Hi there - I am having the exact same problems as Sisaly is - I cannot run the programs on my computer, google search is hijacked. I have MBAM installed - I cannot run it at all. It will , however, run from setup file but once the scan starts the program disappears after about 5 seconds. Spybot S&D does the same thing - it starts running a scan then disappears. Sometimes my computer also restarts itself. I was able to dl and install a program called STOPzilla which found 38 infections...but now it wants me to buy it before I can remove them? I am very tired of all this and at my wit's end - I have tried everything I can think of but NOTHING will run. Please help?
StephieC981 0 Newbie Poster
PhilliePhan 171 Central Scrutinizer Team Colleague
Sisaly 0 Newbie Poster
Stopzilla IS malware and a scam for your money. That's what these types of viruses are. I hope you get it worked out.
Heck, I hope I get it worked out.
Renaming files hasn't worked for me so far. :(
StephieC981 0 Newbie Poster
Stopzilla IS malware and a scam for your money. That's what these types of viruses are. I hope you get it worked out.
Heck, I hope I get it worked out.Renaming files hasn't worked for me so far. :(
hey sisaly i hope we both get this worked out! srry for hijacking your thread i found this by searching svchasts.exe in google and after spending 24 hours searching for help guess I'm a little fried on my net-etiquette. i will start my own thread tomorrow (too tired now) good luck to u :)
Edit: ok guess i have my own thread now lol. I am running Windows XP Phillie, but as its almost 2 a.m. here I'm going to get some sleep and working on posting details/logs tomorrow. However I do want to let you know that this all started this morning with the sudden appearance of "Windows Police Pro" which seems to be affecting a lot of people all of a sudden.
Will post more tomorrow. thank you!
PhilliePhan 171 Central Scrutinizer Team Colleague
Will post more tomorrow. thank you!
Happy to try to help :)
PhilliePhan 171 Central Scrutinizer Team Colleague
Hi Stephie,
Here is my canned spiel:
As it turns out, this infection is major nasty!
Looks like there are some serious rootkit components to this and our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.
However, if you'd like to give cleaning this a shot, we can try to get combofix to run.
If you'd like to continue, please do the following:
Please Download Win32kDiag and save it to your Desktop.
• http://ad13.geekstogo.com/Win32kDiag.exe
• http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe
-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.
I will check back as soon as time permits.
Cheers :)
PP
StephieC981 0 Newbie Poster
Hey Phillie here is the Win32kdiag log you requested -
Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18D.tmp\ZAP18D.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP295.tmp\ZAP295.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A.tmp\ZAP3A.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP49.tmp\ZAP49.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CAVTemp\CAVTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Drivers\Intel\Intel
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\5a0d771158cfd69be5ddd26d8f58c73b
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\9.0\Collab\Collab
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\9.0\Forms\Forms
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\R2LGC9TV\R2LGC9TV
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\ELAD6Q6Q\is1.j.tv2n.net\is1.j.tv2n.net
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#is1.j.tv2n.net\#is1.j.tv2n.net
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\Active
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-04 03:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\Futuremark\MSC\MSC
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\hkcmd.exe
[1] 2005-10-19 08:59:12 126976 C:\WINDOWS\system32\hkcmd.exe ()
[1] 2004-02-10 12:51:30 118784 C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe (Intel Corporation)
Cannot access: C:\WINDOWS\system32\igfxtray.exe
PhilliePhan 171 Central Scrutinizer Team Colleague
Hey Phillie here is the Win32kdiag log you requested -
Great :)
Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip
-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in bold below and copy it using Ctrl+C or RightClick > Copy :
Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll
-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox , using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.
NEXT:
Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f –r
That should produce a log, as well. Please post it for me.
Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.
-- Check and see if MBA-M will run now and, if it does, do a Full Scan and have it remove what it finds and post that log too...
Best Luck :)
PP
StephieC981 0 Newbie Poster
Phillie here is the Avenger log:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.
Completed script processing.
*******************
Finished! Terminate.
