AVP 2010:Managed to install malwarebytes but won't scan past 2 seconds

Hi, I am in desperate need of help. My computer is infected with Antivirus Pro 2010 and seems to be disabling my internet connection and only seems to let me open Microsoft Word 2003 and not any other programs.

I managed to transfer the malwarebytes program to my infected computer. Installation seemed to be successful but cannot scan my computer. The scanner just disappears after scanning for 2 seconds. When I try to reopen malwarebytes program by clicking on start menu icon, error msg appears stating that I "do not have permission to access..." I have tried doing this in safe mode and normal mode but I still can't get malwarebytes to scan my computer. Please advise.

I am worried about my word documents. If I were to ask someone to reformat my computer, would I be able to back up the files so that not everything gets erased?

I don't know what to do to fix this.
Please advise asap. Thanks.

Last edited by brownie1212 on 2nd October 2009, 8:49 am; edited 2 times in total (Reason for editing : left out info)

Hi

Reformatting is probably not necessary. I can help you with programs that will help you backup all those necessary files, if that is the case. We should try to clean first, okay.

Please transfer this as well and attempt to use it as instructed.

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:




Important information about ComboFix

Before the download:

• Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  
• It is important to rename ComboFix before the download.
  
• Please do not rename ComboFix to other names, but only the one indicated.

After the download:

• Close any open browsers.
  
• Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  
• If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
  

Running ComboFix:

• Double click on svchost.exe & follow the prompts.
  
• It will attempt to install the Recovery Console:

• When ComboFix finishes, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" in your next reply.
  

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Hi, is the geekpolice forum undergoing maintenance at this time? There are boxes with "x" where the graphics should be. For example, I cannot make out what to "rename combofix.exe" in your previous reply...?

DragonMaster Jay wrote:

Hi

Reformatting is probably not necessary. I can help you with programs that will help you backup all those necessary files, if that is the case. We should try to clean first, okay.

Please transfer this as well and attempt to use it as instructed.

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:




Important information about ComboFix

Before the download:

• Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  
• It is important to rename ComboFix before the download.
  
• Please do not rename ComboFix to other names, but only the one indicated.

After the download:

• Close any open browsers.
  
• Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  
• If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
  

Running ComboFix:

• Double click on svchost.exe & follow the prompts.
  
• It will attempt to install the Recovery Console:

• When ComboFix finishes, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" in your next reply.
  

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Last edited by brownie1212 on 2nd October 2009, 4:45 pm; edited 1 time in total (Reason for editing : typo)

Please help! I'm at my wit's end here. thanks in advance for your advice!

I am SOOO close to just chucking my infected computer out my window. For some reason, the graphics on this site do not seem to be loading properly for me (on my GOOD computer) and I have red "x" where icons should appear.
I have the Antivirus pro 2010 AND Windows police programs on the infected desktop. I tried running the computer in safe mode and backing up my important files on my flashdrive. Of course, now I don't know if the malwares/viruses program have latched onto the files I am trying to save.

Neither Explorer nor Firefox would connect so I don't have the option of dl combofix off the site. Also, now that I have crammed up my flashdrive with saved files, I cannot risk opening the files on my one good computer and contaminating it as well. Therefore, I don't even know HOW to install combofix onto the infected computer.

I really don't want to have to erase everything off my hard drive but I'm also scared that my privacy will be compromised (or has been); I have several resumes saved on my C drive. Don't know what to do. Should I just reformat the whole thing?

brownie1212 wrote:

Hi, I am in desperate need of help. My computer is infected with Antivirus Pro 2010 and seems to be disabling my internet connection and only seems to let me open Microsoft Word 2003 and not any other programs.

I managed to transfer the malwarebytes program to my infected computer. Installation seemed to be successful but cannot scan my computer. The scanner just disappears after scanning for 2 seconds. When I try to reopen malwarebytes program by clicking on start menu icon, error msg appears stating that I "do not have permission to access..." I have tried doing this in safe mode and normal mode but I still can't get malwarebytes to scan my computer. Please advise.

I am worried about my word documents. If I were to ask someone to reformat my computer, would I be able to back up the files so that not everything gets erased?

I don't know what to do to fix this.
Please advise asap. Thanks.

HI again,

For some reason, now I can access Firefox in SAFE w/networking mode. I tried to install combofix with the links but it doesn't give me the option of renaming. I only had the option of SAVE FILE and the file name is ComboFix.exe. After downloading, it does not run.

Gives me this message: "ComboFix.exe is an executable file...Use caution when opening this file. Are you sure you want to launch ComboFix.exe?" I press "OK" and another window comes up with the option to "RUN." Again, does not give me the option of renaming combofix.

I can access TASK MANAGER as well. Earlier, "Windows Police" appeared in the Processes Tab and I clicked "End Process" and it came off the list. Even though I only have firefox.exe running at the moment, there are a number of different "Image Names" under Processes tab.

It looks like so:

svchost.exe Local Service 00 3,552 K
firefox.exe Administrator 00 61,292K
svchost.exe NETWORK SERVICE 00 6,008 K
svchost.exe SYSTEM 00 14,104 k
taskmgr.exe Administrator 01 4,328 K
svchost.exe NETWORK SERVICE 00 4,932 K
svchost.exe SYSTEM 00 10,996 k
lsass.exe SYSTEM 00 2,616 K
services.exe SYSTEM 00 4,208 K
winlogon.exe SYSTEM 00 1,180 K
csrss.exe SYSTEM 00 3,288 K
smss.exe SYSTEM 00 400 k
System SYSTEM 00 276 k
System Idle Process SYSTEM 99 16 K

what to do?

DragonMaster Jay wrote:

Hi

Reformatting is probably not necessary. I can help you with programs that will help you backup all those necessary files, if that is the case. We should try to clean first, okay.

Please transfer this as well and attempt to use it as instructed.

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:




Important information about ComboFix

Before the download:

• Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  
• It is important to rename ComboFix before the download.
  
• Please do not rename ComboFix to other names, but only the one indicated.

After the download:

• Close any open browsers.
  
• Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  
• If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
  

Running ComboFix:

• Double click on svchost.exe & follow the prompts.
  
• It will attempt to install the Recovery Console:

• When ComboFix finishes, it will produce a report for you.
  
• Please post the "C:\\Combo-Fix.txt" in your next reply.
  

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Hi

Go ahead and run ComboFix as downloaded. That will be fine.

Hi,

I tried to run combofix as combofix.exe and it asks me to install. After agreeing, the window just disappears and nothing happens.

DragonMaster Jay wrote:

Hi

Go ahead and run ComboFix as downloaded. That will be fine.

Hi

Please download exeHelper

• Double-click on exeHelper.com to run the fix.
  
• A black window should pop up, press any key to close once the fix is completed.
  
• Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
  

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Hi,
I dl exeHelper.com. Next window was "Open executable file?" I checked OK. Another window opens: The publisher could not be verified. Are you sure you want to run this software? I click RUN. A black box DOES APPEAR but then it disappears within a second. I go to MY DOCUMENTS where I dl exehelper and I do not see a log.txt file. I do see the application exeHelper. It says document type is MS-DOS Application. I opened it in MS WORD but the characters are nonsense symbols! Why can't I run these programs properly??

DragonMaster Jay wrote:

Hi

Please download exeHelper

• Double-click on exeHelper.com to run the fix.
  
• A black window should pop up, press any key to close once the fix is completed.
  
• Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
  

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

This word document "BUG" was saved onto my C drive. I do not know how it got there. I'm posting the contents of the doc.


PUSHD "C:\32788R22FWJFW"

SET "Comspec=C:\WINDOWS\system32\cmd.execf"

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

VER 1>OsVer

GREP.cfxxe -F "5.1.2" OsVer 1>XP.mac

IF 0 == 0 GOTO NT
'SWXCACLS' is not recognized as an internal or external command,
operable program or batch file.

GREP.cfxxe -isq "ProductType.*WinNT" WinNT00 || GOTO Not_NT

SET "Ver_CF=09-10-01.05"

IF NOT EXIST NircmdB.exe COPY /Y Nircmd.cfxxe NircmdB.exe
1 file(s) copied.

PEV UZIP License\pv_5_2_2.zip .\

MOVE /Y PV.exe PV.cfxxe

IF NOT EXIST PEV.cfxxe COPY /Y PEV.exe PEV.cfxxe
1 file(s) copied.

SED "/^PATH=/I!d; s///; s/\x22//g" Oripath 1>OriPath00

PEV -rtf -s+901 .\OriPath00 && (
SED -r "s/\x22//g; s/(.{900}).*/\1/; s/;[^;]*$//" OriPath00 1>OriPath01
FOR /F "TOKENS=*" %G IN (OriPath01) DO @SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"
)

IF NOT EXIST OriPath01 FOR /F "TOKENS=*" %G IN (OriPath00) DO SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%G"

SET "PATH=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft Office\OFFICE11\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\"
Killing 'runonce.exe'
Killing 'grpconv.exe'
Killing 'procmon.exe'
Killing 'ANDRE.EXE'
Killing 'TOLO.exe'
Killing 'Merlin.scr'
Killing 'jalang.exe'
Killing 'jalangkung.exe'
Killing 'jantungan.exe'
Killing 'DOSEN.exe'
Killing 'C3W3K4MPUS.exe'
pv: No matching processes found

PEV -rtf --c:##5# .\* and { License.exe or 32788R22FWJFW.exe or OsVer.exe or WinNT.exe or N_.exe } 1>temp00 && (
PV -o%f * 1>temp01
PEV -tf -t!o --files:temp01 --c:##5#b#f# 1>temp02
GREP -Fif temp00 temp02 1>temp03
SED "/.* /!d; s///" temp03 1>temp04
SED ":a; $!N; s/\n/\x22 \x22/; ta; s/.*/\x22&\x22/" temp04 1>temp05
FOR /F "TOKENS=*" %G IN (temp05) DO @NIRCMD KILLPROCESS %G
)
Active code page: 1252
Could Not Find C:\32788R22FWJFW\AbortB

CALL :MDCheck
Could Not Find C:\32788R22FWJFW\md5sum00.pif

PEV -rtf -md5979B230F49C5822DE12A7FF1C7088151 .\md5sum.pif || CALL :MDFaiL ChkSum_Fail
.\md5sum.pif

