Infected with Guard Online & TDSS redirecting


This topic is locked
30 replies to this topic

#1 clrlar97 (Members, 15 posts)

Posted 09 October 2011 - 01:35 AM

I have tried the online fix suggestions such as re-starting in safe mode, downloading MalwareBytes, and then running a scan. However, it doesn't allow me to run a scan - it aborts before completion, then on attempt to rescan says file cannot run due to lack of permission. I have also tried Emsisoft Malware scan, but it won't let it complete a scan, either. I am attaching the requested DDS text files. I am also attaching the GMER log as best as I can provide. These are the GMER results that were generated when launching GMER the first time. However, after unchecking the required boxes to be unchecked and then running a scan, the malware shuts the GMER down before it completes the scan. It aborts and then I get the "Blue Screen of Death" followed by auto re-boot. Using other tools to search for rootkits also result in the malware aborting before the scan is complete. I also get the (BSOD) when I try to kill a Guard Online malware process in Windows task manager.

Thank you in advance for your help.

Attached Files

#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 11 October 2011 - 09:47 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\Windows\3698817051
  • Press the Create button and post the content of Result.txt.

Important: Restart the computer.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 14 October 2011 - 12:25 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 clrlar97 (Topic Starter, Members, 15 posts)

Posted 14 October 2011 - 11:29 AM

I need a bit more time. I expect to post/respond with the requested logs and answers to questions by later today. Thank you.

#5 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 14 October 2011 - 12:59 PM

no problem


gringo

#6 clrlar97 (Topic Starter, Members, 15 posts)

Posted 14 October 2011 - 01:59 PM

First - thank you very much for your help.

As for any problems: I did not have any while running the requested functions.

As for how the computer works: I no longer seem to have the internet redirects as before.

I am attempting to re-enable Anti-Virus and Anti-Malware programs, and it appears that I cannot re-enable AVG Anti-Virus Free Edition 2012. In the "System Overview" screen, Anti-Virus is listed as Not Active. When I click the "Fix" button, an error message is returned: "Could not finish automatic state repair. We weren't able to fix one or more components." When I attempt to update the software, I click Update Now, the update downloads, but it does not install and returns the error message: "Update failed. General error."

Nor am I able to run a scan using MalwareBytes. When I click on mbam.exe, I receive the error message "Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item."



Below are the requested logs; thank you.



DummyCreator by Farbar
Ran by Christopher (administrator) on 14-10-2011 at 12:10:28
**************************************************************

C:\Windows\3698817051 [14-10-2011 12:10:28]

== End of log ==


ComboFix 11-10-14.03 - Christopher 10/14/2011 12:41:04.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.1571 [GMT -5:00]
Running from: c:\users\Christopher\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Emsisoft Anti-Malware *Disabled/Updated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Emsisoft Anti-Malware *Disabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\prefs.js
c:\users\Christopher\AppData\Roaming\blONtxP0uSiDoG
c:\users\Christopher\AppData\Roaming\blONtxP0uSiDoG\Guard Online .ico
c:\users\Christopher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Guard Online
c:\users\Christopher\AppData\Roaming\rXqjYCekIrOtAuS
c:\users\Christopher\AppData\Roaming\rXqjYCekIrOtAuS\Guard Online .ico
c:\users\Christopher\AppData\Roaming\sWWWKK8fRL9
c:\users\Christopher\AppData\Roaming\sWWWKK8fRL9\Guard Online .ico
c:\users\Christopher\Desktop\Guard Online .lnk
c:\windows\$NtUninstallKB37723$
c:\windows\$NtUninstallKB37723$\2608725248
c:\windows\$NtUninstallKB37723$\460879836\@
c:\windows\$NtUninstallKB37723$\460879836\bckfg.tmp
c:\windows\$NtUninstallKB37723$\460879836\cfg.ini
c:\windows\$NtUninstallKB37723$\460879836\Desktop.ini
c:\windows\$NtUninstallKB37723$\460879836\keywords
c:\windows\$NtUninstallKB37723$\460879836\kwrd.dll
c:\windows\$NtUninstallKB37723$\460879836\L\qnbwvoto
c:\windows\$NtUninstallKB37723$\460879836\lsflt7.ver
c:\windows\$NtUninstallKB37723$\460879836\U\00000001.@
c:\windows\$NtUninstallKB37723$\460879836\U\00000002.@
c:\windows\$NtUninstallKB37723$\460879836\U\80000000.@
c:\windows\$NtUninstallKB37723$\460879836\U\80000032.@
c:\windows\3698817051
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1b7877dc
.
.
((((((((((((((((((((((((( Files Created from 2011-09-14 to 2011-10-14 )))))))))))))))))))))))))))))))
.
.
2011-10-14 17:52 . 2011-10-14 17:56 -------- d-----w- c:\users\Christopher\AppData\Local\temp
2011-10-14 17:52 . 2011-10-14 17:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-14 15:36 . 2011-10-14 15:36 -------- d--h--w- c:\windows\PIF
2011-10-09 12:46 . 2011-10-09 12:46 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-09 06:09 . 2011-10-09 06:11 -------- d-----w- c:\program files\Emsisoft HiJackFree
2011-10-09 05:45 . 2011-10-09 12:30 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-10-09 04:42 . 2011-10-09 06:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-09 04:39 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-09 03:41 . 2011-10-09 03:49 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-09 02:34 . 2011-10-09 02:34 -------- d-----w- c:\users\Christopher\AppData\Roaming\Malwarebytes
2011-10-09 02:34 . 2011-10-09 02:34 -------- d-----w- c:\programdata\Malwarebytes
2011-10-09 02:34 . 2011-10-09 06:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-09 01:58 . 2011-10-09 01:58 -------- d-----w- c:\users\Christopher\AppData\Roaming\e6sWK7fELgZjCkV
2011-10-09 01:30 . 2011-10-09 01:30 -------- d-----w- c:\users\Christopher\AppData\Roaming\jibD3pnG4Q6W7R9
2011-10-09 01:21 . 2011-10-09 01:21 -------- d-----w- c:\users\Christopher\AppData\Roaming\USS22obbF3pG5QJ
2011-10-09 01:21 . 2011-10-09 01:21 3037184 ----a-w- c:\windows\system32\L33ppmGG5aJ6dK8.vir
2011-10-09 01:21 . 2011-10-09 01:21 -------- d-----w- c:\users\Christopher\AppData\Roaming\uAA11uvvS2oF
2011-10-06 04:38 . 2011-10-06 04:38 -------- d-----w- c:\program files\AVG Secure Search
2011-10-06 04:38 . 2011-10-06 04:38 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-10-06 04:37 . 2011-10-06 04:37 -------- d-----w- c:\users\Christopher\AppData\Roaming\AVG2012
2011-10-06 04:36 . 2011-10-06 12:06 -------- d-----w- c:\programdata\AVG2012
2011-09-16 19:12 . 2011-08-10 12:14 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 04:06 . 2011-06-04 16:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 11:30 . 2011-09-13 11:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-08-13 17:15 . 2011-08-13 17:15 0 ---ha-w- c:\users\Christopher\AppData\Local\BIT41C5.tmp
2011-08-08 11:08 . 2011-08-08 11:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-08-05 13:44 . 2011-08-05 13:44 0 ---ha-w- c:\users\Christopher\AppData\Local\BITA161.tmp
2011-07-22 13:54 . 2011-08-10 16:06 1383424 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-09-01 14:16 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-31 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-08 4853760]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-03 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"emsisoft anti-malware"="c:\program files\emsisoft anti-malware\a2guard.exe" [2011-10-05 3560336]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\Christopher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\users\Christopher\AppData\Roaming\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2010-4-9 22486]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-29 535336]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAddPrinter"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3317061583-2419336857-3153723009-1003]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-09-12 5265248]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 135664]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-09-01 1025352]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 DsAudioDevice_282;DsAudioDevice_282;c:\windows\system32\drivers\DsAudioDevice_282.sys [2009-01-09 16640]
R3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-31 24064]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 135664]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [2011-05-19 17904]
S1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [2011-05-15 34768]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [2010-05-05 11776]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-07-11 229840]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2011-10-05 3070944]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-10-06 246600]
S3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2011-08-12 51632]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-07-11 16720]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 05:11]
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 05:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=extensa_4420
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=extensa_4420
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 216.167.161.35 216.167.161.36
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\users\Christopher\AppData\Roaming\Mozilla\Firefox\Profiles\d6uy2wr0.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4dbd546e&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Add to Amazon Wish List Button: amznUWL2@amazon.com - %profile%\extensions\amznUWL2@amazon.com
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-AMD_Display - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-14 12:56
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5996)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
c:\windows\System32\SndVolSSO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ENET\ENMTRAY.EXE
c:\programdata\U3\U3Launcher\LaunchU3.exe
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\users\CHRIST~1\AppData\Local\Temp\RtkBtMnt.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2011-10-14 13:20:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-14 18:19
.
Pre-Run: 36,481,363,968 bytes free
Post-Run: 35,813,122,048 bytes free
.
- - End Of File - - B86E88C180E91CE90D69E1FAF52856E0

Edited by clrlar97, 14 October 2011 - 02:55 PM.


#7 clrlar97 (Topic Starter, Members, 15 posts)

Posted 14 October 2011 - 02:11 PM

[deleted and added to post above]

Edited by clrlar97, 14 October 2011 - 02:13 PM.


#8 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 14 October 2011 - 04:20 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

Let me know if this fixes your security programs.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\users\Christopher\AppData\Local\BIT41C5.tmp
c:\users\Christopher\AppData\Local\BITA161.tmp
c:\windows\system32\L33ppmGG5aJ6dK8.vir

Folder::
c:\users\Christopher\AppData\Roaming\e6sWK7fELgZjCkV
c:\users\Christopher\AppData\Roaming\jibD3pnG4Q6W7R9
c:\users\Christopher\AppData\Roaming\USS22obbF3pG5QJ
c:\users\Christopher\AppData\Roaming\uAA11uvvS2oF

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

In your next post I need the following:
  • Report from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

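The choice of what went into that CFScript follows from reading the log's "Files Created" and "Find3M" entries: random-named folders directly under AppData\Roaming, a .vir file dropped straight into system32, and the zero-byte hidden BIT*.tmp files. The Python below is an added example, not code from the thread or from ComboFix; it parses entries in that log format, applies those three heuristics, and renders the hits in the File::/Folder:: form shown above. The sample lines are constructed from entries quoted in this thread, and the rules are assumptions that a person still checks against the full log.

```python
"""Triage ComboFix 'Files Created' / 'Find3M' entries the way a helper reads them.

Added example, not part of this thread or of ComboFix. The sample log is
constructed in the entry format quoted in the thread; every rule here is a
heuristic (an assumption), so a person still reviews each hit.
"""
import re
from typing import Dict, List, Tuple

# One entry: "<created> . <modified> <size or --------> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Extensions normally found directly in system32; anything else gets a look.
SYSTEM32_OK_EXT = {".dll", ".exe", ".sys", ".cpl", ".tlb", ".ocx", ".drv",
                   ".dat", ".mui", ".nls", ".ax", ".scr"}
Finding = Tuple[str, str, str]  # (CFScript section, path, reason)


def looks_random(name: str) -> bool:
    """Digits plus mixed case with frequent case flips, as in e6sWK7fELgZjCkV.

    Vendor folders such as Malwarebytes (no digits) or AVG2012 (no lowercase) pass.
    """
    letters = [c for c in name if c.isalpha()]
    if not (any(c.isdigit() for c in name)
            and any(c.isupper() for c in letters)
            and any(c.islower() for c in letters)):
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= 3


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Keep only lines in the entry format; section headers and dots are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Finding]:
    """Apply the three patterns the CFScript in this thread goes after."""
    findings: List[Finding] = []
    for e in entries:
        path, attrs = e["path"].rstrip("\\"), e["attrs"]
        low = path.lower()
        parent, leaf = low.rsplit("\\", 1)[0], path.rsplit("\\", 1)[-1]
        is_dir = attrs.startswith("d")
        # 1. random-named folder directly under AppData\Roaming
        if is_dir and parent.endswith("\\appdata\\roaming") and looks_random(leaf):
            findings.append(("Folder", path, "random-looking folder under AppData\\Roaming"))
        # 2. file dropped directly into system32 with an extension that does not belong
        if not is_dir and parent.endswith("\\windows\\system32"):
            ext = "." + leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
            if ext not in SYSTEM32_OK_EXT:
                findings.append(("File", path, f"unusual extension '{ext}' in system32"))
        # 3. zero-byte hidden .tmp left in AppData\Local
        if (not is_dir and e["size"] == "0" and "h" in attrs
                and low.endswith(".tmp") and "\\appdata\\local\\" in low):
            findings.append(("File", path, "zero-byte hidden .tmp in AppData\\Local"))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render hits in the File::/Folder:: layout of the CFScript quoted above."""
    blocks = []
    for section in ("File", "Folder"):
        paths = [p for s, p, _ in findings if s == section]
        if paths:
            blocks.append("\n".join([f"{section}::", *paths]))
    return "\n\n".join(blocks)


# Constructed sample built from entries quoted in this thread (not a full log).
SAMPLE_LOG = r"""
2011-10-09 04:39 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-09 02:34 . 2011-10-09 02:34 -------- d-----w- c:\users\Christopher\AppData\Roaming\Malwarebytes
2011-10-09 01:58 . 2011-10-09 01:58 -------- d-----w- c:\users\Christopher\AppData\Roaming\e6sWK7fELgZjCkV
2011-10-09 01:21 . 2011-10-09 01:21 3037184 ----a-w- c:\windows\system32\L33ppmGG5aJ6dK8.vir
2011-10-09 01:21 . 2011-10-09 01:21 -------- d-----w- c:\users\Christopher\AppData\Roaming\uAA11uvvS2oF
2011-10-06 04:37 . 2011-10-06 04:37 -------- d-----w- c:\users\Christopher\AppData\Roaming\AVG2012
2011-10-06 04:06 . 2011-06-04 16:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-13 17:15 . 2011-08-13 17:15 0 ---ha-w- c:\users\Christopher\AppData\Local\BIT41C5.tmp
"""

if __name__ == "__main__":
    hits = triage(parse_entries(SAMPLE_LOG))
    for section, path, reason in hits:
        print(f"{section:6} {path}  <- {reason}")
    print()
    print(build_cfscript(hits))
```

Legitimate entries in the sample (mbam.sys under drivers, the Malwarebytes and AVG2012 folders, the .cpl in system32) are left alone, so the rendered script contains only the four paths the thread's CFScript also targets.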

#9 clrlar97 (Topic Starter, Members, 15 posts)

Posted 14 October 2011 - 07:00 PM

Thank you again.

I followed your instructions above. Toward the end of running ComboFix, the computer stopped with a multi-color flashing screen and rebooted. I elected to run Windows in "Normal" mode. There was the message "Windows has recovered from an unsuspected shutdown." Here are the details:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 50
BCP1: EC458A9B
BCP2: 00000000
BCP3: 9C987D10
BCP4: 00000002
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini101411-01.dmp
C:\Users\Christopher\AppData\Local\temp\WER-76612-0.sysdata.xml
C:\Users\Christopher\AppData\Local\temp\WERA285.tmp.version.txt


I followed your above instructions again (drag and drop CFScript.txt into ComboFix). Ran normally this time.

I have tried again to re-enable AVG Anti-Virus and run a MalwareBytes scan again with the same results/error messages as reported above (failure).


Here is the ComboFix log:

ComboFix 11-10-14.04 - Christopher 10/14/2011 18:28:50.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2813.1744 [GMT -5:00]
Running from: c:\users\Christopher\Desktop\ComboFix.exe
Command switches used :: c:\users\Christopher\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Emsisoft Anti-Malware *Disabled/Updated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Emsisoft Anti-Malware *Disabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Christopher\AppData\Local\BIT41C5.tmp"
"c:\users\Christopher\AppData\Local\BITA161.tmp"
"c:\windows\system32\L33ppmGG5aJ6dK8.vir"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Christopher\AppData\Local\BIT41C5.tmp
c:\users\Christopher\AppData\Local\BITA161.tmp
c:\users\Christopher\AppData\Roaming\e6sWK7fELgZjCkV
c:\users\Christopher\AppData\Roaming\jibD3pnG4Q6W7R9
c:\users\Christopher\AppData\Roaming\uAA11uvvS2oF
c:\users\Christopher\AppData\Roaming\USS22obbF3pG5QJ
c:\windows\system32\L33ppmGG5aJ6dK8.vir
.
.
((((((((((((((((((((((((( Files Created from 2011-09-14 to 2011-10-14 )))))))))))))))))))))))))))))))
.
.
2011-10-14 23:36 . 2011-10-14 23:37 -------- d-----w- c:\users\Christopher\AppData\Local\temp
2011-10-14 23:36 . 2011-10-14 23:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-14 15:36 . 2011-10-14 15:36 -------- d--h--w- c:\windows\PIF
2011-10-09 12:46 . 2011-10-09 12:46 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-09 06:09 . 2011-10-09 06:11 -------- d-----w- c:\program files\Emsisoft HiJackFree
2011-10-09 05:45 . 2011-10-09 12:30 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-10-09 04:42 . 2011-10-09 06:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-09 04:39 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-09 03:41 . 2011-10-09 03:49 -------- d-----w- C:\TDSSKiller_Quarantine
2011-10-09 02:34 . 2011-10-09 02:34 -------- d-----w- c:\users\Christopher\AppData\Roaming\Malwarebytes
2011-10-09 02:34 . 2011-10-09 02:34 -------- d-----w- c:\programdata\Malwarebytes
2011-10-09 02:34 . 2011-10-09 06:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-06 04:38 . 2011-10-06 04:38 -------- d-----w- c:\program files\AVG Secure Search
2011-10-06 04:38 . 2011-10-06 04:38 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-10-06 04:37 . 2011-10-06 04:37 -------- d-----w- c:\users\Christopher\AppData\Roaming\AVG2012
2011-10-06 04:36 . 2011-10-06 12:06 -------- d-----w- c:\programdata\AVG2012
2011-09-16 19:12 . 2011-08-10 12:14 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 04:06 . 2011-06-04 16:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 11:30 . 2011-09-13 11:30 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-08-08 11:08 . 2011-08-08 11:08 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-07-22 13:54 . 2011-08-10 16:06 1383424 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-09-01 14:16 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-31 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-08 4853760]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-01-07 858632]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-03 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-09-23 2404704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"emsisoft anti-malware"="c:\program files\emsisoft anti-malware\a2guard.exe" [2011-10-05 3560336]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\Christopher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LaunchU3.exe.lnk - c:\users\Christopher\AppData\Roaming\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2010-4-9 22486]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-29 535336]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAddPrinter"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3317061583-2419336857-3153723009-1003]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001
.
R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2011-09-12 5265248]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 135664]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [2011-09-01 1025352]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 DsAudioDevice_282;DsAudioDevice_282;c:\windows\system32\drivers\DsAudioDevice_282.sys [2009-01-09 16640]
R3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-31 24064]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 135664]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-07-11 23120]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-09-13 32592]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files\Emsisoft Anti-Malware\a2ddax86.sys [2011-05-19 17904]
S1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [2011-05-15 34768]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [2010-05-05 11776]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-07-11 229840]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-07-11 295248]
S2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2011-10-05 3070944]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe [2011-10-06 246600]
S3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2011-08-12 51632]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-07-11 134736]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-07-11 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-07-11 16720]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 05:11]
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-09 05:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=extensa_4420
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=extensa_4420
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 216.167.161.35 216.167.161.36
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\8.0.1\ViProtocol.dll
FF - ProfilePath - c:\users\Christopher\AppData\Roaming\Mozilla\Firefox\Profiles\d6uy2wr0.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4dbd546e&v=7.008.031.001&i=23&tp=ab&iy=b&ychte=us&lng=en-US&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG2012\Firefox4
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Garmin Communicator: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E} - %profile%\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
FF - Ext: Add to Amazon Wish List Button: amznUWL2@amazon.com - %profile%\extensions\amznUWL2@amazon.com
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-14 18:36
Windows 6.0.6002 Service Pack 2 NTFS
.
detected NTDLL code modification:
ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-10-14 18:39:55
ComboFix-quarantined-files.txt 2011-10-14 23:39
ComboFix2.txt 2011-10-14 18:20
.
Pre-Run: 35,280,498,688 bytes free
Post-Run: 35,249,844,224 bytes free
.
- - End Of File - - 9E0D5416234A21539EA8D85CDC548F18

#10 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:59 AM

Posted 14 October 2011 - 08:29 PM

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
REM junction.exe was extracted to C:\ in Step One; /d also switches drive if the batch file runs from another one
cd /d c:\
REM -s recurses the whole volume; the report is written to C:\log.txt
junction -s c:\ > log.txt
start log.txt
REM the batch file deletes itself once the log is open
del %0
Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 clrlar97

  • Topic Starter

  • Members
  • 15 posts
  • Local time:10:59 AM

Posted 14 October 2011 - 09:08 PM

Thank you.

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

.
Failed to open \\?\c:\\Program Files\AVG\AVG2012\avgcsrvx.exe: Access is denied.



Failed to open \\?\c:\\Program Files\AVG\AVG2012\AVGIDSAgent.exe: Access is denied.



Failed to open \\?\c:\\Program Files\AVG\AVG2012\avgtray.exe: Access is denied.


..

...

...

.
Failed to open \\?\c:\\Program Files\Emsisoft HiJackFree\a2hjf.com: Access is denied.


..

.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\myapp.exe: Access is denied.



Failed to open \\?\c:\\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe: Access is denied.


..

...

...

...

...

...

...

...

...

...

\\?\c:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

..
Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\bd15882af204d9e7ccc80b34570dd637_b43096ac-1729-412c-a112-ceb5feb63d08: Access is denied.


.

...
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.


\\?\c:\\Qoobox\Quarantine\C\Windows\$NtUninstallKB37723$\2608725248.vir: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config


Failed to open \\?\c:\\System Volume Information\{06a1e325-f22f-11e0-a404-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{1b944cf9-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{1b944f36-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{1b94502f-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{22bb22bb-eec5-11e0-b2cf-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{764882bc-f6ba-11e0-af7d-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{8412ec99-efbe-11e0-8117-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{8412ecc7-efbe-11e0-8117-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{8412eccb-efbe-11e0-8117-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{bc35c19f-f687-11e0-864b-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{e2f284ab-f1bd-11e0-8c2a-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.


\\?\c:\\Users\Christopher\Application Data: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming
Substitute Name: C:\Users\Christopher\AppData\Roaming

\\?\c:\\Users\Christopher\Cookies: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Christopher\Local Settings: JUNCTION
Print Name : C:\Users\Christopher\AppData\Local
Substitute Name: C:\Users\Christopher\AppData\Local

\\?\c:\\Users\Christopher\My Documents: JUNCTION
Print Name : C:\Users\Christopher\Documents
Substitute Name: C:\Users\Christopher\Documents

\\?\c:\\Users\Christopher\NetHood: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Christopher\PrintHood: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Christopher\Recent: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Christopher\SendTo: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Christopher\Start Menu: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Christopher\Templates: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Christopher\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Christopher\AppData\Local
Substitute Name: C:\Users\Christopher\AppData\Local

\\?\c:\\Users\Christopher\AppData\Local\History: JUNCTION
Print Name : C:\Users\Christopher\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Christopher\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Christopher\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Christopher\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Christopher\AppData\Local\Microsoft\Windows\Temporary Internet Files



...

...

...

...

...


Failed to open \\?\c:\\Users\Christopher\Desktop\gmer\log.com: Access is denied.


...\\?\c:\\Users\Christopher\Documents\My Music: JUNCTION
Print Name : C:\Users\Christopher\Music
Substitute Name: C:\Users\Christopher\Music

\\?\c:\\Users\Christopher\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Christopher\Pictures
Substitute Name: C:\Users\Christopher\Pictures

\\?\c:\\Users\Christopher\Documents\My Videos: JUNCTION
Print Name : C:\Users\Christopher\Videos
Substitute Name: C:\Users\Christopher\Videos



...

...

..\\?\c:\\Users\Default\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Cookies: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Default\Local Settings: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\Documents\My Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

.\\?\c:\\Users\Public\Documents\My Music: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos



...

...

...

...
Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp1940.tmp: Access is denied.



Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp6EAD.tmp: Access is denied.



Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp74C7.tmp: Access is denied.



Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp7DC9.tmp: Access is denied.




...

...

...

...

...

...
Failed to open \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\93RHN78T\ion=site_below_header;dcopt=ist;campaign=;page=category;kw=blinkx;pid=16;sz=728x90,728x91;;source=site;t=;tile=1;ord=1732126363604066[1].7: Access is denied.





Failed to open \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\93RHN78T\on=site_below_player;dcopt=ist;campaign=;page=category;kw=blinkx;pid=16;sz=468x62,300x251;;source=site;t=;tile=2;ord=1732126363604066[1].7: Access is denied.


..
Failed to open \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QX09DCXN\11-the-cypher-line-up-2011;dcopt=ist;show=hiphopawards;loc=1;tile=1;ct=specialsflipbookpage;betts=1318139791152;ord=1318140714289;[1].htm: Access is denied.


.
Failed to open \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QX09DCXN\od=;n=hha-11-the-cypher-line-up-2011;show=hiphopawards;loc=2;tile=2;ct=specialsflipbookpage;betts=1318139791708;ord=1318140714289;[1].htm: Access is denied.





Failed to open \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEHVQPZO\location=site_above_results;dcopt=ist;campaign=;page=category;kw=blinkx;pid=16;sz=300x250;;source=site;t=;tile=3;ord=1732126363604066[1].7: Access is denied.


...

Edited by clrlar97, 14 October 2011 - 09:17 PM.
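The junction.exe procedure in post #10 and the log in post #11 come down to one question: which of the reparse points on C: are the stock Vista compatibility junctions (Documents and Settings pointing at Users, Application Data pointing at AppData\Roaming, and so on) and which are not. In the log above only one entry is of the second kind: the SYMBOLIC LINK under c:\Qoobox (ComboFix's quarantine folder) whose substitute name is \systemroot\system32\config. The script below is an added example, not code from either poster or from Sysinternals; it parses a saved `junction -s` log offline, separates the expected legacy junctions from everything else, and collects the "Failed to open ... Access is denied" paths so the blocked executables can be reviewed in one place. The sample log is a constructed excerpt in the format of the one above, and the table of expected junctions is my own list of the Vista/7 redirections, an assumption of the example rather than anything junction.exe reports.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class ReparsePoint(NamedTuple):
    path: str            # normalized, e.g. c:\users\bob\application data
    kind: str            # "JUNCTION" or "SYMBOLIC LINK"
    print_name: str
    substitute_name: str


# Legacy folder name -> target suffixes the stock Vista/7 compatibility
# junction with that name may point at. Assumption of this example
# (assembled from the redirections Vista ships), not junction.exe output.
_MSWIN = r"\microsoft\windows"
EXPECTED_LEGACY_JUNCTIONS: Dict[str, Tuple[str, ...]] = {
    "documents and settings": (r"\users",),
    "application data": (r"\appdata\roaming", r"\appdata\local", r"\programdata"),
    "local settings": (r"\appdata\local",), "my documents": (r"\documents",),
    "desktop": (r"\users\public\desktop",), "documents": (r"\users\public\documents",),
    "favorites": (r"\users\public\favorites",),
    "my music": (r"\music",), "my pictures": (r"\pictures",), "my videos": (r"\videos",),
    **{name: (_MSWIN + "\\" + sub,) for name, sub in (
        ("cookies", "cookies"), ("nethood", "network shortcuts"),
        ("printhood", "printer shortcuts"), ("recent", "recent"), ("sendto", "sendto"),
        ("start menu", "start menu"), ("templates", "templates"), ("history", "history"),
        ("temporary internet files", "temporary internet files"))},
}

_HEADER = re.compile(r"^\\\\\?\\(?P<path>.+?): (?P<kind>JUNCTION|SYMBOLIC LINK)\s*$")
_NAME = re.compile(r"^(?P<which>Print Name|Substitute Name)\s*:\s*(?P<v>.*)$")
_DENIED = re.compile(r"^Failed to open \\\\\?\\(?P<path>.+?): (?P<err>.+)$")


def _normalize(path: str) -> str:
    # "junction -s c:\" prints paths as \\?\c:\\Users; collapse the doubled
    # separator and lower-case so comparisons are case-insensitive like NTFS.
    return path.replace("\\\\", "\\").strip().lower()


def parse_junction_log(text: str) -> Tuple[List[ReparsePoint], List[Tuple[str, str]]]:
    """Return (reparse points, [(path, error)] for every 'Failed to open' line)."""
    points: List[ReparsePoint] = []
    denied: List[Tuple[str, str]] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        d = _DENIED.match(line)
        if d:
            denied.append((_normalize(d.group("path")), d.group("err").strip()))
            continue
        h = _HEADER.match(line)
        if not h:
            continue
        names = {"Print Name": "", "Substitute Name": ""}
        for follow in lines[i + 1:i + 3]:          # the two lines after a header
            n = _NAME.match(follow)
            if n:
                names[n.group("which")] = n.group("v").strip()
        points.append(ReparsePoint(_normalize(h.group("path")), h.group("kind"),
                                   names["Print Name"], names["Substitute Name"]))
    return points, denied


def triage(points: List[ReparsePoint]) -> List[Tuple[ReparsePoint, List[str]]]:
    """Return every reparse point that is not a stock compatibility junction, with reasons."""
    findings = []
    for rp in points:
        reasons = []
        legacy_name = rp.path.rsplit("\\", 1)[-1]
        target = rp.substitute_name.lower().rstrip("\\")
        if rp.kind != "JUNCTION":
            reasons.append("kind is %s; the stock compatibility links are junctions" % rp.kind)
        if legacy_name not in EXPECTED_LEGACY_JUNCTIONS:
            reasons.append("'%s' is not a legacy folder name Windows redirects" % legacy_name)
        elif not any(target.endswith(s) for s in EXPECTED_LEGACY_JUNCTIONS[legacy_name]):
            reasons.append("target %s is not where '%s' normally points" % (target, legacy_name))
        if target.startswith("\\systemroot\\") or "\\system32\\" in target:
            reasons.append("target is inside the Windows system directory")
        if reasons:
            findings.append((rp, reasons))
    return findings


# Constructed excerpt in the format of the junction v1.06 log above, not the full log.
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users

...
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.

\\?\c:\\Users\Christopher\Application Data: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming
Substitute Name: C:\Users\Christopher\AppData\Roaming

\\?\c:\\Qoobox\Quarantine\C\Windows\$NtUninstallKB37723$\2608725248.vir: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config
"""
```

Run it as `python triage_junction.py` after replacing SAMPLE_LOG with the contents of the real log.txt (or reading the file), then print `triage(points)` and the denied list. On the sample the two compatibility junctions pass and the .vir symbolic link is reported with three reasons: it is a symbolic link rather than a junction, its name is not one of the folders Windows redirects, and its target is inside the Windows system directory. The denied list is worth reading separately: on this machine the entries are the AVG, Emsisoft and Malwarebytes executables, which matches the "cannot run due to lack of permission" symptom in the first post.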


#12 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:59 AM

Posted 14 October 2011 - 09:14 PM

Hello

1. make sure junction.exe is on the C drive

2. click on start

3. click on run

4. type CMD into the run box and click on OK

5. copy and paste these lines into the CMD window


cd c:\
junction -s c:\>log.txt
start log.txt

6. wait about 5 min until the report pops up

7. copy and paste this report here

gringo

#13 clrlar97

  • Topic Starter

  • Members
  • 15 posts
  • Local time:10:59 AM

Posted 15 October 2011 - 09:55 AM

I apologize - before seeing your last post at 9:14 I edited my post at 9:17 and added the log.txt report. I realized after posting that there was no result because I had not properly saved junction.exe at C:\. Please see my edited posting above with the corrected contents of the log.txt. Thank you.

I did go ahead and run junction again; here are the results:

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

.
Failed to open \\?\c:\\Program Files\AVG\AVG2012\avgcsrvx.exe: Access is denied.



Failed to open \\?\c:\\Program Files\AVG\AVG2012\AVGIDSAgent.exe: Access is denied.



Failed to open \\?\c:\\Program Files\AVG\AVG2012\avgtray.exe: Access is denied.


..

...

...

.
Failed to open \\?\c:\\Program Files\Emsisoft HiJackFree\a2hjf.com: Access is denied.


..

.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.



Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\myapp.exe: Access is denied.



Failed to open \\?\c:\\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe: Access is denied.


..

...

...

...

...

...

...

...

...

...

\\?\c:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

..
Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\bd15882af204d9e7ccc80b34570dd637_b43096ac-1729-412c-a112-ceb5feb63d08: Access is denied.


Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.


\\?\c:\\Qoobox\Quarantine\C\Windows\$NtUninstallKB37723$\2608725248.vir: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config


Failed to open \\?\c:\\System Volume Information\{06a1e325-f22f-11e0-a404-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{1b944cf9-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{1b944f36-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{1b94502f-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{22bb22bb-eec5-11e0-b2cf-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{764882bc-f6ba-11e0-af7d-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{8412ec99-efbe-11e0-8117-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{8412ecc7-efbe-11e0-8117-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{8412eccb-efbe-11e0-8117-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{bc35c19f-f687-11e0-864b-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.



Failed to open \\?\c:\\System Volume Information\{e2f284ab-f1bd-11e0-8c2a-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.


\\?\c:\\Users\Christopher\Application Data: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming
Substitute Name: C:\Users\Christopher\AppData\Roaming

\\?\c:\\Users\Christopher\Cookies: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Christopher\Local Settings: JUNCTION
Print Name : C:\Users\Christopher\AppData\Local
Substitute Name: C:\Users\Christopher\AppData\Local

\\?\c:\\Users\Christopher\My Documents: JUNCTION
Print Name : C:\Users\Christopher\Documents
Substitute Name: C:\Users\Christopher\Documents

\\?\c:\\Users\Christopher\NetHood: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Christopher\PrintHood: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Christopher\Recent: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Christopher\SendTo: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Christopher\Start Menu: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Christopher\Templates: JUNCTION
Print Name : C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Christopher\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Christopher\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Christopher\AppData\Local
Substitute Name: C:\Users\Christopher\AppData\Local

\\?\c:\\Users\Christopher\AppData\Local\History: JUNCTION
Print Name : C:\Users\Christopher\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Christopher\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Christopher\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Christopher\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Christopher\AppData\Local\Microsoft\Windows\Temporary Internet Files




Failed to open \\?\c:\\Users\Christopher\Desktop\gmer\log.com: Access is denied.


\\?\c:\\Users\Christopher\Documents\My Music: JUNCTION
Print Name : C:\Users\Christopher\Music
Substitute Name: C:\Users\Christopher\Music

\\?\c:\\Users\Christopher\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Christopher\Pictures
Substitute Name: C:\Users\Christopher\Pictures

\\?\c:\\Users\Christopher\Documents\My Videos: JUNCTION
Print Name : C:\Users\Christopher\Videos
Substitute Name: C:\Users\Christopher\Videos



\\?\c:\\Users\Default\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Cookies: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Default\Local Settings: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\Documents\My Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\Public\Documents\My Music: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos



Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp1940.tmp: Access is denied.



Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp6EAD.tmp: Access is denied.



Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp74C7.tmp: Access is denied.



Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp7DC9.tmp: Access is denied.



Failed to open \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\93RHN78T\ion=site_below_header;dcopt=ist;campaign=;page=category;kw=blinkx;pid=16;sz=728x90,728x91;;source=site;t=;tile=1;ord=1732126363604066[1].7: Access is denied.



Failed to open \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\93RHN78T\on=site_below_player;dcopt=ist;campaign=;page=category;kw=blinkx;pid=16;sz=468x62,300x251;;source=site;t=;tile=2;ord=1732126363604066[1].7: Access is denied.


Failed to open \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QX09DCXN\11-the-cypher-line-up-2011;dcopt=ist;show=hiphopawards;loc=1;tile=1;ct=specialsflipbookpage;betts=1318139791152;ord=1318140714289;[1].htm: Access is denied.


Failed to open \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QX09DCXN\od=;n=hha-11-the-cypher-line-up-2011;show=hiphopawards;loc=2;tile=2;ct=specialsflipbookpage;betts=1318139791708;ord=1318140714289;[1].htm: Access is denied.




Failed to open \\?\c:\\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEHVQPZO\location=site_above_results;dcopt=ist;campaign=;page=category;kw=blinkx;pid=16;sz=300x250;;source=site;t=;tile=3;ord=1732126363604066[1].7: Access is denied.


Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.



Edited by clrlar97, 15 October 2011 - 09:59 AM.


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:59 AM

Posted 15 October 2011 - 01:50 PM

Hello

We need to reset some permissions that the virus changed.

Download GrantPerms.zip and save it to your desktop.

Unzip the file and, depending on the system, run GrantPerms.exe or GrantPerms64.exe.
Copy and paste the following in the edit box:

c:\\Program Files\AVG\AVG2012\avgcsrvx.exe
c:\\Program Files\AVG\AVG2012\AVGIDSAgent.exe
c:\\Program Files\AVG\AVG2012\avgtray.exe
c:\\Program Files\Emsisoft HiJackFree\a2hjf.com
c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe
c:\\Program Files\Malwarebytes' Anti-Malware\myapp.exe
c:\\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
c:\\System Volume Information\{06a1e325-f22f-11e0-a404-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{1b944cf9-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{1b944f36-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{1b94502f-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{22bb22bb-eec5-11e0-b2cf-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{764882bc-f6ba-11e0-af7d-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{8412ec99-efbe-11e0-8117-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{8412ecc7-efbe-11e0-8117-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{8412eccb-efbe-11e0-8117-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{bc35c19f-f687-11e0-864b-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\System Volume Information\{e2f284ab-f1bd-11e0-8c2a-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\\Users\Christopher\Desktop\gmer\log.com
c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp1940.tmp
c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp6EAD.tmp
c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp74C7.tmp
c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp7DC9.tmp
c:\\Windows\System32\LogFiles\WMI\RtBackup

Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#15 clrlar97

clrlar97
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:10:59 AM

Posted 15 October 2011 - 03:36 PM

Thank you, Gringo. Here are the results of running GrantPerms:


GrantPerms by Farbar
Ran by Christopher at 2011-10-15 15:33:37

===============================================
\\?\c:\\Program Files\AVG\AVG2012\avgcsrvx.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\AVG\AVG2012\AVGIDSAgent.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\AVG\AVG2012\avgtray.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\Emsisoft HiJackFree\a2hjf.com

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\Malwarebytes' Anti-Malware\myapp.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{06a1e325-f22f-11e0-a404-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{1b944cf9-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: The system cannot find the file specified.


Operating system error message: The system cannot find the file specified.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{1b944f36-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: The system cannot find the file specified.


Operating system error message: The system cannot find the file specified.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{1b94502f-ea9c-11e0-88c7-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: The system cannot find the file specified.


Operating system error message: The system cannot find the file specified.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{22bb22bb-eec5-11e0-b2cf-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: The system cannot find the file specified.


Operating system error message: The system cannot find the file specified.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{764882bc-f6ba-11e0-af7d-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{8412ec99-efbe-11e0-8117-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{8412ecc7-efbe-11e0-8117-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{8412eccb-efbe-11e0-8117-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{bc35c19f-f687-11e0-864b-000000000000}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
ERROR: Parsing the SD of <\\?\c:\\System Volume Information\{e2f284ab-f1bd-11e0-8c2a-001d72c87d35}{3808876b-c176-4e48-b7ae-04046e6cc752}> failed with: Access is denied.


Operating system error message: Access is denied.
\\?\c:\\Users\Christopher\Desktop\gmer\log.com

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp1940.tmp

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\NETWORK SERVICE FULL ALLOW (I)


\\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp6EAD.tmp

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\NETWORK SERVICE FULL ALLOW (I)


\\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp74C7.tmp

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\NETWORK SERVICE FULL ALLOW (I)


\\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp7DC9.tmp

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Users READ/EXECUTE ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\NETWORK SERVICE FULL ALLOW (I)


\\?\c:\\Windows\System32\LogFiles\WMI\RtBackup

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
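The two steps above (pull the "Access is denied" paths out of the junction.exe listing in post #13, then read the Perms.txt that GrantPerms produces after Unlock) were done by hand in this thread. The Python below, an added example that is not part of the thread and not code from junction.exe or GrantPerms, automates both: it builds the GrantPerms paste list from junction output, skipping in-use files and locations that deny an elevated admin by design, and then grades each Perms.txt entry. Both sample texts are constructed in the tools' formats; `c:\Program Files\Example AV\scanner.exe` is a hypothetical path carrying the kind of explicit DENY entry that locks even an administrator out of a scanner binary, which is the condition the Unlock step exists to undo. The "Access is denied" errors on System Volume Information in the output above are treated as expected, because that folder is SYSTEM-only by default; they are not evidence of infection.

```python
"""Triage for the two tool outputs in this thread: junction.exe -s (which files the admin
cannot open) and GrantPerms Perms.txt. Added example; sample texts are constructed."""
import re

FAIL_RE = re.compile(r"^Failed to open (?P<path>.+?): (?P<reason>.+)$")
ERR_RE = re.compile(r"^ERROR: Parsing the SD of <(?P<path>.+)> failed with: (?P<msg>.+)$")
DACL_RE = re.compile(r"^DACL(?:\([A-Z]+\))*:$")
ACE_RE = re.compile(r"^(?P<trustee>.+?)\s+(?P<rights>\S+)\s+(?P<kind>ALLOW|DENY)\s+(?P<flags>(?:\([A-Z]+\))+)$")
FLAG_RE = re.compile(r"\(([A-Z]+)\)")

# "Access is denied" here is normal even for an elevated admin (assumption from Vista/7
# defaults: SYSTEM-only folders, per-key ACLs in MachineKeys, ComboFix's locked Qoobox).
EXPECTED_DENIED = ("\\System Volume Information\\", "\\Crypto\\RSA\\MachineKeys\\",
                   "\\LogFiles\\WMI\\RtBackup", "\\Qoobox\\")

def expected(path):
    return any(m.lower() in path.lower() for m in EXPECTED_DENIED)

def candidate_paths(junction_text):
    """Files junction.exe was denied on that an admin normally can open: the GrantPerms list."""
    out = []
    for line in junction_text.splitlines():
        m = FAIL_RE.match(line.strip())
        # in-use files (pagefile.sys, hiberfil.sys) fail with a different reason and are skipped
        if m and m["reason"] == "Access is denied." and not expected(m["path"]):
            out.append(m["path"].removeprefix("\\\\?\\"))   # drop the long-path prefix
    return out

def parse_perms(perms_text):
    """Perms.txt -> list of dicts: path, owner, flags (DACL control bits), aces, error."""
    entries, cur = [], None
    for raw in perms_text.splitlines():
        line = raw.strip()
        m = ERR_RE.match(line)
        if m:                                    # unreadable security descriptor
            entries.append({"path": m["path"], "error": m["msg"], "owner": "", "flags": (), "aces": []})
            cur = None
        elif line.startswith("\\\\?\\"):         # start of a normal entry
            cur = {"path": line, "error": "", "owner": "", "flags": (), "aces": []}
            entries.append(cur)
        elif cur is None:                        # header and OS-message lines
            continue
        elif line.startswith("Owner:"):
            cur["owner"] = line.split(":", 1)[1].strip()
        elif DACL_RE.match(line):
            cur["flags"] = tuple(FLAG_RE.findall(line))        # e.g. ("P", "AI")
        elif m := ACE_RE.match(line):
            cur["aces"].append((m["trustee"], m["rights"], m["kind"], tuple(FLAG_RE.findall(m["flags"]))))
    return entries

# A healthy binary under Program Files on Vista/7: these three ALLOW entries and no DENY.
BASELINE = (("BUILTIN\\Administrators", "FULL"), ("NT AUTHORITY\\SYSTEM", "FULL"),
            ("BUILTIN\\Users", "READ/EXECUTE"))

def assess(entry):
    """(severity, message) list; block = a scanner still gets Access is denied, info = explained."""
    if entry["error"]:
        if expected(entry["path"]):
            return [("info", "expected, SYSTEM-only location: " + entry["error"])]
        return [("block", "security descriptor unreadable: " + entry["error"])]
    findings, allow = [], {}
    for trustee, rights, kind, _flags in entry["aces"]:
        if kind == "DENY":
            findings.append(("block", f"explicit DENY {rights} for {trustee}"))
        else:
            allow.setdefault(trustee, set()).add(rights)
    for trustee, rights in BASELINE:
        have = allow.get(trustee, set())
        if rights not in have and "FULL" not in have:       # FULL implies every lesser right
            findings.append(("block", f"missing ALLOW {rights} for {trustee}"))
    if "P" in entry["flags"]:
        findings.append(("info", "protected DACL (P): explicit ACEs, inheritance from parent disabled"))
    return findings

def blocked_paths(perms_text):
    return [e["path"] for e in parse_perms(perms_text) if any(s == "block" for s, _ in assess(e))]

# Constructed samples in the two formats (not the thread's logs). Example AV\scanner.exe is a
# hypothetical path carrying the kind of DENY entry that locks even an elevated admin out.
SAMPLE_JUNCTION = r"""Failed to open \\?\c:\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\System Volume Information\{00000000-0000-0000-0000-000000000000}: Access is denied.
Failed to open \\?\c:\Users\Admin\Desktop\gmer\log.com: Access is denied.
"""
SAMPLE_PERMS = r"""\\?\c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\Program Files\Example AV\scanner.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Users FULL DENY (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)

ERROR: Parsing the SD of <\\?\c:\System Volume Information\{00000000-0000-0000-0000-000000000000}> failed with: Access is denied.
"""
```

`candidate_paths(open("log.txt").read())` gives the lines to paste into GrantPerms, and `blocked_paths(open("Perms.txt").read())` lists what is still locked after Unlock. On the machine itself the same check is `icacls "<path>"` from an elevated prompt, and `icacls "<path>" /reset` restores the inherited default ACL; the `(P)` and `(NI)` markers in the listing above mean those ACLs are explicit rather than inherited, so compare them with a clean install before deciding whether to reset them.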