And the other log you wanted :
Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
Removing all found mount points.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18D.tmp\ZAP18D.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP18D.tmp\ZAP18D.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP295.tmp\ZAP295.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP295.tmp\ZAP295.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A.tmp\ZAP3A.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A.tmp\ZAP3A.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP49.tmp\ZAP49.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP49.tmp\ZAP49.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Found mount point : C:\WINDOWS\CAVTemp\CAVTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CAVTemp\CAVTemp
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode
Found mount point : C:\WINDOWS\Drivers\Intel\Intel
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Drivers\Intel\Intel
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ftpcache\ftpcache
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Minidump\Minidump
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\mui\mui
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS\DFS
Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHEALTH\HELPCTR\Temp\Temp
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\security\logs\logs
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\5a0d771158cfd69be5ddd26d8f58c73b
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\5a0d771158cfd69be5ddd26d8f58c73b
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1025\1025
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1028\1028
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1031\1031
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1037\1037
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1041\1041
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1042\1042
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1054\1054
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\2052\2052
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3076\3076
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\9.0\Collab\Collab
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\9.0\Collab\Collab
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\9.0\Forms\Forms
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\9.0\Forms\Forms
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\R2LGC9TV\R2LGC9TV
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\R2LGC9TV\R2LGC9TV
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\ELAD6Q6Q\is1.j.tv2n.net\is1.j.tv2n.net
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\ELAD6Q6Q\is1.j.tv2n.net\is1.j.tv2n.net
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#is1.j.tv2n.net\#is1.j.tv2n.net
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#is1.j.tv2n.net\#is1.j.tv2n.net
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\Active
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\Active
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\dhcp\dhcp
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Cannot access: C:\WINDOWS\system32\dumprep.exe
[1] 2004-08-04 03:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()
Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\export\export
Found mount point : C:\WINDOWS\system32\Futuremark\MSC\MSC
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\Futuremark\MSC\MSC
Cannot access: C:\WINDOWS\system32\hkcmd.exe
[1] 2005-10-19 08:59:12 126976 C:\WINDOWS\system32\hkcmd.exe ()
[1] 2004-02-10 12:51:30 118784 C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe (Intel Corporation)
Cannot access: C:\WINDOWS\system32\igfxtray.exe
[1] 2005-10-19 08:59:14 155648 C:\WINDOWS\system32\igfxtray.exe ()
[1] 2004-02-10 12:55:32 155648 C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe (Intel Corporation)
Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv
Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF
Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys
Cannot access: C:\WINDOWS\system32\MRT.exe
[1] 2009-07-29 17:49:16 24281536 C:\WINDOWS\system32\MRT.exe ()
[2] 2009-05-07 03:16:29 24699336 C:\System Volume Information\_restore{7E7D7A14-DB24-4DC5-BDB1-10525E353888}\RP1537\A0209107.exe (Microsoft Corporation)
[2] 2009-06-01 12:51:12 23635392 C:\System Volume Information\_restore{7E7D7A14-DB24-4DC5-BDB1-10525E353888}\RP1564\A0211651.exe (Microsoft Corporation)
[2] 2009-07-07 11:10:56 24539592 C:\System Volume Information\_restore{7E7D7A14-DB24-4DC5-BDB1-10525E353888}\RP1588\A0214956.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\sample\sample
Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Found mount point : C:\WINDOWS\system32\wbem\Logs\Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\Logs\Logs
Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wins\wins
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\xircom\xircom
Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit
Found mount point : C:\WINDOWS\Watson\Watson
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Watson\Watson
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Finished!
StephieC981 0 Newbie Poster
Phillie, also after I finished that I was able to get MBAM to run a quick scan after reinstalling it (double-clicking the shortcut on my desktop still produced a "Windows cannot access file" error, but when i used the setup .exe for MBAM it updated/reinstalled and ran the scan) which produced this log:
Malwarebytes' Anti-Malware 1.40
Database version: 2727
Windows 5.1.2600 Service Pack 3
9/1/2009 4:47:50 PM
mbam-log-2009-09-01 (16-47-50).txt
Scan type: Quick Scan
Objects scanned: 98538
Time elapsed: 7 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\igfxtray (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\NetworkService\Application Data\twain_32 (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\igfxtray.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\user.ds.cla (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
I am going to let it reboot and then try the Full Scan...