PEV -tf --files:files.pif --c:##5#b#f# 1>mdCheck00.dat

GREP -vs "^!MD5:" mdCheck00.dat 1>mdCheck0a.dat

GREP -Fvf md5sum.pif mdCheck0a.dat 1>mdCheck01.dat && CALL :MDFaiL

GOTO :EOF

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
cfExt=cfxxe
CFLDR=32788R22FWJFW
Chksum=979B230F49C5822DE12A7FF1C7088151
CLIENTNAME=Console
Command switches used=Command switches used
CommonProgramFiles=C:\Program Files\Common Files
Completion time=Completion time
COMPUTERNAME=CAT
ComSpec=C:\WINDOWS\system32\cmd.execf
Connecting to=Connecting to
Connecting to ComboFix servers=Connecting to ComboFix servers
Cryptography Services Error=Cryptography Services Error
Disclaimer=The following websites are not in any way affiliated to ComboFix:~n~n http://www.combofix.org/~n http://www.combofixdownload.com/~n~nIf you have purchased anything from them, I suggest you instruct your~nfinanciers to cancel the transaction.~n~n ----------------------- -----------------------~n~nA guide on proper ComboFix usage may be found at:~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nComboFix is meant for private use. It should never be used in an~nunsupervised environment. If infections are found, it will automatically~nreboot the machine to complete the removal process. Please ensure all~nopened windows are closed before proceeding.~n~nThis software is provided 'as is', without warranty of any kind. All~nimplied warranties are expressly disclaimed. If you do not agree to the~nabove terms, please click No to exit" "DISCLAIMER OF WARRANTY ON SOFTWARE.
DLLs Loaded Under Running Processes=DLLs Loaded Under Running Processes
Drivers/Services=Drivers/Services
Fail2Delete=failed to delete
File Associations=File Associations
File Replicators=File Replicators
Files Infected - Patched=Files Infected - Patched
FIREFOX POLICIES=FIREFOX POLICIES
FP_NO_HOST_CHECK=NO
hȋdden files=hȋdden files
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
is infected=is infected
is missing=is missing
KMD=CF1641.exe
LANG_CF=EN
Line1=Please wait.
Line10=ComboFix has detected the presence of rootkit activity and needs to reboot the machine~nKindly note down on paper, the name of each file. We may need it later~n~n%~G" "Rootkit !!
Line10A=ComboFix has detected the presence of rootkit activity and needs to reboot the machine" "Rootkit !!
Line11=Scanning for infected files . . .
Line12=This typically doesn't take more than 10 minutes
Line13=However, scan times for badly infected machines may easily double
Line14=%G ...... driver unloaded successfully.
Line15=Rootkit driver %G is still present. A rootkit scan is required
Line16=ComboFix has changed your clock settings.
Line17=Do not change it back. It shall be restored later
Line18=ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
Line19=to: http://www.bleepingcomputer.com/submit-malware.php?channel=4
Line2=ComboFix is preparing to run.
Line20=Preparing Log Report.
Line21=Do not run any programs until ComboFix has finished
Line22=No new files created in this timespan
Line23=*Note* empty entries ^& legit default entries are not shown
Line24=Contents of the 'Scheduled Tasks' folder
Line25=Almost done . . This window will close in a short while
Line26=Please wait a few seconds for the report log to pop up
Line27=ComboFix's log shall be located at C:\COMBOFIX.TXT
Line28=Rebooting Windows . . . Please wait
Line29=Please allow ComboFix to reboot the machine.
Line3=You need Administrative privileges to run this tool" "Not Admin !!
Line30=Overlay aborted ... Please run ComboFix once more
Line31=Date Error: ~%CurrDate.yyyy-MM-dd%~n~nCheck your settings" "DATE ERROR
Line32=C:\WINDOWS\system32\HAL.DLL is missing !!~n~nIt's IMPORTANT that you DO NOT reboot/shutdown the machine~n~nPost to the forums for immediate help. Do not click OK until further instructed" "CRITICAL WARNING !!
Line33=ComboFix needs to submit malware files for further analysis.~n~nPlease ensure that you're connected to the internet before clicking OK" "Submit Files for further analysis
Line34=Submit malware to Bleeping Computer for analysis.
Line35=Copy/Paste the filepath below into the box above and click Send.
Line36=Infected copy of %~1 was found and disinfected
Line36A=Restored copy from - %~2
Line37=%~1 . . . is infected!!
Line38=((((((((((((((((((((((((( Files Created from %thirty% to %dateX% )))))))))))))))))))))))))))))))
Line39=(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
Line4=C:\WINDOWS\regedit.exe is missing~n~nCopy one from another machine" "Terminal Error - Missing file
Line40=Webserver appears to be temporarily inaccessible.~nFor your convenience, ComboFix created a submissions form located at:~n~n* C:\CF-Submit.htm~n~nPlease use that to manually upload it later. " "Upload Failed!!
Line41=((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
Line42=((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
Line43=Deleting Files:
Line43A=Deleting Folders:
Line44=- REDUCED FUNCTIONALITY MODE -
Line45=SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
Line46=scanning hȋdden processes ...
Line47=scanning hȋdden autostart entries ...
Line48=scanning hȋdden files ...
Line49=-- Snapshot reset to current date --
Line5=Current date is ~%CurrDate.yyyy-MM-dd%. ComboFix has expired~n~nClick 'Yes' to run in REDUCED FUNCTIONALITY mode~n~nClick 'No' to exit" "Version_%ver_CF%
Line50=ComboFix is uninstalled" "Info
Line51=Will only install the Recovery Console for Windows XP
Line52=Boot Partition cannot be enumerated correctly
Line53=%BootDir%Boot.ini is not correctly formated
Line54=This machine already has the Recovery Console installed.~n~nAborting operations
Line55=Please click 'YES' in the End User License Agreement (EULA) dialog that follows ..." "Installing the Recovery Console
Line56=Installation file - %~G - cannot be found
Line57=You didn't select YES~n~nInstallation is aborted
Line58=Contents of %BootDir%cmdcons are not in order.~n~nPlease disable your security programs before trying again
Line59=Congratulations!!! The Microsoft Recovery Console was successfully installed.~n~nOn each restart of the machine, a black screen will offer you the option to boot into recovery console mode.~nFor normal use, just ignore the black screen. Windows shall boot normally in 2 seconds~n~nClick 'Yes' to continue scanning for malware" "Info
Line6=Were you trying to run CFScript?~n~nThe name, CFScript appears to be incorrectly spelt" "CFScript Name Error
Line60=Click 'Yes' to continue scanning for malware~n~nClick 'No' to exit" "What's next ?
Line62=There's a newer version of ComboFix available.~n~nWould you like to update ComboFix?" "Update
Line63=--- WARNING !! ---~n~nA critical update is required.~n~nComboFix shall now update itself.~n~n--- WARNING !! ---" "Mandatory Update
Line64=Failed to download updated copy.~n~nWill continue with existing copy" "Failed Download
Line65=ComboFix shall now restart" "Updated
Line66=Interference detected~n~nPlease perform a Rootkit Scan" "Abort!
Line67=You cannot rename ComboFix as %FileName%~n~nPlease use another name, preferbaly made up of alphanumeric characters
Line68=%cd% not in expected location~n~n Inform sUBs now!!
Line69=ComboFix effected repairs on missing C:\WINDOWS\system32\hal.dll
Line7=Attempting to create a new System Restore point
Line70=This machine does not have the 'Microsoft Windows recovery console' installed~n~nWithout it, ComboFix shall not attempt the fixing of some serious infections.~n~nClick 'Yes' to have ComboFix download/install it.~n~nNOTE: this requires an active internet connection." "Microsoft Windows Recovery Console
Line71=Click 'Yes' if this is a WINDOWS XP *HOME EDITION* machine" "XP Home Edition
Line72=Failed to download required files. Aborting ... ~n~nShall continue scanning for malware
Line73=Internal error! Failed to enumerate download path. ~n~nAborting ... Shall continue scanning for malware
Line74=You do not appear to be connected to the internet. Kindly connect before clicking 'OK'
Line75=The following files were trying to attach to ComboFix. They shall be disabled~nKindly note down on paper, the name of each file. We may need it later~n~n%~G" "Parasites found !!
Line76=ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!
Line77=%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!
Line78=%~1 was missing
Line79=%~1 . . . is missing!!
Line8=Rich text formats (RTF) are unacceptable !!~n~nPlease save CFScript commands as a textfile, using Notepad.exe" "ERROR - Script format is incorrect
Line80=!! ALERT !! It is NOT SAFE to continue!~n~nThe contents of the ComboFix package has been compromised.~nPlease download a fresh copy from:~n~nhttp://www.bleepingcomputer.com/combofix/how-to-use-combofix~n~nNote: You may be infected with a file patching virus 'Virut'" "Error
Line81=ComboFix's script appears tampered. It is not safe to continue.~nComboFix shall now exit. Please inform the forum helper that's aiding~nyou. Unless further instructed to do so, do not run ComboFix again." "Failed Verification
Line82=Webserver appears to be temporarily inaccessible.~nFor your convenience, a zipped file has been created at:~n~nC:\CFCollect.zip~n~nPlease upload the file to BleepingComputer~n~nDo not forget to fill in the 'Comments' section" "Upload Failed!!
Line83=NETSVCS REQUIRES REPAIRS - current entries shown
Line84=http://download.bleepingcomputer.com/sUBs/ComboFix.exe~nhttp://www.forospyware.com/sUBs/ComboFix.exe~n~nComboFix.exe may be downloaded from any of the above sites. If you~nhave downloaded from some other site, there's a likely chance that it~nmay be tainted. For peace of mind, I suggest that you delete the current~ncopy and get a fresh one." "Caution
Line85=Manual Fix is required for restoring CommonStartup
Line9=Rootkit driver %G is present. ... attempting disinfection
Line90=ComboFix needs to perform a deeper scan
Line91=This should not take more than 10-15 minutes
Line92=Infected HTML files detected.
Line93=ComboFix will now attempt to disinfect
Line94=This is going to take some time
Line95=Disinfection complete !!! ... continuing Log Report preparation
Line96=Recovery in Progress . . .
Line97=WARNING !! Do not manually reboot the machine yourself
LOCKED REGISTRY KEYS=LOCKED REGISTRY KEYS
LOGONSERVER=\\CAT
machine was rebooted=machine was rebooted
not completed=not completed
NUMBER_OF_PROCESSORS=2
ORPHANS REMOVED=ORPHANS REMOVED
OS=Windows_NT
Other Running Processes=Other Running Processes
Other Services/Drivers In Memory=Other Services/Drivers In Memory
Path=C:\32788R22FWJFW;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft Office\OFFICE11\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\
PATHEXT=.cfxxe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
Possible infected sites=Possible infected sites
Post-Run=Post-Run
Pre-Run=Pre-Run
Previous Run=Previous Run
PROCESS=PROCESS
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$
Qrntn=C:\Qoobox\Quarantine
RecoveryConsole=WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
Resident AV is active=Resident AV is active
RestorePoint= * Created a new restore point
RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
Running from=Running from
SAFEBOOT_OPTION=MINIMAL
scan completed successfully=scan completed successfully
SESSIONNAME=Console
sfxcmd="G:\ComboFix.exe"
sfxname=G:\ComboFix.exe
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
Stage=Completed Stage_
Supplementary Scan=Supplementary Scan
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
The following files were disabled during the run=The following files were disabled during the run
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
Upload was successful=Upload was successful
Uploading files to server=Uploading files to server
USERDOMAIN=CAT
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
Ver_CF=09-10-01.05
WecVersionForRosebud.518=2
windir=C:\WINDOWS

=============================================


IF NOT DEFINED sfxname GOTO END

GREP -F \ temp01 && CALL :Aux

GREP -Fi "C:\WINDOWS\system32\userinit.exe" Userinit00 || (SWREG ADD "hklm\software\microsoft\windows nt\currentversion\winlogon" /v Userinit /d "C:\WINDOWS\system32\userinit.exe," )
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

SET SfxCmd 1>SET00

SED -r "/SfxCmd=/I!d; s///; s/\s*$//; s/^(\x22[^\x22]*\x22|[^\x22]\S*) +//; s/^\x22*G:\\ComboFix.exe\x22*//I; s/^([^\x22]\S*)/@SET SfxCmd=\x22\1\x22/; s/^(\x22.*)/@SET SfxCmd=\1/" SET00 1>sfx.cmd

DEL /A/F SET00

ATTRIB +R "G:\ComboFix.exe"

CALL sfx.cmd

CALL AV.cmd

SET /a AVCount+=1

NIRCMD EXEC HIDE PV -d9000 -kf CSCRIPT.EXE

CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

PV -kf CSCRIPT.exe PV.*
Killing 'CSCRIPT.exe'
Killing 'PV.*'

IF NOT EXIST AvBlack00 GREP -Fsf AVBlack resident.txt 1>AvBlack00 && (
SED -r "s/\x22//g; s/.*\) //; s/.*(\{.{8}-.{4}-.{4}-.{4}-.{12}\}).*/\1/" AvBlack00 1>AvBlack01
FOR /F "TOKENS=*" %G IN (AvBlack01) DO @CSCRIPT.EXE //NOLOGO //E:VBSCRIPT //T:5 wmi_rem.vbs "%~G"
NIRCMD EXEC HIDE PV -d6000 -kf CSCRIPT.EXE
CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs
PV -kf CSCRIPT.exe PV.*
)

GREP -Fivf AVWhite resident.txt | GREP -E "^(AV|SP): .*enabled\* \(" 1>AVChk && (
SED -r "s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB
NIRCMD LOOP 2 80 BEEP 3000 200
IF 1 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" "" && GOTO Av-check
IF 1 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" ""
)

DragonMaster Jay wrote:

Hi

Please download exeHelper

• Double-click on exeHelper.com to run the fix.
  
• A black window should pop up, press any key to close once the fix is completed.
  
• Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
  

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Hi

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Please run ComboFix as noted above.

I keep getting the warning: Combofix has detected the following real time scanners to be active:
Symantec Antivirus Corporate Edition. Please disable these scanners before clicking OK.

Problem is, I cannot access Symantec. I click on the icon and nothing happens. Should I just run combofix as is? even if symantec is on? because I cannot access symantec to disable.

DragonMaster Jay wrote:

Hi

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Please run ComboFix as noted above.

Yes. ComboFix will disable it anyway. Please go ahead.

