
Rootkit variant found


  • This topic is locked
11 replies to this topic

#1 slands

slands

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 24 November 2009 - 07:40 PM

Hi,

Originally posted about a redirect problem in Google, trying to give people something to go on. Turns out I possibly have a rootkit installed [Referred from following topic. ~ OB http://www.bleepingcomputer.com/forums/t/272133/avabon-browser-redirect-issues-further-info/] and have been advised to post here. Any help in removing this would be great. I am happy to provide further details, and would appreciate an explanation of the below output if anyone can be bothered to take the time or point me in the right direction.

Have been advised to post the following Win32kDiag output:

Win32kDiag

Running from: E:\Web Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\clisslands\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB944338-v2\KB944338-v2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D5.tmp\ZAP1D5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F5.tmp\ZAP1F5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58.tmp\ZAP58.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP62.tmp\ZAP62.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\ZAPD9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDD.tmp\ZAPDD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE0.tmp\ZAPE0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEB.tmp\ZAPEB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5.tmp\ZAPF5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109810090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5599132effaee562760dce29f8ca8491\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system\IOSUBSYS\IOSUBSYS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\History\Results\Results

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\nso6.tmp\nso6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\RtSigs\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\CommonAppData\Sophos\Sophos Anti-Virus\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\SXS\SXS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\System\System

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinLH_IA64\WinLH_IA64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinXP_AMD64\WinXP_AMD64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinXP_i386\WinXP_i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1239407060\WinXP_IA64\WinXP_IA64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\sophos_autoupdate1.dir\1241770528\1241770528

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\vmware-temp\vmware-SYSTEM\vmware-SYSTEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!


------------

Cheers for all the help from this site :(

Edited by Orange Blossom, 24 November 2009 - 08:20 PM.
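The Win32kDiag output above is a list of "mount point" (reparse point) pairs, and the thing that makes it worth posting is not any single entry but the pattern: every junction resolves to the same destination, `\Device\__max++>\^`, which is not a volume or drive path, and each junction carries the name of its own parent directory. The following Python is an added example, not part of the post or of the Win32kDiag tool, showing how a helper could triage such a log automatically. It assumes (as a heuristic, not something the thread states) that junctions created by Windows and its tools resolve to an NT object path under `\??\` (a `Volume{GUID}` or a drive letter), so anything else is flagged. The sample log is constructed to mirror the format above, with two ordinary junctions mixed in.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the Win32kDiag "Found mount point" / "Mount point destination"
# format. The first two entries mirror the shape of the ones in the post above; the last
# two are ordinary junctions of the kind mountvol/mklink create, which should not be flagged.
SAMPLE_LOG = r"""
Win32kDiag

Running from: E:\Tools\Win32kDiag.exe

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\Data\Archive

Mount point destination : \??\Volume{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}\

Found mount point : C:\Users\Public\Link

Mount point destination : \??\D:\Share

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")

# Assumption used as the "normal" baseline: a legitimate reparse target is an NT object
# path under \??\ pointing at a volume GUID or a drive letter, optionally with a subpath.
NORMAL_DEST = re.compile(r"^\\\?\?\\(Volume\{[0-9a-fA-F-]{36}\}|[A-Za-z]:)(\\.*)?$")


def parse_mount_points(log_text: str) -> List[Dict[str, str]]:
    """Pair each 'Found mount point' line with the 'Mount point destination' that follows it."""
    entries: List[Dict[str, str]] = []
    pending = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            entries.append({"path": pending, "dest": m.group("dest")})
            pending = None
    return entries


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) why a single junction looks abnormal."""
    reasons = []
    if not NORMAL_DEST.match(entry["dest"]):
        reasons.append("destination is not a \\??\\ volume or drive path")
    parts = entry["path"].rstrip("\\").split("\\")
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        reasons.append("junction is named after its parent directory")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Flag every junction with at least one abnormal property."""
    findings = []
    for entry in parse_mount_points(log_text):
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def shared_destinations(log_text: str) -> Dict[str, int]:
    """Count how many flagged junctions resolve to each destination; a large cluster
    pointing at one non-volume target is the pattern seen in the log above."""
    return dict(Counter(str(f["dest"]) for f in triage(log_text)))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['path']} -> {finding['dest']}: {'; '.join(finding['reasons'])}")
    print("Flagged destinations:", shared_destinations(SAMPLE_LOG))
```

Run against the real log, `shared_destinations` would report a single destination with roughly eighty junctions behind it, which is the signal a helper acts on; a lone junction with an odd target could just be a leftover from an installer, but dozens of same-named junctions under `C:\WINDOWS` resolving to one non-volume device path is not something Windows or ordinary software produces.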




#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:10:06 AM

Posted 29 November 2009 - 03:47 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 slands

slands
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 29 November 2009 - 06:23 PM

ComboFix 09-11-29.02 - clisslands 29/11/2009 22:58.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.596 [GMT 0:00]
Running from: e:\web downloads\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\windows\jestertb.dll
c:\windows\system32\oem23.inf
c:\windows\system32\oem7.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-25 15:19 . 2009-11-25 15:19 -------- d-----w- c:\program files\Auslogics
2009-11-24 10:00 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-11-24 10:00 . 2001-08-17 22:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-11-24 10:00 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-11-24 10:00 . 2001-08-17 22:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-11-24 10:00 . 2001-08-17 22:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-11-24 10:00 . 2001-08-17 22:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-11-24 10:00 . 2001-08-17 12:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-11-24 10:00 . 2004-08-03 22:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-11-24 10:00 . 2004-08-03 22:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2009-11-24 10:00 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2009-11-24 10:00 . 2004-08-03 22:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2009-11-24 10:00 . 2001-08-17 12:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2009-11-24 09:58 . 2001-08-17 12:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2009-11-24 09:57 . 2001-08-17 12:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2009-11-24 09:56 . 2001-08-17 22:36 9216 -c--a-w- c:\windows\system32\dllcache\rsmgrstr.dll
2009-11-24 09:55 . 2001-08-17 22:36 44544 -c--a-w- c:\windows\system32\dllcache\ovui2.dll
2009-11-24 09:54 . 2001-08-17 14:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2009-11-24 09:54 . 2008-04-13 18:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2009-11-24 09:54 . 2001-08-17 14:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2009-11-24 09:54 . 2001-08-17 13:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2009-11-24 09:54 . 2008-04-13 18:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2009-11-24 09:54 . 2001-08-17 13:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2009-11-24 09:54 . 2008-04-13 18:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-11-24 09:54 . 2001-08-17 13:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-11-24 09:54 . 2001-08-17 13:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2009-11-24 09:52 . 2001-08-17 14:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2009-11-24 09:51 . 2001-08-17 13:28 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2009-11-24 09:50 . 2001-08-17 22:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2009-11-24 09:49 . 2001-08-17 22:36 29768 -c--a-w- c:\windows\system32\dllcache\divasu.dll
2009-11-24 09:48 . 2001-08-17 12:13 49182 -c--a-w- c:\windows\system32\dllcache\cem56n5.sys
2009-11-24 09:47 . 2001-08-17 12:19 36992 -c--a-w- c:\windows\system32\dllcache\aztw2320.sys
2009-11-24 09:46 . 2001-08-17 14:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-11-24 09:45 . 2009-11-24 09:45 -------- d-----w- c:\program files\Microsoft SSL ChainSaver
2009-11-17 14:07 . 2009-11-17 14:07 117760 ----a-w- c:\documents and settings\clisslands\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-17 14:06 . 2009-11-17 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-17 14:06 . 2009-11-17 14:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-17 14:06 . 2009-11-17 14:06 -------- d-----w- c:\documents and settings\clisslands\Application Data\SUPERAntiSpyware.com
2009-11-17 14:05 . 2009-11-17 14:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-17 11:14 . 2009-11-17 11:14 -------- d-----w- c:\documents and settings\clisslands\Application Data\Malwarebytes
2009-11-17 11:14 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-17 11:14 . 2009-11-17 11:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-17 11:14 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-17 11:14 . 2009-11-17 11:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-14 04:52 . 2009-04-03 11:15 485376 -c--a-w- c:\windows\system32\dllcache\wmspdmod.dll
2009-11-14 04:52 . 2009-04-03 11:15 485376 ----a-w- c:\windows\system32\wmspdmod.dll
2009-11-14 04:52 . 2009-07-12 12:21 233472 -c--a-w- c:\windows\system32\dllcache\wmpdxm.dll
2009-11-14 04:52 . 2009-07-12 12:21 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-11-14 04:52 . 2009-07-12 12:21 4874240 -c--a-w- c:\windows\system32\dllcache\wmp.dll
2009-11-14 04:52 . 2008-04-14 00:12 33792 -c--a-w- c:\windows\system32\dllcache\tools.dll
2009-11-14 04:51 . 2008-04-14 00:12 29184 -c--a-w- c:\windows\system32\dllcache\rw330ext.dll
2009-11-14 04:51 . 2008-04-14 00:12 27648 -c--a-w- c:\windows\system32\dllcache\rw001ext.dll
2009-11-14 04:51 . 2004-08-04 12:00 403 -c----w- c:\windows\system32\dllcache\npdrmv2.zip
2009-11-14 04:51 . 2004-08-04 12:00 22060 -c----w- c:\windows\system32\dllcache\npds.zip
2009-11-14 04:51 . 2008-04-14 00:12 119808 -c--a-w- c:\windows\system32\dllcache\mtstocom.exe
2009-11-14 04:49 . 2008-04-14 00:12 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2009-11-14 04:49 . 2008-04-14 00:11 218112 -c--a-w- c:\windows\system32\dllcache\c_g18030.dll
2009-11-14 04:49 . 2007-04-02 18:26 19456 -c--a-w- c:\windows\system32\dllcache\agt0804.dll
2009-11-14 04:49 . 2007-04-02 18:26 19456 -c--a-w- c:\windows\system32\dllcache\agt0412.dll
2009-11-14 04:49 . 2007-04-02 18:26 19456 -c--a-w- c:\windows\system32\dllcache\agt0411.dll
2009-11-14 04:49 . 2007-04-02 18:26 19456 -c--a-w- c:\windows\system32\dllcache\agt040d.dll
2009-11-14 04:49 . 2007-04-02 18:25 19456 -c--a-w- c:\windows\system32\dllcache\agt0404.dll
2009-11-14 04:49 . 2007-04-02 18:25 19456 -c--a-w- c:\windows\system32\dllcache\agt0401.dll
2009-11-11 23:21 . 2009-08-04 15:13 2145280 -c--a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-11 23:21 . 2009-08-04 14:20 2023936 -c--a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-11 23:18 . 2009-06-10 09:19 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-11-11 00:28 . 2009-11-11 00:28 247280 ----a-w- c:\documents and settings\clisslands\Application Data\Mozilla\plugins\npgoogletalk.dll
2009-11-10 03:34 . 2009-11-10 03:44 -------- d-----w- c:\windows\system32\wbem\Repository.001
2009-11-10 03:32 . 2008-04-14 00:11 6144 -c--a-w- c:\windows\system32\dllcache\ftpmib.dll
2009-11-10 03:31 . 2008-04-14 00:11 22528 -c--a-w- c:\windows\system32\dllcache\lpdsvc.dll
2009-11-10 03:31 . 2008-04-14 00:12 92160 -c--a-w- c:\windows\system32\dllcache\evntwin.exe
2009-11-10 03:31 . 2008-04-14 00:12 267776 -c--a-w- c:\windows\system32\dllcache\fxssvc.exe
2009-11-10 03:31 . 2008-04-14 00:12 6144 -c--a-w- c:\windows\system32\dllcache\snmpmib.dll
2009-11-10 03:31 . 2008-04-14 00:11 400384 -c--a-w- c:\windows\system32\dllcache\fxsxp32.dll
2009-11-10 03:31 . 2008-04-14 00:12 188416 -c--a-w- c:\windows\system32\dllcache\snmpsmir.dll
2009-11-10 03:31 . 2008-04-14 00:11 39936 -c--a-w- c:\windows\system32\dllcache\hostmib.dll
2009-11-10 03:31 . 2008-04-14 00:09 6656 -c--a-w- c:\windows\system32\dllcache\fxsres.dll
2009-11-10 03:31 . 2008-04-14 00:11 246272 -c--a-w- c:\windows\system32\dllcache\fxst30.dll
2009-11-10 03:31 . 2008-04-14 00:11 23552 -c--a-w- c:\windows\system32\dllcache\fxsext32.dll
2009-11-10 03:31 . 2008-04-13 18:41 20736 -c--a-w- c:\windows\system32\dllcache\ramdisk.sys
2009-11-10 03:30 . 2008-04-14 00:12 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2009-11-10 03:30 . 2008-04-14 00:12 259072 -c--a-w- c:\windows\system32\dllcache\snmpcl.dll
2009-11-10 03:30 . 2008-04-14 00:11 451584 -c--a-w- c:\windows\system32\dllcache\fxsapi.dll
2009-11-10 03:30 . 2008-04-14 00:11 562176 -c--a-w- c:\windows\system32\dllcache\fxsst.dll
2009-11-10 03:30 . 2008-04-14 00:11 192512 -c--a-w- c:\windows\system32\dllcache\fxswzrd.dll
2009-11-10 03:30 . 2008-04-14 00:12 229376 -c--a-w- c:\windows\system32\dllcache\fxscover.exe
2009-11-10 03:30 . 2008-04-14 00:12 33280 -c--a-w- c:\windows\system32\dllcache\snmp.exe
2009-11-10 03:30 . 2008-04-14 00:11 397312 -c--a-w- c:\windows\system32\dllcache\fxstiff.dll
2009-11-10 03:30 . 2008-04-14 00:12 358400 -c--a-w- c:\windows\system32\dllcache\snmpincl.dll
2009-11-10 03:30 . 2008-04-14 00:11 72192 -c--a-w- c:\windows\system32\dllcache\fxscom.dll
2009-11-10 03:30 . 2008-04-14 00:11 8704 -c--a-w- c:\windows\system32\dllcache\fxsperf.dll
2009-11-10 03:30 . 2008-04-14 00:11 154112 -c--a-w- c:\windows\system32\dllcache\fxsui.dll
2009-11-10 03:29 . 2008-04-14 00:11 55296 -c--a-w- c:\windows\system32\dllcache\fxsevent.dll
2009-11-10 03:29 . 2008-04-14 00:11 18944 -c--a-w- c:\windows\system32\dllcache\lprmon.dll
2009-11-10 03:29 . 2008-04-14 00:11 26624 -c--a-w- c:\windows\system32\dllcache\fxsdrv.dll
2009-11-10 03:29 . 2008-04-14 00:11 35328 -c--a-w- c:\windows\system32\dllcache\iprip.dll
2009-11-10 03:29 . 2008-04-14 00:12 142848 -c--a-w- c:\windows\system32\dllcache\fxsclnt.exe
2009-11-10 03:29 . 2008-04-14 00:12 456192 -c--a-w- c:\windows\system32\dllcache\smtpsvc.dll
2009-11-10 03:29 . 2008-04-14 00:11 33792 -c--a-w- c:\windows\system32\dllcache\lmmib2.dll
2009-11-10 03:28 . 2008-04-14 00:12 39936 -c--a-w- c:\windows\system32\dllcache\snmpthrd.dll
2009-11-10 03:28 . 2008-04-14 00:11 101888 -c--a-w- c:\windows\system32\dllcache\evntagnt.dll
2009-11-10 03:28 . 2008-04-14 00:11 331264 -c--a-w- c:\windows\system32\dllcache\aqueue.dll
2009-11-10 02:11 . 2007-06-19 16:26 139264 ----a-w- c:\windows\system32\igfxres.dll
2009-11-10 02:08 . 2009-11-10 02:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Xobni
2009-11-10 01:57 . 2003-03-31 12:00 79872 -c--a-w- c:\windows\system32\dllcache\rwia330.dll
2009-11-10 01:56 . 2001-08-17 22:36 65536 -c--a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2009-11-10 01:55 . 2004-08-03 22:31 57399 -c--a-w- c:\windows\system32\dllcache\cplexe.exe
2009-11-10 01:54 . 2003-03-31 12:00 7680 -c--a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-11-10 01:52 . 2008-04-14 00:12 58434 -c--a-w- c:\windows\system32\dllcache\srchctls.dll
2009-11-10 01:51 . 2008-04-14 00:12 51200 -c--a-w- c:\windows\system32\dllcache\oobebaln.exe
2009-11-10 01:49 . 2008-04-14 00:12 281088 -c--a-w- c:\windows\system32\dllcache\pinball.exe
2009-11-10 01:48 . 2009-03-26 16:31 31280 ----a-r- c:\windows\system32\drivers\vmnetbridge.sys
2009-11-10 01:48 . 2009-03-26 16:31 18736 ----a-r- c:\windows\system32\drivers\vmnet.sys
2009-11-10 01:46 . 2008-04-13 18:45 52864 -c--a-w- c:\windows\system32\dllcache\dmusic.sys
2009-11-10 01:46 . 2008-04-13 18:45 52864 ----a-w- c:\windows\system32\drivers\dmusic.sys
2009-11-10 01:46 . 2008-04-13 18:45 6272 -c--a-w- c:\windows\system32\dllcache\splitter.sys
2009-11-10 01:46 . 2008-04-13 18:45 6272 ----a-w- c:\windows\system32\drivers\splitter.sys
2009-11-10 01:46 . 2008-04-13 18:40 57600 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2009-11-10 01:46 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-11-10 01:44 . 2008-04-14 00:11 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2009-11-10 01:44 . 2008-04-14 00:11 4096 ----a-w- c:\windows\system32\ksuser.dll
2009-11-10 01:43 . 2008-04-14 00:13 40840 -c--a-w- c:\windows\system32\dllcache\termdd.sys
2009-11-10 01:43 . 2008-04-14 00:13 40840 ----a-w- c:\windows\system32\drivers\termdd.sys
2009-11-10 01:43 . 2008-04-13 18:32 196224 -c--a-w- c:\windows\system32\dllcache\rdpdr.sys
2009-11-10 01:43 . 2008-04-13 18:32 196224 ----a-w- c:\windows\system32\drivers\rdpdr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-27 01:18 . 2008-12-29 16:59 -------- d-----w- c:\documents and settings\clisslands\Application Data\uTorrent
2009-11-25 15:23 . 2009-03-25 15:20 -------- d-----w- c:\program files\Log Parser 2.2
2009-11-15 22:23 . 2009-04-21 19:01 -------- d-----w- c:\documents and settings\clisslands\Application Data\FileZilla
2009-11-13 14:40 . 2009-01-15 01:24 -------- d-----w- c:\program files\Spybot
2009-11-13 13:53 . 2009-05-08 13:59 -------- d-----w- c:\program files\Desktop Notepad
2009-11-13 13:51 . 2008-12-18 22:44 -------- d-----w- c:\program files\MZ U.T
2009-11-12 17:43 . 2009-03-13 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-12 03:12 . 2009-08-21 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-11 12:26 . 2009-09-03 17:05 -------- d-----w- c:\program files\Xobni
2009-11-10 02:13 . 2008-11-20 00:53 78640 ----a-w- c:\documents and settings\clisslands\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-10 01:50 . 1982-06-04 01:16 113448 -c--a-w- c:\windows\system32\emptyregdb.dat
2009-11-09 20:20 . 2009-03-18 15:46 -------- d-----w- c:\program files\Advanced Monitoring Agent
2009-11-08 04:05 . 2009-08-21 00:38 -------- d-----w- c:\program files\Microsoft Works
2009-10-07 22:10 . 2009-10-07 22:10 -------- d-----w- c:\documents and settings\clisslands\Application Data\Virgin Broadband
2009-10-07 22:10 . 2009-10-07 22:10 -------- d-----w- c:\program files\Virgin Broadband
2009-10-07 22:10 . 2009-10-07 22:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-10-07 00:29 . 2009-10-07 00:29 3351812 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\msxml6Exec.exe
2009-10-07 00:29 . 2009-10-07 00:29 36864 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\Sleep.exe
2009-10-07 00:29 . 2009-10-07 00:29 3181612 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\Installer\CommonCustomActions\vcredistExec.exe
2009-10-07 00:29 . 2008-12-01 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Installations
2009-10-07 00:29 . 2009-10-07 00:29 24501456 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{F983B4FE-547B-4C44-BAF7-4F4DBA93D548}\NokiaSoftwareUpdaterSetup_en.exe
2009-09-25 05:37 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37 . 2009-11-10 03:33 81920 ------w- c:\windows\system32\ieencode.dll
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-01-26 22:58 . 2009-01-26 22:58 8 --sh--r- c:\windows\system32\13E1CF47FA.sys
2009-01-26 23:08 . 2009-01-26 22:58 3766 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="c:\program files\Volumouse\volumouse.exe" [2008-11-10 31744]
"Google Update"="c:\documents and settings\clisslands\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-14 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-11 2001648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-06-19 101144]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-06-19 84760]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-06-19 125720]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-04-13 88209]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2008-06-18 12:47 24692 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vmware-converter-server"=2 (0x2)
"vmware-converter-agent"=2 (0x2)
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"MSSQL$SOLARWINDS_ORION"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Documents and Settings\\clisslands\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\clisslands\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 74480]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [13/02/2009 16:21 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [13/02/2009 16:21 38528]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [18/06/2008 12:46 47504]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [05/10/2009 12:22 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [21/08/2008 12:04 98304]
R2 Sniffer;SNIFFER Protocol Driver;c:\windows\system32\drivers\sniffer.sys [22/11/2008 14:38 603184]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [26/03/2009 21:58 54960]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [18/06/2008 12:46 673872]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [18/06/2008 12:46 2235760]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 7408]
R3 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [18/06/2008 12:46 121136]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [02/03/2009 16:00 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [02/03/2009 16:00 3072]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [06/11/2007 20:22 34064]
S4 Advanced Monitoring Agent;Advanced Monitoring Agent;c:\program files\Advanced Monitoring Agent\winagent.exe [18/03/2009 15:46 1368064]
S4 MSSQL$SOLARWINDS_ORION;SQL Server (SOLARWINDS_ORION);c:\program files\Solarwinds\Orion\SQLExpress\MSSQL.1\MSSQL\Binn\sqlservr.exe [10/02/2007 05:29 29178224]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [13/02/2009 16:21 14976]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/01/2009 21:20 717296]
.
Contents of the 'Scheduled Tasks' folder

2009-11-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1390067357-682003330-1004Core.job
- c:\documents and settings\clisslands\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-14 15:50]

2009-11-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1390067357-682003330-1004UA.job
- c:\documents and settings\clisslands\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-14 15:50]

2009-11-29 c:\windows\Tasks\SyncToy 2.job
- c:\program files\SyncToy 2.0\SyncToyCmd.exe [2008-08-12 14:07]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 10.44.1.9:8080
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Copy to &Lightning Note - c:\program files\WordPerfect Lightning\Programs\WPLightningCopyToNote.hta
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
Trusted Zone: internet
FF - ProfilePath - c:\documents and settings\clisslands\Application Data\Mozilla\Firefox\Profiles\0xt1a7oj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\clisslands\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\clisslands\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\JavaSoft\JRE\1.3.1_02\bin\NPJava11.dll
FF - plugin: c:\program files\JavaSoft\JRE\1.3.1_02\bin\NPJava12.dll
FF - plugin: c:\program files\JavaSoft\JRE\1.3.1_02\bin\NPJava131_02.dll
FF - plugin: c:\program files\JavaSoft\JRE\1.3.1_02\bin\NPJava32.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
user_pref('capability.policy.policynames', 'localfilelinks');user_pref('capability.policy.localfilelinks.sites', 'hxxp://www.webmynd.com http://www.google.com');user_pref('...ri.enabled', 'allAccess');c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe verbose
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-Tweak UI 2.10 - c:\windows\system32\mshta.exe res://c:\windows\system32\TweakUI.exe/uninstall.hta



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 23:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="system32\DRIVERS\sniffer.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Solarwinds: Job Broker]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Solarwinds: Job Engine]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Solarwinds: Job Scheduler]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3764)
c:\program files\Volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\documents and settings\clisslands\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2009-11-29 23:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-29 23:18

Pre-Run: 824,696,832 bytes free
Post-Run: 852,287,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 4223891109C1334564BD5E9C872BAF84

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 29 November 2009 - 07:36 PM

Hi,

Please run win32kdiag again:
Download and run Win32kDiag:

Please also run junction:
We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Is there a particular reason why you did not run ComboFix from your Desktop?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 slands

slands
  • Topic Starter

  • Members
  • 11 posts

Posted 30 November 2009 - 02:08 PM

Hi,

Thanks for your reply. My bad, I forgot to move ComboFix to my desktop. I can rerun if you want?

Win32Diag:

Running from: C:\Documents and Settings\clisslands\Desktop\Win32kDiag(2).exe

Log file at : C:\Documents and Settings\clisslands\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB944338-v2\KB944338-v2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D5.tmp\ZAP1D5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F5.tmp\ZAP1F5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58.tmp\ZAP58.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP62.tmp\ZAP62.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\ZAPD9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDD.tmp\ZAPDD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE0.tmp\ZAPE0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEB.tmp\ZAPEB.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5.tmp\ZAPF5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109810090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5599132effaee562760dce29f8ca8491\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system\IOSUBSYS\IOSUBSYS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!



---------------------------------


Junction:


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.\\?\c:\\WINDOWS\$hf_mig$\KB944338-v2\KB944338-v2: MOUNT POINT
Substitute Name: \Device\__max++>\^

..

...

...

.\\?\c:\\WINDOWS\AppPatch\Custom\Custom: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1D5.tmp\ZAP1D5.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F5.tmp\ZAP1F5.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP58.tmp\ZAP58.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP62.tmp\ZAP62.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD9.tmp\ZAPD9.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDD.tmp\ZAPDD.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE0.tmp\ZAPE0.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEB.tmp\ZAPEB.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5.tmp\ZAPF5.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\tmp\tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Config\Config: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Connection Wizard\Connection Wizard: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\CSC\d1\d1: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d2\d2: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d3\d3: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d4\d4: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d5\d5: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d6\d6: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d7\d7: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\CSC\d8\d8: MOUNT POINT
Substitute Name: \Device\__max++>\^

...

\\?\c:\\WINDOWS\ime\chsime\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\CHTIME\Applets\Applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp98\imejp98: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imjp8_1\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\dicts\dicts: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\shared\res\res: MOUNT POINT
Substitute Name: \Device\__max++>\^

...

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109810090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\java\classes\classes: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\java\trustlib\trustlib: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\msapps\msinfo\msinfo: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\BATCH\BATCH: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\pchealth\helpctr\System\DFS\DFS: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\System\News\News: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\pchealth\helpctr\System_OEM\System_OEM: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\Temp\Temp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\PIF\PIF: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Registration\CRMLog\CRMLog: MOUNT POINT
Substitute Name: \Device\__max++>\^

.

...

.\\?\c:\\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\5599132effaee562760dce29f8ca8491\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

..

...\\?\c:\\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\EventCache\EventCache: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Sun\Java\Deployment\Deployment: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\system\IOSUBSYS\IOSUBSYS: MOUNT POINT
Substitute Name: \Device\__max++>\^



...

...

...

...\\?\c:\\WINDOWS\WinSxS\InstallTemp\InstallTemp: MOUNT POINT
Substitute Name: \Device\__max++>\^





Thanks!
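An added triage script (not from the thread, and not from either tool's author) that parses the two log formats pasted above and flags reparse points whose target is neither a volume GUID path nor a directory, which is what every `\Device\__max++>\^` destination above is, and directories whose last component repeats the parent's name, the shape every flagged entry above has. The sample log text, the `c:\Data` mount point and its volume GUID are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ReparsePoint:
    path: str    # directory carrying the reparse point (normalised)
    kind: str    # "MOUNT POINT" or "JUNCTION"
    target: str  # substitute name / "Mount point destination"

# Win32kDiag prints two lines per finding; Junction prefixes the path with
# progress dots and \\?\ and doubles the backslash after the drive letter.
_W32_PATH = re.compile(r"^Found mount point : (.+)$")
_W32_DEST = re.compile(r"^Mount point destination : (.+)$")
_JUNC_PATH = re.compile(r"^\.*\\\\\?\\(.+?): (MOUNT POINT|JUNCTION)$")
_JUNC_SUBST = re.compile(r"^Substitute Name: (.+)$")
# Benign targets: a volume GUID path (real mount point) or a Win32 directory.
_VOLUME = re.compile(r"^\\\?\?\\Volume\{[0-9a-f-]+\}\\?$", re.IGNORECASE)
_DRIVE = re.compile(r"^[A-Za-z]:\\")

def _norm(path):  # collapse doubled backslashes so both tools agree on paths
    return re.sub(r"\\{2,}", lambda _: "\\", path)

def parse_win32kdiag(text):
    points, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _W32_PATH.match(line)
        if m:
            pending = m.group(1)
            continue
        m = _W32_DEST.match(line)
        if m and pending is not None:
            points.append(ReparsePoint(_norm(pending), "MOUNT POINT", m.group(1)))
            pending = None
    return points

def parse_junction(text):
    points, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _JUNC_PATH.match(line)
        if m:
            pending = (_norm(m.group(1)), m.group(2))
            continue
        m = _JUNC_SUBST.match(line)  # "Print Name :" lines are ignored
        if m and pending is not None:
            points.append(ReparsePoint(pending[0], pending[1], m.group(1)))
            pending = None
    return points

def classify(rp):
    if _VOLUME.match(rp.target):
        return "volume-mount"
    if _DRIVE.match(rp.target):
        return "directory-junction"
    return "suspicious"  # e.g. an arbitrary \Device\ object, as in the logs above

def is_self_named(path):  # the Config\Config, PIF\PIF shape from the logs above
    parts = [p for p in path.split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()

def triage(points):  # (path, kind, reasons) for every reparse point worth a look
    findings, seen = [], set()
    for rp in points:
        if rp.path.lower() in seen:
            continue  # same directory reported by both tools
        seen.add(rp.path.lower())
        reasons = []
        if classify(rp) == "suspicious":
            reasons.append(f"target {rp.target!r} is not a volume or directory")
        if is_self_named(rp.path):
            reasons.append("child directory repeats its parent's name")
        if reasons:
            findings.append((rp.path, rp.kind, reasons))
    return findings

# Constructed sample output in the formats pasted above (the GUID is made up).
SAMPLE_WIN32KDIAG = r"""
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
"""
SAMPLE_JUNCTION = r"""
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file.
...\\?\c:\\WINDOWS\Config\Config: MOUNT POINT
Substitute Name: \Device\__max++>\^
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
\\?\c:\\Data: MOUNT POINT
Substitute Name: \??\Volume{3c6a1f20-1111-2222-3333-444444444444}\
"""

if __name__ == "__main__":
    for path, kind, reasons in triage(parse_win32kdiag(SAMPLE_WIN32KDIAG) + parse_junction(SAMPLE_JUNCTION)):
        print(f"{kind}: {path}")
        for reason in reasons:
            print("    -", reason)
```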

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 01 December 2009 - 09:08 AM

Hi,

No, it's fine. I just wanted to make sure that your Desktop wasn't locked to you.

Please run win32kdiag.exe again with the following command to fix some malware-related changes.
Please make sure that a copy of win32kdiag.exe is located on your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Please also run a scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#7 slands

slands
  • Topic Starter

  • Members
  • 11 posts

Posted 01 December 2009 - 10:46 AM

Thanks! (edited - wrong Win32Diag log originally pasted)


Win32Diag:

Running from: C:\Documents and Settings\clisslands\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\clisslands\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

--------------------------

GMER:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 15:46:01
Windows 5.1.2600 Service Pack 3
Running: ekei6u1e.exe; Driver: C:\DOCUME~1\CLISSL~1\LOCALS~1\Temp\pwldafog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc) ZwCreateKey [0xA949EFA0]
SSDT \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc) ZwDeleteKey [0xA949F0F6]
SSDT \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc) ZwSetValueKey [0xA949F15C]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA92D80B0]

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbhub \Device\00000097 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\00000099 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

---- Files - GMER 1.0.15 ----

ADS C:\Program Files\Mozilla Firefox\?????????????s?????G???????????????????????????????????????????:??????????S???????????????????p??????????????????????????????X?????????s???????????????????????????????????????????????? 61440 bytes executable

---- EOF - GMER 1.0.15 ----

Cheers!

Edited by slands, 01 December 2009 - 10:51 AM.
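The GMER log above contains the four entry types a helper reads first: SSDT hooks (here from the Sophos and SUPERAntiSpyware drivers), AttachedDevice filter drivers on the NTFS and keyboard stacks, "?" kernel code-section entries whose driver file is missing (left behind by ComboFix/catchme and Process Explorer), and an alternate data stream under the Firefox folder with an unprintable name that GMER marks as 61440 bytes and executable. The script below is an added example, not part of the thread and not GMER's own code: it parses a log in that format and rates each entry. The vendor allowlist, the severity rules and the sample log (modelled on the posted one, with one hypothetical unrecognised hook, kbhook.sys, added so the "unknown module" path is exercised) are assumptions, not facts from the thread.

```python
"""Triage a GMER 1.0.15 rootkit-scan log (added example, not GMER's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# ASSUMPTION: vendors whose hooks/filters are expected on this machine, taken from
# the products visible in the posted log. GMER prints the vendor from the file's
# version info, which anyone can forge, so the allowlist only decides what is
# routine versus what needs a closer look; it is not proof of legitimacy.
EXPECTED_VENDORS = ("Sophos Plc", "SUPERAntiSpyware.com", "VMware, Inc.", "Synaptics, Inc.")

# Constructed sample in GMER's log format. kbhook.sys is hypothetical.
SAMPLE_LOG = r"""
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 15:46:01
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\savonaccesscontrol.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc) ZwCreateKey [0xA949EFA0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA92D80B0]
SSDT \SystemRoot\system32\drivers\kbhook.sys ZwOpenProcess [0xA9123456]

---- Kernel code sections - GMER 1.0.15 ----

? C:\ComboFix\catchme.sys The system cannot find the path specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Files - GMER 1.0.15 ----

ADS C:\Program Files\Mozilla Firefox\?????s??G???:????S???p???X???s???? 61440 bytes executable

---- EOF - GMER 1.0.15 ----
"""

# One regex per entry type. The '(description/vendor)' part is optional because
# GMER omits it when the file carries no version information.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?\.sys)\s+(?:\((?P<info>.*)\)\s+)?(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$", re.I)
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)(?:\s+\((?P<info>.*)\))?$")
MISSING_RE = re.compile(r"^\?\s+(?P<path>.+?)\s+The system cannot find the (?:file|path) specified\.\s*!$")
ADS_RE = re.compile(r"^ADS\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes(?P<exe>\s+executable)?$")


@dataclass
class Finding:
    kind: str
    severity: str  # "high" | "medium" | "low" | "info"
    subject: str
    note: str


def is_expected(info: str | None) -> bool:
    """True when the version-info string names an allowlisted vendor."""
    return bool(info) and any(v in info for v in EXPECTED_VENDORS)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log entry worth a look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            subject = f"{m['func']} <- {m['module']}"
            if is_expected(m["info"]):
                findings.append(Finding("ssdt_hook", "info", subject, "hook belongs to an expected security product"))
            else:
                findings.append(Finding("ssdt_hook", "high", subject, "SSDT hook by a module with no recognised vendor info; inspect the file on disk"))
        elif m := ATTACHED_RE.match(line):
            where = "filesystem filter" if m["driver"].lower().startswith(r"\filesystem") else "device filter"
            if "keyboard" in m["device"].lower():
                where = "keyboard filter (keystroke-capture position)"
            sev = "info" if is_expected(m["info"]) else "high"
            findings.append(Finding("attached_device", sev, f"{m['module']} on {m['device']}", where))
        elif m := MISSING_RE.match(line):
            findings.append(Finding("missing_driver", "medium", m["path"],
                                    "driver is registered but its file is gone; often a stale entry left by a removal tool, but confirm and delete the service entry"))
        elif m := ADS_RE.match(line):
            name = m["path"].rsplit("\\", 1)[-1]
            # GMER prints '?' for characters it cannot render; a stream name made of
            # them is a classic hiding technique and deserves the top rating.
            garbled = any(c == "?" or not c.isprintable() for c in name)
            sev = "high" if (m["exe"] and garbled) else "medium" if m["exe"] else "low"
            note = f"{m['size']} bytes" + (" executable" if m["exe"] else "") + (", unprintable stream name" if garbled else "")
            findings.append(Finding("ads", sev, m["path"], note))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a log can be compared before/after cleanup."""
    counts = {"high": 0, "medium": 0, "low": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:16} {f.subject}  ({f.note})")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a saved gmer.log instead of SAMPLE_LOG to get a quick before/after comparison between scans; anything rated high still needs a human to look at the file on disk, because the vendor string GMER shows comes from version info that malware is free to copy.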


#8 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:10:06 AM

Posted 01 December 2009 - 11:34 AM

Hi,

How is your PC doing now?

Could you please reboot your PC once and run a new scan with gmer afterwards.
Please also run an onlinescan after that:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
regards myrti



#9 slands

slands
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 02 December 2009 - 06:31 PM

Hi,

I've not had a chance to run GMER while disconnected from the Net, will try do that tomorrow. The ESET scan came back with no errors.

I've checked and the avabon redirect does not seem to be occurring now, I'll keep an eye on it however.

I'll post the GMER log tomorrow, thanks for your help!

#10 slands

slands
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 10 December 2009 - 06:39 PM

Hi, sorry, I've let this slip. I've still not had a chance to run GMER when offline, however as far as I can tell the redirect issues are resolved. Many thanks for all the help. Is there a particular step which would have removed the redirect issues? I'll post the GMER log asap for completeness, thanks again everyone for the help, OrangeBlossom and myrti I owe you both a pint :(

#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:10:06 AM

Posted 11 December 2009 - 12:01 PM

Hi,

It was pretty much a combination of all the tools we used. Every tool used deleted a part of the infection.

Please also run OTL when you find the time, to see what is still active on your PC:

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the [image] icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the [image] button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
regards myrti



#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:10:06 AM

Posted 25 December 2009 - 06:14 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