PhilliePhan 171 Central Scrutinizer Team Colleague
I am going to let it reboot and then try the Full Scan...
OK, good.
When that's done, post the log for me and then see if you are able to run combofix as per the linky below:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
If it runs, post me that log too. If not, we'll have to try it a bit differently.
PP :)
StephieC981 0 Newbie Poster
Just got out of work, here is the log for the MBAM *full* scan:
Malwarebytes' Anti-Malware 1.40
Database version: 2727
Windows 5.1.2600 Service Pack 3
9/1/2009 10:26:17 PM
mbam-log-2009-09-01 (22-26-17).txt
Scan type: Full Scan (C:\|)
Objects scanned: 184734
Time elapsed: 40 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y2BIXXEZ\c73a719[1].flv (Rootkit.TDSS) -> Quarantined and deleted successfully.
PhilliePhan 171 Central Scrutinizer Team Colleague
Just got out of work, here is the log for the MBAM *full* scan:
Great :)
Let's do this now:
If you already have combofix on your machine, DELETE it.
Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
What I want you to do, though, is this:
When you download it and it ask you to "Save File As," rename combofix to Bunnyfix.exe and then download it to your desktop as that and follow the instructions in the linky to run it and post the log.
I will check in tomorrow and have a look at the log and we'll go from there.
PP :)
StephieC981 0 Newbie Poster
Ah, I didn't see your latest post until after I ran Combofix - but I never had it installed before so it was a "fresh" copy. It ran without problems (no need to rename) and here is the log:
ComboFix 09-09-01.04 - Owner 09/01/2009 22:47.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.466 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\INSTALL.LOG
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-515967899-861567501-682003330-1005
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\Installer\156fd.msi
c:\windows\Palace.reg
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\drivers\kbiwkmthxwbuth.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\kbiwkmewbfalqp.dll
c:\windows\system32\kbiwkmqqmcnupk.dat
c:\windows\system32\kbiwkmsexeooby.dll
c:\windows\system32\kbiwkmtsppdrch.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_kbiwkmnrerxnmf
-------\Legacy_kbiwkmnrerxnmf
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.
2009-09-02 03:04 . 2009-09-02 03:04 -------- d-----w- c:\windows\LastGood
2009-09-01 04:59 . 2009-09-01 05:00 -------- d-----w- c:\program files\Windows Live Safety Center
2009-09-01 04:36 . 2009-09-01 04:05 -------- d-----w- C:\KILLBAD
2009-09-01 04:17 . 2009-09-01 04:17 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-09-01 04:17 . 2009-09-01 04:17 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-09-01 04:17 . 2009-09-01 04:17 -------- d-----w- c:\program files\Prevx
2009-09-01 04:17 . 2009-09-01 04:18 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-09-01 03:53 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-09-01 03:52 . 2009-09-01 03:52 -------- d-----w- c:\program files\Panda Security
2009-09-01 02:49 . 2009-09-01 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-01 02:43 . 2009-09-01 02:43 -------- d-----w- c:\program files\STOPzilla!
