Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

unable to delete file

Started by fatchance, Apr 27 2009 08:17 PM

You cannot reply to this topic
Go to first unread post

12 replies to this topic

#1
fatchance

Posted 27 April 2009 - 08:17 PM

New Member

Members
9 posts

I have run malwarebytes several times and it keeps telling me that it will delete awldwjyh.dat (Rootkit.Agent) on reboot, but it keeps sticking around. Any help will be appreciated.

Thanks,
Phil

Here is the malwarebyte's log:

Malwarebytes' Anti-Malware 1.36
Database version: 2047
Windows 5.1.2600 Service Pack 3

4/27/2009 1:20:01 PM
mbam-log-2009-04-27 (13-20-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 157174
Time elapsed: 1 hour(s), 29 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\rhonda\Local Settings\Temp\awldwjyh.dat (Rootkit.Agent) -> Delete on reboot.

and Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:14 PM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RockBot] C:\Program Files\rock\rockbot.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...res/ext360.html
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1197392426315
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165438932515
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = shc.local
O17 - HKLM\Software\..\Telephony: DomainName = shc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{C69CE68A-3168-4145-B572-20D1B1F126A0}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = shc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = shc.local
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - http://www.sexyshoes.com/7397x4.jpg
O24 - Desktop Component 1: (no name) - http://www.raintreen...images/G667.jpg

--
End of file - 8515 bytes

#2
negster22

Posted 28 April 2009 - 02:31 AM

Elite Member

Experts
1,130 posts

Location:Westchester County, NY

Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

Close Internet Explorer and any other open browsers
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingc...opic114351.html

Next, please perform a rootkit scan:

Double-click the randonly name EXE located in the C:\ARK folder that you just downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the scan is finished (a few seconds, click the Rootkit/Malware tab,and then select the Scan button.
Leave your system completely idle while this longer scan is in progress.
When the scan is done, save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
Exit the Program
Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as cartwheel.exe

Notes:

It is very important that save the newly renamed EXE file to your desktop.
You must rename Combofixe.exe as you download it and not after it is on your computer.

You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- Open Firefox
- Click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it:
http://www.bleepingc...to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingc...opic114351.html

Also, disable your firewall!
You can enable the Window firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run combofix.

Rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\newyork.exe"

Now, relaunch MBAM by double-clicking newyork.exe in the MBAM folder.
Select the Update tab -> Check for Updates
After MBAM updates, select the Scanner tab.
Select Perform quick scan, then click Scan.
When the scan is complete, click OK -> Show Results to view the scan results.
Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please post C:\ComboFix.txt, your antirootkit log (ARK.txt), and a new MBAM log in your next reply.

Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#3
fatchance

Posted 28 April 2009 - 06:19 PM

New Member

Members
9 posts

negster22, on Apr 27 2009, 08:31 PM, said:

Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune

Close Internet Explorer and any other open browsers
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Double-click the randonly name EXE located in the C:\ARK folder that you just downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the scan is finished (a few seconds, click the Rootkit/Malware tab,and then select the Scan button.
Leave your system completely idle while this longer scan is in progress.
When the scan is done, save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
Exit the Program
Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as cartwheel.exe

Notes:

It is very important that save the newly renamed EXE file to your desktop.
You must rename Combofixe.exe as you download it and not after it is on your computer.

You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- Open Firefox
- Click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Now, relaunch MBAM by double-clicking newyork.exe in the MBAM folder.
Select the Update tab -> Check for Updates
After MBAM updates, select the Scanner tab.
Select Perform quick scan, then click Scan.
When the scan is complete, click OK -> Show Results to view the scan results.
Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

#4
fatchance

Posted 28 April 2009 - 06:27 PM

New Member

Members
9 posts

First off thanks for your help!

Here are the three logs you requested and I added a fourth (I ran malwarebytes again after it asked me to reboot) which shows the same file that cannot be deleted.