ComboFix 09-10-01.05 - Administrator 10/04/2009 8:06.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.839 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\services.exe
c:\documents and settings\All Users\Application Data\buji.bin
c:\documents and settings\All Users\Application Data\dikiqekyde.reg
c:\documents and settings\All Users\Application Data\kylumyqo._sy
c:\documents and settings\All Users\Application Data\tece._dl
c:\documents and settings\All Users\Application Data\tecezibax.pif
c:\documents and settings\All Users\Application Data\yfyfoj.exe
c:\documents and settings\All Users\Documents\atymu.dl
c:\documents and settings\All Users\Documents\sahukyc.scr
c:\documents and settings\Catherine\Application Data\elixodyg.scr
c:\documents and settings\Catherine\Application Data\igynahe.pif
c:\documents and settings\Catherine\Application Data\jakycakoka.dl
c:\documents and settings\Catherine\Application Data\lizkavd.exe
c:\documents and settings\Catherine\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Catherine\Application Data\noha.bin
c:\documents and settings\Catherine\Application Data\seres.exe
c:\documents and settings\Catherine\Application Data\svcst.exe
c:\documents and settings\Catherine\Cookies\akyb._dl
c:\documents and settings\Catherine\Cookies\famafu.lib
c:\documents and settings\Catherine\Cookies\idyxo.scr
c:\documents and settings\Catherine\Cookies\ilesi.vbs
c:\documents and settings\Catherine\Cookies\jogulero.dl
c:\documents and settings\Catherine\Cookies\jorenuluh._dl
c:\documents and settings\Catherine\Cookies\liboge.ban
c:\documents and settings\Catherine\Cookies\omulaxita.db
c:\documents and settings\Catherine\Cookies\suhonicufu.db
c:\documents and settings\Catherine\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Catherine\Local Settings\Application Data\ohiki.pif
c:\documents and settings\Catherine\Local Settings\Application Data\zyhi.dll
c:\documents and settings\Catherine\Local Settings\Temporary Internet Files\ivop.db
c:\documents and settings\Catherine\Local Settings\Temporary Internet Files\letisavuj._sy
c:\documents and settings\Catherine\Local Settings\Temporary Internet Files\yrok.reg
c:\documents and settings\Catherine\My Documents\winlogon.exe
c:\documents and settings\Catherine\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Catherine\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Catherine\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Malwarebytes' Anti-Malware\mbam.exe
c:\documents and settings\prg22\mbam.exe
C:\p2hhr.bat
c:\program files\Common Files\sywe.bat
c:\program files\Common Files\zuby.ban
c:\windows\afemuroc.bin
c:\windows\Downloaded Program Files\webinst.dll
c:\windows\gike.ban
c:\windows\hujumibi.bat
c:\windows\hyxub.pif
c:\windows\Installer\1d481.msp
c:\windows\msa.exe
c:\windows\msb.exe
c:\windows\muwosik._dl
c:\windows\qamuvy.bat
c:\windows\sejuz.reg
c:\windows\svchast.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\cilyjysaz.vbs
c:\windows\system32\critical_warning.html
c:\windows\system32\drivers\gasfkyncaeseee.sys
c:\windows\system32\drivers\gasfkyqxtabvti.sys
c:\windows\system32\gasfkyaaukocsy.dll
c:\windows\system32\gasfkyhtavyxuw.dll
c:\windows\system32\gasfkyjnquujcn.dll
c:\windows\system32\gasfkykbggkfci.dat
c:\windows\system32\gasfkykhmtsoul.dat
c:\windows\system32\gasfkypjoymwte.dll
c:\windows\system32\gasfkyupobonmp.dat
c:\windows\system32\junefare.exe
c:\windows\system32\junovedo.dll
c:\windows\system32\kenamezi.dll
c:\windows\system32\kolubagu.exe
c:\windows\system32\monekuho.dll
c:\windows\system32\muwatibi.dll
c:\windows\system32\newuwiyo.dll
c:\windows\system32\pimimoso.dll
c:\windows\system32\rilonake.dll
c:\windows\system32\sejutedi.dll
c:\windows\system32\sysnet.dat
c:\windows\system32\tipifipo.exe
c:\windows\system32\tycisela.sys
c:\windows\system32\wafiguvu.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wutivoba.exe
c:\windows\system32\zasezara.exe
c:\windows\system32\zzkgj2.dll
c:\windows\weryjakad.ban
c:\windows\ymahu.dl
c:\windows\ymaqaje.vbs
D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyohpxmpnu
-------\Legacy_gasfkyohpxmpnu
-------\Legacy_IPRIP
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_Iprip
-------\Legacy_AntiPol
-------\Service_AntiPol


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-04 12:12 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-04 00:51 . 2009-10-04 01:47 -------- d--h--w- c:\windows\PIF
2009-10-04 00:39 . 2009-10-04 00:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\5418712380
2009-10-03 05:33 . 2009-10-03 05:33 58 ----a-w- c:\windows\wf4.dat
2009-10-03 05:33 . 2009-10-03 05:33 1 ----a-w- c:\windows\wf3.dat
2009-10-03 05:33 . 2009-10-03 05:33 553472 ----a-w- c:\windows\system32\pump.exe
2009-10-03 05:33 . 2009-10-03 05:33 658944 ----a-w- c:\windows\system32\plugie.dll
2009-10-03 05:10 . 2009-09-10 18:54 269648 ----a-w- c:\documents and settings\prg22\mbamservice.exe
2009-10-03 05:10 . 2009-09-10 18:54 420176 ----a-w- c:\documents and settings\prg22\mbamgui.exe
2009-10-03 05:10 . 2009-09-10 18:54 79696 ----a-w- c:\documents and settings\prg22\zlib.dll
2009-10-03 05:10 . 2009-09-10 18:54 46416 ----a-w- c:\documents and settings\prg22\ssubtmr6.dll
2009-10-03 05:10 . 2009-09-10 18:53 70992 ----a-w- c:\documents and settings\prg22\mbamext.dll
2009-10-03 05:10 . 2009-10-03 05:10 -------- d-----w- c:\documents and settings\prg22\Languages
2009-10-03 05:10 . 2009-10-04 12:12 -------- d-----w- c:\documents and settings\prg22
2009-10-03 05:10 . 2009-10-03 05:10 9165 ----a-w- c:\documents and settings\prg22\unins000.dat
2009-10-03 05:10 . 2009-10-03 05:08 699216 ----a-w- c:\documents and settings\prg22\unins000.exe
2009-10-03 05:10 . 2009-09-10 18:53 163664 ----a-w- c:\documents and settings\prg22\mbam.dll
2009-10-02 20:49 . 2009-10-04 01:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-02 20:47 . 2009-10-02 20:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-02 08:17 . 2009-09-10 18:54 269648 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbamservice.exe
2009-10-02 08:17 . 2009-09-10 18:54 420176 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbamgui.exe
2009-10-02 08:17 . 2009-09-10 18:54 79696 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\zlib.dll
2009-10-02 08:17 . 2009-09-10 18:54 46416 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\ssubtmr6.dll
2009-10-02 08:17 . 2009-09-10 18:53 70992 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbamext.dll
2009-10-02 08:17 . 2009-10-02 20:46 -------- d-----w- c:\documents and settings\Malwarebytes' Anti-Malware\Languages
2009-10-02 08:17 . 2009-10-04 12:12 -------- d-----w- c:\documents and settings\Malwarebytes' Anti-Malware
2009-10-02 08:17 . 2009-10-02 20:47 21037 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\unins000.dat
2009-10-02 08:17 . 2009-10-02 20:46 699216 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\unins000.exe
2009-10-02 08:17 . 2009-09-10 18:53 163664 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbam.dll
2009-10-02 07:40 . 2009-10-02 07:40 -------- d-----w- c:\documents and settings\Catherine\Application Data\Malwarebytes
2009-10-02 07:40 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 07:40 . 2009-10-02 07:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-02 07:40 . 2009-10-02 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-02 07:40 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-02 07:08 . 2009-10-02 07:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-02 03:10 . 2009-10-02 03:10 -------- d-----w- c:\documents and settings\Catherine\Application Data\7925498587
2009-10-02 03:01 . 2009-10-04 12:16 82944 ----a-w- c:\windows\system32\drivers\e2aede76.sys
2009-10-02 02:59 . 2009-10-04 11:46 0 ----a-r- c:\windows\win32k.sys
2009-10-02 02:58 . 2009-10-02 02:58 17920 ----a-w- C:\qgferewy.exe
2009-10-02 02:58 . 2009-10-02 02:58 45568 ----a-w- C:\hrngen.exe
2009-10-02 02:58 . 2009-10-02 02:58 201200 ----a-w- C:\prdfjhha.exe
2009-09-09 17:17 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 19:55 . 2009-07-02 19:53 38912 --sha-w- c:\windows\system32\biluguki.dll
2009-10-02 19:53 . 2009-07-02 19:53 52736 --sha-w- c:\windows\system32\vuwupajo.dll
2009-10-02 06:05 . 2009-10-02 06:05 17814 ----a-w- c:\documents and settings\Catherine\Application Data\ojikoxun.dat
2009-10-02 03:05 . 2006-12-14 22:10 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-10 08:46 . 2009-08-22 02:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-23 08:01 . 2006-07-19 23:20 50288 ----a-w- c:\documents and settings\Catherine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 07:10 . 2009-08-23 07:10 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-14 18:17 . 2007-12-31 15:13 -------- d-----w- c:\documents and settings\Catherine\Application Data\Printer Info Cache
2009-08-14 18:17 . 2007-12-31 15:13 -------- d-----w- c:\documents and settings\Catherine\Application Data\Image Zone Express
2009-08-13 16:33 . 2009-08-13 16:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-13 16:32 . 2006-07-15 02:16 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-07-22 21:54 . 2006-07-20 00:00 88 --sh--r- c:\windows\system32\DFC1708291.sys
2006-07-22 21:54 . 2006-07-20 00:00 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-15 169984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-15 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"HP Software Update"="c:\hp software update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-13 148888]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"7925498587"="c:\documents and settings\Catherine\Application Data\7925498587\7925498587.exe" [2009-10-02 1047588]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2006-9-15 114688]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-14 24576]
HP Digital Imaging Monitor.lnk - c:\digital imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Symantec AntiVirus\\DefWatch.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [8/28/2009 8:05 PM 102448]
S3 84b9e43c-b74b-42f7-ae60-a4b36d6a424b;84b9e43c-b74b-42f7-ae60-a4b36d6a424b;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} - hxxp://regcat.resnet.stonybrook.edu/CAT/CNICAT.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://pdc.resnet.stonybrook.edu/sav/webinst.cab
FF - ProfilePath - c:\documents and settings\Catherine\Application Data\Mozilla\Firefox\Profiles\5osujfiv.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Catherine\Application Data\Mozilla\Firefox\Profiles\5osujfiv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{5803c4c9-cb57-4b31-9186-89a1bed8ada3} - rilonake.dll
HKCU-Run-Creative Software Update - c:\program files\Creative\Shared Files\Software Update\AutoUpdate.exe
HKCU-Run-mserv - c:\documents and settings\Catherine\Application Data\svcst.exe
HKCU-Run-Login Software 2009 - c:\docume~1\CATHER~1\LOCALS~1\Temp\c5eoy.exe
HKLM-Run-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
HKLM-Run-jemokarat - c:\windows\system32\monekuho.dll
HKLM-Run-zalafavoka - junovedo.dll
SharedTaskScheduler-ThreadingModel - (no file)
SharedTaskScheduler-{e96614ed-f87e-4dcb-8b23-ecf073b3eff1} - c:\windows\system32\monekuho.dll
SharedTaskScheduler-{33c85cd0-341a-4c1c-9a89-391a4e27cebe} - c:\windows\system32\monekuho.dll
SSODL-zehevewud-{e96614ed-f87e-4dcb-8b23-ecf073b3eff1} - c:\windows\system32\monekuho.dll
SSODL-mojohifiy-{33c85cd0-341a-4c1c-9a89-391a4e27cebe} - c:\windows\system32\monekuho.dll
AddRemove-Move Networks Player_is1 - c:\documents and settings\Catherine\Application Data\Move Networks\ie_bin\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 08:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\e2aede76]
"ImagePath"="\SystemRoot\System32\drivers\e2aede76.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5236)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\InstallShield\UpdateService\agent.exe
c:\digital imaging\bin\hpqste08.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\progra~1\Symantec\LIVEUP~1\LUALL.EXE
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-10-04 8:22 - machine was rebooted [Catherine]
ComboFix-quarantined-files.txt 2009-10-04 12:22

Pre-Run: 33,255,006,208 bytes free
Post-Run: 33,186,713,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

368 --- E O F --- 2009-09-10 07:07

DragonMaster Jay wrote:

Yes. ComboFix will disable it anyway. Please go ahead.

Hi

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   DirLook::
   c:\windows\system32\config\systemprofile\Application Data\5418712380
   c:\documents and settings\Catherine\Application Data\7925498587
   
   FileLook::
   junovedo.dll
   
   File::
   c:\windows\system32\pump.exe
   c:\windows\wf4.dat
   c:\windows\wf3.dat
   c:\windows\system32\plugie.dll
   c:\windows\system32\drivers\e2aede76.sys
   C:\qgferewy.exe
   C:\hrngen.exe
   C:\prdfjhha.exe
   c:\windows\system32\biluguki.dll
   c:\windows\system32\vuwupajo.dll
   c:\documents and settings\Catherine\Application Data\ojikoxun.dat
   c:\docume~1\CATHER~1\LOCALS~1\Temp\c5eoy.exe
   c:\documents and settings\Catherine\Application Data\svcst.exe
   c:\windows\system32\monekuho.dll
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

==

Please download SpiderKill and save it to your Desktop.

• Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  
• Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  
• Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.

==

Please include the ComboFix and SpiderKill logs in your next reply.

ComboFix 09-10-04.01 - Catherine 10/04/2009 15:02.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.511 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Catherine\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\docume~1\CATHER~1\LOCALS~1\Temp\c5eoy.exe"
"c:\documents and settings\Catherine\Application Data\ojikoxun.dat"
"c:\documents and settings\Catherine\Application Data\svcst.exe"
"C:\hrngen.exe"
"C:\prdfjhha.exe"
"C:\qgferewy.exe"
"c:\windows\system32\biluguki.dll"
"c:\windows\system32\drivers\e2aede76.sys"
"c:\windows\system32\monekuho.dll"
"c:\windows\system32\plugie.dll"
"c:\windows\system32\pump.exe"
"c:\windows\system32\vuwupajo.dll"
"c:\windows\wf3.dat"
"c:\windows\wf4.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Catherine\Application Data\ojikoxun.dat
c:\windows\system32\biluguki.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-04 15:42 . 2009-10-04 15:42 -------- d-----w- c:\windows\LastGood
2009-10-04 15:42 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-04 15:42 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-04 15:42 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-04 15:42 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-04 15:42 . 2009-10-04 15:42 -------- d-----w- c:\program files\Avira
2009-10-04 15:42 . 2009-10-04 15:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-04 12:36 . 2009-09-10 18:54 269648 ----a-w- c:\documents and settings\newv\mbamservice.exe
2009-10-04 12:36 . 2009-09-10 18:54 420176 ----a-w- c:\documents and settings\newv\mbamgui.exe
2009-10-04 12:36 . 2009-09-10 18:54 79696 ----a-w- c:\documents and settings\newv\zlib.dll
2009-10-04 12:36 . 2009-09-10 18:54 46416 ----a-w- c:\documents and settings\newv\ssubtmr6.dll
2009-10-04 12:36 . 2009-09-10 18:53 70992 ----a-w- c:\documents and settings\newv\mbamext.dll
2009-10-04 12:36 . 2009-09-10 18:53 1312080 ----a-w- c:\documents and settings\newv\mbam.exe
2009-10-04 12:36 . 2009-10-04 12:36 -------- d-----w- c:\documents and settings\newv\Languages
2009-10-04 12:36 . 2009-10-04 12:36 9347 ----a-w- c:\documents and settings\newv\unins000.dat
2009-10-04 12:36 . 2009-10-04 12:36 -------- d-----w- c:\documents and settings\newv
2009-10-04 12:36 . 2009-10-04 12:35 699216 ----a-w- c:\documents and settings\newv\unins000.exe
2009-10-04 12:36 . 2009-09-10 18:53 163664 ----a-w- c:\documents and settings\newv\mbam.dll
2009-10-04 12:12 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-04 00:51 . 2009-10-04 01:47 -------- d--h--w- c:\windows\PIF
2009-10-03 05:10 . 2009-09-10 18:54 269648 ----a-w- c:\documents and settings\prg22\mbamservice.exe
2009-10-03 05:10 . 2009-09-10 18:54 420176 ----a-w- c:\documents and settings\prg22\mbamgui.exe
2009-10-03 05:10 . 2009-09-10 18:54 79696 ----a-w- c:\documents and settings\prg22\zlib.dll
2009-10-03 05:10 . 2009-09-10 18:54 46416 ----a-w- c:\documents and settings\prg22\ssubtmr6.dll
2009-10-03 05:10 . 2009-09-10 18:53 70992 ----a-w- c:\documents and settings\prg22\mbamext.dll
2009-10-03 05:10 . 2009-10-03 05:10 -------- d-----w- c:\documents and settings\prg22\Languages
2009-10-03 05:10 . 2009-10-04 12:12 -------- d-----w- c:\documents and settings\prg22
2009-10-03 05:10 . 2009-10-03 05:10 9165 ----a-w- c:\documents and settings\prg22\unins000.dat
2009-10-03 05:10 . 2009-10-03 05:08 699216 ----a-w- c:\documents and settings\prg22\unins000.exe
2009-10-03 05:10 . 2009-09-10 18:53 163664 ----a-w- c:\documents and settings\prg22\mbam.dll
2009-10-02 20:49 . 2009-10-04 01:27 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-02 20:47 . 2009-10-02 20:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-02 08:17 . 2009-09-10 18:54 269648 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbamservice.exe
2009-10-02 08:17 . 2009-09-10 18:54 420176 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbamgui.exe
2009-10-02 08:17 . 2009-09-10 18:54 79696 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\zlib.dll
2009-10-02 08:17 . 2009-09-10 18:54 46416 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\ssubtmr6.dll
2009-10-02 08:17 . 2009-09-10 18:53 70992 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbamext.dll
2009-10-02 08:17 . 2009-10-02 20:46 -------- d-----w- c:\documents and settings\Malwarebytes' Anti-Malware\Languages
2009-10-02 08:17 . 2009-10-04 12:12 -------- d-----w- c:\documents and settings\Malwarebytes' Anti-Malware
2009-10-02 08:17 . 2009-10-02 20:47 21037 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\unins000.dat
2009-10-02 08:17 . 2009-10-02 20:46 699216 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\unins000.exe
2009-10-02 08:17 . 2009-09-10 18:53 163664 ----a-w- c:\documents and settings\Malwarebytes' Anti-Malware\mbam.dll
2009-10-02 07:40 . 2009-10-02 07:40 -------- d-----w- c:\documents and settings\Catherine\Application Data\Malwarebytes
2009-10-02 07:40 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 07:40 . 2009-10-02 07:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-02 07:40 . 2009-10-02 07:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-02 07:40 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-02 07:08 . 2009-10-02 07:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-09 17:17 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 15:34 . 2006-07-15 02:32 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-04 15:33 . 2006-07-15 02:32 -------- d-----w- c:\program files\Symantec
2009-10-04 15:33 . 2006-12-14 22:10 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-04 15:33 . 2006-07-15 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-04 13:47 . 2006-07-15 02:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-10 08:46 . 2009-08-22 02:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-23 08:01 . 2006-07-19 23:20 50288 ----a-w- c:\documents and settings\Catherine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 07:10 . 2009-08-23 07:10 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-14 18:17 . 2007-12-31 15:13 -------- d-----w- c:\documents and settings\Catherine\Application Data\Printer Info Cache
2009-08-14 18:17 . 2007-12-31 15:13 -------- d-----w- c:\documents and settings\Catherine\Application Data\Image Zone Express
2009-08-13 16:33 . 2009-08-13 16:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-13 16:32 . 2006-07-15 02:16 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 17:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-07-22 21:54 . 2006-07-20 00:00 88 --sh--r- c:\windows\system32\DFC1708291.sys
2006-07-22 21:54 . 2006-07-20 00:00 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Catherine\Application Data\7925498587 ----


---- Directory of c:\windows\system32\config\systemprofile\Application Data\5418712380 ----

2009-10-04 00:39 . 2009-10-04 00:39 302 ----a-w- c:\windows\system32\config\systemprofile\Application Data\5418712380\5418712380.bat
2009-10-04 00:39 . 2009-10-04 00:40 1689 ----a-w- c:\windows\system32\config\systemprofile\Application Data\5418712380\5418712380.cfg


((((((((((((((((((((((((((((( SnapShot@2009-10-04_12.15.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 06:19 . 2007-11-07 06:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-10-04 15:25 . 2009-10-04 15:25 16384 c:\windows\temp\Perflib_Perfdata_6d4.dat
+ 2009-10-04 15:42 . 2009-05-11 14:12 28520 c:\windows\system32\drivers\ssmdrv.sys
+ 2009-10-04 13:36 . 2009-10-04 13:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-07-19 21:04 . 2009-10-04 11:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-07-19 21:04 . 2009-10-04 13:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-04 13:36 . 2009-10-04 13:42 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-07-29 12:05 . 2008-07-29 12:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 07:54 . 2008-07-29 07:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-10-04 15:41 . 2009-10-04 15:41 228352 c:\windows\Installer\6cef6.msi
+ 2008-07-29 12:05 . 2008-07-29 12:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-15 169984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-07-15 98304]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"HP Software Update"="c:\hp software update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-13 148888]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Malwarebytes Anti-Malware (reboot)"="c:\documents and settings\newv\mbam.exe" [2009-09-10 1312080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2006-9-15 114688]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-7-14 24576]
HP Digital Imaging Monitor.lnk - c:\digital imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/4/2009 11:42 AM 108289]
S1 e2aede76;e2aede76;c:\windows\system32\drivers\e2aede76.sys --> c:\windows\system32\drivers\e2aede76.sys [?]
S3 84b9e43c-b74b-42f7-ae60-a4b36d6a424b;84b9e43c-b74b-42f7-ae60-a4b36d6a424b;\??\e:\cds300\cds300.dll --> e:\cds300\cds300.dll [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
*NewlyCreated* - SSMDRV
*Deregistered* - NAVENG
*Deregistered* - NAVEX15
*Deregistered* - SAVRT
*Deregistered* - SAVRTPEL
*Deregistered* - SPBBCDrv
*Deregistered* - SymEvent
*Deregistered* - SYMREDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} - hxxp://regcat.resnet.stonybrook.edu/CAT/CNICAT.cab
DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} - hxxp://pdc.resnet.stonybrook.edu/sav/webinst.cab
FF - ProfilePath - c:\documents and settings\Catherine\Application Data\Mozilla\Firefox\Profiles\5osujfiv.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\documents and settings\Catherine\Application Data\Mozilla\Firefox\Profiles\5osujfiv.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 15:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-04 15:08
ComboFix-quarantined-files.txt 2009-10-04 19:07
ComboFix2.txt 2009-10-04 12:22

Pre-Run: 33,261,740,032 bytes free
Post-Run: 33,228,898,304 bytes free

270 --- E O F --- 2009-09-10 07:07

DragonMaster Jay wrote:

Hi

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   DirLook::
   c:\windows\system32\config\systemprofile\Application Data\5418712380
   c:\documents and settings\Catherine\Application Data\7925498587
   
   FileLook::
   junovedo.dll
   
   File::
   c:\windows\system32\pump.exe
   c:\windows\wf4.dat
   c:\windows\wf3.dat
   c:\windows\system32\plugie.dll
   c:\windows\system32\drivers\e2aede76.sys
   C:\qgferewy.exe
   C:\hrngen.exe
   C:\prdfjhha.exe
   c:\windows\system32\biluguki.dll
   c:\windows\system32\vuwupajo.dll
   c:\documents and settings\Catherine\Application Data\ojikoxun.dat
   c:\docume~1\CATHER~1\LOCALS~1\Temp\c5eoy.exe
   c:\documents and settings\Catherine\Application Data\svcst.exe
   c:\windows\system32\monekuho.dll
   

4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

==

Please download SpiderKill and save it to your Desktop.

• Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  
• Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  
• Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.

==

Please include the ComboFix and SpiderKill logs in your next reply.