2009-09-01 02:43 . 2009-09-01 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-01 02:43 . 2009-09-01 02:43 -------- d-----w- c:\program files\Common Files\iS3
2009-08-31 18:15 . 2009-08-31 18:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-08-31 17:42 . 2009-08-31 17:42 36168 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 17:39 . 2009-08-31 17:39 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-31 17:27 . 2009-08-31 17:27 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-30 23:29 . 2009-08-30 23:29 -------- d-----w- c:\program files\PopCap Games
2009-08-29 19:13 . 2009-08-29 19:13 -------- d-----w- c:\program files\DinerTown Detective Agency
2009-08-29 04:24 . 2009-08-29 04:24 -------- d-----w- c:\program files\Diner Dash Flo Through Time
2009-08-29 04:24 . 2009-08-29 04:24 -------- d-----w- c:\windows\Diner Dash Flo Through Time
2009-08-28 16:44 . 2005-10-19 12:59 163840 ----a-w- c:\windows\system32\igfxres.dll
2009-08-27 19:34 . 2009-08-27 19:34 -------- dc-h--w- c:\windows\ie8
2009-08-27 03:47 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 03:47 . 2009-09-01 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 03:47 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 03:36 . 2009-08-27 03:36 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-27 03:36 . 2009-08-27 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-26 02:29 . 2009-08-26 02:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-25 15:09 . 2009-08-25 15:09 -------- d-----w- c:\windows\Diner Dash Seasonal Snack Pack
2009-08-23 15:01 . 2009-08-23 15:01 -------- d-----w- c:\documents and settings\Owner\Application Data\TigerPlayer
2009-08-23 14:58 . 2009-08-23 14:59 -------- d-----w- c:\program files\MpcStar
2009-08-21 00:11 . 2009-08-21 00:11 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-08-20 23:45 . 2009-08-20 23:45 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-20 23:45 . 2009-08-20 23:45 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-08-20 23:41 . 2009-08-27 18:46 -------- d-----w- c:\windows\ie8updates
2009-08-20 23:35 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-20 23:35 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-20 23:34 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-19 18:28 . 2009-08-19 18:28 -------- d-----w- c:\program files\Wedding Dash - Ready Aim Love
2009-08-19 18:28 . 2009-08-19 18:28 -------- d-----w- c:\windows\Wedding Dash - Ready Aim Love
2009-08-18 15:17 . 2009-08-18 15:17 -------- d-----w- c:\windows\Cooking Dash - DinerTown Studios
2009-08-18 15:17 . 2009-08-18 15:17 -------- d-----w- c:\program files\Cooking Dash - DinerTown Studios
2009-08-18 14:57 . 2009-08-18 14:57 1032192 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p65m119r.Default User\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
2009-08-18 14:57 . 2009-08-31 15:15 -------- d-----w- c:\program files\BitComet
2009-08-18 14:52 . 2009-04-01 07:03 634880 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\cookingdash\cookingdash.exe
2009-08-18 14:52 . 2009-04-01 07:03 1425408 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\cookingdash\game\cookingdash.exe
2009-08-18 14:52 . 2009-02-09 22:28 57344 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\cookingdash\pfinstall.dll
2009-08-18 14:52 . 2002-07-26 21:02 153088 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\cookingdash\UNWISE.EXE
2009-08-17 02:31 . 2009-08-11 21:34 2203648 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\cooking-dash-2\game\cookingdash2.exe
2009-08-17 02:31 . 2009-08-11 21:34 1376256 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\cooking-dash-2\cookingdash2.exe
2009-08-17 02:31 . 2009-06-12 20:23 57344 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\cooking-dash-2\pfinstall.dll
2009-08-17 02:31 . 2002-07-26 21:02 153088 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\cooking-dash-2\UNWISE.EXE
2009-08-14 15:49 . 2009-08-14 16:02 -------- d-----w- c:\program files\support.com
2009-08-14 15:48 . 2009-08-14 15:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\SupportSoft
2009-08-14 15:48 . 2009-08-14 15:48 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-08-13 12:46 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-13 03:19 . 2009-08-13 03:47 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-08-06 04:41 . 2009-08-06 04:41 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-06 04:41 . 2009-08-06 04:41 -------- d-----w- c:\program files\MSBuild
2009-08-06 04:40 . 2009-08-06 04:40 -------- d-----w- c:\program files\Reference Assemblies
2009-08-06 04:40 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-06 04:40 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-06 04:40 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-06 04:40 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-06 04:40 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-06 04:40 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-06 04:40 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-06 04:40 . 2009-08-06 04:40 -------- d-----w- C:\8fdd0779ed77368804d5908c87c1629c