ComboFix 09-04-27.05 - Rhonda 04/28/2009 11:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.545 [GMT -6:00]
Running from: c:\documents and settings\rhonda\Desktop\cartwheel.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-28 16:01 . 2009-04-28 16:01 -------- d-----w C:\ark
2009-04-27 20:18 . 2009-04-27 20:18 -------- d-----w c:\program files\Trend Micro
2009-04-27 17:07 . 2009-04-27 18:20 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 00:54 . 2009-04-25 00:54 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-24 21:20 . 2009-04-24 21:20 -------- d-----w c:\documents and settings\rhonda\Application Data\Malwarebytes
2009-04-24 21:20 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 21:19 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 21:19 . 2009-04-24 21:19 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 21:19 . 2009-04-24 21:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-24 20:46 . 2009-04-24 20:46 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-24 18:51 . 2009-04-24 18:51 -------- d-sh--w c:\documents and settings\rhonda\PrivacIE
2009-04-24 18:49 . 2009-04-24 18:49 -------- d-sh--w c:\documents and settings\rhonda\IETldCache
2009-04-24 18:48 . 2009-04-24 18:48 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-24 18:45 . 2009-04-24 18:45 -------- d-----w c:\windows\ie8updates
2009-04-24 18:41 . 2009-04-24 18:44 -------- dc-h--w c:\windows\ie8
2009-04-24 18:40 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-24 18:11 . 2009-04-24 20:33 -------- d-----w c:\documents and settings\rhonda\.housecall6.6
2009-04-24 18:06 . 2009-04-24 18:06 -------- d-----w c:\windows\Sun
2009-04-24 18:06 . 2009-04-24 18:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-24 18:06 . 2009-04-24 18:06 -------- d-----w c:\program files\Java
2009-04-24 17:51 . 2009-04-24 17:51 -------- d-----w c:\documents and settings\NetworkService\Application Data\pvswvxgp
2009-04-24 17:51 . 2009-04-24 17:51 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\pvswvxgp
2009-04-24 00:02 . 2009-04-24 00:02 -------- d-----w c:\documents and settings\rhonda\Application Data\pvswvxgp
2009-04-24 00:02 . 2009-04-24 00:02 -------- d-----w c:\documents and settings\rhonda\Local Settings\Application Data\pvswvxgp
2009-04-16 16:12 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 16:12 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 16:12 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 16:12 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 16:12 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 16:12 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 16:12 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 16:12 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 16:12 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 16:10 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 16:10 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 23:38 . 2007-02-22 18:10 -------- d-----w c:\program files\DYMO Label
2009-04-23 22:07 . 2006-12-06 02:50 -------- d-----w c:\program files\Compaq
2009-04-20 21:03 . 2006-12-06 21:03 -------- d-----w c:\program files\Symantec AntiVirus
2009-03-28 01:10 . 2009-03-28 01:07 -------- d-----w c:\program files\Teleflora
2009-03-28 01:10 . 2006-12-06 02:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 01:09 . 2009-03-28 01:09 0 ----a-w C:\74.tmp
2009-03-28 01:07 . 2009-03-28 01:07 -------- d-----w c:\program files\Seagate Software
2009-03-19 20:38 . 2009-03-11 02:15 149768 ----a-w c:\windows\system32\drivers\WpsHelper.sys
2009-03-11 17:57 . 2006-12-06 16:55 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-11 17:56 . 2006-12-06 16:55 -------- d-----w c:\program files\Symantec
2009-03-11 17:56 . 2009-03-11 17:56 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-11 17:56 . 2009-03-11 17:56 60800 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-11 17:56 . 2009-03-11 17:56 123952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-11 17:56 . 2009-03-11 17:56 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-08 10:34 . 2006-06-23 18:33 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 10:34 . 2002-08-29 14:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 10:33 . 2002-08-29 14:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 10:33 . 2002-08-29 14:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 10:32 . 2002-08-29 14:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 10:32 . 2002-08-29 14:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 10:31 . 2002-08-29 14:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 10:31 . 2002-08-29 14:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 10:31 . 2002-08-29 14:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 10:22 . 2002-08-29 14:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 18:47 . 2008-12-16 01:44 -------- d-----w c:\program files\Citrix
2009-03-06 14:22 . 2002-08-29 14:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-11 18:36 . 2002-11-03 06:33 87271 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-02-09 12:10 . 2002-08-29 14:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 14:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 14:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2002-08-29 14:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 01:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2002-08-29 14:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2002-08-29 14:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2002-08-29 14:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2002-08-29 14:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-27_22.05.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 15:56 . 2009-04-28 15:56 16384 c:\windows\Temp\Perflib_Perfdata_308.dat
+ 2002-11-03 06:44 . 2009-04-28 15:52 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2002-11-03 06:44 . 2009-04-24 22:56 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-11-03 06:44 . 2009-04-28 15:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2002-11-03 06:44 . 2009-04-24 22:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2002-11-03 06:44 . 2009-04-28 15:52 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2002-11-03 06:44 . 2009-04-24 22:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RockBot"="c:\program files\rock\rockbot.exe" [2008-06-24 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-11 115560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-24 148888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-11-29 968224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tb2Launch"=2 (0x2)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-03-11 23888]
S0 ywaukocd;ywaukocd;c:\windows\system32\drivers\ywaukocd.sys [2002-08-29 23424]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-11 101936]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUJASNKJ
*Deregistered* - aujasnkj