SpiderKill by DragonMaster Jay ( Oct 2009 )


Microsoft Windows XP [Version 5.1.2600]

********************Drivers list********************


Volume in drive C has no label.
Volume Serial Number is 00B2-148C

Directory of C:\Windows\System32\Drivers

10/04/2009 03:04 PM .
10/04/2009 03:04 PM ..
07/14/2006 09:57 PM 6,140 1028_Dell_INS_I6400.mrk
04/13/2008 02:46 PM 53,376 1394bus.sys
08/17/2001 02:52 PM 23,552 ABP480N5.SYS
04/13/2008 02:36 PM 187,776 acpi.sys
08/04/2004 06:00 AM 11,648 acpiec.sys
08/17/2001 03:07 PM 101,888 adpu160m.sys
04/13/2008 08:11 PM 4,255 adv01nt5.dll
04/13/2008 08:11 PM 3,967 adv02nt5.dll
04/13/2008 08:11 PM 3,615 adv05nt5.dll
04/13/2008 08:11 PM 3,647 adv07nt5.dll
04/13/2008 08:11 PM 3,135 adv08nt5.dll
04/13/2008 08:11 PM 3,711 adv09nt5.dll
04/13/2008 08:11 PM 3,775 adv11nt5.dll
04/13/2008 12:39 PM 142,592 aec.sys
07/14/2006 10:19 PM 21,275 AegisP.sys
08/14/2008 06:04 AM 138,496 afd.sys
04/13/2008 02:36 PM 42,368 agp440.sys
04/13/2008 02:36 PM 44,928 agpcpq.sys
08/17/2001 02:52 PM 12,800 aha154x.sys
08/17/2001 03:07 PM 55,168 aic78u2.sys
08/17/2001 03:07 PM 56,960 aic78xx.sys
08/17/2001 02:51 PM 5,248 aliide.sys
04/13/2008 02:36 PM 42,752 alim1541.sys
04/13/2008 02:36 PM 43,008 amdagp.sys
04/13/2008 02:31 PM 37,376 amdk6.sys
04/13/2008 02:31 PM 37,760 amdk7.sys
08/17/2001 02:52 PM 12,032 amsint.sys
04/13/2008 02:51 PM 60,800 arp1394.sys
08/17/2001 02:52 PM 26,496 asc.sys
08/17/2001 02:52 PM 22,400 asc3350p.sys
08/17/2001 02:51 PM 14,848 asc3550.sys
07/14/2006 10:29 PM 8,552 asctrm.sys
04/13/2008 02:57 PM 14,336 asyncmac.sys
04/13/2008 02:40 PM 96,512 atapi.sys
08/03/2004 10:29 PM 56,623 ati1btxx.sys
08/03/2004 10:29 PM 11,615 ati1mdxx.sys
08/03/2004 10:29 PM 12,047 ati1pdxx.sys
08/03/2004 10:29 PM 30,671 ati1raxx.sys
08/03/2004 10:29 PM 63,663 ati1rvxx.sys
08/03/2004 10:29 PM 26,367 ati1snxx.sys
08/03/2004 10:29 PM 21,343 ati1ttxx.sys
08/03/2004 10:29 PM 36,463 ati1tuxx.sys
08/03/2004 10:29 PM 29,455 ati1xbxx.sys
08/03/2004 10:29 PM 34,735 ati1xsxx.sys
02/16/2006 12:02 AM 40,960 ati2erec.dll
08/03/2004 10:29 PM 327,040 ati2mtaa.sys
02/16/2006 12:39 AM 1,421,312 ati2mtag.sys
08/03/2004 10:29 PM 57,856 atinbtxx.sys
08/03/2004 10:29 PM 13,824 atinmdxx.sys
08/03/2004 10:29 PM 14,336 atinpdxx.sys
08/03/2004 10:29 PM 52,224 atinraxx.sys
08/03/2004 10:29 PM 104,960 atinrvxx.sys
08/03/2004 10:29 PM 28,672 atinsnxx.sys
08/03/2004 10:29 PM 13,824 atinttxx.sys
08/03/2004 10:29 PM 73,216 atintuxx.sys
08/03/2004 10:29 PM 31,744 atinxbxx.sys
08/03/2004 10:29 PM 63,488 atinxsxx.sys
10/11/2005 10:05 PM 1,114,674 ativcaxx.cpa
10/11/2005 10:05 PM 929 ativcaxx.vp
06/08/2005 01:45 AM 58,560 ativckxx.vp
07/17/2004 11:36 AM 64,352 ativmc20.cod
02/16/2006 12:58 AM 25,568 ativvpxx.vp
04/13/2008 02:51 PM 59,904 atmarpc.sys
08/04/2004 06:00 AM 31,360 atmepvc.sys
04/13/2008 02:51 PM 55,808 atmlane.sys
08/04/2004 06:00 AM 352,256 atmuni.sys
04/13/2008 08:11 PM 21,183 atv01nt5.dll
04/13/2008 08:11 PM 11,359 atv02nt5.dll
04/13/2008 08:11 PM 25,471 atv04nt5.dll
04/13/2008 08:11 PM 14,143 atv06nt5.dll
04/13/2008 08:11 PM 17,279 atv10nt5.dll
08/17/2001 02:59 PM 3,072 audstub.sys
02/13/2009 12:17 PM 45,416 avgntdd.sys
07/28/2009 04:33 PM 55,656 avgntflt.sys
02/13/2009 12:29 PM 22,360 avgntmgr.sys
03/30/2009 10:33 AM 96,104 avipbb.sys
04/13/2008 02:36 PM 14,208 battc.sys
08/05/2005 10:32 AM 45,312 bcm4sbxp.sys
08/04/2004 06:00 AM 4,224 beep.sys
04/13/2008 02:53 PM 71,552 bridge.sys
04/13/2008 02:46 PM 17,024 bthenum.sys
04/13/2008 02:46 PM 37,888 bthmodem.sys
04/13/2008 02:51 PM 101,120 bthpan.sys
06/13/2008 07:05 AM 272,128 bthport.sys
04/13/2008 02:46 PM 36,480 bthprint.sys
04/13/2008 02:46 PM 18,944 bthusb.sys
08/17/2001 02:52 PM 13,952 cbidf2k.sys
08/17/2001 02:52 PM 7,680 cd20xrnt.sys
08/04/2004 06:00 AM 18,688 cdaudio.sys
04/13/2008 03:14 PM 63,744 cdfs.sys
04/13/2008 02:40 PM 62,976 cdrom.sys
04/13/2008 08:11 PM 15,423 ch7xxnt5.dll
08/04/2004 06:00 AM 262,528 cinemst2.sys
04/13/2008 03:16 PM 49,536 classpnp.sys
04/13/2008 02:36 PM 13,952 cmbatt.sys
08/17/2001 02:51 PM 6,656 cmdide.sys
04/13/2008 02:36 PM 10,240 compbatt.sys
08/17/2001 02:52 PM 14,976 cpqarray.sys
08/04/2004 06:00 AM 11,776 cpqdap01.sys
04/13/2008 02:31 PM 36,736 crusoe.sys
07/17/2004 10:55 PM 129,045 cxthsfs2.cty
08/17/2001 02:52 PM 179,584 dac2w2k.sys
08/17/2001 02:52 PM 14,720 dac960nt.sys
08/08/2005 10:10 PM 133,972 del1028.cty
08/10/2004 01:52 PM disdn
04/13/2008 02:40 PM 36,352 disk.sys
04/13/2008 02:40 PM 14,208 diskdump.sys
04/13/2008 02:44 PM 799,744 dmboot.sys
04/13/2008 02:44 PM 153,344 dmio.sys
08/04/2004 06:00 AM 5,888 dmload.sys
04/13/2008 02:45 PM 52,864 dmusic.sys
08/17/2001 03:07 PM 20,192 dpti2o.sys
04/13/2008 02:45 PM 60,160 drmk.sys
04/13/2008 02:45 PM 2,944 drmkaud.sys
12/01/2004 04:22 AM 87,488 drvmcdb.sys
11/23/2004 03:56 AM 40,480 drvnddm.sys
04/09/2001 07:17 PM 39,096 DW90USB.SYS
08/04/2004 06:00 AM 10,496 dxapi.sys
04/13/2008 02:38 PM 71,168 dxg.sys
08/04/2004 06:00 AM 3,328 dxgthk.sys
08/17/2001 01:12 PM 117,760 e100b325.sys
08/17/2001 02:46 PM 6,400 enum1394.sys
10/04/2009 08:14 AM etc
04/13/2008 03:14 PM 143,744 fastfat.sys
04/13/2008 02:40 PM 27,392 fdc.sys
04/13/2008 02:33 PM 44,544 fips.sys
04/13/2008 02:40 PM 20,480 flpydisk.sys
04/13/2008 02:32 PM 129,792 fltmgr.sys
08/04/2004 06:00 AM 12,160 fsvga.sys
08/04/2004 06:00 AM 7,936 fs_rec.sys
08/17/2001 02:52 PM 125,056 ftdisk.sys
04/13/2008 02:36 PM 46,464 gagp30kx.sys
08/04/2004 06:00 AM 3,440,660 gm.dls
08/04/2004 06:00 AM 646 gmreadme.txt
04/13/2008 12:36 PM 144,384 hdaudbus.sys
08/12/2004 06:45 PM 113,664 Hdaudio.sys
04/13/2008 02:46 PM 25,600 hidbth.sys
04/13/2008 02:45 PM 36,864 hidclass.sys
04/13/2008 02:45 PM 19,200 hidir.sys
04/13/2008 02:45 PM 24,960 hidparse.sys
04/13/2008 02:45 PM 10,368 hidusb.sys
08/17/2001 03:07 PM 25,952 hpn.sys
01/31/2006 08:48 PM 49,664 HPZid412.sys
01/31/2006 08:48 PM 16,496 HPZipr12.sys
10/21/2005 07:52 PM 21,568 HPZius12.sys
08/03/2004 10:41 PM 220,032 hsfbs2s2.sys
08/03/2004 10:41 PM 685,056 hsfcxts2.sys
08/03/2004 10:41 PM 1,041,536 hsfdpsp2.sys
07/21/2005 09:01 PM 201,600 HSFHWAZL.sys
07/21/2005 09:01 PM 717,952 HSF_CNXT.sys
07/21/2005 09:02 PM 1,035,008 HSF_DPV.sys
04/13/2008 02:53 PM 264,832 http.sys
04/13/2008 02:41 PM 8,576 i2omgmt.sys
04/13/2008 02:41 PM 18,560 i2omp.sys
04/13/2008 03:18 PM 52,480 i8042prt.sys
04/13/2008 02:40 PM 42,112 imapi.sys
08/17/2001 02:52 PM 16,000 ini910u.sys
04/13/2008 02:40 PM 5,504 intelide.sys
04/13/2008 02:31 PM 36,352 intelppm.sys
04/13/2008 02:53 PM 36,608 ip6fw.sys
08/04/2004 06:00 AM 32,896 ipfltdrv.sys
04/13/2008 02:57 PM 20,864 ipinip.sys
04/13/2008 02:57 PM 152,832 ipnat.sys
04/13/2008 03:19 PM 75,264 ipsec.sys
04/13/2008 02:54 PM 11,264 irenum.sys
04/13/2008 02:36 PM 37,248 isapnp.sys
04/13/2008 02:39 PM 24,576 kbdclass.sys
04/13/2008 02:45 PM 172,416 kmixer.sys
04/13/2008 03:16 PM 141,056 ks.sys
06/24/2009 07:18 AM 92,928 ksecdd.sys
09/10/2009 02:53 PM 19,160 mbam.sys
09/10/2009 02:54 PM 38,224 mbamswissarmy.sys
08/04/2004 06:00 AM 7,680 mcd.sys
03/16/2004 09:04 PM 13,059 mdmxsdk.sys
04/13/2008 02:36 PM 63,744 mf.sys
08/04/2004 06:00 AM 4,224 mnmdd.sys
04/13/2008 03:00 PM 30,080 modem.sys
04/13/2008 02:39 PM 23,040 mouclass.sys
08/17/2001 01:48 PM 12,160 mouhid.sys
04/13/2008 02:39 PM 42,368 mountmgr.sys
08/17/2001 02:52 PM 17,280 mraid35x.sys
04/13/2008 02:32 PM 180,608 mrxdav.sys
10/24/2008 07:21 AM 455,296 mrxsmb.sys
04/13/2008 02:32 PM 19,072 msfs.sys
04/13/2008 02:56 PM 35,072 msgpc.sys
04/13/2008 02:39 PM 7,552 mskssrv.sys
04/13/2008 02:39 PM 5,376 mspclock.sys
04/13/2008 02:39 PM 4,992 mspqm.sys
04/13/2008 02:36 PM 15,488 mssmbios.sys
08/03/2004 10:41 PM 126,686 mtlmnt5.sys
08/03/2004 10:41 PM 1,309,184 mtlstrm.sys
08/03/2004 10:29 PM 452,736 mtxparhm.sys
04/13/2008 03:17 PM 105,344 mup.sys
04/13/2008 02:43 PM 12,672 mutohpen.sys
04/13/2008 03:20 PM 182,656 ndis.sys
04/13/2008 02:57 PM 10,112 ndistapi.sys
04/13/2008 02:55 PM 14,592 ndisuio.sys
04/13/2008 03:20 PM 91,520 ndiswan.sys
04/13/2008 02:57 PM 40,576 ndproxy.sys
04/13/2008 02:56 PM 34,688 netbios.sys
04/13/2008 03:21 PM 162,816 netbt.sys
07/17/2004 11:35 AM 67,866 netwlan5.img
04/13/2008 02:51 PM 61,824 nic1394.sys
08/04/2004 06:00 AM 12,032 nikedrv.sys
04/13/2008 02:53 PM 40,320 nmnt.sys
04/13/2008 02:32 PM 30,848 npfs.sys
04/13/2008 03:15 PM 574,976 ntfs.sys
08/03/2004 10:41 PM 180,360 ntmtlfax.sys
08/04/2004 06:00 AM 2,944 null.sys
08/03/2004 11:29 PM 1,897,408 nv4_mini.sys
08/04/2004 06:00 AM 12,416 nwlnkflt.sys
08/04/2004 06:00 AM 32,512 nwlnkfwd.sys
04/13/2008 02:56 PM 88,320 nwlnkipx.sys
08/04/2004 06:00 AM 63,232 nwlnknb.sys
08/04/2004 06:00 AM 55,936 nwlnkspx.sys
04/13/2008 02:46 PM 61,696 ohci1394.sys
02/13/2004 10:46 AM 17,153 omci.sys
08/04/2004 06:00 AM 3,456 oprghdlr.sys
04/13/2008 02:31 PM 42,752 p3.sys
04/13/2008 02:40 PM 80,128 parport.sys
04/13/2008 02:40 PM 19,712 partmgr.sys
08/04/2004 06:00 AM 6,784 parvdm.sys
04/13/2008 02:36 PM 68,224 pci.sys
08/17/2001 02:51 PM 3,328 pciide.sys
04/13/2008 02:40 PM 24,960 pciidex.sys
04/13/2008 02:36 PM 120,192 pcmcia.sys
08/17/2001 03:07 PM 27,296 perc2.sys
08/17/2001 03:07 PM 5,504 perc2hib.sys
04/13/2008 03:19 PM 146,048 portcls.sys
04/13/2008 02:31 PM 35,840 processr.sys
04/13/2008 02:56 PM 69,120 psched.sys
08/04/2004 06:00 AM 17,792 ptilink.sys
04/25/2005 03:03 AM 20,640 pxhelp20.sys
08/17/2001 02:52 PM 40,320 ql1080.sys
08/17/2001 02:52 PM 33,152 ql10wnt.sys
08/17/2001 02:52 PM 45,312 ql12160.sys
08/17/2001 02:52 PM 40,448 ql1240.sys
08/17/2001 02:52 PM 49,024 ql1280.sys
08/04/2004 06:00 AM 8,832 rasacd.sys
04/13/2008 03:19 PM 51,328 rasl2tp.sys
04/13/2008 02:57 PM 41,472 raspppoe.sys
04/13/2008 03:19 PM 48,384 raspptp.sys
08/04/2004 06:00 AM 16,512 raspti.sys
08/04/2004 06:00 AM 34,432 rawwan.sys
04/13/2008 03:28 PM 175,744 rdbss.sys
08/04/2004 06:00 AM 4,224 rdpcdd.sys
04/13/2008 02:32 PM 196,224 rdpdr.sys
04/13/2008 08:13 PM 139,656 rdpwd.sys
08/03/2004 10:41 PM 13,776 recagent.sys
04/13/2008 02:40 PM 57,600 redbook.sys
04/13/2008 02:46 PM 59,136 rfcomm.sys
10/14/2005 09:40 AM 28,544 rimmptsk.sys
10/14/2005 09:40 AM 51,328 rimsptsk.sys
08/04/2004 06:00 AM 12,032 rio8drv.sys
08/04/2004 06:00 AM 12,032 riodrv.sys
10/14/2005 09:40 AM 307,968 rixdptsk.sys
05/08/2008 10:02 AM 203,136 rmcast.sys
04/13/2008 02:56 PM 30,592 rndismp.sys
04/13/2008 02:56 PM 30,592 rndismpx.sys
08/04/2004 06:00 AM 5,888 rootmdm.sys
12/28/2005 02:22 PM 13,568 s24trans.sys
08/03/2004 10:29 PM 166,912 s3gnbm.sys
04/13/2008 02:40 PM 96,384 scsiport.sys
04/13/2008 02:36 PM 79,232 sdbus.sys
07/14/2005 08:32 PM 40,576 sdcplh.sys
11/13/2007 06:25 AM 20,480 secdrv.sys
04/13/2008 02:40 PM 15,744 serenum.sys
04/13/2008 03:15 PM 64,512 serial.sys
04/13/2008 02:40 PM 11,904 sffdisk.sys
04/13/2008 02:40 PM 10,240 sffp_mmc.sys
04/13/2008 02:40 PM 11,008 sffp_sd.sys
04/13/2008 02:40 PM 11,392 sfloppy.sys
04/13/2008 08:12 PM 3,901 siint5.dll
04/13/2008 02:36 PM 40,960 sisagp.sys
08/03/2004 10:41 PM 129,535 slnt7554.sys
08/03/2004 10:41 PM 404,990 slntamr.sys
08/03/2004 10:41 PM 95,424 slnthal.sys
08/03/2004 10:41 PM 13,240 slwdmsup.sys
04/13/2008 02:36 PM 5,888 smbali.sys
08/04/2004 06:00 AM 14,592 smclib.sys
04/13/2008 02:46 PM 25,344 sonydcam.sys
08/17/2001 03:07 PM 19,072 sparrow.sys
04/13/2008 02:45 PM 6,272 splitter.sys
04/13/2008 02:36 PM 73,472 sr.sys
12/11/2008 06:57 AM 333,952 srv.sys
07/14/2004 12:29 PM 5,627 sscdbhk5.sys
05/11/2009 10:12 AM 28,520 ssmdrv.sys
07/14/2004 12:28 PM 23,545 ssrtln.sys
03/24/2006 05:34 PM 1,156,648 sthda.sys
04/13/2008 02:45 PM 49,408 stream.sys
04/13/2008 02:39 PM 4,352 swenum.sys
04/13/2008 02:45 PM 56,576 swmidi.sys
08/17/2001 03:07 PM 16,256 symc810.sys
08/17/2001 03:07 PM 32,640 symc8xx.sys
08/17/2001 03:07 PM 28,384 sym_hi.sys
08/17/2001 03:07 PM 30,688 sym_u3.sys
03/08/2006 12:35 PM 191,872 SynTP.sys
04/13/2008 03:15 PM 60,800 sysaudio.sys
04/13/2008 02:40 PM 14,976 tape.sys
06/20/2008 07:51 AM 361,600 tcpip.sys
06/20/2008 07:08 AM 225,856 tcpip6.sys
04/13/2008 03:00 PM 19,072 tdi.sys
04/13/2008 08:13 PM 12,040 tdpipe.sys
04/13/2008 08:13 PM 21,896 tdtcp.sys
04/13/2008 08:13 PM 40,840 termdd.sys
09/15/2008 04:09 PM 102,664 tmcomm.sys
08/04/2004 06:00 AM 51,712 tosdvd.sys
08/17/2001 02:51 PM 4,992 toside.sys
08/04/2004 06:00 AM 21,376 tsbvcap.sys
04/13/2008 02:56 PM 12,288 tunmp.sys
04/13/2008 02:36 PM 44,672 uagp35.sys
04/13/2008 02:32 PM 66,048 udfs.sys
08/17/2001 02:52 PM 36,736 ultra.sys
12/07/2006 01:18 AM UMDF
04/13/2008 02:39 PM 384,768 update.sys
04/13/2008 02:56 PM 12,800 usb8023.sys
04/13/2008 02:56 PM 12,800 usb8023x.sys
04/13/2008 02:45 PM 25,600 usbcamd.sys
04/13/2008 02:45 PM 25,728 usbcamd2.sys
04/13/2008 02:45 PM 32,128 usbccgp.sys
08/04/2004 06:00 AM 4,736 usbd.sys
04/13/2008 02:45 PM 30,208 usbehci.sys
04/13/2008 02:45 PM 59,520 usbhub.sys
04/13/2008 02:45 PM 15,872 usbintel.sys
04/13/2008 02:45 PM 143,872 usbport.sys
04/13/2008 02:47 PM 25,856 usbprint.sys
04/13/2008 02:45 PM 15,104 usbscan.sys
04/13/2008 02:45 PM 26,368 usbstor.sys
04/13/2008 02:45 PM 20,608 usbuhci.sys
04/13/2008 02:46 PM 121,984 usbvideo.sys
04/13/2008 08:12 PM 11,325 vchnt5.dll
08/04/2004 06:00 AM 58,112 vdmindvd.sys
04/13/2008 02:44 PM 20,992 vga.sys
04/13/2008 02:36 PM 42,240 viaagp.sys
04/13/2008 02:40 PM 5,376 viaide.sys
04/13/2008 02:44 PM 81,664 videoprt.sys
12/15/2003 06:22 PM 38,448 VNUSB.sys
04/13/2008 02:41 PM 52,352 volsnap.sys
12/04/2005 10:55 AM 1,428,096 w39n51.sys
04/13/2008 02:43 PM 14,208 wacompen.sys
08/03/2004 10:29 PM 11,807 wadv07nt.sys
08/03/2004 10:29 PM 11,295 wadv08nt.sys
08/03/2004 10:29 PM 11,871 wadv09nt.sys
08/03/2004 10:29 PM 11,935 wadv11nt.sys
04/13/2008 02:57 PM 34,560 wanarp.sys
08/03/2004 10:29 PM 22,271 watv06nt.sys
08/03/2004 10:29 PM 25,471 watv10nt.sys
04/13/2008 03:17 PM 83,072 wdmaud.sys
04/13/2008 02:36 PM 8,832 wmiacpi.sys
08/04/2004 06:00 AM 4,352 wmilib.sys
10/18/2006 09:00 PM 38,528 wpdusb.sys
08/04/2004 06:00 AM 12,032 ws2ifsl.sys
09/28/2006 07:55 PM 77,568 WudfPf.sys
09/28/2006 08:00 PM 82,944 WudfRd.sys
351 File(s) 35,552,551 bytes