2009-08-06 04:40 . 2009-09-01 20:17 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 18:10 . 2007-03-06 18:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-01 05:24 . 2004-01-31 01:27 43 -c--a-w- c:\windows\popcinfo.dat
2009-09-01 02:28 . 2008-10-07 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 19:19 . 2007-03-13 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-08-29 19:19 . 2005-11-20 04:35 -------- d-----w- c:\documents and settings\Owner\Application Data\PlayFirst
2009-08-27 19:21 . 2005-10-09 04:37 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-08-26 13:06 . 2009-06-02 12:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-26 13:06 . 2009-06-02 12:40 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-26 13:06 . 2009-06-02 12:40 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-22 03:49 . 2007-03-13 14:33 -------- d-----w- c:\program files\PlayFirst
2009-08-21 00:11 . 2009-06-29 14:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-17 02:31 . 2009-03-24 17:40 466944 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\pfHarness\pfHarness.dll
2009-08-13 03:19 . 2005-08-20 07:21 -------- d-----w- c:\program files\LimeWire
2009-08-06 17:17 . 2008-10-07 20:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-06 11:54 . 2003-12-18 03:12 36168 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 17:45 . 2005-10-09 04:37 -------- d-----w- c:\program files\World of Warcraft
2009-08-05 09:01 . 2004-09-13 00:39 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 02:48 . 2009-06-02 12:58 -------- d-----w- c:\program files\Sony Online Entertainment
2009-07-24 17:24 . 2003-12-18 02:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-24 17:24 . 2009-07-24 17:24 -------- d-----w- c:\program files\Sony
2009-07-21 13:03 . 2009-07-21 04:35 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-07-21 04:35 . 2009-07-21 04:35 -------- d-----w- c:\program files\bfgclient
2009-07-20 20:09 . 2009-07-24 15:28 282624 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p65m119r.Default User\extensions\NPDyyno@dyyno.com\Plugins\npDyyno.dll
2009-07-20 18:57 . 2009-07-20 18:57 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-07-20 18:56 . 2009-07-20 18:56 311296 ----a-r- c:\windows\system32\SZBase5.dll
2009-07-20 18:56 . 2009-07-20 18:56 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-07-17 22:51 . 2009-03-24 17:39 139264 ----a-w- c:\documents and settings\All Users\Application Data\PlayFirst\Games\PlayFirst.EXE
2009-07-17 19:01 . 2004-09-13 00:39 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 17:02 . 2009-07-15 17:01 -------- d-----w- c:\program files\WebEx
2009-07-15 17:01 . 2009-07-15 17:01 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2009-07-14 17:40 . 2008-11-05 00:38 -------- d-----w- c:\program files\Hawking
2009-07-14 17:38 . 2008-11-05 00:39 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-14 17:38 . 2009-07-14 17:38 -------- d-----w- c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor
2009-07-14 03:43 . 2004-09-13 00:41 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 19:52 . 2009-07-09 19:52 126976 ----a-r- c:\windows\system32\IS3HTUI5.dll
2009-07-09 19:52 . 2009-07-09 19:52 393216 ----a-r- c:\windows\system32\IS3DBA5.dll
2009-07-09 19:51 . 2009-07-09 19:51 385024 ----a-r- c:\windows\system32\IS3UI5.dll
2009-07-09 19:51 . 2009-07-09 19:51 61440 ----a-r- c:\windows\system32\IS3Hks5.dll
2009-07-09 19:51 . 2009-07-09 19:51 23040 ----a-r- c:\windows\system32\IS3XDat5.dll
2009-07-09 19:50 . 2009-07-09 19:50 225280 ----a-r- c:\windows\system32\IS3Win325.dll
2009-07-09 19:50 . 2009-07-09 19:50 94208 ----a-r- c:\windows\system32\IS3Inet5.dll
2009-07-09 19:50 . 2009-07-09 19:50 90112 ----a-r- c:\windows\system32\IS3Svc5.dll
2009-07-09 19:47 . 2009-07-09 19:47 724992 ----a-r- c:\windows\system32\IS3Base5.dll
2009-07-03 17:09 . 2004-08-24 01:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-09-13 00:39 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-09-13 00:39 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-09-13 00:38 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-09-13 00:38 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-09-13 00:38 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-09-13 00:38 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-24 11:18 . 2004-09-13 00:38 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-09-13 00:38 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2001-08-18 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 20:07 . 2009-07-15 17:19 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2004-09-13 00:38 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-09-13 00:39 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-09-13 00:39 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-09-13 00:38 132096 ----a-w- c:\windows\system32\wkssvc.dll
