
Windows Explorer does not start, several anti-malware programs quit


  • This topic is locked
23 replies to this topic

#1 Newbert

  • Members
  • 13 posts

Posted 29 October 2009 - 05:30 PM

The problem started with the Windows Defender service stopped (and not letting me start it, with "Access Denied") and McAfee requesting reinstallation. AdAware and SUPERAntiSpyware could not run. When I switched to Safe Mode, after a few seconds the desktop disappeared. Access to Task Manager remains, but attempts to run explorer.exe manually fail with the message "Windows cannot access the specified device, path or file. You may not have the appropriate permissions." I am able to get to Computer Management through Task Manager>Desktop>My Computer icon, but the properties of the groups and users are not accessible.

The same situation (Explorer not running and limited access to other programs through Task Manager) is observed in both Normal and Safe mode, also in the Safe mode's Administrator account. I was able to run a special version of SUPERAntiSpyware from a flash drive. MBAM does not work. HJT quits after a second or so after scan start without any report.

Currently the computer is disconnected from the network; I am using a laptop to communicate with you. I hope very much for your assistance.

I was able to run the recommended scanners from the flash drive. The reports are attached here.

I am in an urgent situation related to my work. Please advise, and I will be forever yours.

-----------------------------------------------------------------

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 20:33:52.28 on Thu 10/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\mysql\bin\mysqld-nt.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\taskmgr.exe
H:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\program files\microsoft visual studio 9.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [WheelMouse] c:\program files\a4tech\mouse\Amoumain.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [combofix] c:\combofix\cf7652.exe /c c:\combofix\Combobatch.bat
mRunOnce: [combofix] c:\combofix\cf7652.exe /c c:\ComboFixCombobatch.bat
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104522526296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5784/mcfscan.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\28v6qpf1.default\
FF - prefs.js: browser.startup.homepage - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/happy-48x48.png
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R? msvsmon80;Visual Studio 2005 Remote Debugger
R? shspusb;Samsung High Speed USB Driver
R? tap0801co;TAP-Win32 Adapter V8 (coLinux)
R? VSPerfDrv90;Performance Tools Driver 9.0
S? Apache2.2;Apache2.2
S? AtiHdmiService;ATI Function Driver for HDMI Service
S? kqemu;kqemu driver
S? vmci;VMware vmci

=============== Created Last 30 ================

2009-10-29 20:14:48 0 d-----w- c:\windows\setup.pss
2009-10-29 19:46:41 0 d-s---w- C:\ComboFix
2009-10-29 18:54:57 98816 ----a-w- c:\windows\sed.exe
2009-10-29 18:54:57 77312 ----a-w- c:\windows\MBR.exe
2009-10-29 18:54:57 236544 ----a-w- c:\windows\PEV.exe
2009-10-29 18:54:57 161792 ----a-w- c:\windows\SWREG.exe
2009-10-29 18:34:22 0 d-----w- c:\program files\HJT4
2009-10-29 18:33:52 0 d-----w- c:\program files\HJT3
2009-10-29 18:31:52 0 d-----w- c:\program files\HJT2
2009-10-29 18:06:56 0 d-----w- c:\program files\HJT
2009-10-29 07:08:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 07:08:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 07:08:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 07:08:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-29 00:37:13 0 d-----w- c:\program files\CCleaner
2009-10-28 18:37:49 0 d-----w- c:\windows\McAfee.com
2009-10-27 23:24:57 0 d-----w- C:\data
2009-10-22 04:47:48 0 d-----w- c:\windows\SQLTools9_KB970892_ENU
2009-10-22 04:45:27 0 d-----w- c:\windows\SQL9_KB970892_ENU
2009-10-21 22:53:41 0 ----a-r- c:\windows\win32k.sys
2009-10-10 05:04:46 0 d-----w- c:\program files\MSXML 4.0
2009-10-04 06:30:04 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-04 04:37:33 0 d-----r- c:\docume~1\owner\applic~1\Brother
2009-10-04 04:13:48 93 ----a-w- c:\windows\brpcfx.ini
2009-10-04 04:13:48 242 ----a-w- c:\windows\Brpfx04a.ini
2009-10-04 04:13:26 419 ----a-w- c:\windows\BRWMARK.INI
2009-10-04 04:13:26 27 ----a-w- c:\windows\BRPP2KA.INI
2009-10-04 04:13:13 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2009-10-04 04:13:01 73728 ------w- c:\windows\system32\BRCrypt.dll
2009-10-04 04:13:01 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-10-04 04:12:14 0 d-----w- c:\program files\Brother
2009-10-04 03:59:53 0 d-----w- c:\program files\Nuance
2009-10-04 03:59:16 31567 ----a-w- c:\windows\maxlink.ini
2009-10-04 03:58:18 0 d-----w- c:\program files\common files\ScanSoft Shared
2009-10-04 03:58:08 0 d-----w- c:\program files\ScanSoft
2009-10-04 03:57:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Brother
2009-10-01 02:51:58 14 ----a-w- c:\documents and settings\owner\USB001

==================== Find3M ====================

2009-08-17 23:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 19:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 19:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-05 09:11:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-06-04 02:50:59 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2008-08-25 17:38:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080825\index.dat
2008-08-25 20:48:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082520080826\index.dat
2008-08-26 17:25:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat
2008-08-27 12:35:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 20:34:51.60 ===============

Thanks again


#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 29 October 2009 - 06:23 PM

Hi, Newbert :(

Welcome.

Please follow these steps:

Step 1

Please save this file to your desktop. Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here in your next reply. (Please allow the application to finish. You will know as the last sentence in the report will be "Finished".)

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 2

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
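Step 1 above runs Win32kDiag with -f -r, which removes any mount points (directory junctions) it finds under C:\WINDOWS and tries to reset permissions on files it cannot open. The log it produces (reply #3 below pastes one) is a flat list of "Found mount point", "Mount point destination", "Removing mount point" and "Cannot access" lines, which gets long quickly. The following Python script is an added triage example, not part of this thread and not Win32kDiag's own code: it parses a log in that format and summarizes what matters to a defender, namely how many redirected directories there were, where they pointed, which files had their permissions stripped, whether the run obtained backup privileges, and whether it reached "Finished". The sample log is constructed from the line formats seen in reply #3; the volume-GUID destination is an assumed example of what a legitimate volume mount point looks like, included only to show that the classifier does not flag every junction. The "child directory named after its parent" heuristic is an observation from the posted log (every redirected directory there is a subfolder carrying its parent's name), not a rule from the tool.

```python
import re
from collections import defaultdict

# Constructed sample in the Win32kDiag log format seen in this thread.
# The \??\Volume{...} destination is an assumed example of a normal volume
# mount point; the rest mirrors the lines posted in reply #3.
SAMPLE_LOG = r"""Running from: H:\Win32kDiag.exe
Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d1\d1
Cannot access: C:\WINDOWS\explorer.exe
Attempting to restore permissions of : C:\WINDOWS\explorer.exe
Found mount point : C:\WINDOWS\mnt\datavol
Mount point destination : \??\Volume{00000000-0000-0000-0000-000000000000}\
Removing mount point : C:\WINDOWS\mnt\datavol
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+)$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+)$")
REMOVED_RE = re.compile(r"^Removing mount point\s*:\s*(.+)$")
NOACCESS_RE = re.compile(r"^Cannot access:\s*(.+)$")
RESTORE_RE = re.compile(r"^Attempting to restore permissions of\s*:\s*(.+)$")
WARN_RE = re.compile(r"^WARNING:\s*(.+)$")


def classify_destination(dest):
    """Label a junction target. A volume mount point resolves to \\??\\Volume{GUID}\\;
    any other target under \\Device\\ is a bare device object, which is not what a
    directory inside C:\\WINDOWS should be redirected to."""
    if re.match(r"^\\\?\?\\Volume\{[0-9a-fA-F-]+\}\\?$", dest):
        return "volume"
    if dest.startswith("\\Device\\"):
        return "suspicious-device"
    return "other"


def triage_win32kdiag(text):
    """Parse a Win32kDiag-style log into a dict of findings."""
    report = {
        "mount_points": [],          # [path, destination, removed?]
        "by_destination": defaultdict(list),
        "suspicious": [],            # (path, destination) with a non-volume device target
        "self_named": [],            # directory whose name repeats its parent's name
        "inaccessible": [],          # [path, restore attempted?]
        "warnings": [],
        "finished": False,
    }
    pending_mount = None
    pending_file = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending_mount = [m.group(1), None, False]
            report["mount_points"].append(pending_mount)
            parts = m.group(1).rstrip("\\").split("\\")
            if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
                report["self_named"].append(m.group(1))
            continue
        m = DEST_RE.match(line)
        if m and pending_mount is not None:
            dest = m.group(1)
            pending_mount[1] = dest
            report["by_destination"][dest].append(pending_mount[0])
            if classify_destination(dest) == "suspicious-device":
                report["suspicious"].append((pending_mount[0], dest))
            continue
        m = REMOVED_RE.match(line)
        if m and pending_mount is not None and m.group(1) == pending_mount[0]:
            pending_mount[2] = True      # removal confirmed for the pending entry
            pending_mount = None
            continue
        m = NOACCESS_RE.match(line)
        if m:
            pending_file = [m.group(1), False]
            report["inaccessible"].append(pending_file)
            continue
        m = RESTORE_RE.match(line)
        if m and pending_file is not None and m.group(1) == pending_file[0]:
            pending_file[1] = True
            pending_file = None
            continue
        m = WARN_RE.match(line)
        if m:
            report["warnings"].append(m.group(1))
            continue
        if line.startswith("Finished"):  # the helper says the report ends with "Finished"
            report["finished"] = True
    report["by_destination"] = dict(report["by_destination"])
    return report


def summarize(report):
    """Render the findings as a short text summary."""
    lines = [
        f"mount points found: {len(report['mount_points'])}",
        f"  removed: {sum(1 for _, _, removed in report['mount_points'] if removed)}",
        f"  pointing at non-volume device objects: {len(report['suspicious'])}",
        f"  child directory named after its parent: {len(report['self_named'])}",
        f"files with stripped permissions: {len(report['inaccessible'])}",
    ]
    for dest, paths in report["by_destination"].items():
        lines.append(f"destination {dest}: {len(paths)} directories")
    for warning in report["warnings"]:
        lines.append(f"warning: {warning}")
    lines.append("log finished: " + ("yes" if report["finished"] else "NO (run was cut short)"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage_win32kdiag(SAMPLE_LOG)))
```

Two of the summary lines deserve attention in a real log: a "Could not get backup privileges" warning means the permission reset on files such as explorer.exe may not have worked, and a missing "Finished" means the tool was stopped before it walked the whole tree, so the counts are a lower bound.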


#3 Newbert
  • Topic Starter

  • Members
  • 13 posts

Posted 29 October 2009 - 08:23 PM

Hi JSntgRvr,

Thanks a lot for your fast response.

I am posting the results of the 1st step here. I am continuing with the 2nd in the meantime.

------------------------------------------------------
Running from: H:\Win32kDiag.exe
Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Found mount point : C:\WINDOWS\$hf_mig$\KB969059\KB969059
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB969059\KB969059
Found mount point : C:\WINDOWS\$hf_mig$\KB971486\KB971486
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB971486\KB971486
Found mount point : C:\WINDOWS\$hf_mig$\KB973525\KB973525
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB973525\KB973525
Found mount point : C:\WINDOWS\$hf_mig$\KB974112\KB974112
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB974112\KB974112
Found mount point : C:\WINDOWS\$hf_mig$\KB974455-IE8\KB974455-IE8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB974455-IE8\KB974455-IE8
Found mount point : C:\WINDOWS\$hf_mig$\KB974571\KB974571
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB974571\KB974571
Found mount point : C:\WINDOWS\$hf_mig$\KB975025\KB975025
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB975025\KB975025
Found mount point : C:\WINDOWS\$hf_mig$\KB975467\KB975467
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB975467\KB975467
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP356.tmp\ZAP356.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP356.tmp\ZAP356.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP358.tmp\ZAP358.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP358.tmp\ZAP358.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP359.tmp\ZAP359.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP359.tmp\ZAP359.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3C0.tmp\ZAP3C0.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3C0.tmp\ZAP3C0.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP444.tmp\ZAP444.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP444.tmp\ZAP444.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4A0.tmp\ZAP4A0.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4A0.tmp\ZAP4A0.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4BF.tmp\ZAP4BF.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4BF.tmp\ZAP4BF.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCA.tmp\ZAPCA.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCA.tmp\ZAPCA.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCB.tmp\ZAPCB.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPCB.tmp\ZAPCB.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\bak\bak
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\bak\bak
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d1\d1
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d2\d2
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d3\d3
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d4\d4
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d5\d5
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d6\d6
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d7\d7
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d8\d8
Found mount point : C:\WINDOWS\Drivers\Intel\Graphics\Graphics
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Drivers\Intel\Graphics\Graphics
Cannot access: C:\WINDOWS\explorer.exe
Attempting to restore permissions of : C:\WINDOWS\explorer.exe
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ftpcache\ftpcache
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\shared\res\res
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109120000000000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109120000000000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109120090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109120090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000030\8.0.0\8.0.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000030\8.0.0\8.0.0
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\983B05722D2A359499AC721C2F8A6EDF\9.3.4035\9.3.4035
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\983B05722D2A359499AC721C2F8A6EDF\9.3.4035\9.3.4035
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Minidump\Minidump
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\mui\mui
Found mount point : C:\WINDOWS\occache\occache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\occache\occache
Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState
Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\security\logs\logs
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\158668ba7283d2863392f9e1fe3fc7a1\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\158668ba7283d2863392f9e1fe3fc7a1\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\71668abe67b6d77ebac6750f25908a6e\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\71668abe67b6d77ebac6750f25908a6e\update\update.exe
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\update\update.exe
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\9e56f14e7203556d1448d8e8d058de0f\update\update.exe
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\e15760431e46367ca5a3dfd40a9d03e3\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\e15760431e46367ca5a3dfd40a9d03e3\update\update.exe
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\fbdd9f75315c1cf9ff63f37aaca267d3\backup\backup
Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixas\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixas\files\files
Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixdts\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixdts\files\files
Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixns\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixns\files\files
Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixrs\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixrs\files\files
Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixsql\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixsql\files\files
Found mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixtools\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB948109_ENU\hotfixtools\files\files
Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixas\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixas\files\files
Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixdts\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixdts\files\files
Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixns\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixns\files\files
Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixrs\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixrs\files\files
Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixsql\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixsql\files\files
Found mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixtools\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB960089_ENU\hotfixtools\files\files
Found mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixas\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixas\files\files
Found mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixdts\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixdts\files\files
Found mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixns\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixns\files\files
Found mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixrs\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixrs\files\files
Found mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixsql\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixsql\files\files
Found mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixtools\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQL9_KB970892_ENU\hotfixtools\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixas\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixas\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixdts\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixdts\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixns\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixns\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixrs\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixrs\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixsql\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixsql\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixtools\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB948109_ENU\hotfixtools\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixas\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixas\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixdts\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixdts\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixns\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixns\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixrs\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixrs\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixsql\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixsql\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixtools\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB960089_ENU\hotfixtools\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixas\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixas\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixdts\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixdts\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixns\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixns\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixrs\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixrs\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixsql\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixsql\files\files
Found mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixtools\files\files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SQLTools9_KB970892_ENU\hotfixtools\files\files
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Cannot access: C:\WINDOWS\system32\MRT.exe
Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe
Cannot access: C:\WINDOWS\system32\svchost.exe
Attempting to restore permissions of : C:\WINDOWS\system32\svchost.exe
Note: Granted Everyone Full Access to svchost.exe
Found mount point : C:\WINDOWS\Twain32\Twain32
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Twain32\Twain32
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!

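The log above is Win32kDiag output. Two things stand out: the rootkit has planted NTFS reparse points named after their own parent directory (C:\WINDOWS\PIF\PIF, C:\WINDOWS\security\logs\logs and so on) that all resolve to the bogus \Device\__max++>\^ object, and it has stripped the ACLs on MRT.exe and svchost.exe so that even an administrator gets "Cannot access". The script below is an added example, not part of the original thread and not code from Win32kDiag, that parses that line format into records and separates the rootkit's reparse points from a legitimate NTFS volume mount point (which resolves to \??\Volume{GUID}\). The sample text is copied from the log above plus one constructed C:\MountedData entry with a made-up GUID, so the triage has something it must not flag.

```python
import re

# Constructed sample: the first lines are copied from the Win32kDiag output
# above; the C:\MountedData block (made-up GUID) is added to show a legitimate
# volume mount point that the triage must NOT flag.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\security\logs\logs
Found mount point : C:\MountedData
Mount point destination : \??\Volume{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\
Cannot access: C:\WINDOWS\system32\MRT.exe
Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe
Cannot access: C:\WINDOWS\system32\svchost.exe
Attempting to restore permissions of : C:\WINDOWS\system32\svchost.exe
Note: Granted Everyone Full Access to svchost.exe
Finished!
"""

# One regex per line shape the tool emits.
FOUND_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
REMOVED_RE = re.compile(r"^Removing mount point : (?P<path>.+)$")
LOCKED_RE = re.compile(r"^Cannot access: (?P<path>.+)$")
GRANT_RE = re.compile(r"^Note: Granted Everyone Full Access to (?P<name>.+)$")

# A real NTFS volume mount point reparses to \??\Volume{GUID}\ ; anything
# else (here the rootkit's fake \Device\__max++>\^ object) is suspect.
VOLUME_DEST_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]{36}\}\\$")


def parse_win32kdiag(text):
    """Turn Win32kDiag log lines into structured records."""
    mounts, locked, granted = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := FOUND_RE.match(line):
            current = {"path": m["path"], "dest": None, "removed": False}
            mounts.append(current)
        elif (m := DEST_RE.match(line)) and current is not None:
            current["dest"] = m["dest"]
        elif m := REMOVED_RE.match(line):
            for rec in mounts:
                if rec["path"].lower() == m["path"].lower():
                    rec["removed"] = True
        elif m := LOCKED_RE.match(line):
            locked.append(m["path"])
        elif m := GRANT_RE.match(line):
            granted.append(m["name"])
    return {"mounts": mounts, "locked": locked, "granted_everyone": granted}


def is_self_named(path):
    r"""True for the rootkit's <dir>\<dir> junction pattern, e.g. C:\WINDOWS\PIF\PIF."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def triage(report):
    """Separate rootkit reparse points from legitimate volume mounts."""
    suspicious, benign = [], []
    for rec in report["mounts"]:
        reasons = []
        if rec["dest"] is None or not VOLUME_DEST_RE.match(rec["dest"]):
            reasons.append("destination is not a volume GUID")
        if is_self_named(rec["path"]):
            reasons.append("self-named junction")
        if reasons:
            suspicious.append({**rec, "reasons": reasons})
        else:
            benign.append(rec)
    return {
        "suspicious": suspicious,
        "benign": benign,
        "locked": report["locked"],
        # Everyone:Full Control on a system binary is itself a finding to fix.
        "weakened_acl": report["granted_everyone"],
    }


if __name__ == "__main__":
    result = triage(parse_win32kdiag(SAMPLE_LOG))
    for rec in result["suspicious"]:
        print(f"SUSPECT {rec['path']} -> {rec['dest']} ({'; '.join(rec['reasons'])})")
    print(f"{len(result['benign'])} benign mount point(s)")
    print("locked:", ", ".join(result["locked"]))
    print("ACL weakened to Everyone:F:", ", ".join(result["weakened_acl"]))
```

Run it over a saved Win32kDiag log; every directory that lands in the suspicious list is one to inspect once the junction is gone, because the real folder contents were hidden behind the reparse point. Note the last line of the tool output: granting Everyone Full Access to svchost.exe made the file readable again, but that is far looser than the default ACL on a system binary, so it should be reset (SYSTEM and Administrators full control, Users read and execute) once the cleanup is finished.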
#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,559 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:38 AM

Posted 29 October 2009 - 08:41 PM

After ComboFix, please add this step:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    explorer.exe
    svchost.exe
    MRT.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

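SystemLook's :filefind lists every copy of a file name on the disk with its attributes, size, two timestamps and MD5, which is what lets you compare the running copy of explorer.exe, svchost.exe or MRT.exe against the copies Windows XP keeps for itself (dllcache, ServicePackFiles\i386, $hf_mig$, $NtServicePackUninstall$). The script below is an added example, not from this thread and not code from SystemLook, that parses that output format and applies the comparison: is the live copy listed at all, does its hash match one of the OS's cached copies, and is there a copy somewhere no system binary should live. The sample log reuses the two explorer.exe lines that appear in the SystemLook report later in this thread; everything else in it is constructed (the extra explorer.exe, svchost.exe and MRT.exe entries, and every hash made of repeated digits), with a svchost.exe under a Temp directory and a missing live MRT.exe planted to show what a finding looks like.

```python
import re
from collections import defaultdict

# Constructed sample: the $hf_mig$ and $NtServicePackUninstall$ explorer.exe
# lines are from the thread's SystemLook report; all other lines and all
# hashes made of repeated digits are made up for this example.
SAMPLE = r'''
Searching for "explorer.exe"
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a--- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c 1004032 bytes [20:08 31/12/2004] [12:00 31/03/2003] A82B28BFC2E4455FE43022A498C0EF0A
C:\WINDOWS\explorer.exe --a--- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\system32\dllcache\explorer.exe --a--- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658

Searching for "svchost.exe"
C:\WINDOWS\system32\svchost.exe --a--- 14336 bytes [12:00 04/08/2004] [12:00 04/08/2004] 11111111111111111111111111111111
C:\WINDOWS\system32\dllcache\svchost.exe --a--- 14336 bytes [12:00 04/08/2004] [12:00 04/08/2004] 11111111111111111111111111111111
C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe --a--- 51712 bytes [03:12 29/10/2009] [03:12 29/10/2009] 22222222222222222222222222222222

Searching for "MRT.exe"
C:\WINDOWS\system32\dllcache\MRT.exe --a--- 5000000 bytes [10:00 01/10/2009] [10:00 01/10/2009] 33333333333333333333333333333333
'''

# path  attrs  size bytes [mtime] [ctime] MD5
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
HEADER_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# Where each binary is supposed to run from on Windows XP (assumed map).
LIVE_DIR = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "mrt.exe": r"c:\windows\system32",
}
# Directories in which extra copies are normal: file protection cache,
# service pack sources, hotfix and uninstall backups, update downloads.
CACHE_MARKERS = (
    "\\system32\\dllcache\\",
    "\\servicepackfiles\\i386\\",
    "\\$hf_mig$\\",
    "\\$ntservicepackuninstall$\\",
    "\\$ntuninstallkb",
    "\\softwaredistribution\\download\\",
)


def parse_filefind(text):
    """Group SystemLook :filefind hits by the searched file name."""
    hits = defaultdict(list)
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            name = m["name"].lower()
        elif (m := LINE_RE.match(line)) and name:
            hits[name].append({
                "path": m["path"], "attrs": m["attrs"], "size": int(m["size"]),
                "mtime": m["mtime"], "ctime": m["ctime"], "md5": m["md5"].upper(),
            })
    return hits


def classify(path):
    """'live' (the copy that runs), 'cache' (an OS backup copy) or 'unexpected'."""
    p = path.lower()
    parent, _, name = p.rpartition("\\")
    if parent == LIVE_DIR.get(name):
        return "live"
    if any(marker in p for marker in CACHE_MARKERS):
        return "cache"
    return "unexpected"


def assess(hits):
    """Per file name: compare the live copy with the OS's own cached copies."""
    findings = {}
    for name, copies in hits.items():
        live = [c for c in copies if classify(c["path"]) == "live"]
        cache_md5 = {c["md5"] for c in copies if classify(c["path"]) == "cache"}
        stray = [c["path"] for c in copies if classify(c["path"]) == "unexpected"]
        notes = []
        if not live:
            notes.append("live copy not listed (hidden, deleted or access denied)")
        elif cache_md5 and live[0]["md5"] not in cache_md5:
            notes.append("live copy hash matches no cached copy")
        for path in stray:
            notes.append(f"copy outside OS directories: {path}")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in assess(parse_filefind(SAMPLE)).items():
        print(name, "-", "; ".join(notes) if notes else "consistent with cached copies")
```

A live copy whose hash matches none of the cached copies is a lead, not proof: a hotfix installed after the last service pack legitimately leaves the live file newer than ServicePackFiles\i386, while dllcache normally keeps pace with it, so check which cache disagreed and the file's version resource before calling the file patched. A copy under a Temp or profile directory, on the other hand, has no legitimate reason to exist and is what the :filefind was really looking for.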

#5 Newbert

Newbert
  • Topic Starter

  • Members
  • 13 posts
  • Local time:08:38 AM

Posted 29 October 2009 - 10:10 PM

JSntgRvr,

Now the results of ComboFix. Note that before this step I did not have access to System Services or to the System Tray (Explorer was not running), so I was not able to disable the remaining McAfee components. Also, installation of the Recovery Console was impossible. So ComboFix ran under these conditions.

The system state has changed dramatically after the ComboFix run. Now Explorer is running and it seems all access rights are OK. I will proceed with SystemLook now.

--------------------------------------------
ComboFix 09-10-28.08 - Owner 10/30/2009 2:07.3.2 - NTFSx86
Running from: H:\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

-- Previous Run --

c:\windows\system32\eventlog.dll . . . is infected!!

-- Previous Run --

c:\windows\system32\eventlog.dll . . . is infected!!

--------

c:\windows\system32\eventlog.dll . . . is infected!!

--------

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IWINGAMESINSTALLER
-------\Legacy_NPF
-------\Legacy_TDSSSERV
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_iWinGamesInstaller
-------\Service_NPF
-------\Service_tdssserv
-------\Legacy_NPF
-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-29 18:34 . 2009-10-29 18:34 -------- d-----w- c:\program files\HJT4
2009-10-29 18:33 . 2009-10-29 18:33 -------- d-----w- c:\program files\HJT3
2009-10-29 18:31 . 2009-10-29 18:31 -------- d-----w- c:\program files\HJT2
2009-10-29 18:06 . 2009-10-29 18:06 -------- d-----w- c:\program files\HJT
2009-10-29 07:08 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 07:08 . 2009-10-29 07:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 07:08 . 2009-10-29 07:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-29 07:08 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 01:06 . 2009-10-29 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\TextPad
2009-10-29 00:37 . 2009-10-29 00:37 -------- d-----w- c:\program files\CCleaner
2009-10-28 23:36 . 2009-10-28 23:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-28 20:42 . 2009-10-28 20:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-28 18:37 . 2009-10-28 18:37 -------- d-----w- c:\windows\McAfee.com
2009-10-28 18:19 . 2009-10-28 18:19 -------- d-----w- c:\program files\Windows Defender
2009-10-27 23:24 . 2009-10-28 00:58 -------- d-----w- C:\data
2009-10-22 04:47 . 2009-10-22 04:47 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2009-10-22 04:45 . 2009-10-22 04:45 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2009-10-21 22:53 . 2009-10-29 18:28 0 ----a-r- c:\windows\win32k.sys
2009-10-10 05:04 . 2009-10-10 05:04 -------- d-----w- c:\program files\MSXML 4.0
2009-10-09 03:14 . 2009-10-09 03:14 -------- d-----w- c:\documents and settings\Mom\Local Settings\Application Data\Scansoft
2009-10-04 06:30 . 2009-10-01 10:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-04 04:47 . 2009-10-04 04:47 -------- d-----w- c:\documents and settings\Dad2\Local Settings\Application Data\Scansoft
2009-10-04 04:37 . 2009-10-04 04:37 -------- d-----r- c:\documents and settings\Owner\Application Data\Brother
2009-10-04 04:21 . 2009-10-04 04:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Scansoft
2009-10-04 04:13 . 2001-08-17 13:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2009-10-04 04:13 . 2009-10-04 04:13 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-10-04 04:13 . 2006-07-07 12:40 73728 ------w- c:\windows\system32\BRCrypt.dll
2009-10-04 03:59 . 2009-10-04 03:59 -------- d-----w- c:\program files\Nuance
2009-10-04 03:59 . 2009-10-04 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-04 03:58 . 2009-10-04 03:58 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-10-04 03:58 . 2009-10-04 03:58 -------- d-----w- c:\program files\ScanSoft
2009-10-04 03:58 . 2009-10-04 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-10-04 03:57 . 2009-10-04 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-10-03 00:22 . 2009-10-03 00:22 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 20:05 . 2009-03-05 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-10-29 02:12 . 2008-08-27 03:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-29 02:05 . 2008-08-27 20:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-28 20:26 . 2008-11-13 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-28 17:25 . 2009-03-05 03:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-10-27 23:23 . 2008-08-24 04:44 122328 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 02:29 . 2007-08-28 15:14 -------- d-----w- c:\program files\PeerGuardian2
2009-10-25 17:45 . 2008-11-19 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-22 05:01 . 2006-02-02 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-22 04:48 . 2008-10-10 05:42 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 04:29 . 2005-03-01 02:20 -------- d-----w- c:\program files\wippo_duerme
2009-10-22 00:25 . 2009-05-31 05:40 -------- d-----w- c:\program files\Snail Mail
2009-10-22 00:22 . 2009-01-27 03:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-10-17 20:09 . 2005-01-20 01:49 -------- d-----w- c:\program files\iview380
2009-10-16 01:05 . 2008-09-10 21:36 122328 ----a-w- c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-14 02:25 . 2004-12-31 20:17 122328 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 04:59 . 2002-02-15 18:21 -------- d-----w- c:\program files\Microsoft Works
2009-10-04 04:12 . 2009-10-04 04:12 -------- d-----w- c:\program files\Brother
2009-10-04 04:12 . 2002-02-15 18:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-04 03:58 . 2002-02-15 18:02 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-19 17:22 . 2009-09-18 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-18 17:46 . 2009-09-18 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-08-17 23:33 . 2009-08-17 23:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 19:24 . 2004-08-03 21:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 19:24 . 2004-08-03 20:59 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 19:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 19:24 . 2004-08-03 20:59 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 19:24 . 2002-02-15 17:57 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 19:24 . 2002-02-15 16:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 19:23 . 2004-08-03 21:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 19:23 . 2008-02-02 01:27 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 19:23 . 2008-02-02 01:27 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 19:23 . 2002-02-15 17:57 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2002-12-12 08:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

------- Sigcheck -------

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
[-] 2003-12-17 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2003-12-17 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
[-] 2003-03-31 . FE84E045A09A4ABC4DEEF7270448B64E . 200192 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\termsrv.dll

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\appmgmts.dll
[-] 2002-08-29 . A0EE5C06390357FEE7B7949DBCA156D3 . 165376 . . [5.1.2600.1106] . . c:\windows\system32\appmgmts.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-08-18 18:49 . 2005-08-18 18:49 307200 c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe

2005-01-22 05:00 . 2005-08-05 21:08 67160 c:\program files\AIM\bak\aim.exe
2005-01-22 05:00 . 2002-11-13 23:50 61440 c:\program files\AIM\aim.exe

2002-02-15 18:25 . 2003-11-01 03:42 32768 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe

2004-03-11 23:18 . 2004-03-11 23:18 135168 c:\program files\eMachines Bay Reader\bak\shwiconem.exe

2006-05-10 00:43 . 2006-05-10 00:43 3203072 c:\program files\FilmLoop Player\bak\FilmLoop.exe

2006-02-23 22:45 . 2006-02-23 22:45 278528 c:\program files\iTunes\bak\iTunesHelper.exe
2009-05-30 12:30 . 2009-05-30 12:30 292136 c:\program files\iTunes\iTunesHelper.exe

2002-02-15 18:16 . 2006-06-04 20:17 282624 c:\program files\QuickTime\bak\qttask.exe
2009-05-26 17:18 . 2009-05-26 17:18 413696 c:\program files\QuickTime\QTTask.exe

2002-02-15 16:51 . 2004-08-04 07:56 15360 c:\windows\system32\bak\ctfmon.exe
2002-02-15 16:51 . 2004-08-04 07:56 15360 c:\windows\system32\ctfmon.exe

2002-02-15 18:17 . 2001-07-09 19:50 155648 c:\windows\system32\bak\NeroCheck.exe
2008-10-12 16:27 . 2006-01-12 15:40 155648 c:\windows\system32\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-19 1421824]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-19 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-02-11 188416]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-10 185896]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2008-10-28 64048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Shortcut to PGW.EXE.lnk - c:\pg_ii\PGW.EXE [2002-9-6 101888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-12-10 41042]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Brother\\Brmfl08b\\FAXRX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [12/10/2008 0:10 24636]
R2 kqemu;kqemu driver;c:\windows\system32\drivers\kqemu.sys [2/6/2007 21:02 123939]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/28/2008 23:01 54960]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 19:19 13592]
S3 shspusb;Samsung High Speed USB Driver;c:\windows\system32\drivers\HSPUSB.sys [8/24/2007 17:02 21282]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [2/26/2008 4:47 25856]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [9/4/2007 16:53 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 12:17 2805000]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-30 05:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Settings,ProxyOverride = *.local
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\28v6qpf1.default\
FF - prefs.js: browser.startup.homepage - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/happy-48x48.png
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-DivX Content Uploader - c:\program files\DivX\DivXContentUploaderUninstall.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{DF403CD5-0374-4380-92C2-21A3EB72068B}_is1 - c:\program files\GXTranscoder.net
AddRemove-wippo_duerme - c:\windows\wippo_duerme.scr



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 02:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1232)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(148)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-10-30 2:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 02:38

Pre-Run: 11,109,756,928 bytes free
Post-Run: 11,091,095,552 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - -

Edited by Newbert, 30 October 2009 - 07:48 PM.


#6 Newbert (Topic Starter)

Posted 29 October 2009 - 10:23 PM

Now the report of SystemLook.

---------------------------------------------------------
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 03:17 on 30/10/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a--- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c 1004032 bytes [20:08 31/12/2004] [12:00 31/03/2003] A82B28BFC2E4455FE43022A498C0EF0A
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c 1032192 bytes [18:19 15/08/2007] [07:56 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ERDNT\cache\explorer.exe --a--- 1033216 bytes [02:33 30/10/2009] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\explorer.exe ------ 1033216 bytes [16:51 15/02/2002] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------ 1032192 bytes [07:56 04/08/2004] [07:56 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe --a--- 1033728 bytes [14:40 26/08/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "svchost.exe"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 12800 bytes [20:07 31/12/2004] [12:00 31/03/2003] 0F7D9C87B0CE1FA520473119752C6F79
C:\WINDOWS\ERDNT\cache\svchost.exe --a--- 14336 bytes [02:33 30/10/2009] [07:56 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [07:56 04/08/2004] [07:56 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe --a--- 14336 bytes [14:40 26/08/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe ------ 14336 bytes [16:51 15/02/2002] [07:56 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716

Searching for "MRT.exe"
C:\WINDOWS\system32\MRT.exe --a--- 25198016 bytes [02:00 11/05/2005] [18:01 02/10/2009] C5996D6399A1DAC0589AA0AAFCA5BA9E

-=End Of File=-

#7 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 29 October 2009 - 11:37 PM

Follow these steps:

Download the enclosed folder. Save and extract its contents where you can remember. Once extracted, open the folder and click on RunMe.bat. The computer will restart. That is normal.

Attention: This fix is tailored for this user only. Running this fix in your computer may damage its workings.

Upon restart let me know if Explorer is back. If yes, proceed with the next step:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
C:\WINDOWS\system32\MRT.exe

AWF::
c:\program files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
c:\program files\AIM\bak\aim.exe
c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe
c:\program files\eMachines Bay Reader\bak\shwiconem.exe
c:\program files\FilmLoop Player\bak\FilmLoop.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\QuickTime\bak\qttask.exe
c:\windows\system32\bak\ctfmon.exe
c:\windows\system32\bak\NeroCheck.exe


[image]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Edited by JSntgRvr, 29 October 2009 - 11:39 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 Newbert (Topic Starter)

Posted 30 October 2009 - 12:24 AM

JSntgRvr,

Explorer is already back, I mentioned this in my Post #5. Explorer re-appeared after the ComboFix run. I suspect that curing of the infected eventlog.dll by ComboFix was critically important to resolve this. Do I still need in this situation to apply the ExplorerFix.zip routines?

Newbert

#9 Newbert (Topic Starter)

Posted 30 October 2009 - 01:54 AM

Here are the results of the 2nd ComboFix run:

---------------------------------------------
ComboFix 09-10-28.08 - Owner 10/30/2009 6:16.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2559.1894 [GMT 0:00]
Running from: H:\Combo-Fix.exe
Command switches used :: H:\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\MRT.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))
.

2009-10-30 05:56 . 2009-10-30 06:13 -------- d-----w- C:\Combo-Fix
2009-10-30 03:30 . 2009-10-30 03:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-10-29 01:06 . 2009-10-29 01:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\TextPad
2009-10-29 00:37 . 2009-10-29 00:37 -------- d-----w- c:\program files\CCleaner
2009-10-28 23:36 . 2009-10-28 23:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-28 20:42 . 2009-10-28 20:42 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-28 18:37 . 2009-10-28 18:37 -------- d-----w- c:\windows\McAfee.com
2009-10-28 18:19 . 2009-10-30 04:52 -------- d-----w- c:\program files\Windows Defender
2009-10-27 23:24 . 2009-10-28 00:58 -------- d-----w- C:\data
2009-10-22 04:47 . 2009-10-22 04:47 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2009-10-22 04:45 . 2009-10-22 04:45 -------- d-----w- c:\windows\SQL9_KB970892_ENU
2009-10-21 22:53 . 2009-10-29 18:28 0 ----a-r- c:\windows\win32k.sys
2009-10-10 05:04 . 2009-10-10 05:04 -------- d-----w- c:\program files\MSXML 4.0
2009-10-09 03:14 . 2009-10-09 03:14 -------- d-----w- c:\documents and settings\Mom\Local Settings\Application Data\Scansoft
2009-10-04 06:30 . 2009-10-01 10:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-04 04:47 . 2009-10-04 04:47 -------- d-----w- c:\documents and settings\Dad2\Local Settings\Application Data\Scansoft
2009-10-04 04:37 . 2009-10-04 04:37 -------- d-----r- c:\documents and settings\Owner\Application Data\Brother
2009-10-04 04:21 . 2009-10-04 04:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Scansoft
2009-10-04 04:13 . 2001-08-17 13:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2009-10-04 04:13 . 2009-10-04 04:13 50 ----a-w- c:\windows\system32\bridf08b.dat
2009-10-04 04:13 . 2006-07-07 12:40 73728 ------w- c:\windows\system32\BRCrypt.dll
2009-10-04 03:59 . 2009-10-04 03:59 -------- d-----w- c:\program files\Nuance
2009-10-04 03:59 . 2009-10-04 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-10-04 03:58 . 2009-10-04 03:58 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-10-04 03:58 . 2009-10-04 03:58 -------- d-----w- c:\program files\ScanSoft
2009-10-04 03:58 . 2009-10-04 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-10-04 03:57 . 2009-10-04 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-10-03 00:22 . 2009-10-03 00:22 -------- d-----w- c:\documents and settings\Owner\Application Data\DAEMON Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-30 06:16 . 2006-05-10 00:43 -------- d-----w- c:\program files\FilmLoop Player
2009-10-30 05:54 . 2009-03-05 03:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\VMware
2009-10-30 05:54 . 2009-03-05 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-10-30 04:02 . 2005-01-01 01:02 -------- d-----w- c:\program files\Yahoo!
2009-10-30 02:15 . 2008-11-19 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-29 02:12 . 2008-08-27 03:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-29 02:05 . 2008-08-27 20:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-27 23:23 . 2008-08-24 04:44 122328 ----a-w- c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 02:29 . 2007-08-28 15:14 -------- d-----w- c:\program files\PeerGuardian2
2009-10-22 05:01 . 2006-02-02 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-22 04:48 . 2008-10-10 05:42 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-22 04:29 . 2005-03-01 02:20 -------- d-----w- c:\program files\wippo_duerme
2009-10-22 00:22 . 2009-01-27 03:03 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-10-17 20:09 . 2005-01-20 01:49 -------- d-----w- c:\program files\iview380
2009-10-16 01:05 . 2008-09-10 21:36 122328 ----a-w- c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-14 02:25 . 2004-12-31 20:17 122328 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 04:59 . 2002-02-15 18:21 -------- d-----w- c:\program files\Microsoft Works
2009-10-04 04:12 . 2009-10-04 04:12 -------- d-----w- c:\program files\Brother
2009-10-04 04:12 . 2002-02-15 18:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-04 03:58 . 2002-02-15 18:02 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-19 17:22 . 2009-09-18 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-18 17:46 . 2009-09-18 17:46 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-08-17 23:33 . 2009-08-17 23:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 19:24 . 2004-08-03 21:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 19:24 . 2004-08-03 20:59 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 19:24 . 2005-05-26 10:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 19:24 . 2004-08-03 20:59 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 19:24 . 2002-02-15 17:57 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 19:24 . 2002-02-15 16:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 19:23 . 2004-08-03 21:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 19:23 . 2008-02-02 01:27 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 19:23 . 2008-02-02 01:27 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 19:23 . 2002-02-15 17:57 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2002-12-12 08:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.

------- Sigcheck -------

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll
[-] 2003-12-17 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2003-12-17 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
[-] 2003-03-31 . FE84E045A09A4ABC4DEEF7270448B64E . 200192 . . [5.1.2600.1106] . . c:\windows\$NtServicePackUninstall$\termsrv.dll

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\appmgmts.dll
[-] 2002-08-29 . A0EE5C06390357FEE7B7949DBCA156D3 . 165376 . . [5.1.2600.1106] . . c:\windows\system32\appmgmts.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-30_02.14.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-30 05:54 . 2009-10-30 05:54 16384 c:\windows\temp\Perflib_Perfdata_ae4.dat
+ 2009-06-18 18:48 . 2009-06-18 18:48 142832 c:\windows\system32\drivers\MpFilter.sys
+ 2009-10-30 03:30 . 2009-10-30 03:30 259072 c:\windows\Installer\46843b.msi
+ 2009-10-30 03:30 . 2009-10-30 03:30 211968 c:\windows\Installer\468436.msi
+ 2009-10-30 03:29 . 2009-10-30 03:29 301056 c:\windows\Installer\468431.msi
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-01-22 05:00 . 2005-08-05 21:08 67160 c:\program files\AIM\bak\aim.exe
2005-01-22 05:00 . 2002-11-13 23:50 61440 c:\program files\AIM\aim.exe

2004-03-11 23:18 . 2004-03-11 23:18 135168 c:\program files\eMachines Bay Reader\bak\shwiconem.exe

2006-02-23 22:45 . 2006-02-23 22:45 278528 c:\program files\iTunes\bak\iTunesHelper.exe
2009-05-30 12:30 . 2009-05-30 12:30 292136 c:\program files\iTunes\iTunesHelper.exe

2002-02-15 18:16 . 2006-06-04 20:17 282624 c:\program files\QuickTime\bak\qttask.exe
2009-05-26 17:18 . 2009-05-26 17:18 413696 c:\program files\QuickTime\QTTask.exe

2002-02-15 18:17 . 2001-07-09 19:50 155648 c:\windows\system32\bak\NeroCheck.exe
2008-10-12 16:27 . 2006-01-12 15:40 155648 c:\windows\system32\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-19 1421824]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-19 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WheelMouse"="c:\program files\A4Tech\Mouse\Amoumain.exe" [2007-02-11 188416]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-10 185896]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2008-10-28 64048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2008-05-29 1085440]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-12-21 86016]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Shortcut to PGW.EXE.lnk - c:\pg_ii\PGW.EXE [2002-9-6 101888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-12-10 41042]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Brother\\Brmfl08b\\FAXRX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner

R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [12/10/2008 0:10 24636]
R2 kqemu;kqemu driver;c:\windows\system32\drivers\kqemu.sys [2/6/2007 21:02 123939]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/28/2008 23:01 54960]
S3 shspusb;Samsung High Speed USB Driver;c:\windows\system32\drivers\HSPUSB.sys [8/24/2007 17:02 21282]
S3 tap0801co;TAP-Win32 Adapter V8 (coLinux);c:\windows\system32\drivers\tap0801co.sys [2/26/2008 4:47 25856]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [9/4/2007 16:53 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 12:17 2805000]

--- Other Services/Drivers In Memory ---

*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-30 05:24]

2009-10-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 17:36]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Settings,ProxyOverride = *.local
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {E5ABEB00-B357-4884-9949-77B2C71A7EE3} - hxxp://www.intel.com/design/motherbd/boardid/BoardID.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\28v6qpf1.default\
FF - prefs.js: browser.startup.homepage - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/happy-48x48.png
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-30 06:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1240)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3488)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\program files\WinSCP3\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-10-30 6:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-30 06:46
ComboFix2.txt 2009-10-30 02:38

Pre-Run: 10,378,248,192 bytes free
Post-Run: 10,381,131,776 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - EF5CB42E2F47530E6758CD2D244151C4

#10 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 30 October 2009 - 06:43 AM

JSntgRvr,

Explorer is already back, I mentioned this in my Post #5. Explorer re-appeared after the ComboFix run. I suspect that curing of the infected eventlog.dll by ComboFix was critically important to resolve this. Do I still need in this situation to apply the ExplorerFix.zip routines?

Newbert

No. No need to run ExplorerFix. I missed that on your post.

We need to remove a trojan in the computer.

There is a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected, and the backups. We will then restore these files.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.



#11 Newbert (Topic Starter)

Posted 30 October 2009 - 10:11 AM

JSntgRvr,

Find AWF report follows here.

Newbert

------------------------------------------------------------------------------

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Fri 10/30/2009
The current time is: 14:44:44.54


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 21:08 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\EMACHI~1\BAK

03/11/2004 23:18 135,168 shwiconem.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006 22:45 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/04/2006 20:17 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 19:50 155,648 NeroCheck.exe
1 File(s) 155,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Nov 13 2002 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
135168 Mar 11 2004 "C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe"
292136 May 30 2009 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jun 2 2009 "C:\WINDOWS\Installer\{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}\iTunesIco.exe"
413696 May 26 2009 "C:\Program Files\QuickTime\QTTask.exe"
282624 Jun 4 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jan 12 2006 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"


end of report

#12 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 30 October 2009 - 11:14 AM

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy) (Please include the quotation marks):

    "C:\Program Files\AIM\bak\aim.exe"
    "C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe"
    "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\WINDOWS\system32\bak\NeroCheck.exe"



  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folders
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

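The scan step described in post #10 and the restore step in post #12, as an added example that is not FindAWF's own code and not from this thread: a small Python re-implementation that walks a tree for "bak" folders, compares each backup with the like-named file one level up, and copies the backup back over a differing live file. The directory tree and file contents are constructed, and comparing by size plus SHA-256 is an assumption, since the thread does not show how FindAWF itself compares the files.

```python
import hashlib
import os
import shutil
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# The thread's reports show the folder as both "bak" and "BAK": match case-insensitively.
BAK_FOLDER = "bak"


@dataclass
class BakFinding:
    backup: Path                  # file inside the bak folder (the displaced original)
    live: Optional[Path]          # same-named file one level up, if it exists
    backup_size: int
    live_size: Optional[int]
    same_content: Optional[bool]  # None when there is no live file to compare

    @property
    def status(self) -> str:
        if self.live is None:
            return "orphan-backup"          # e.g. shwiconem.exe in the report
        if self.same_content:
            return "live-matches-backup"    # what the option-2 report shows
        return "live-differs-from-backup"   # what the option-1 report shows


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:  # chunked so large executables are not read at once
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_folders(root: Path) -> List[BakFinding]:
    """Option 1: list bak folders and compare each file with its parent-dir twin."""
    findings: List[BakFinding] = []
    for dirpath, _, filenames in os.walk(root):
        folder = Path(dirpath)
        if folder.name.lower() != BAK_FOLDER:
            continue
        for name in sorted(filenames):
            backup, live = folder / name, folder.parent / name
            has_live = live.is_file()
            findings.append(BakFinding(
                backup=backup,
                live=live if has_live else None,
                backup_size=backup.stat().st_size,
                live_size=live.stat().st_size if has_live else None,
                same_content=(sha256_of(live) == sha256_of(backup)) if has_live else None,
            ))
    return findings


def restore_from_bak(findings: List[BakFinding]) -> List[Path]:
    """Option 2: copy each backup over its differing live file. The bak copy stays,
    which is why the option-2 report still lists the folders (option 3 deletes them)."""
    restored: List[Path] = []
    for f in findings:
        if f.live is not None and not f.same_content:
            shutil.copy2(f.backup, f.live)
            restored.append(f.live)
    return restored


def summarize(findings: List[BakFinding]) -> dict:
    return dict(Counter(f.status for f in findings))


def build_sample_tree() -> Path:
    """Constructed sample tree (not real system files) modelled on the report: two
    replaced programs, one untouched, one orphan backup, and an empty BAK folder."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    cases = {  # relative dir: (file name, original bytes kept in bak, live bytes or None)
        "Program Files/AIM": ("aim.exe", b"ORIGINAL-AIM" * 100, b"REPLACED-AIM" * 90),
        "Program Files/QuickTime": ("qttask.exe", b"ORIGINAL-QT" * 100, b"REPLACED-QT" * 80),
        "WINDOWS/system32": ("NeroCheck.exe", b"ORIGINAL-NERO" * 50, b"ORIGINAL-NERO" * 50),
        "Program Files/eMachines Bay Reader": ("shwiconem.exe", b"ORIGINAL-EM" * 60, None),
    }
    for rel, (name, original, live_bytes) in cases.items():
        bak = root / rel / "bak"
        bak.mkdir(parents=True)
        (bak / name).write_bytes(original)
        if live_bytes is not None:
            (root / rel / name).write_bytes(live_bytes)
    (root / "WINDOWS" / "BAK").mkdir(parents=True)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("before restore:", summarize(scan_bak_folders(root)))
    print("restored:", [p.name for p in restore_from_bak(scan_bak_folders(root))])
    print("after restore: ", summarize(scan_bak_folders(root)))
    shutil.rmtree(root)
```

The second scan mirrors the thread's option-2 report, where the live and bak sizes agree for every restored program while the bak folders themselves are still listed.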


#13 Newbert (Topic Starter)

Posted 30 October 2009 - 11:31 AM

Report of Find AWF with option 2:

-----------------------------------------------

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Fri 10/30/2009
The current time is: 16:21:19.09


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 21:08 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\EMACHI~1\BAK

03/11/2004 23:18 135,168 shwiconem.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006 22:45 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/04/2006 20:17 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

07/09/2001 19:50 155,648 NeroCheck.exe
1 File(s) 155,648 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67160 Aug 5 2005 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
135168 Mar 11 2004 "C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jun 2 2009 "C:\WINDOWS\Installer\{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}\iTunesIco.exe"
282624 Jun 4 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Jun 4 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"


end of report

#14 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 30 October 2009 - 11:43 AM

Hi, Newbert

Last but not least:
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\AIM\bak
    C:\Program Files\eMachines Bay Reader\bak
    C:\Program Files\iTunes\bak
    C:\Program Files\QuickTime\bak
    C:\WINDOWS\system32\bak
    C:\WINDOWS\BAK
    C:\Program Files\MSN Messenger\BAK



  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for .bak folders
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

Edited by JSntgRvr, 30 October 2009 - 11:44 AM.



#15 Newbert (Topic Starter)

Posted 30 October 2009 - 11:52 AM

Hi JSntgRvr,

Report of Find AWF with option 3 is here:

---------------------------------------------------

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Fri 10/30/2009
The current time is: 16:47:42.46


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\EMACHI~1\BAK

03/11/2004 23:18 135,168 shwiconem.exe
1 File(s) 135,168 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

135168 Mar 11 2004 "C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe"


end of report