Directory of C:\Windows\System32\Drivers\disdn

08/10/2004 01:52 PM .
08/10/2004 01:52 PM ..
0 File(s) 0 bytes

Directory of C:\Windows\System32\Drivers\etc

10/04/2009 08:14 AM .
10/04/2009 08:14 AM ..
10/04/2009 08:14 AM 27 hosts
08/04/2004 06:00 AM 3,683 lmhosts.sam
08/04/2004 06:00 AM 407 networks
08/04/2004 06:00 AM 799 protocol
08/04/2004 06:00 AM 1,540 quotes
08/04/2004 06:00 AM 7,116 services
6 File(s) 13,572 bytes

Directory of C:\Windows\System32\Drivers\UMDF

12/07/2006 01:18 AM .
12/07/2006 01:18 AM ..
10/18/2006 10:47 PM 671,232 wpdmtpdr.dll
1 File(s) 671,232 bytes

Total Files Listed:
358 File(s) 36,237,355 bytes
11 Dir(s) 33,256,189,952 bytes free


***********************Hidden Drivers********************
Volume in drive C has no label.
Volume Serial Number is 00B2-148C

Directory of C:\Windows\System32\Drivers



*********************Processes*******************


PROCESS PID PRIO PATH
smss.exe 952 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 1000 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 1028 High C:\WINDOWS\system32\winlogon.exe
services.exe 1076 Normal C:\WINDOWS\system32\services.exe
lsass.exe 1088 Normal C:\WINDOWS\system32\lsass.exe
Ati2evxx.exe 1268 Normal C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe 1300 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1368 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1536 Normal C:\WINDOWS\System32\svchost.exe
svchost.exe 1576 Normal C:\WINDOWS\system32\svchost.exe
EvtEng.exe 1720 Normal C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
S24EvMon.exe 1800 Normal C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
Ati2evxx.exe 1820 Normal C:\WINDOWS\system32\Ati2evxx.exe
WLKeeper.exe 1940 Normal C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe 2044 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 392 Normal C:\WINDOWS\system32\svchost.exe
spoolsv.exe 852 Normal C:\WINDOWS\system32\spoolsv.exe
svchost.exe 280 Normal C:\WINDOWS\system32\svchost.exe
RegSrvc.exe 1040 Normal C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
tcpsvcs.exe 1512 Normal C:\WINDOWS\system32\tcpsvcs.exe
snmp.exe 1748 Normal C:\WINDOWS\System32\snmp.exe
svchost.exe 1848 Normal C:\WINDOWS\system32\svchost.exe
CALMAIN.exe 2536 Normal C:\Program Files\Canon\CAL\CALMAIN.exe
alg.exe 3592 Normal C:\WINDOWS\System32\alg.exe
ZCfgSvc.exe 2660 Normal C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
ifrmewrk.exe 2748 Normal C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
stsystra.exe 2828 Normal C:\WINDOWS\stsystra.exe
SynTPEnh.exe 2912 Normal C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
cli.exe 3036 Normal C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
DVDLauncher.exe 3044 Normal C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
tfswctrl.exe 2312 Normal C:\WINDOWS\system32\dla\tfswctrl.exe
issch.exe 3096 Normal C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
HPWuSchd2.exe 2808 Normal C:\HP Software Update\HPWuSchd2.exe
Dot1XCfg.exe 3308 Normal C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
aim.exe 3692 Normal C:\Program Files\AIM\aim.exe
DSAgnt.exe 2844 Below Normal C:\Program Files\DellSupport\DSAgnt.exe
ctfmon.exe 3492 Normal C:\WINDOWS\system32\ctfmon.exe
DevDtct2.exe 660 High C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
DLG.exe 2736 Normal C:\Program Files\Digital Line Detect\DLG.exe
hpqtra08.exe 3704 Normal C:\Digital Imaging\bin\hpqtra08.exe
hpqSTE08.exe 824 Normal C:\Digital Imaging\bin\hpqSTE08.exe
cli.exe 2416 Normal C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
avguard.exe 3676 Normal C:\Program Files\Avira\AntiVir Desktop\avguard.exe
sched.exe 720 Normal C:\Program Files\Avira\AntiVir Desktop\sched.exe
avgnt.exe 868 Normal C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
explorer.exe 2340 Normal C:\WINDOWS\explorer.exe
notepad.exe 3108 Normal C:\WINDOWS\system32\notepad.exe
firefox.exe 3532 Normal C:\Mozilla Firefox\firefox.exe
cmd.exe 1992 Normal C:\WINDOWS\system32\cmd.exe
processes.exe 4012 Normal C:\Documents and Settings\Catherine\Desktop\SpiderKill\processes.exe