2005-11-24 01:46 . 2005-11-24 01:47 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-11-14 16:31 . 2006-11-14 16:31 34384 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2006-11-14 16:31 . 2006-11-14 16:31 93848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 13:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-12 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-26 2007832]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 13:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GoBack.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GoBack.lnk
backup=c:\windows\pss\GoBack.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUpdate.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNUtil.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNTray.exe"=
"c:\\Program Files\\Microsoft Broadband Networking\\MSBNCfg.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"7476:TCP"= 7476:TCP:BitComet 7476 TCP
"7476:UDP"= 7476:UDP:BitComet 7476 UDP
"14749:TCP"= 14749:TCP:BitComet 14749 TCP
"14749:UDP"= 14749:UDP:BitComet 14749 UDP
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/31/2009 11:53 PM 28544]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [9/1/2009 12:17 AM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [9/1/2009 12:17 AM 27656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2009 8:40 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/2/2009 8:40 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/29/2009 10:27 AM 297752]
R2 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [5/12/2009 2:13 PM 61328]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/29/2009 10:27 AM 908056]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [9/1/2009 12:17 AM 4368952]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 MN130;Microsoft(R) PCI Adapter MN-130;c:\windows\system32\drivers\MN130-51.sys [5/29/2002 2:25 PM 38400]
S3 UNDPX2K;UNDPX2K;\??\c:\windows\system32\drivers\UNDPX2K.SYS --> c:\windows\system32\drivers\UNDPX2K.SYS [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GTNDIS5
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-08-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
WebBrowser-{9D69F5EE-E293-4834-8587-4B94296E84E6} - (no file)
ShellExecuteHooks-{6809e580-a3a7-11d1-9a00-00a0c945b006} - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: { - c:\documents and settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} - hxxp://thesims.ea.com/teleport/superstar/MaxisSuperstarTeleX.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p65m119r.Default User\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p65m119r.Default User\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p65m119r.Default User\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\MpcStar\Codecs\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 23:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-515967899-861567501-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(688)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\ati2evxx.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Roxio\GoBack\GBPoll.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
.
**************************************************************************
.
Completion time: 2009-09-02 23:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 03:10
Pre-Run: 68,243,374,080 bytes free
Post-Run: 68,216,741,888 bytes free
Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=,1,2,3,4,5,6,7,8,9
375 --- E O F --- 2009-09-02 02:31
PhilliePhan 171 Central Scrutinizer Team Colleague
Ah, I didn't see your latest post until after I ran Combofix - but I never had it installed before so it was a "fresh" copy. It ran without problems (no need to rename) and here is the log:
Great :)
I will have a look at the log in more detail tomorrow and post any necessary manual fixes then.
You can go ahead and delete C:\KILLBAD - it didn't have much effect, lol!
PP :)
PhilliePhan 171 Central Scrutinizer Team Colleague
I will have a look at the log in more detail tomorrow and post any necessary manual fixes then.
Hi Stephie,
Everything looks OK to me. I think you are good to go.
Let's remove Combofix and the files/folders it created:
• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK
This will remove Combofix and it’s components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.
**You should be careful about the P2P stuff and File Sharing, etc . . . That's likely how you got infected.
That's the extent of my lecture......
Cheers :)
PP
StephieC981 0 Newbie Poster
**You should be careful about the P2P stuff and File Sharing, etc . . . That's likely how you got infected.
That's the extent of my lecture......
Cheers :)
PP
Thank you so much Phillie I can't thank you enough - I would have had no idea how to fix this problem on my own.
And ty for the warning, I believe that is how I got infected also and will certainly be much more careful in the future !!!
Thanks again -
Steph
PhilliePhan 171 Central Scrutinizer Team Colleague
Thanks again -
Steph
You're Welcome! :)
Salem commented: Another great result :) +36
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.