Infected Computer


  • This topic is locked
25 replies to this topic

#1 bkray

bkray

  • Members
  • 14 posts

Posted 23 October 2009 - 11:07 PM

Hello BC moderators,

- Malware (ActiveScan2, SecurityTool, probably others) has disabled all attempts at online scanners, Malwarebytes, etc. from scanning/fixing.

- I have skimmed past threads of assistance with other troubled patrons, and attempted to run Hijackthis, Win32kDiag.exe, RootRepeal, dds, and other assessment progs. They have either hung frozen midway through, closed, or when the scan finished, the Notepad files that were supposed to open with the log file did not open. I even tried the random generated scanner program that prevents the malware from shutting it down, but after running for 2+ hours, I went to bed, and awoke to find the program closed, with no apparent result txt log files.

- I am quite exasperated, so please excuse my frustration and lack of clarity at times. I will post what log files seemed to have been generated, but it is very likely that they are incomplete.

Thank you in advance.

-------

Running from: C:\Documents and Settings\Raymond\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Raymond\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB974455\KB974455

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP121.tmp\ZAP121.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13A.tmp\ZAP13A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13B.tmp\ZAP13B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E7.tmp\ZAP1E7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP200.tmp\ZAP200.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP207.tmp\ZAP207.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F0.tmp\ZAP2F0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP309.tmp\ZAP309.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP468.tmp\ZAP468.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E.tmp\ZAP7E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP97.tmp\ZAP97.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA30.tmp\ZAPA30.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

<<<<<<<<<<< This is the last line of where Win32kdiag hangs during scan.



Volume in drive C has no label.
Volume Serial Number is F8AC-5E6C

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 07:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 07:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 07:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 40,875,405,312 bytes free
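The two things in the log above that a responder looks at first are the junctions (every "Found mount point" resolves to a raw device object, `\Device\__max++>\^`, rather than to a `\??\C:\...` volume path, and each junction carries the same name as the directory it sits in) and the `dir` listing, where the live `system32\eventlog.dll` (61,952 bytes) no longer matches the service-pack copy in `ServicePackFiles\i386` (56,320 bytes) that it should be identical to. The following Python is an added example, not part of bkray's post or of Win32kDiag itself: it parses Win32kDiag-style output and a `dir` listing, flags mount points whose target is not a `\??\` path or that repeat their parent's name, lists files the tool could not open, and reports system32 files whose size differs from the service-pack source copy. The log excerpt is constructed from the posted output with one benign junction added for contrast; the directory sizes are the ones posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the Win32kDiag output posted above
# (two of the real junctions, plus one ordinary junction for contrast).
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Example\Junction
Mount point destination : \??\C:\WINDOWS\Example\Real
Cannot access: C:\WINDOWS\system32\eventlog.dll
"""

# The three directory listings from the post, as `dir` printed them.
SAMPLE_DIR = r"""
 Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 07:00 AM 180,224 scecli.dll
08/04/2004 07:00 AM 407,040 netlogon.dll
08/04/2004 07:00 AM 55,808 eventlog.dll
 Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
 Directory of C:\WINDOWS\system32
04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 61,952 eventlog.dll
"""

# One `dir` entry: date, time, AM/PM, size with thousands separators, file name.
DIR_ENTRY = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(.+?)\s*$")


def parse_mount_points(log_text):
    """Pair each 'Found mount point' line with the 'Mount point destination' after it."""
    pairs, pending = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Found mount point :"):
            pending = line.split(":", 1)[1].strip()
        elif line.startswith("Mount point destination :") and pending is not None:
            pairs.append((pending, line.split(":", 1)[1].strip()))
            pending = None
    return pairs


def inaccessible_files(log_text):
    """Files the tool reported it could not open ('Cannot access:' lines)."""
    return [l.split(":", 1)[1].strip() for l in log_text.splitlines()
            if l.strip().startswith("Cannot access:")]


def suspicious_mount_points(pairs):
    """Return [(mount_point, [reasons])] for junctions that do not look like normal NTFS ones.

    A junction made by the OS or an installer stores its target as a \\??\\ path
    (\\??\\C:\\... or \\??\\Volume{...}); a target naming a raw device object is not
    something a legitimate junction under %WINDIR% resolves to.
    """
    flagged = []
    for mount_point, dest in pairs:
        reasons = []
        if not dest.startswith("\\??\\"):
            reasons.append("target is not a \\??\\ volume path: " + dest)
        parts = mount_point.rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("junction has the same name as its parent directory")
        if reasons:
            flagged.append((mount_point, reasons))
    return flagged


def parse_dir_listing(text):
    """Build {filename: {directory: size_in_bytes}} from `dir` output (keys lower-cased)."""
    sizes, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Directory of "):
            current = line[len("Directory of "):].strip().lower()
            continue
        m = DIR_ENTRY.match(line)
        if m and current:
            sizes[m.group(2).lower()][current] = int(m.group(1).replace(",", ""))
    return dict(sizes)


def mismatched_system_files(sizes, system_dir=r"C:\WINDOWS\system32",
                            source_dir=r"C:\WINDOWS\ServicePackFiles\i386"):
    """{filename: (source_size, live_size)} where system32 differs from the SP source copy.

    The $NtServicePackUninstall$ backup is deliberately not the reference: it holds the
    pre-service-pack versions, so its sizes differ legitimately.
    """
    out = {}
    for name, by_dir in sizes.items():
        ref, live = by_dir.get(source_dir.lower()), by_dir.get(system_dir.lower())
        if ref is not None and live is not None and ref != live:
            out[name] = (ref, live)
    return out


if __name__ == "__main__":
    for mp, reasons in suspicious_mount_points(parse_mount_points(SAMPLE_LOG)):
        print(mp, "->", "; ".join(reasons))
    print("inaccessible:", inaccessible_files(SAMPLE_LOG))
    print("size mismatches:", mismatched_system_files(parse_dir_listing(SAMPLE_DIR)))
```

The size comparison only shows that the live copy differs from its install source; confirming what the file is (hash against a known-good copy, signature check) is a separate step, and the tool's own "Cannot access" result on the same file is a second, independent pointer to it.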


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 24 October 2009 - 01:17 AM

Hi, and Welcome.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here. (Please allow the application to finish. You will know as the last sentence in the report will be "Finished".)

"C:\Documents and Settings\Raymond\My Documents\Downloads\Win32kDiag.exe" -f -r

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 bkray

bkray
  • Topic Starter

  • Members
  • 14 posts

Posted 24 October 2009 - 12:37 PM

Hi JSntgRvr,

I ran Win32kdiag again, but as I said in my original post, it hangs and never finishes. Last night after I saw your reply, I followed the instructions and left the computer on overnight, and it was still at the same log point in the morning.

Also, I began downloading Combofix, however, I was running Chrome, and it autosaved in another folder. I carelessly moved to Desktop and renamed without finishing reading instructions. I did not execute the renamed file. I deleted it, and redownloaded from the second link, and changed name during "Save as", but I don't know if I already made a permanent mistake by renaming the file on desktop. Please let me know if I should do anything different, before I continue with rest of instructions.

Thank you.

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 24 October 2009 - 03:13 PM

Hi, bkray

Let's start removing some of those folders.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as fix.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the fix.bat file and post the resulting log.

@echo Off
if exist "%temp%\log.txt" del "%temp%\log.txt"
for %%g in (
"C:\WINDOWS\$hf_mig$\KB920213\KB920213"
"C:\WINDOWS\$hf_mig$\KB925454\KB925454"
"C:\WINDOWS\$hf_mig$\KB928090\KB928090"
"C:\WINDOWS\$hf_mig$\KB929338\KB929338"
"C:\WINDOWS\$hf_mig$\KB931768\KB931768"
"C:\WINDOWS\$hf_mig$\KB931784\KB931784"
"C:\WINDOWS\$hf_mig$\KB932168\KB932168"
"C:\WINDOWS\$hf_mig$\KB933566\KB933566"
"C:\WINDOWS\$hf_mig$\KB937143\KB937143"
"C:\WINDOWS\$hf_mig$\KB939653\KB939653"
"C:\WINDOWS\$hf_mig$\KB942615\KB942615"
"C:\WINDOWS\$hf_mig$\KB943460\KB943460"
"C:\WINDOWS\$hf_mig$\KB944533\KB944533"
"C:\WINDOWS\$hf_mig$\KB947864\KB947864"
"C:\WINDOWS\$hf_mig$\KB974455\KB974455"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP121.tmp\ZAP121.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13A.tmp\ZAP13A.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13B.tmp\ZAP13B.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E7.tmp\ZAP1E7.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP200.tmp\ZAP200.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP207.tmp\ZAP207.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F0.tmp\ZAP2F0.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP309.tmp\ZAP309.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP468.tmp\ZAP468.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E.tmp\ZAP7E.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP97.tmp\ZAP97.tmp"
"C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA30.tmp\ZAPA30.tmp"
"C:\WINDOWS\assembly\tmp\tmp"
"C:\WINDOWS\Config\Config"
"C:\WINDOWS\Connection Wizard\Connection Wizard"
"C:\WINDOWS\Debug\UserMode\UserMode"
"C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz"
"C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib"
"C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave"
"C:\WINDOWS\ime\chsime\applets\applets"
"C:\WINDOWS\ime\CHTIME\Applets\Applets"
"C:\WINDOWS\ime\imejp\applets\applets"
"C:\WINDOWS\ime\imejp98\imejp98"
"C:\WINDOWS\ime\imjp8_1\applets\applets"
"C:\WINDOWS\ime\imkr6_1\applets\applets"
"C:\WINDOWS\ime\imkr6_1\dicts\dicts"
"C:\WINDOWS\ime\shared\res\res"
"C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518"
"C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518"
"C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518"
"C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518"
"C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518"
"C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518"
"C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518"
"C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518"
"C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729"
"C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0"
"C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729"
"C:\WINDOWS\java\classes\classes"
"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs"
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files"
"C:\WINDOWS\Minidump\Minidump"
"C:\WINDOWS\msapps\msinfo\msinfo"
"C:\WINDOWS\msdownld.tmp\msdownld.tmp"
"C:\WINDOWS\mui\mui"
"C:\WINDOWS\occache\occache"
"C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES"
"C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF"
"C:\WINDOWS\pchealth\helpctr\BATCH\BATCH"
"C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint"
"C:\WINDOWS\pchealth\helpctr\Config\News\News"
"C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles"
"C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs"
"C:\WINDOWS\pchealth\helpctr\System\DFS\DFS"
"C:\WINDOWS\pchealth\helpctr\Temp\Temp"
"C:\WINDOWS\Registration\CRMLog\CRMLog"
"C:\WINDOWS\security\logs\logs"
"C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded"
"C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup"
"C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup"
"C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup"
"C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup"
"C:\WINDOWS\Sun\Java\Deployment\Deployment"
"C:\WINDOWS\SxsCaPendDel\SxsCaPendDel"
) do (
rd /s/q %%g >nul 2>&1
if exist %%g (echo %%~g .... Unable to Delete>>"%temp%\log.txt") ELSE echo %%~g ..... Deleted Successfully !!>>"%temp%\log.txt"
)
start notepad "%temp%\log.txt"
Exit

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
Remove your copy of Combofix as renamed, and follow these steps:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Mypuppy.exe as follows:



  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Mypuppy.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Mypuppy.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

Edited by JSntgRvr, 24 October 2009 - 03:15 PM.



#5 bkray

bkray
  • Topic Starter

  • Members
  • 14 posts

Posted 25 October 2009 - 01:28 AM

Hi JSntgRvr,

I did not save the first results of the batch file, because the computer rebooted during the following steps and I thought the log file had been saved, but I don't think it was. I do remember that all lines turned out successful.

Avenger results:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.



I followed your steps for Combofix, however it ran for 3 hours and hung on the line "Attempting to create system restore point". In the beginning I saw the hard disk light processing, but near the end, not much activity. Does it need longer than 3 hours? My hard disk is about 60 GB, but I did not really hear much processing...

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 October 2009 - 10:24 AM

Hi, bkray :(


Download this tool and save it next to Win32kdiag.exe. Drag and drop Win32kdiag.exe into Inherit.exe and click Ok when finished. Click on Win32kdiag.exe to run it. Allow enough time for the application to finish and post the Win32kdiag.txt in your next reply.

Download OTS.exe by OldTimer to your Desktop.
  • Close any open browsers.
  • Double-click on OTS.exe to start the program.
  • Leave all settings as they appear as default, except for the following:
    • Under Drivers, select "All".
    • Under Additional Scans, click on the "Extra" button.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).

Edited by JSntgRvr, 25 October 2009 - 01:22 PM.



#7 bkray

bkray
  • Topic Starter

  • Members
  • 14 posts

Posted 25 October 2009 - 11:32 AM

Hi JSntgRvr,

The last reply was for "Jeff1111", but I assume this is correct reply for my computer (bkray)? :( ?

Just double checking, I will execute steps when I go home from work.

Please let me know that it is correct fix for "bkray" computer, not "Jeff1111" computer :(.

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 October 2009 - 01:22 PM

Was for you :(



#9 bkray

bkray
  • Topic Starter

  • Members
  • 14 posts

Posted 27 October 2009 - 12:07 AM

Hi JSntgRvr,

Win32kDiag:

Running from: C:\Documents and Settings\Raymond\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Raymond\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB974455\KB974455

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP121.tmp\ZAP121.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13A.tmp\ZAP13A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13B.tmp\ZAP13B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E7.tmp\ZAP1E7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP200.tmp\ZAP200.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP207.tmp\ZAP207.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F0.tmp\ZAP2F0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP309.tmp\ZAP309.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP468.tmp\ZAP468.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E.tmp\ZAP7E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP97.tmp\ZAP97.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA30.tmp\ZAPA30.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\95b0eb6de61f9c4758f6dd82521ed694\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[2] 2008-04-13 20:11:53 56320 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP617\A0107489.dll (Microsoft Corporation)

[2] 2008-04-13 20:11:53 56320 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP617\A0107493.dll (Microsoft Corporation)

[1] 2004-08-04 07:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-10-02 11:01:58 25198016 C:\WINDOWS\system32\MRT.exe ()



Found mount point : C:\WINDOWS\Temp\24200308-5ee0-4e23-a8f2-34fb715ca3e4\24200308-5ee0-4e23-a8f2-34fb715ca3e4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\3771bed8-b8fd-4f85-b0dd-3aa6066b5f0a\3771bed8-b8fd-4f85-b0dd-3aa6066b5f0a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\48713cb8-9e0e-4733-981b-682fc18c1b4e\48713cb8-9e0e-4733-981b-682fc18c1b4e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\62a16f14-e850-4183-8eca-694579b4ed38\62a16f14-e850-4183-8eca-694579b4ed38

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\8cd25c1c-7396-482d-9ebd-fba42bff75ae\8cd25c1c-7396-482d-9ebd-fba42bff75ae

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\9cac55bb-9c31-4a70-860e-8b876ca2fdea\9cac55bb-9c31-4a70-860e-8b876ca2fdea

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\c54cc3ab-b92d-499c-bedc-23dbbcf1f765\c54cc3ab-b92d-499c-bedc-23dbbcf1f765

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\fc94c534-1075-4aef-8852-e0647eb04ae2\fc94c534-1075-4aef-8852-e0647eb04ae2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\twain_32\Creative\PD0630\PD0630

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\twain_32\Lexmark\Lexmark

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!


And OTS is attached.

Thank you~

Attached file: OTS.Txt (279.76KB, 18 downloads)

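A small triage script for Win32kDiag output of the kind posted above, added here as an example (it is not part of this thread and not part of the Win32kDiag tool). It runs over a constructed excerpt shaped like the log in this post and flags two things a responder looks for in such a log: mount points that all redirect to one unusual device path instead of a normal `\??\`-prefixed target, and locked files whose inaccessible copy carries no company/version string or differs in size from the other copies the tool lists. The `\??\` prefix test and the size/company comparison are heuristics assumed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed excerpt in the same line format as the Win32kDiag log above.
SAMPLE_LOG = r"""Running from: C:\Downloads\Win32kDiag.exe
Log file at : C:\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\MRT.exe
[1] 2009-10-02 11:01:58 25198016 C:\WINDOWS\system32\MRT.exe ()
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
LOCKED_RE = re.compile(r"^Cannot access: (.+)$")
# "[group] date time size path (company)"; company may be empty.
ENTRY_RE = re.compile(
    r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")

# Heuristic: ordinary junctions and volume mount points resolve to an
# object-manager path beginning with \??\ (e.g. \??\Volume{GUID}\).
NORMAL_TARGET_PREFIX = r"\??\\"[:-1]  # the literal string \??\


@dataclass
class FileEntry:
    group: int
    timestamp: str
    size: int
    path: str
    company: str


@dataclass
class Report:
    mount_points: List[Tuple[str, str]] = field(default_factory=list)
    locked_files: Dict[str, List[FileEntry]] = field(default_factory=dict)


def parse(log_text: str) -> Report:
    """Walk the log line by line, pairing mount points with their target and
    attaching each '[n] ...' listing to the 'Cannot access' line above it."""
    report = Report()
    pending_mount = None   # source of a mount point awaiting its destination
    current_locked = None  # path of the file whose listing we are inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount, current_locked = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            report.mount_points.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := LOCKED_RE.match(line):
            current_locked = m.group(1)
            report.locked_files[current_locked] = []
        elif (m := ENTRY_RE.match(line)) and current_locked is not None:
            report.locked_files[current_locked].append(FileEntry(
                int(m.group(1)), m.group(2), int(m.group(3)),
                m.group(4), m.group(5)))
        else:
            current_locked = None  # any other line ends a listing
    return report


def suspicious_mount_points(report: Report) -> List[Tuple[str, str]]:
    """Mount points whose target is not a normal \\??\\-prefixed path."""
    return [(src, dst) for src, dst in report.mount_points
            if not dst.startswith(NORMAL_TARGET_PREFIX)]


def shared_destinations(report: Report) -> Counter:
    """How many system directories point at each destination; one target
    reused by dozens of unrelated folders is itself a strong signal."""
    return Counter(dst for _, dst in report.mount_points)


def assess_locked_files(report: Report) -> List[str]:
    """Compare each inaccessible file with the other same-named copies the
    tool listed (service pack backups, restore points, install media)."""
    findings = []
    for locked, entries in report.locked_files.items():
        name = PureWindowsPath(locked).name.lower()
        same_name = [e for e in entries
                     if PureWindowsPath(e.path).name.lower() == name]
        target = next((e for e in same_name
                       if e.path.lower() == locked.lower()), None)
        if target is None:
            findings.append(f"{locked}: inaccessible and not in the listing")
            continue
        references = [e for e in same_name if e is not target]
        if not target.company:
            findings.append(f"{locked}: no company string on the locked copy")
        for ref in references:
            if ref.size != target.size:
                findings.append(f"{locked}: size {target.size} differs from "
                                f"{ref.path} ({ref.size})")
        if not references:
            findings.append(f"{locked}: no other copy of {name} to compare")
    return findings


if __name__ == "__main__":
    rep = parse(SAMPLE_LOG)
    for src, dst in suspicious_mount_points(rep):
        print(f"suspicious mount point: {src} -> {dst}")
    for dst, n in shared_destinations(rep).items():
        print(f"{n} directories redirect to {dst}")
    for line in assess_locked_files(rep):
        print(line)
```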

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:50 PM

Posted 27 October 2009 - 12:24 AM

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here. (Please allow the application to finish. You will know as the last sentence in the report will be "Finished".)

"C:\Documents and Settings\Raymond\My Documents\Downloads\Win32kDiag.exe" -f -r

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll

Files to delete:
c:\documents and settings\all users\application data\83359937\83359937.exe
c:\documents and settings\raymond\local settings\temp\b.exe
c:\windows\msa.exe
c:\windows\svohost.exe
c:\windows\system32\cpcp.cpo
c:\windows\system32\eventlog.dll
c:\windows\system32\skynet.dat
c:\windows\system32\vfefpqss.ini
c:\windows\system32\vfefpqss.ini2
c:\windows\tasks\{7b02ef0b-a410-4938-8480-9ba26420a627}.job
c:\windows\win32k.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log.

Attempt to run Combofix.

Edited by JSntgRvr, 27 October 2009 - 12:47 AM.



#11 bkray

bkray
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:50 PM

Posted 27 October 2009 - 02:14 AM

Hi JSntgRvr,

WIN32KDIAG:

Running from: C:\Documents and Settings\Raymond\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Raymond\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Found mount point : C:\WINDOWS\$hf_mig$\KB974455\KB974455

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB974455\KB974455

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP121.tmp\ZAP121.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP121.tmp\ZAP121.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13A.tmp\ZAP13A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13A.tmp\ZAP13A.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13B.tmp\ZAP13B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13B.tmp\ZAP13B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E7.tmp\ZAP1E7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E7.tmp\ZAP1E7.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP200.tmp\ZAP200.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP200.tmp\ZAP200.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP207.tmp\ZAP207.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP207.tmp\ZAP207.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F0.tmp\ZAP2F0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F0.tmp\ZAP2F0.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP309.tmp\ZAP309.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP309.tmp\ZAP309.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP468.tmp\ZAP468.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP468.tmp\ZAP468.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E.tmp\ZAP7E.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7E.tmp\ZAP7E.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP97.tmp\ZAP97.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP97.tmp\ZAP97.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA30.tmp\ZAPA30.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA30.tmp\ZAPA30.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\occache\occache

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\95b0eb6de61f9c4758f6dd82521ed694\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\95b0eb6de61f9c4758f6dd82521ed694\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 07:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[2] 2008-04-13 20:11:53 56320 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP617\A0107489.dll (Microsoft Corporation)

[2] 2008-04-13 20:11:53 56320 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP617\A0107493.dll (Microsoft Corporation)

[1] 2004-08-04 07:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Found mount point : C:\WINDOWS\Temp\24200308-5ee0-4e23-a8f2-34fb715ca3e4\24200308-5ee0-4e23-a8f2-34fb715ca3e4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\24200308-5ee0-4e23-a8f2-34fb715ca3e4\24200308-5ee0-4e23-a8f2-34fb715ca3e4

Found mount point : C:\WINDOWS\Temp\3771bed8-b8fd-4f85-b0dd-3aa6066b5f0a\3771bed8-b8fd-4f85-b0dd-3aa6066b5f0a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\3771bed8-b8fd-4f85-b0dd-3aa6066b5f0a\3771bed8-b8fd-4f85-b0dd-3aa6066b5f0a

Found mount point : C:\WINDOWS\Temp\48713cb8-9e0e-4733-981b-682fc18c1b4e\48713cb8-9e0e-4733-981b-682fc18c1b4e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\48713cb8-9e0e-4733-981b-682fc18c1b4e\48713cb8-9e0e-4733-981b-682fc18c1b4e

Found mount point : C:\WINDOWS\Temp\49593375-72a2-4a96-9ac5-c9a0a4703651\49593375-72a2-4a96-9ac5-c9a0a4703651

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\49593375-72a2-4a96-9ac5-c9a0a4703651\49593375-72a2-4a96-9ac5-c9a0a4703651

Found mount point : C:\WINDOWS\Temp\62a16f14-e850-4183-8eca-694579b4ed38\62a16f14-e850-4183-8eca-694579b4ed38

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\62a16f14-e850-4183-8eca-694579b4ed38\62a16f14-e850-4183-8eca-694579b4ed38

Found mount point : C:\WINDOWS\Temp\8cd25c1c-7396-482d-9ebd-fba42bff75ae\8cd25c1c-7396-482d-9ebd-fba42bff75ae

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\8cd25c1c-7396-482d-9ebd-fba42bff75ae\8cd25c1c-7396-482d-9ebd-fba42bff75ae

Found mount point : C:\WINDOWS\Temp\9cac55bb-9c31-4a70-860e-8b876ca2fdea\9cac55bb-9c31-4a70-860e-8b876ca2fdea

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\9cac55bb-9c31-4a70-860e-8b876ca2fdea\9cac55bb-9c31-4a70-860e-8b876ca2fdea

Found mount point : C:\WINDOWS\Temp\c54cc3ab-b92d-499c-bedc-23dbbcf1f765\c54cc3ab-b92d-499c-bedc-23dbbcf1f765

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\c54cc3ab-b92d-499c-bedc-23dbbcf1f765\c54cc3ab-b92d-499c-bedc-23dbbcf1f765

Found mount point : C:\WINDOWS\Temp\fc94c534-1075-4aef-8852-e0647eb04ae2\fc94c534-1075-4aef-8852-e0647eb04ae2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\fc94c534-1075-4aef-8852-e0647eb04ae2\fc94c534-1075-4aef-8852-e0647eb04ae2

Found mount point : C:\WINDOWS\twain_32\Creative\PD0630\PD0630

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\twain_32\Creative\PD0630\PD0630

Found mount point : C:\WINDOWS\twain_32\Lexmark\Lexmark

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\twain_32\Lexmark\Lexmark

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!


AVENGER:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.
File "c:\documents and settings\all users\application data\83359937\83359937.exe" deleted successfully.
File "c:\documents and settings\raymond\local settings\temp\b.exe" deleted successfully.
File "c:\windows\msa.exe" deleted successfully.
File "c:\windows\svohost.exe" deleted successfully.
File "c:\windows\system32\cpcp.cpo" deleted successfully.
File "c:\windows\system32\eventlog.dll" deleted successfully.
File "c:\windows\system32\skynet.dat" deleted successfully.
File "c:\windows\system32\vfefpqss.ini" deleted successfully.
File "c:\windows\system32\vfefpqss.ini2" deleted successfully.
File "c:\windows\tasks\{7b02ef0b-a410-4938-8480-9ba26420a627}.job" deleted successfully.
File "c:\windows\win32k.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:01 AM, on 10/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Razer_Pro_Solutions\razerhid.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Documents and Settings\Raymond\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Razer_Pro_Solutions\razerofa.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Raymond\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Raymond\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Raymond\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Raymond\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Raymond\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer_Pro_Solutions\razerhid.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Raymond\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe (User 'Default user')
O4 - Startup: Digsby.lnk = C:\Program Files\Digsby\digsby.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O9 - Extra 'Tools' menuitem: UltimateBet - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - C:\Documents and Settings\All Users\Start Menu\Programs\UltimateBet\UltimateBet.lnk (HKCU)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9248 bytes


Also, here are the COMBOFIX results.


ComboFix 09-10-26.03 - Raymond 10/27/2009 2:44.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.331 [GMT -4:00]
Running from: c:\documents and settings\Raymond\Desktop\Mypuppy.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\92377331
c:\documents and settings\All Users\Application Data\92377331\92377331.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Raymond\Desktop\Security Tool.lnk
c:\documents and settings\Raymond\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Raymond\Start Menu\Programs\Windows Police Pro
c:\documents and settings\Raymond\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\program files\Windows Police Pro
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\emMON.exe
c:\windows\msb.exe
c:\windows\system32\bincd32.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\nuar.old
c:\windows\system32\Packet.dll
c:\windows\system32\pst.dat
c:\windows\system32\pthreadVC.dll
c:\windows\system32\pump.exe
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://mastoblastobrevodo.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-27 06:38 . 2009-10-27 06:38 -------- d-----w- C:\Mypuppy25587M
2009-10-27 06:35 . 2009-10-27 06:35 -------- d-----w- C:\Mypuppy31733M
2009-10-25 06:51 . 2009-10-27 06:32 -------- d-----w- c:\documents and settings\All Users\Application Data\83359937
2009-10-25 02:45 . 2009-10-25 02:46 -------- d-----w- C:\Mypuppy
2009-10-21 11:45 . 2009-10-23 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\85202219
2009-10-21 10:33 . 2009-10-21 10:33 -------- d-----w- c:\program files\trend micro
2009-10-21 10:33 . 2009-10-21 10:33 -------- d-----w- C:\rsit
2009-10-21 10:10 . 2009-10-27 06:21 -------- d--h--w- c:\windows\PIF
2009-10-21 09:55 . 2009-10-21 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\80913526
2009-10-21 09:32 . 2009-10-21 09:34 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-10-21 09:23 . 2009-10-21 09:32 -------- d-----w- c:\documents and settings\Administrator
2009-10-20 12:07 . 2009-10-20 12:07 -------- d-----w- C:\VundoFix Backups
2009-10-20 11:06 . 2009-10-20 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-20 11:06 . 2009-10-27 06:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-20 11:06 . 2009-10-20 11:06 -------- d-----w- c:\documents and settings\Raymond\Application Data\SUPERAntiSpyware.com
2009-10-20 11:04 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-20 11:00 . 2009-10-20 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-10-20 10:13 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-20 10:13 . 2009-10-20 10:13 -------- d-----w- c:\program files\Panda Security
2009-10-20 09:56 . 2009-10-20 10:01 -------- d-----w- c:\windows\BDOSCAN8
2009-10-20 09:49 . 2009-10-21 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\81193729
2009-10-20 09:43 . 2009-10-20 09:47 -------- d-----w- c:\documents and settings\Raymond\.housecall6.6
2009-10-20 09:40 . 2009-10-20 09:40 -------- d-----w- c:\documents and settings\Raymond\Local Settings\Application Data\AVG Security Toolbar
2009-10-20 09:26 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 09:25 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 09:25 . 2009-10-20 10:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 09:17 . 2009-10-21 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\00083415
2009-10-19 19:57 . 2009-10-20 10:09 -------- d-----w- c:\documents and settings\All Users\Application Data\35911928
2009-10-19 09:24 . 2009-10-20 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\36965736
2009-10-19 06:34 . 2009-10-19 06:34 -------- d-----w- C:\$AVG
2009-10-19 06:33 . 2009-10-19 06:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-19 06:33 . 2009-10-23 12:57 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-19 06:33 . 2009-10-19 06:33 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-19 06:33 . 2009-10-19 06:33 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-19 06:33 . 2009-10-27 04:42 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-19 06:33 . 2009-10-19 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-19 06:33 . 2009-10-19 06:33 -------- d-----w- c:\program files\AVG
2009-10-19 06:33 . 2009-10-19 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-19 06:12 . 2009-10-19 06:12 0 ----a-w- c:\windows\system32\cm.dat
2009-10-18 07:51 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-18 07:34 . 2009-10-19 05:41 58 ----a-w- c:\windows\wp4.dat
2009-10-18 07:34 . 2009-10-19 05:41 2 ----a-w- c:\windows\wp3.dat
2009-10-18 07:34 . 2009-10-19 05:39 582656 ----a-w- c:\windows\system32\plugie.dll
2009-10-16 08:14 . 2009-10-16 08:14 8 ----a-w- c:\windows\system32\prt.dat
2009-10-16 08:14 . 2009-10-21 11:45 19456 ----a-w- c:\windows\system32\perfc5932.dat
2009-10-16 08:14 . 2009-10-21 11:45 1 ----a-w- c:\windows\system32\perfc7683.dat
2009-10-16 08:14 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\userinit.exe
2009-09-29 17:29 . 2009-09-29 17:29 -------- d-----w- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 05:18 . 2007-05-19 20:38 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-24 03:04 . 2007-01-21 01:56 -------- d-----w- c:\program files\Warcraft III
2009-10-20 11:38 . 2007-01-11 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-20 11:37 . 2008-03-26 18:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-19 09:18 . 2007-03-12 06:05 -------- d-----w- c:\program files\PokerStarsBeta
2009-10-19 06:13 . 2009-10-19 06:12 152585 ----a-w- c:\windows\system32\2eht21.tmp
2009-10-16 08:25 . 2009-01-14 05:45 -------- d-----w- c:\program files\UltimateBet
2009-10-16 07:09 . 2007-02-08 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-16 07:04 . 2007-01-11 18:59 -------- d-----w- c:\program files\Microsoft Works
2009-10-11 06:26 . 2007-02-08 22:00 -------- d-----w- c:\documents and settings\Raymond\Application Data\uTorrent
2009-09-29 21:21 . 2008-08-25 21:02 -------- d-----w- c:\program files\Digsby
2009-09-29 17:30 . 2008-02-28 03:46 -------- d-----w- c:\program files\iTunes
2009-09-29 17:29 . 2008-04-04 04:40 -------- d-----w- c:\program files\Common Files\Apple
2009-09-28 06:32 . 2007-09-30 22:49 -------- d-----w- c:\program files\Full Tilt Poker
2009-09-16 20:17 . 2007-01-30 14:24 -------- d-----w- c:\documents and settings\Raymond\Application Data\Apple Computer
2009-09-15 18:58 . 2009-09-15 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 18:53 . 2009-03-18 19:29 -------- d-----w- c:\program files\QuickTime
2009-09-14 07:40 . 2007-08-07 22:27 -------- d-----w- c:\program files\Cake Poker
2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 08:14 . 2008-08-22 13:57 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-07 05:48 . 2007-10-25 22:01 -------- d-----w- c:\program files\PokerStars
2009-09-04 21:03 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2004-08-10 18:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 21:09 . 2007-01-21 02:01 79321 -c--a-w- c:\windows\War3Unin.dat
2009-08-20 23:12 . 2009-08-20 23:12 3532 ----a-w- C:\drmHeader.bin
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-13 02:43 . 2008-03-18 16:20 63396 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-10 09:30 . 2007-01-16 20:22 80280 -c--a-w- c:\documents and settings\Raymond\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2004-08-10 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-10 19:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-10 19:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-10 19:02 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-10 18:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-10 19:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2007-02-09 05:30 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2007-02-09 05:30 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-10 19:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-10 18:51 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-03-25 09:26 . 2007-02-12 04:49 88 -csh--r- c:\windows\system32\AF000ACCDC.sys
.

------- Sigcheck -------

[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Raymond\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"razer"="c:\program files\Razer_Pro_Solutions\razerhid.exe" [2005-09-21 143360]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-03-25 573440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-23 2010904]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

c:\documents and settings\Raymond\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2008-9-8 137728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-19 06:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Raymond\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Digsby\\digsby.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Documents and Settings\\Raymond\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Raymond\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\explorer.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8876:TCP"= 8876:TCP:BitComet 8876 TCP
"8876:UDP"= 8876:UDP:BitComet 8876 UDP
"26101:TCP"= 26101:TCP:uTorrent
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"18852:TCP"= 18852:TCP:port
"25500:TCP"= 25500:TCP:port
"53:UDP"= 53:UDP:Promo

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/20/2009 6:13 AM 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/19/2009 2:33 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/19/2009 2:33 AM 360584]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/19/2009 2:33 AM 285392]
S2 WDefend;WDefend;c:\windows\svohost.exe --> c:\windows\svohost.exe [?]
S3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys --> c:\windows\system32\Drivers\androidusb.sys [?]
S3 pctvnet;Pinnacle PCTV Ethernet Driver;c:\windows\system32\drivers\pctvnet.sys [8/5/2008 12:06 PM 9340]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [8/16/2007 12:43 AM 13225]
S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\c:\progra~1\NETGEA~1\SCPMPR5.SYS --> c:\progra~1\NETGEA~1\SCPMPR5.SYS [?]
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver;c:\progra~1\NETGEA~1\SCPNDIS5.SYS [5/12/2007 3:53 AM 16000]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2573811791-2625424822-2459926663-1007Core.job
- c:\documents and settings\Raymond\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 12:55]

2009-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2573811791-2625424822-2459926663-1007UA.job
- c:\documents and settings\Raymond\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 12:55]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Raymond\Application Data\Mozilla\Firefox\Profiles\h3kz8140.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\Raymond\Application Data\Mozilla\Firefox\Profiles\h3kz8140.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\Raymond\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Raymond\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npaxctrl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
HKLM-Run-83359937 - c:\docume~1\ALLUSE~1\APPLIC~1\83359937\83359937.exe
AddRemove-HijackThis - c:\documents and settings\Raymond\Desktop\HijackThis.exe
AddRemove-{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA} - c:\program files\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exeUNINSTALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 02:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2104)
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\program files\WinRAR\rarext.dll
c:\program files\PowerISO\PWRISOSH.DLL
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\mypuppy31755m\CF8500.exe
c:\program files\Digsby\lib\digsby-app.exe
c:\program files\Razer_Pro_Solutions\razerofa.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Common Files\Teleca Shared\logger.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\mypuppy31755m\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27 3:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-27 07:03

Pre-Run: 44,535,136,256 bytes free
Post-Run: 46,586,052,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9AB241E2AB86681041E295E39AEB7239



I am glad the scans have been successful.

Some things I noticed, which I don't know how to fix or what significance they have:

- My machine does not shut down on its own anymore, even with the scans that try to shut down when done running (like ComboFix). My screen will go blank with just the wallpaper color and the mouse can scroll, but no programs or Windows taskbar show, and I have to manually turn it off by pushing the computer button.

- I ran System.ini > Startup Tab to try to disable some trojans, and there are a lot of "Disabled" boxes with the trojans still there (like the random-number exe files and b.exe). How can I remove them? Is it safe for me to delete them?

- I know I have a lot of random junk on my computer; please suggest any things you see in the logs that I can remove to keep things tidy.


Thank you! I look forward to follow-up precautions and final instructions for scans to make sure my system is safe.

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 October 2009 - 11:51 AM

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :dir
    c:\documents and settings\All Users\Application Data\83359937 /s
    c:\documents and settings\All Users\Application Data\85202219 /s
    c:\documents and settings\All Users\Application Data\80913526 /s
    c:\documents and settings\All Users\Application Data\81193729 /s
    c:\documents and settings\All Users\Application Data\00083415 /s
    c:\documents and settings\All Users\Application Data\35911928 /s
    c:\documents and settings\All Users\Application Data\36965736 /s

    :file
    c:\windows\system32\userinit.exe
    c:\windows\system32\AF000ACCDC.sys

    :filefind
    eventlog.dll
    userinit.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 bkray

bkray
  • Topic Starter

  • Members
  • 14 posts

Posted 27 October 2009 - 03:34 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:26 on 27/10/2009 by Raymond (Administrator - Elevation successful)

========== dir ==========

c:\documents and settings\All Users\Application Data\83359937 - Parameters: "/s"

---Files---
None found.

No folders found.

c:\documents and settings\All Users\Application Data\85202219 - Parameters: "/s"

---Files---
None found.

No folders found.

c:\documents and settings\All Users\Application Data\80913526 - Parameters: "/s"

---Files---
None found.

No folders found.

c:\documents and settings\All Users\Application Data\81193729 - Parameters: "/s"

---Files---
None found.

No folders found.

c:\documents and settings\All Users\Application Data\00083415 - Parameters: "/s"

---Files---
None found.

No folders found.

c:\documents and settings\All Users\Application Data\35911928 - Parameters: "/s"

---Files---
None found.

No folders found.

c:\documents and settings\All Users\Application Data\36965736 - Parameters: "/s"

---Files---
None found.

No folders found.

========== file ==========

c:\windows\system32\userinit.exe - File found and opened.
MD5: A93AEE1928A9D7CE3E16D24EC7380F89
Created at 08:14 on 16/10/2009
Modified at 00:12 on 14/04/2008
Size: 26112 bytes
Attributes: ------
FileDescription: Userinit Logon Application
FileVersion: 5.1.2600.5512 (xpsp.080413-2113)
ProductVersion: 5.1.2600.5512
OriginalFilename: USERINIT.EXE
InternalName: userinit
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.

c:\windows\system32\AF000ACCDC.sys - File found and opened.
MD5: 68442272C91ECAF6926947A1D9378B41
Created at 04:49 on 12/02/2007
Modified at 09:26 on 25/03/2007
Size: 88 bytes
Attributes: -r-hsc
No version information available.

========== filefind ==========

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--c 55808 bytes [06:39 20/01/2007] [11:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [17:01 28/08/2008] [11:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78

Searching for "userinit.exe"
C:\i386\userinit.exe --a--c 24576 bytes [06:43 20/01/2007] [11:00 04/08/2004] 39B1FFB03C2296323832ACBAE50D2AFF
C:\WINDOWS\$NtServicePackUninstall$\userinit.exe -----c 24576 bytes [17:01 28/08/2008] [11:00 04/08/2004] 39B1FFB03C2296323832ACBAE50D2AFF
C:\WINDOWS\ERDNT\cache\userinit.exe --a--- 26112 bytes [07:02 27/10/2009] [00:12 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\ServicePackFiles\i386\userinit.exe -----c 26112 bytes [11:01 28/08/2008] [00:12 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\system32\userinit.exe ------ 26112 bytes [08:14 16/10/2009] [00:12 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89

-=End Of File=-
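
As an added example, not part of this thread and not SystemLook's own code: a small Python script that parses the filefind section of the log above (the same userinit.exe and eventlog.dll results, embedded as a constructed sample) and compares the MD5 of the live copy in \WINDOWS\system32 with the copy Service Pack 3 left in \WINDOWS\ServicePackFiles\i386, which is the comparison the helper is making by eye before deciding to restore eventlog.dll. The directory names it keys on and the status labels it returns are my own choices.

```python
r"""Cross-check SystemLook ':filefind' output against the Service Pack cache.

Added example for this thread; it is not SystemLook's code and not the
helper's procedure. It parses the filefind section of the log above and, for
each searched file name, compares the MD5 of the live copy in
\WINDOWS\system32 with the copy Service Pack 3 left in
\WINDOWS\ServicePackFiles\i386.
"""
import re

# Constructed sample: the filefind section of the SystemLook log posted above.
SAMPLE_LOG = r"""
Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--c 55808 bytes [06:39 20/01/2007] [11:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [17:01 28/08/2008] [11:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78

Searching for "userinit.exe"
C:\i386\userinit.exe --a--c 24576 bytes [06:43 20/01/2007] [11:00 04/08/2004] 39B1FFB03C2296323832ACBAE50D2AFF
C:\WINDOWS\$NtServicePackUninstall$\userinit.exe -----c 24576 bytes [17:01 28/08/2008] [11:00 04/08/2004] 39B1FFB03C2296323832ACBAE50D2AFF
C:\WINDOWS\ERDNT\cache\userinit.exe --a--- 26112 bytes [07:02 27/10/2009] [00:12 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\ServicePackFiles\i386\userinit.exe -----c 26112 bytes [11:01 28/08/2008] [00:12 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\system32\userinit.exe ------ 26112 bytes [08:14 16/10/2009] [00:12 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89

-=End Of File=-
"""

# One result line: <path> <6 attribute flags> <size> bytes [created] [modified] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
HEADER_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# Directories whose copies are compared (matched on the tail of the parent path;
# these names are my assumption about the log, not a SystemLook convention).
LIVE_DIR = "\\windows\\system32"
SP_CACHE_DIR = "\\windows\\servicepackfiles\\i386"


def parse_filefind(text):
    """Return {filename: [entry, ...]} for every 'Searching for' block."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            results[current] = []
            continue
        match = ENTRY_RE.match(line) if current else None
        if match:
            results[current].append({
                "path": match.group("path"),
                "attrs": match.group("attrs"),
                "size": int(match.group("size")),
                "md5": match.group("md5").upper(),
            })
    return results


def parent_dir(path):
    """Lower-cased directory part of a Windows path."""
    return path.lower().rsplit("\\", 1)[0]


def assess(entries):
    """Compare the live system32 copy with the ServicePackFiles baseline.

    The cache is only a baseline, not proof: whatever can write to system32
    can usually write to ServicePackFiles too, so a match is a sanity check,
    while a mismatch or a missing live copy is what to escalate.
    """
    live = [e for e in entries if parent_dir(e["path"]).endswith(LIVE_DIR)]
    cache = [e for e in entries if parent_dir(e["path"]).endswith(SP_CACHE_DIR)]
    hashes = sorted({e["md5"] for e in entries})
    if not live:
        # The eventlog.dll case in this thread: the service DLL is absent from
        # system32, which is why the helper restores it with FCopy:: next.
        return {"status": "missing_in_system32", "hashes": hashes}
    if not cache:
        return {"status": "no_baseline", "hashes": hashes}
    if live[0]["md5"] == cache[0]["md5"]:
        return {"status": "matches_sp_cache", "hashes": hashes}
    return {"status": "differs_from_sp_cache", "live": live[0]["md5"],
            "baseline": cache[0]["md5"], "hashes": hashes}


def build_report(text):
    """Map each searched file name to its assessment."""
    return {name: assess(entries) for name, entries in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, verdict in build_report(SAMPLE_LOG).items():
        print(f"{name}: {verdict['status']}  hashes={', '.join(verdict['hashes'])}")
```

On the sample, eventlog.dll comes back as missing from system32 and userinit.exe as matching the Service Pack cache, which is the same reading the helper's next post acts on.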

#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 October 2009 - 05:44 PM

Step 1.

Download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and double-click on the RunMe.bat file. An MS-DOS window will be displayed for a second. That is normal.

Step 2.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as type to All Files
  • Save it on the desktop

Folder::
c:\documents and settings\All Users\Application Data\83359937
c:\documents and settings\All Users\Application Data\85202219
c:\documents and settings\All Users\Application Data\80913526
c:\documents and settings\All Users\Application Data\81193729
c:\documents and settings\All Users\Application Data\00083415
c:\documents and settings\All Users\Application Data\35911928
c:\documents and settings\All Users\Application Data\36965736

Suspect::
c:\windows\system32\AF000ACCDC.sys
c:\windows\system32\2eht21.tmp

FCopy::
C:\eventlog.dll | C:\Windows\System32\eventlog.dll


Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

===============================================================


Additionally, when CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 bkray

bkray
  • Topic Starter

  • Members
  • 14 posts

Posted 27 October 2009 - 10:25 PM

ComboFix 09-10-27.04 - Raymond 10/27/2009 23:11.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.512 [GMT -4:00]
Running from: c:\documents and settings\Raymond\Desktop\Mypuppy.exe
Command switches used :: c:\documents and settings\Raymond\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

file zipped: c:\windows\system32\2eht21.tmp
file zipped: c:\windows\system32\AF000ACCDC.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\00083415
c:\documents and settings\All Users\Application Data\35911928
c:\documents and settings\All Users\Application Data\36965736
c:\documents and settings\All Users\Application Data\80913526
c:\documents and settings\All Users\Application Data\81193729
c:\documents and settings\All Users\Application Data\83359937
c:\documents and settings\All Users\Application Data\85202219
c:\windows\system32\plUGie.dll

.
--------------- FCopy ---------------

c:\eventlog.dll --> c:\Windows\System32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-28 03:11 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-10-28 03:11 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-10-28 02:58 . 2009-10-28 03:05 -------- d-----w- C:\Mypuppy29931M
2009-10-28 02:55 . 2009-10-28 02:56 -------- d-----w- C:\Mypuppy11090M
2009-10-28 00:44 . 2009-10-28 02:49 -------- d-----w- C:\Mypuppy15756M
2009-10-28 00:40 . 2008-04-14 00:11 56320 ------w- C:\eventlog.dll
2009-10-27 06:38 . 2009-10-27 06:38 -------- d-----w- C:\Mypuppy25587M
2009-10-27 06:35 . 2009-10-27 06:35 -------- d-----w- C:\Mypuppy31733M
2009-10-25 02:45 . 2009-10-25 02:46 -------- d-----w- C:\Mypuppy
2009-10-21 10:33 . 2009-10-27 07:05 -------- d-----w- c:\program files\trend micro
2009-10-21 10:33 . 2009-10-21 10:33 -------- d-----w- C:\rsit
2009-10-21 10:10 . 2009-10-27 06:21 -------- d--h--w- c:\windows\PIF
2009-10-21 09:32 . 2009-10-21 09:34 -------- d-----w- c:\documents and settings\Administrator\.housecall6.6
2009-10-21 09:23 . 2009-10-21 09:32 -------- d-----w- c:\documents and settings\Administrator
2009-10-20 12:07 . 2009-10-20 12:07 -------- d-----w- C:\VundoFix Backups
2009-10-20 11:06 . 2009-10-20 11:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-20 11:06 . 2009-10-28 03:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-20 11:06 . 2009-10-20 11:06 -------- d-----w- c:\documents and settings\Raymond\Application Data\SUPERAntiSpyware.com
2009-10-20 11:04 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-20 11:00 . 2009-10-20 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-10-20 10:13 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-20 10:13 . 2009-10-20 10:13 -------- d-----w- c:\program files\Panda Security
2009-10-20 09:56 . 2009-10-20 10:01 -------- d-----w- c:\windows\BDOSCAN8
2009-10-20 09:43 . 2009-10-20 09:47 -------- d-----w- c:\documents and settings\Raymond\.housecall6.6
2009-10-20 09:40 . 2009-10-20 09:40 -------- d-----w- c:\documents and settings\Raymond\Local Settings\Application Data\AVG Security Toolbar
2009-10-20 09:26 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 09:25 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 09:25 . 2009-10-20 10:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 06:34 . 2009-10-19 06:34 -------- d-----w- C:\$AVG
2009-10-19 06:33 . 2009-10-19 06:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-19 06:33 . 2009-10-23 12:57 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-19 06:33 . 2009-10-19 06:33 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-19 06:33 . 2009-10-19 06:33 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-19 06:33 . 2009-10-27 20:29 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-19 06:33 . 2009-10-19 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-19 06:33 . 2009-10-19 06:33 -------- d-----w- c:\program files\AVG
2009-10-19 06:33 . 2009-10-19 06:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-19 06:12 . 2009-10-19 06:12 0 ----a-w- c:\windows\system32\cm.dat
2009-10-18 07:51 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-18 07:34 . 2009-10-19 05:41 58 ----a-w- c:\windows\wp4.dat
2009-10-18 07:34 . 2009-10-19 05:41 2 ----a-w- c:\windows\wp3.dat
2009-10-16 08:14 . 2009-10-16 08:14 8 ----a-w- c:\windows\system32\prt.dat
2009-10-16 08:14 . 2009-10-21 11:45 19456 ----a-w- c:\windows\system32\perfc5932.dat
2009-10-16 08:14 . 2009-10-21 11:45 1 ----a-w- c:\windows\system32\perfc7683.dat
2009-10-16 08:14 . 2008-04-14 00:12 26112 ------w- c:\windows\system32\userinit.exe
2009-09-29 17:29 . 2009-09-29 17:29 -------- d-----w- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 22:45 . 2007-01-21 01:56 -------- d-----w- c:\program files\Warcraft III
2009-10-27 05:18 . 2007-05-19 20:38 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-20 11:38 . 2007-01-11 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-20 11:37 . 2008-03-26 18:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-19 09:18 . 2007-03-12 06:05 -------- d-----w- c:\program files\PokerStarsBeta
2009-10-19 06:13 . 2009-10-19 06:12 152585 ----a-w- c:\windows\system32\2eht21.tmp
2009-10-16 08:25 . 2009-01-14 05:45 -------- d-----w- c:\program files\UltimateBet
2009-10-16 07:09 . 2007-02-08 20:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-16 07:04 . 2007-01-11 18:59 -------- d-----w- c:\program files\Microsoft Works
2009-10-11 06:26 . 2007-02-08 22:00 -------- d-----w- c:\documents and settings\Raymond\Application Data\uTorrent
2009-09-29 21:21 . 2008-08-25 21:02 -------- d-----w- c:\program files\Digsby
2009-09-29 17:30 . 2008-02-28 03:46 -------- d-----w- c:\program files\iTunes
2009-09-29 17:29 . 2008-04-04 04:40 -------- d-----w- c:\program files\Common Files\Apple
2009-09-28 06:32 . 2007-09-30 22:49 -------- d-----w- c:\program files\Full Tilt Poker
2009-09-16 20:17 . 2007-01-30 14:24 -------- d-----w- c:\documents and settings\Raymond\Application Data\Apple Computer
2009-09-15 18:58 . 2009-09-15 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 18:53 . 2009-03-18 19:29 -------- d-----w- c:\program files\QuickTime
2009-09-14 07:40 . 2007-08-07 22:27 -------- d-----w- c:\program files\Cake Poker
2009-09-11 14:18 . 2004-08-10 18:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 08:14 . 2008-08-22 13:57 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-07 05:48 . 2007-10-25 22:01 -------- d-----w- c:\program files\PokerStars
2009-09-04 21:03 . 2004-08-10 18:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:00 . 2004-08-10 18:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 21:09 . 2007-01-21 02:01 79321 -c--a-w- c:\windows\War3Unin.dat
2009-08-20 23:12 . 2009-08-20 23:12 3532 ----a-w- C:\drmHeader.bin
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-13 02:43 . 2008-03-18 16:20 63396 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-10 09:30 . 2007-01-16 20:22 80280 -c--a-w- c:\documents and settings\Raymond\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2004-08-10 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-10 19:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-10 19:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-10 19:02 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-10 18:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-10 19:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2007-02-09 05:30 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2007-02-09 05:30 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-10 19:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 18:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-10 18:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-03-25 09:26 . 2007-02-12 04:49 88 -csh--r- c:\windows\system32\AF000ACCDC.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-27_06.56.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-28 00:40 . 2008-04-14 00:11 56320 c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Raymond\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 68856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"razer"="c:\program files\Razer_Pro_Solutions\razerhid.exe" [2005-09-21 143360]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-03-25 573440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-23 2010904]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]

c:\documents and settings\Raymond\Start Menu\Programs\Startup\
Digsby.lnk - c:\program files\Digsby\digsby.exe [2008-9-8 137728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-19 06:33 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Raymond\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Digsby\\digsby.exe"=
"c:\\Program Files\\Digsby\\lib\\digsby-app.exe"=
"c:\\Documents and Settings\\Raymond\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Raymond\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\explorer.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8876:TCP"= 8876:TCP:BitComet 8876 TCP
"8876:UDP"= 8876:UDP:BitComet 8876 UDP
"26101:TCP"= 26101:TCP:uTorrent
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
"18852:TCP"= 18852:TCP:port
"25500:TCP"= 25500:TCP:port
"53:UDP"= 53:UDP:Promo

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/20/2009 6:13 AM 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/19/2009 2:33 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/19/2009 2:33 AM 360584]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/19/2009 2:33 AM 285392]
S2 WDefend;WDefend;c:\windows\svohost.exe --> c:\windows\svohost.exe [?]
S3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys --> c:\windows\system32\Drivers\androidusb.sys [?]
S3 pctvnet;Pinnacle PCTV Ethernet Driver;c:\windows\system32\drivers\pctvnet.sys [8/5/2008 12:06 PM 9340]
S3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [8/16/2007 12:43 AM 13225]
S3 SCPMPR5;SCPMPR5 NDIS Protocol Driver;\??\c:\progra~1\NETGEA~1\SCPMPR5.SYS --> c:\progra~1\NETGEA~1\SCPMPR5.SYS [?]
S3 SCPNDIS5;SCPNDIS5 NDIS Protocol Driver;c:\progra~1\NETGEA~1\SCPNDIS5.SYS [5/12/2007 3:53 AM 16000]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2573811791-2625424822-2459926663-1007Core.job
- c:\documents and settings\Raymond\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 12:55]

2009-10-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2573811791-2625424822-2459926663-1007UA.job
- c:\documents and settings\Raymond\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 12:55]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Raymond\Application Data\Mozilla\Firefox\Profiles\h3kz8140.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 23:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-10-28 23:20
ComboFix-quarantined-files.txt 2009-10-28 03:20
ComboFix2.txt 2009-10-27 07:03

Pre-Run: 46,461,382,656 bytes free
Post-Run: 46,424,133,632 bytes free

- - End Of File - - 4FC946FE7E9576989360EF0EC7FA7E09
Upload was successful