Module information for 'explorer.exe'(2340)
MODULE BASE SIZE PATH
explorer.exe 1000000 1044480 C:\WINDOWS\explorer.exe 6.00.2900.5512 (xpsp.080413-2105) Windows Explorer
ntdll.dll 7c900000 729088 C:\WINDOWS\system32\ntdll.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) NT Layer DLL
kernel32.dll 7c800000 1007616 C:\WINDOWS\system32\kernel32.dll 5.1.2600.5781 (xpsp_sp3_gdr.090321-1317) Windows NT BASE API Client DLL
ADVAPI32.dll 77dd0000 634880 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234) Advanced Windows 32 Base API
RPCRT4.dll 77e70000 598016 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.5795 (xpsp_sp3_gdr.090415-1241) Remote Procedure Call Runtime
Secur32.dll 77fe0000 69632 C:\WINDOWS\system32\Secur32.dll 5.1.2600.5834 (xpsp_sp3_gdr.090624-1305) Security Support Provider Interface
BROWSEUI.dll 75f80000 1036288 C:\WINDOWS\system32\BROWSEUI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
GDI32.dll 77f10000 299008 C:\WINDOWS\system32\GDI32.dll 5.1.2600.5698 (xpsp_sp3_gdr.081022-1932) GDI Client DLL
USER32.dll 7e410000 593920 C:\WINDOWS\system32\USER32.dll 5.1.2600.5512 (xpsp.080413-2105) Windows XP USER API Client DLL
msvcrt.dll 77c10000 360448 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.5512 (xpsp.080413-2111) Windows NT CRT DLL
ole32.dll 774e0000 1298432 C:\WINDOWS\system32\ole32.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft OLE for Windows
SHLWAPI.dll 77f60000 483328 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Light-weight Utility Library
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 5.1.2600.5512 5.1.2600.5512
SHDOCVW.dll 7e290000 1511424 C:\WINDOWS\system32\SHDOCVW.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Doc Object and Control Library
CRYPT32.dll 77a80000 610304 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.5512 (xpsp.080413-2113) Crypto API32
MSASN1.dll 77b20000 73728 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.5512 (xpsp.080413-0852) ASN.1 Runtime APIs
CRYPTUI.dll 754d0000 524288 C:\WINDOWS\system32\CRYPTUI.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust UI Provider
NETAPI32.dll 5b860000 348160 C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.5694 (xpsp_sp3_gdr.081015-1312) Net Win32 API DLL
VERSION.dll 77c00000 32768 C:\WINDOWS\system32\VERSION.dll 5.1.2600.5512 (xpsp.080413-2105) Version Checking and File Installation Libraries
WININET.dll 3d930000 851968 C:\WINDOWS\system32\WININET.dll 7.00.6000.16876 (vista_gdr.090625-2339) Internet Extensions for Win32
Normaliz.dll 400000 36864 C:\WINDOWS\system32\Normaliz.dll 6.0.5441.0 (winmain(wmbla).060628-1735) Unicode Normalization DLL
iertutil.dll 3dfd0000 282624 C:\WINDOWS\system32\iertutil.dll 7.00.6000.16876 (vista_gdr.090625-2339) Run time utility for Internet Explorer
WINTRUST.dll 76c30000 188416 C:\WINDOWS\system32\WINTRUST.dll 5.131.2600.5512 (xpsp.080413-2113) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 163840 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.5512 (xpsp.080413-2105) Windows NT Image Helper
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.5512 (xpsp.080413-2113) Win32 LDAP API DLL
SHELL32.dll 7c9c0000 8482816 C:\WINDOWS\system32\SHELL32.dll 6.00.2900.5622 (xpsp_sp3_gdr.080617-1319) Windows Shell Common Dll
UxTheme.dll 5ad70000 229376 C:\WINDOWS\system32\UxTheme.dll 6.00.2900.5512 (xpsp.080413-2105) Microsoft UxTheme Library
ShimEng.dll 5cb70000 155648 C:\WINDOWS\system32\ShimEng.dll 5.1.2600.5512 (xpsp.080413-2105) Shim Engine DLL
AcGenral.DLL 6f880000 1875968 C:\WINDOWS\AppPatch\AcGenral.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows Compatibility DLL
WINMM.dll 76b40000 184320 C:\WINDOWS\system32\WINMM.dll 5.1.2600.5512 (xpsp.080413-0845) MCI API DLL
MSACM32.dll 77be0000 86016 C:\WINDOWS\system32\MSACM32.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft ACM Audio Filter
USERENV.dll 769c0000 737280 C:\WINDOWS\system32\USERENV.dll 5.1.2600.5512 (xpsp.080413-2113) Userenv
IMM32.DLL 76390000 118784 C:\WINDOWS\system32\IMM32.DLL 5.1.2600.5512 (xpsp.080413-2105) Windows XP IMM32 API Client DLL
comctl32.dll 773d0000 1060864 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 6.0 (xpsp.080413-2105) User Experience Controls Library
comctl32.dll 5d090000 630784 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp.080413-2105) Common Controls Library
MSCTF.dll 74720000 311296 C:\WINDOWS\system32\MSCTF.dll 5.1.2600.5512 (xpsp.080413-2105) MSCTF Server DLL
msctfime.ime 755c0000 188416 C:\WINDOWS\system32\msctfime.ime 5.1.2600.5512 (xpsp.080413-2105) Microsoft Text Frame Work Service IME
appHelp.dll 77b40000 139264 C:\WINDOWS\system32\appHelp.dll 5.1.2600.5512 (xpsp.080413-2105) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 520192 C:\WINDOWS\system32\CLBCATQ.DLL 2001.12.4414.700 2001.12.4414.700
COMRes.dll 77050000 806912 C:\WINDOWS\system32\COMRes.dll 2001.12.4414.700 2001.12.4414.700
themeui.dll 5ba60000 462848 C:\WINDOWS\system32\themeui.dll 6.00.2900.5512 (xpsp.080413-2105) Windows Theme API
MSIMG32.dll 76380000 20480 C:\WINDOWS\system32\MSIMG32.dll 5.1.2600.5512 (xpsp.080413-2105) GDIEXT Client DLL
xpsp2res.dll 13a0000 2904064 C:\WINDOWS\system32\xpsp2res.dll 5.1.2600.5512 (xpsp.080413-2113) Service Pack 2 Messages
ACTXPRXY.DLL 71d40000 110592 C:\WINDOWS\system32\ACTXPRXY.DLL 6.00.2900.5512 (xpsp.080413-2113) ActiveX Interface Marshaling Library
wmpband.dll 13420000 106496 C:\PROGRA~1\WINDOW~2\wmpband.dll 11.0.5721.5145 (WMP_11.061018-2006) Windows Media Player Deskband
MPR.dll 71b20000 73728 C:\WINDOWS\system32\MPR.dll 5.1.2600.5512 (xpsp.080413-0852) Multiple Provider Router DLL
SAMLIB.dll 71bf0000 77824 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.5512 (xpsp.080413-2113) SAM Library DLL
LINKINFO.dll 76980000 32768 C:\WINDOWS\system32\LINKINFO.dll 5.1.2600.5512 (xpsp.080413-2105) Windows Volume Tracking
ntshrui.dll 76990000 151552 C:\WINDOWS\system32\ntshrui.dll 5.1.2600.5512 (xpsp.080413-2105) Shell extensions for sharing
ATL.DLL 76b20000 69632 C:\WINDOWS\system32\ATL.DLL 3.05.2284 ATL Module for Windows XP (Unicode)
ieframe.dll 3e1c0000 6082560 C:\WINDOWS\system32\ieframe.dll 7.00.6000.16890 (vista_gdr.090717-2341) Internet Explorer
PSAPI.DLL 76bf0000 45056 C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.5512 (xpsp.080413-2105) Process Status Helper
msi.dll 7d1e0000 2867200 C:\WINDOWS\system32\msi.dll 3.1.4001.5512 Windows Installer
SETUPAPI.dll 77920000 995328 C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Setup API
NETSHELL.dll 76400000 1724416 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.5512 (xpsp.080413-0852) Network Connections Shell
credui.dll 76c00000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.5512 (xpsp.080413-2113) Credential Manager User Interface
dot3api.dll 478c0000 40960 C:\WINDOWS\system32\dot3api.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 Autoconfiguration API
rtutils.dll 76e80000 57344 C:\WINDOWS\system32\rtutils.dll 5.1.2600.5512 (xpsp.080413-0852) Routing Utilities
dot3dlg.dll 736d0000 24576 C:\WINDOWS\system32\dot3dlg.dll 5.1.2600.5512 (xpsp.080413-0852) 802.3 UI Helper
OneX.DLL 5dca0000 163840 C:\WINDOWS\system32\OneX.DLL 5.1.2600.5512 (xpsp.080413-0852) IEEE 802.1X supplicant library
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\system32\WTSAPI32.dll 5.1.2600.5512 (xpsp.080413-2111) Windows Terminal Server SDK APIs
WINSTA.dll 76360000 65536 C:\WINDOWS\system32\WINSTA.dll 5.1.2600.5512 (xpsp.080413-2111) Winstation Library
eappcfg.dll 745b0000 139264 C:\WINDOWS\system32\eappcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Eap Peer Config
MSVCP60.dll 76080000 413696 C:\WINDOWS\system32\MSVCP60.dll 6.02.3104.0 Microsoft (R) C++ Runtime Library
eappprxy.dll 5dcd0000 57344 C:\WINDOWS\system32\eappprxy.dll 5.1.2600.5512 (xpsp.080413-0852) Microsoft EAPHost Peer Client DLL
iphlpapi.dll 76d60000 102400 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.5512 (xpsp.080413-0852) IP Helper API
WS2_32.dll 71ab0000 94208 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Socket 2.0 Helper for Windows NT
urlmon.dll 78130000 1208320 C:\WINDOWS\system32\urlmon.dll 7.00.6000.16876 (vista_gdr.090625-2339) OLE32 Extensions for Win32
MLANG.dll 75cf0000 593920 C:\WINDOWS\system32\MLANG.dll 6.00.2900.5512 (xpsp.080413-2105) Multi Language Support DLL
wdmaud.drv 72d20000 36864 C:\WINDOWS\system32\wdmaud.drv 5.1.2600.5512 (xpsp.080413-2108) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\system32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
midimap.dll 77bd0000 28672 C:\WINDOWS\system32\midimap.dll 5.1.2600.5512 (xpsp.080413-0845) Microsoft MIDI Mapper
webcheck.dll 42e40000 245760 C:\WINDOWS\system32\webcheck.dll 7.00.6000.16876 (vista_gdr.090625-2339) Web Site Monitor
stobject.dll 76280000 135168 C:\WINDOWS\system32\stobject.dll 5.1.2600.5512 (xpsp.080413-2105) Systray shell service object
BatMeter.dll 74af0000 40960 C:\WINDOWS\system32\BatMeter.dll 6.00.2900.5512 (xpsp.080413-2105) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 32768 C:\WINDOWS\system32\POWRPROF.dll 6.00.2900.5512 (xpsp.080413-2105) Power Profile Helper DLL
WPDShServiceObj.dll 164a0000 143360 C:\WINDOWS\system32\WPDShServiceObj.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device Shell Service Object
WINHTTP.dll 4d4f0000 364544 C:\WINDOWS\system32\WINHTTP.dll 5.1.2600.5727 (xpsp_sp3_gdr.081215-1359) Windows HTTP Services
cscui.dll 77a20000 344064 C:\WINDOWS\system32\cscui.dll 5.1.2600.5512 (xpsp.080413-2105) Client Side Caching UI
CSCDLL.dll 76600000 118784 C:\WINDOWS\system32\CSCDLL.dll 5.1.2600.5512 (xpsp.080413-2111) Offline Network Agent
mydocs.dll 72410000 106496 C:\WINDOWS\system32\mydocs.dll 6.00.2900.5512 (xpsp.080413-2105) My Documents Folder UI
upnpui.dll 5af80000 249856 C:\WINDOWS\system32\upnpui.dll 5.1.2600.5512 (xpsp.080413-0852) UPNP Tray Monitor and Folder
upnp.dll 76de0000 147456 C:\WINDOWS\system32\upnp.dll 5.1.2600.5512 (xpsp.080413-0852) Universal Plug and Play API
SSDPAPI.dll 74f00000 49152 C:\WINDOWS\system32\SSDPAPI.dll 5.1.2600.5512 (xpsp.080413-0852) SSDP Client API DLL
hnetcfg.dll 662b0000 360448 C:\WINDOWS\system32\hnetcfg.dll 5.1.2600.5512 (xpsp.080413-0852) Home Networking Configuration Manager
mswsock.dll 71a50000 258048 C:\WINDOWS\system32\mswsock.dll 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249) Microsoft Windows Sockets 2.0 Service Provider
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.5512 (xpsp.080413-0852) Windows Sockets Helper DLL
PortableDeviceTypes.dll 109c0000 180224 C:\WINDOWS\system32\PortableDeviceTypes.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device (Parameter) Types Component
PortableDeviceApi.dll 10930000 299008 C:\WINDOWS\system32\PortableDeviceApi.dll 5.2.5721.5145 (WMP_11.061018-2006) Windows Portable Device API Components
WZCSAPI.DLL 73030000 65536 C:\WINDOWS\system32\WZCSAPI.DLL 5.1.2600.5512 (xpsp.080413-0852) Wireless Zero Configuration service API
wzcdlg.dll 5df10000 393216 C:\WINDOWS\system32\wzcdlg.dll 5.1.2600.5512 (xpsp.080413-0852) Wireless Zero Configuration Service UI
drprov.dll 75f60000 28672 C:\WINDOWS\System32\drprov.dll 5.1.2600.5512 (xpsp.080413-2111) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 57344 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.5512 (xpsp.080413-2108) Microsoft Lan Manager
NETUI0.dll 71cd0000 94208 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 262144 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.5512 (xpsp.080413-2108) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 28672 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.5512 (xpsp.080413-2113) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 40960 C:\WINDOWS\System32\davclnt.dll 5.1.2600.5512 (xpsp.080413-2111) Web DAV Client DLL
mbamext.dll 10000000 73728 C:\Documents and Settings\newv\mbamext.dll 1, 2, 0, 0 Malwarebytes' Anti-Malware
shlext.dll 3070000 311296 C:\Program Files\Avira\AntiVir Desktop\shlext.dll 9.00.00.04 AntiVirus context menu
WINSPOOL.DRV 73000000 155648 C:\WINDOWS\system32\WINSPOOL.DRV 5.1.2600.5512 (xpsp.080413-0852) Windows Spooler Driver
PDFShell.dll 31c0000 372736 C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll 8.1.0.0 PDF Shell Extension
MSVCR80.dll 3220000 634880 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll 8.00.50727.163 Microsoft C Runtime Library
rsaenh.dll 68000000 221184 C:\WINDOWS\system32\rsaenh.dll 5.1.2600.5507 (xpsp.080318-1711) Microsoft Enhanced Cryptographic Provider
browselc.dll 71600000 73728 C:\WINDOWS\system32\browselc.dll 6.00.2900.5512 (xpsp.080413-2105) Shell Browser UI Library
zipfldr.dll 73380000 356352 C:\WINDOWS\system32\zipfldr.dll 6.00.2900.5512 (xpsp.080413-2105) Compressed (zipped) Folders
DUSER.dll 6c1b0000 315392 C:\WINDOWS\system32\DUSER.dll 5.1.2600.5512 (xpsp.080413-2105) Windows DirectUser Engine
MSISIP.DLL 605f0000 28672 C:\WINDOWS\system32\MSISIP.DLL 3.1.4001.5512 MSI Signature SIP Provider
wshext.dll 7dfa0000 90112 C:\WINDOWS\system32\wshext.dll 5.7.0.18066 Microsoft (R) Shell Extension for Windows script Host
MCPS.DLL 36d30000 110592 C:\PROGRA~1\MICROS~4\OFFICE11\MCPS.DLL 11.0.8164 Media Catalog Proxy/Stub



