log:

ComboFix 09-10-19.04 - Brian Long 10/20/2009 11:52.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.713 [GMT -5:00]
Running from: c:\documents and settings\Brian Long\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian Long\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\windows\wp3.dat"
"c:\windows\wp4.dat"

file zipped: c:\windows\system32\txyg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\txyg.exe
c:\windows\wp3.dat
c:\windows\wp4.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))
.

2009-10-20 01:15 . 2009-10-20 01:15 -------- d-----w- c:\documents and settings\Brian Long\Application Data\Malwarebytes
2009-10-20 01:15 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 01:15 . 2009-10-20 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 01:15 . 2009-10-20 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-20 01:15 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-18 16:42 . 2009-10-18 16:53 -------- d--h--w- c:\windows\PIF
2009-10-17 03:33 . 2009-10-17 03:33 -------- d-----w- c:\program files\Trend Micro
2009-10-16 21:48 . 2009-10-17 03:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-10-16 21:48 . 2009-10-17 03:12 -------- d-s---w- c:\documents and settings\Administrator
2009-10-16 18:09 . 2009-10-16 18:09 -------- d-----w- c:\documents and settings\Brian Long\Application Data\Apple Computer
2009-10-16 18:04 . 2009-10-17 03:12 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Google
2009-10-16 01:51 . 2009-10-16 01:52 -------- d-----w- c:\program files\Flash CS3
2009-10-08 17:49 . 2009-10-08 17:49 -------- d-----w- c:\windows\system32\XPSViewer
2009-10-08 17:48 . 2009-10-08 17:48 -------- d-----w- c:\program files\Reference Assemblies
2009-10-08 17:48 . 2009-10-08 17:48 -------- d-----w- C:\d819754bb0c0d13cdb
2009-10-08 17:48 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-10-08 17:48 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-10-08 17:48 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-10-08 17:48 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-10-08 17:48 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-10-08 17:48 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-10-08 17:48 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-10-07 18:50 . 2009-10-17 03:23 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-07 18:49 . 2009-10-07 18:54 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-07 18:49 . 2009-10-07 18:49 -------- d-----w- c:\program files\Microsoft Device Emulator
2009-10-07 18:48 . 2009-10-07 18:48 -------- d-----w- c:\program files\Microsoft SQL Server 2005 Mobile Edition
2009-10-07 18:38 . 2009-10-07 18:38 -------- d-----w- c:\windows\Symbols
2009-10-07 18:38 . 2009-10-07 18:52 -------- d-----w- c:\program files\Microsoft.NET
2009-10-07 18:38 . 2009-10-07 18:43 -------- d-----w- c:\program files\HTML Help Workshop
2009-10-07 18:38 . 2009-10-07 18:42 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-10-07 18:38 . 2009-10-07 18:39 -------- d-----w- c:\program files\Common Files\Business Objects
2009-10-07 18:38 . 2009-10-07 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2009-10-07 18:38 . 2009-10-07 18:38 -------- d-----w- c:\program files\CE Remote Tools
2009-10-07 18:36 . 2009-10-07 18:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-10-07 17:02 . 2009-10-07 18:59 -------- d-----w- C:\VB
2009-10-06 16:07 . 2009-10-14 03:12 -------- d-----w- c:\documents and settings\Brian Long\Local Settings\Application Data\Temp
2009-10-06 16:07 . 2009-10-06 16:07 -------- d-----w- c:\documents and settings\Brian Long\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 19:01 . 2008-06-25 23:24 -------- d-----w- c:\program files\Starcraft
2009-10-16 18:03 . 2009-06-24 14:33 81192 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-16 01:50 . 2008-06-26 04:43 -------- d-----w- c:\documents and settings\Brian Long\Application Data\LimeWire
2009-10-10 23:29 . 2008-03-22 02:59 81192 ----a-w- c:\documents and settings\Brian Long\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 18:46 . 2008-03-22 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-07 18:43 . 2008-07-05 19:55 -------- d-----w- c:\program files\MSBuild
2009-10-07 16:57 . 2008-03-22 03:40 -------- d-----w- c:\program files\Common Files\AOL
2009-09-17 16:30 . 2008-07-08 20:06 -------- d-----w- c:\program files\Spybot
2009-09-13 13:38 . 2008-07-11 07:08 1852 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 21:16 . 2009-09-09 21:16 -------- d-----w- c:\program files\OneRiot
2009-09-06 16:20 . 2008-06-27 00:28 -------- d-----w- c:\program files\LimeWire
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2003-03-31 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-06-30 17:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2003-03-31 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2003-03-31 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-25 10:23 . 2008-11-25 02:15 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Brian Long\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-06 133104]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-03-05 20531]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/21/2008 10:41 PM 24652]
S3 3dfxvs;3dfxvs;c:\windows\system32\drivers\3dfxvsm.sys [3/21/2008 12:48 AM 148352]
S3 w89c940;Winbond W89C940 PCI Ethernet Adapter Driver;c:\windows\system32\drivers\w940nd.sys [3/21/2008 12:48 AM 16925]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-602609370-725345543-1004Core.job
- c:\documents and settings\Brian Long\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-06 16:07]

2009-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-602609370-725345543-1004UA.job
- c:\documents and settings\Brian Long\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-06 16:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-20 11:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-602609370-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-10-20 11:58
ComboFix-quarantined-files.txt 2009-10-20 16:58
ComboFix2.txt 2009-10-19 21:16

Pre-Run: 126,223,396,864 bytes free
Post-Run: 126,194,503,680 bytes free

- - End Of File - - A4C32E941B024FD2CC09669D5F5855EF
Upload was successful

----------------------------------------------------------------------------

Avira (takes forever to update lol)

Avira AntiVir Personal
Report file date: Tuesday, October 20, 2009 12:45

Scanning for 1809849 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : BRIAN

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 19:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 15:21:42
ANTIVIR2.VDF : 7.1.6.112 4833792 Bytes 10/15/2009 17:37:37
ANTIVIR3.VDF : 7.1.6.129 164864 Bytes 10/20/2009 17:37:44
Engineversion : 8.2.1.42
AEVDF.DLL : 8.1.1.2 106867 Bytes 10/20/2009 17:43:49
AESCRIPT.DLL : 8.1.2.38 487804 Bytes 10/20/2009 17:43:45
AESCN.DLL : 8.1.2.5 127346 Bytes 10/20/2009 17:43:27
AERDL.DLL : 8.1.3.2 479604 Bytes 10/20/2009 17:43:25
AEPACK.DLL : 8.2.0.1 422263 Bytes 10/20/2009 17:43:09
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 15:59:39
AEHEUR.DLL : 8.1.0.167 2011511 Bytes 10/20/2009 17:42:59
AEHELP.DLL : 8.1.7.0 237940 Bytes 10/20/2009 17:42:00
AEGEN.DLL : 8.1.1.68 364918 Bytes 10/20/2009 17:41:44
AEEMU.DLL : 8.1.1.0 393587 Bytes 10/20/2009 17:38:00
AECORE.DLL : 8.1.8.1 184693 Bytes 10/20/2009 17:37:53
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, October 20, 2009 12:45

Starting search for hidden objects.
'45803' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'chrome.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '54' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Brian Long\My Documents\Downloads\dds.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\Program Files\Flash CS3\keymaker.exe
[DETECTION] Is the TR/Dldr.Agent.klr Trojan
C:\Program Files\Flash CS3\Setup.exe
[DETECTION] Is the TR/Dldr.Agent.klr Trojan
C:\Qoobox\Quarantine\C\Program Files\runit\runit_32.exe.vir
[DETECTION] Is the TR/Agent.ANLP Trojan
C:\Qoobox\Quarantine\C\WINDOWS\svohost.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\vugqe1347.exe.vir
[DETECTION] Is the TR/Agent.ANLP.1 Trojan
--> ProgramFilesDir/runit_32.exe
[DETECTION] Is the TR/Agent.ANLP Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\pump.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\txyg.exe.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\dbsinit.exe.vir
[0] Archive type: RAR SFX (self extracting)
--> wispex.html
[DETECTION] Is the TR/Script.212078 Trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\wispex.html.vir
[DETECTION] Is the TR/Script.212078 Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP418\A0027211.exe
[DETECTION] Is the TR/Agent.ANLP Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0027993.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0028085.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029081.exe
[0] Archive type: RAR SFX (self extracting)
--> wispex.html
[DETECTION] Is the TR/Script.212078 Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029082.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029087.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029089.exe
[0] Archive type: RSRC
--> Object
[1] Archive type: RAR SFX (self extracting)
--> wispex.html
[DETECTION] Is the TR/Script.212078 Trojan
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029187.exe
[DETECTION] Is the TR/Agent.ANLP Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029192.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029197.exe
[0] Archive type: RAR SFX (self extracting)
--> wispex.html
[DETECTION] Is the TR/Script.212078 Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029198.exe
[DETECTION] Is the TR/Agent.ANLP.1 Trojan
--> ProgramFilesDir/runit_32.exe
[DETECTION] Is the TR/Agent.ANLP Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029199.dll
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029426.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029427.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029428.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029429.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe
[WARNING] The file could not be opened!
C:\WINDOWS\system32\dumprep.exe
[WARNING] The file could not be opened!

Beginning disinfection:
C:\Documents and Settings\Brian Long\My Documents\Downloads\dds.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '4b5106f2.qua'!
C:\Program Files\Flash CS3\keymaker.exe
[DETECTION] Is the TR/Dldr.Agent.klr Trojan
[NOTE] The file was moved to '4b5706f3.qua'!
C:\Program Files\Flash CS3\Setup.exe
[DETECTION] Is the TR/Dldr.Agent.klr Trojan
[NOTE] The file was moved to '4b5206f3.qua'!
C:\Qoobox\Quarantine\C\Program Files\runit\runit_32.exe.vir
[DETECTION] Is the TR/Agent.ANLP Trojan
[NOTE] The file was moved to '4b4c0703.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\svohost.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4b4d0704.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\vugqe1347.exe.vir
[DETECTION] Is the TR/Agent.ANLP.1 Trojan
[NOTE] The file was moved to '4b450703.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4b430704.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\pump.exe.vir
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4b4b0703.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\txyg.exe.vir
[DETECTION] Contains recognition pattern of the WORM/Rbot.655092 worm
[NOTE] The file was moved to '4b570706.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\dbsinit.exe.vir
[NOTE] The file was moved to '4b5106f0.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\schtml\wispex.html.vir
[DETECTION] Is the TR/Script.212078 Trojan
[NOTE] The file was moved to '4b5106f7.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP418\A0027211.exe
[DETECTION] Is the TR/Agent.ANLP Trojan
[NOTE] The file was moved to '4b0e06be.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0027993.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4a674a8f.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0028085.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4b0e06bf.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029081.exe
[NOTE] The file was moved to '488c72e0.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029082.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48889580.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029087.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48899dc8.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029089.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4886a410.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029187.exe
[DETECTION] Is the TR/Agent.ANLP Trojan
[NOTE] The file was moved to '488b8db8.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029192.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4f7e8a10.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029197.exe
[NOTE] The file was moved to '4884aa70.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029198.exe
[DETECTION] Is the TR/Agent.ANLP.1 Trojan
[NOTE] The file was moved to '4885b2b8.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029199.dll
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '4882ba80.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029426.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4883c2c8.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029427.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4b0e06c1.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029428.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4881d55a.qua'!
C:\System Volume Information\_restore{3EBEE73C-E509-4820-8155-6746AB987011}\RP422\A0029429.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '489edda2.qua'!


End of the scan: Tuesday, October 20, 2009 13:50
Used time: 50:36 Minute(s)

The scan has been done completely.

10629 Scanned directories
523638 Files were scanned
30 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
27 Files were moved to quarantine
0 Files were renamed
4 Files cannot be scanned
523604 Files not concerned
6345 Archives were scanned
4 Warnings
29 Notes
45803 Objects were scanned with rootkit scan
0 Hidden objects were found


Oh and btw, I deleted all objects that were moved to quarantine. All began with trojan, so I figured that's what you wanted.

Edited by blong, 20 October 2009 - 01:58 PM.


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 October 2009 - 02:15 PM

Well done. You just crossed the danger zone. :(

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow files to be shared between users, as the name suggests. In today's world, cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions

We need to run the tool with the following command to fix some malware-related changes.

Click on Start->Run, and copy-paste the following command (the bold text) into the "Open" box, and click OK:

"C:\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
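Win32kDiag's output, as posted further down the thread, reports "Found mount point" entries under C:\WINDOWS whose destination is \Device\__max++>\^. As an added example that is neither the tool's code nor Farbar's, here is a PowerShell audit that enumerates directory reparse points (junctions and mount points) under %WINDIR% and prints each one's target so such entries can be reviewed; the function names and the \??\-prefix heuristic are mine, and the script only reports.

```powershell
# Added example, not Win32kDiag itself or code from the thread. Walks %WINDIR%
# without descending into reparse points, lists every directory junction /
# mount point found, and shows its target the way the tool's log does
# ("Found mount point : ..." / "Mount point destination : ...").
# Needs an elevated prompt: fsutil reparsepoint query requires admin rights.

function Get-DirectoryReparsePoints {
    param([string]$Root)
    $reparse = [System.IO.FileAttributes]::ReparsePoint
    $stack = New-Object 'System.Collections.Generic.Stack[string]'
    $stack.Push($Root)
    $found = @()
    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        try { $subs = [System.IO.Directory]::GetDirectories($dir) } catch { continue }
        foreach ($sub in $subs) {
            try { $attr = [System.IO.File]::GetAttributes($sub) } catch { continue }
            if (($attr -band $reparse) -eq $reparse) {
                $found += $sub       # record it, never recurse into it (could loop)
            } else {
                $stack.Push($sub)
            }
        }
    }
    return $found
}

function Get-ReparseTarget {
    param([string]$Path)
    # fsutil prints the raw reparse buffer; the "Substitute Name:" line carries
    # the NT-style target, e.g. \??\C:\Windows\System32 for a normal junction.
    $out = & fsutil.exe reparsepoint query $Path 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'Substitute Name:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return '(unreadable)'
}

$root = $env:WINDIR
foreach ($mp in Get-DirectoryReparsePoints -Root $root) {
    $target = Get-ReparseTarget -Path $mp
    # Heuristic: junctions and volume mount points Windows creates resolve under
    # the \??\ object-manager prefix (\??\C:\..., \??\Volume{GUID}\). Anything
    # else, such as the \Device\__max++>\^ destinations in the thread's log, is
    # worth examining before deciding what to do with it.
    $flag = if ($target -match '^\\\?\?\\([A-Za-z]:\\|Volume\{)') { 'ok     ' } else { 'SUSPECT' }
    Write-Output "$flag  $mp"
    Write-Output "         -> $target"
}
```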


#13 blong

blong
  • Topic Starter

  • Members
  • 15 posts

Posted 20 October 2009 - 02:17 PM

This win32diag doesn't need to be deleted via Add/Remove since it's just an executable, right?

Just want to make sure I'm deleting it properly before running it again.

Oh and also, can I delete all these log files and .exe's that are residing on my desktop... they're just piling up?

Thanks

Edited by blong, 20 October 2009 - 02:21 PM.


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • Gender:Male
  • Location:The Netherlands

Posted 20 October 2009 - 03:59 PM

This win32diag doesn't need to be deleted via Add/Remove since it's just an executable, right?

No you don't need to uninstall it, just delete it.

Oh and also, can I delete all these log files and .exe's that are residing on my desktop... they're just piling up?

You may remove all except Combofix. That one we are going to uninstall later on.

#15 blong

blong
  • Topic Starter

  • Members
  • 15 posts

Posted 20 October 2009 - 04:09 PM

Running from: C:\win32kdiag.exe

Log file at : C:\Documents and Settings\Brian Long\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB923191\KB923191

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB923191\KB923191

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP15C.tmp\ZAP15C.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP15C.tmp\ZAP15C.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP267.tmp\ZAP267.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP267.tmp\ZAP267.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP41.tmp\ZAP41.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP41.tmp\ZAP41.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F.tmp\ZAP5F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5F.tmp\ZAP5F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB4.tmp\ZAPB4.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB4.tmp\ZAPB4.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ie8updates\ie8updates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ie8updates\ie8updates

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\37f6297b42610206c3fdeaf1ae71345e\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\37f6297b42610206c3fdeaf1ae71345e\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b93f60ba19e546073f72c1a6c59659c8\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f91c8d81761d826e33f44f7c4a28e82a\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\f91c8d81761d826e33f44f7c4a28e82a\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474



Finished!
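The log above repeats one pattern dozens of times: a directory reparse point whose destination is `\Device\__max++>\^` rather than a real volume, followed by the tool removing it, plus two executables (helpsvc.exe and dumprep.exe) whose permissions had to be restored before they could be read. When a log like this runs to several thousand lines it helps to reduce it to the handful of facts that matter for triage. The following Python script is an added example, not Win32kDiag's own code and not something from the original post: it parses lines in the format shown above (the three-line "Found / destination / Removing" groups and the "Cannot access / Attempting to restore permissions" pairs, inferred from the visible output), groups the reparse points by destination, and flags any destination that does not look like a legitimate NTFS volume mount point (a `\??\Volume{GUID}\` path). That "legitimate target" rule, the sample log, and the constructed volume-GUID entry used for contrast are assumptions of this example, not facts stated by the log.

```python
"""Triage a Win32kDiag-style log: which reparse points were found, where they
pointed, and which files had their permissions restored.

Added example; not the tool's own code.  Line formats are inferred from the
posted log; the 'legitimate destination' rule below is this script's assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: a genuine NTFS volume mount point reparses to \??\Volume{GUID}\ .
# Anything else (including the \Device\__max++>\^ seen in the log) is flagged.
LEGIT_VOLUME_TARGET = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]{36}\}\\$")

FOUND = "Found mount point : "
DEST = "Mount point destination : "
REMOVED = "Removing mount point : "
DENIED = "Cannot access: "
RESTORED = "Attempting to restore permissions of : "


@dataclass
class MountPoint:
    path: str
    destination: Optional[str] = None
    removed: bool = False


@dataclass
class Triage:
    mount_points: List[MountPoint] = field(default_factory=list)
    access_denied: List[str] = field(default_factory=list)
    permissions_restored: List[str] = field(default_factory=list)
    by_destination: Dict[str, List[str]] = field(
        default_factory=lambda: defaultdict(list))

    def suspicious(self) -> List[MountPoint]:
        """Reparse points whose target is missing or not a real volume path."""
        return [m for m in self.mount_points
                if not m.destination
                or not LEGIT_VOLUME_TARGET.match(m.destination)]


def parse_log(text: str) -> Triage:
    """Walk the log once; blank lines and unknown lines are ignored."""
    t = Triage()
    current: Optional[MountPoint] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(FOUND):
            current = MountPoint(path=line[len(FOUND):])
            t.mount_points.append(current)
        elif line.startswith(DEST) and current is not None:
            current.destination = line[len(DEST):]
            t.by_destination[current.destination].append(current.path)
        elif line.startswith(REMOVED) and current is not None \
                and line[len(REMOVED):] == current.path:
            current.removed = True
            current = None
        elif line.startswith(DENIED):
            t.access_denied.append(line[len(DENIED):])
        elif line.startswith(RESTORED):
            t.permissions_restored.append(line[len(RESTORED):])
    return t


def summarize(t: Triage) -> dict:
    """Compact view of what a responder needs to decide on next steps."""
    sus = t.suspicious()
    return {
        "mount_points": len(t.mount_points),
        "suspicious": len(sus),
        "suspicious_destinations": sorted({m.destination for m in sus if m.destination}),
        "removed": sum(m.removed for m in t.mount_points),
        "permissions_restored": list(t.permissions_restored),
    }


# Constructed sample: three groups lifted from the posted log, plus one made-up
# legitimate volume mount point to show it is NOT flagged.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Found mount point : C:\MountedData\MountedData

Mount point destination : \??\Volume{12345678-1234-1234-1234-123456789abc}\

Finished!
"""

if __name__ == "__main__":
    triage = parse_log(SAMPLE_LOG)
    for dest, paths in triage.by_destination.items():
        print(f"{len(paths):4d} reparse point(s) -> {dest}")
    for m in triage.suspicious():
        print("SUSPICIOUS:", m.path, "->", m.destination, "(removed)" if m.removed else "")
    print(summarize(triage))
```

On a live system the same check can be made for a single directory with `fsutil reparsepoint query <directory>`, which prints the reparse tag and target, so a suspect entry from the log can be confirmed before anything is deleted.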