******************************************
EOF

DragonMaster Jay wrote:

Hi

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   DirLook::
   c:\windows\system32\config\systemprofile\Application Data\5418712380
   c:\documents and settings\Catherine\Application Data\7925498587
   
   FileLook::
   junovedo.dll
   
   File::
   c:\windows\system32\pump.exe
   c:\windows\wf4.dat
   c:\windows\wf3.dat
   c:\windows\system32\plugie.dll
   c:\windows\system32\drivers\e2aede76.sys
   C:\qgferewy.exe
   C:\hrngen.exe
   C:\prdfjhha.exe
   c:\windows\system32\biluguki.dll
   c:\windows\system32\vuwupajo.dll
   c:\documents and settings\Catherine\Application Data\ojikoxun.dat
   c:\docume~1\CATHER~1\LOCALS~1\Temp\c5eoy.exe
   c:\documents and settings\Catherine\Application Data\svcst.exe
   c:\windows\system32\monekuho.dll
   

4. Save this as CFscript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFscript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

==

Please download SpiderKill and save it to your Desktop.

• Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  
• Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  
• Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.

==

Please include the ComboFix and SpiderKill logs in your next reply.

Hi

I noticed quite a few system changes from your last log to this log. From this point on you should NOT make further changes to your computer, unless advised by a Tech Staff member or a moderator, nor should you continue to ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the log you already posted.

From this point on, the Tech Staff Team, administrators, and moderators; should be the only members that you take advice from, until they have verified your log as clean.

Please uninstall all Malwarebytes' Anti-Malware from Control Panel > Add or Remove Programs.

Then, it needs to be re-downloaded. The install location must be C:\Program Files\Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Okay, gotcha.


Malwarebytes' Anti-Malware 1.41
Database version: 2905
Windows 5.1.2600 Service Pack 3

10/4/2009 5:19:10 PM
mbam-log-2009-10-04 (17-19-10).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 157955
Time elapsed: 45 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\biluguki.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001451.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001532.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0001554.sys (Worm.Agent) -> Quarantined and deleted successfully.

DragonMaster Jay wrote:

Hi

I noticed quite a few system changes from your last log to this log. From this point on you should NOT make further changes to your computer, unless advised by a Tech Staff member or a moderator, nor should you continue to ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the log you already posted.

From this point on, the Tech Staff Team, administrators, and moderators; should be the only members that you take advice from, until they have verified your log as clean.

Please uninstall all Malwarebytes' Anti-Malware from Control Panel > Add or Remove Programs.

Then, it needs to be re-downloaded. The install location must be C:\Program Files\Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Hi

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction Here for installation.
  
• Accept the License Agreement.
  
• Once the ActiveX installs,Click Full System Scan
  
• Once the download completes,the scan will begin automatically.
  
• The scan will take some time to finish,so please be patient.
  
• When the scan completes, click the Automatic cleaning (recommended) button.
  
• Click the Show Report button and Copy&Paste the entire report in your next reply.
  

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

==

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

==

Please include the Security Check and the F-Secure logs in your next reply. Also, tell me how your computer is running.

Scanning Report
Sunday, October 4, 2009 21:39:59 - 22:31:16

Computer name: CAT
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\
9 malware found
TrackingCookie.2o7 (spyware)

* System (Disinfected)

TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Adbrite (spyware)

* System (Disinfected)

TrackingCookie.Webtrends (spyware)

* System (Disinfected)

TrackingCookie.Statcounter (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

Trojan.Vundo.GMM (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000115.DLL (Renamed)

Backdoor.Generic.95440 (virus)

* C:\DOCUMENTS AND SETTINGS\CATHERINE\APPLICATION DATA\MOVE NETWORKS\MOVEMEDIAPLAYER_07076007.EXE (Renamed & Submitted)

Statistics
Scanned:

* Files: 52421
* System: 3521
* Not scanned: 9

Actions:

* Disinfected: 7
* Renamed: 2
* Deleted: 0
* Not cleaned: 0
* Submitted: 1

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\HELPSVC.EXE
* C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPC32.EXE
* C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DOSCAN.EXE

DragonMaster Jay wrote:

Hi

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction Here for installation.
  
• Accept the License Agreement.
  
• Once the ActiveX installs,Click Full System Scan
  
• Once the download completes,the scan will begin automatically.
  
• The scan will take some time to finish,so please be patient.
  
• When the scan completes, click the Automatic cleaning (recommended) button.
  
• Click the Show Report button and Copy&Paste the entire report in your next reply.
  

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

==

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

==

Please include the Security Check and the F-Secure logs in your next reply. Also, tell me how your computer is running.

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:
Java(TM) 6 Update 13
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
CATHER~1 LOCALS~1 Temp OnlineScanner\Anti-Virus\fsgk32.exe
CATHER~1 LOCALS~1 Temp OnlineScanner\Anti-Virus\fssm32.exe
CATHER~1 LOCALS~1 Temp fsonlinescanner.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

DragonMaster Jay wrote:

Hi

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction Here for installation.
  
• Accept the License Agreement.
  
• Once the ActiveX installs,Click Full System Scan
  
• Once the download completes,the scan will begin automatically.
  
• The scan will take some time to finish,so please be patient.
  
• When the scan completes, click the Automatic cleaning (recommended) button.
  
• Click the Show Report button and Copy&Paste the entire report in your next reply.
  

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

==

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

==

Please include the Security Check and the F-Secure logs in your next reply. Also, tell me how your computer is running.

Hi, Computer seems to be running normally. Why is that the Malwarebytes did not detect the infections that the F-secure detected? I thought my computer was clean after the Malwarebytes scan...

Should I still create a restore point now? Or is my computer still infected?

Thanks!

DragonMaster Jay wrote:

Hi

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction Here for installation.
  
• Accept the License Agreement.
  
• Once the ActiveX installs,Click Full System Scan
  
• Once the download completes,the scan will begin automatically.
  
• The scan will take some time to finish,so please be patient.
  
• When the scan completes, click the Automatic cleaning (recommended) button.
  
• Click the Show Report button and Copy&Paste the entire report in your next reply.
  

==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

==

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

• Select Start > All Programs > Accessories > System tools > System Restore.
  
• On the dialogue box that appears select Create a Restore Point
  
• Click NEXT
  
• Enter a name e.g. Clean
  
• Click CREATE

You now have a clean restore point, to get rid of the bad ones:

• Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  
• In the Drop down box that appears select your main drive e.g. C
  
• Click OK
  
• The System will do some calculation and the display a dialogue box with TABS
  
• Select the More Options Tab.
  
• At the bottom will be a system restore box with a CLEANUP button click this
  
• Accept the Warning and select OK again, the program will close and you are done
  

==

Please include the Security Check and the F-Secure logs in your next reply. Also, tell me how your computer is running.

Hi

One of the infections detected by F-Secure was a false positive (Move Media Player), and I will be reporting that to them immediately. That is not a true infection. The other infection by F-Secure was something in System Restore. Also, cookies are not actually malware, but some scanners think they are.

That is why I needed you to delete all restore points and create a new one. Go ahead with that.

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Hi again, so, I created a new system restore and deleted the old points. So, this means the infections are totally gone and I'm good to go, yeah?

Also, should I keep combofix and spiderkill on my desktop or should I delete those?

Thanks!

DragonMaster Jay wrote:

Hi

One of the infections detected by F-Secure was a false positive (Move Media Player), and I will be reporting that to them immediately. That is not a true infection. The other infection by F-Secure was something in System Restore. Also, cookies are not actually malware, but some scanners think they are.

That is why I needed you to delete all restore points and create a new one. Go ahead with that.

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

• Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  
• Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  
• PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

• SpywareBlaster
  SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  
• Spybot - Search & Destroy.
  Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
  

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
  

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

• Firefox may be downloaded from here: http://www.getfirefox.com
  
• Opera is available here: http://www.opera.com/download/
  

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Last edited by brownie1212 on 5th October 2009, 3:39 am; edited 1 time in total (Reason for editing : left out info)

Hi

Delete SpiderKill, please. Then do the following to uninstall ComboFix:

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /u

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
  
• Notice: sometimes ComboFix will not uninstall if it was renamed. If it will not uninstall then delete the following items: ComboFix icon on Desktop, and the folder C:\Qoobox

Hi,

for some reason, after deleting the extra copies of malwarebytes application, I cannot access the malwarebytes logs after scanning. Error msg would appear when I try to open the log stating "you may not have permission to access the specified item."
If I do a search for C:\Documents and Settings\Catherine\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs then the logs are found and I can view it using notepad.

Hi

This is because the original install location was not correct. Whenever you install Malwarebytes, it is normal to install it to C:\Program Files\Malwarebytes' Anti-Malware. The location you had it installed in to was incorrect, so when ComboFix went to clean your computer, it had damaged your current installation of Malwarebytes. Uninstalling any previous versions, then installing a new version allowed Malwarebytes to work again.

To the point, Malwarebytes does not know those logs, because it is a fresh installation.