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fajxrhge

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]

2009-04-27 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Rhonda.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-24 21:32]

2009-04-27 c:\windows\Tasks\Malwarebytes' Scheduled Update for Rhonda.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-04-24 21:32]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = wmplayer.exe
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
TCP: {C69CE68A-3168-4145-B572-20D1B1F126A0} = 205.171.3.65,205.171.2.65
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 12:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2252)
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-28 12:05
ComboFix-quarantined-files.txt 2009-04-28 18:05
ComboFix2.txt 2009-04-27 22:11

Pre-Run: 44,857,319,424 bytes free
Post-Run: 44,848,103,424 bytes free

196 --- E O F --- 2009-04-22 02:33

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-28 11:54:00
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT 865E03F0 ZwAlertResumeThread
SSDT 865E04D0 ZwAlertThread
SSDT 865DF520 ZwAllocateVirtualMemory
SSDT 86E24910 ZwConnectPort
SSDT 86E21DA0 ZwCreateMutant
SSDT \??\C:\WINDOWS\system32\drivers\mbam.sys (Malwarebytes' Anti-Malware/Malwarebytes Corporation) ZwCreateSection [0xEE5CCFE0]
SSDT 86EDEBF0 ZwCreateThread
SSDT 865F0CB8 ZwFreeVirtualMemory
SSDT 86E21E90 ZwImpersonateAnonymousToken
SSDT 86E21F70 ZwImpersonateThread
SSDT 86E23898 ZwMapViewOfSection
SSDT 86E21CC0 ZwOpenEvent
SSDT 865E82D8 ZwOpenProcessToken
SSDT 865DF728 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF75CB6B0]
SSDT 86E40990 ZwResumeThread
SSDT 865E3D40 ZwSetContextThread
SSDT 865DF7F8 ZwSetInformationProcess
SSDT 865E3C50 ZwSetInformationThread
SSDT 86E3DFD0 ZwSuspendProcess
SSDT 86713C88 ZwSuspendThread
SSDT 86712758 ZwTerminateProcess
SSDT 86713D68 ZwTerminateThread
SSDT 86E9CD28 ZwUnmapViewOfSection
SSDT 865DF450 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 3D 805683FA 7 Bytes JMP 86DD94A0

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01179315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01254832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0136E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0136DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0136DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0136DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0136DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0136E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0136DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 01179315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0124DBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 0124DD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 01254832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 011B1CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 0136E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 0136DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 0136DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 0136DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 0136DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 0136E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 0136DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3624] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0125488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\internet explorer\iexplore.exe[3624] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [009418FD] C:\Program Files\internet explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\SYMTDI \Device\SymTDI wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Malwarebytes' Anti-Malware 1.36
Database version: 2055
Windows 5.1.2600 Service Pack 3

4/28/2009 12:14:43 PM
mbam-log-2009-04-28 (12-14-43).txt

Scan type: Quick Scan
Objects scanned: 93887
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Dxdiag.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\rhonda\Local Settings\Temp\awldwjyh.dat (Rootkit.Agent) -> Delete on reboot.

RAN AFTER REBOOT

Malwarebytes' Anti-Malware 1.36
Database version: 2055
Windows 5.1.2600 Service Pack 3

4/28/2009 12:24:58 PM
mbam-log-2009-04-28 (12-24-58).txt

Scan type: Quick Scan
Objects scanned: 93797
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\rhonda\Local Settings\Temp\awldwjyh.dat (Rootkit.Agent) -> Delete on reboot.

#5
negster22

Posted 29 April 2009 - 04:20 AM

Elite Member

Experts
1,130 posts

Location:Westchester County, NY

You're welcome!

A couple questions first -

Is this a program that you intentionally installed and are familiar with?:
[RockBot] C:\Program Files\rock\rockbot.exe

This indicates you ran Combofix twice:
ComboFix2.txt 2009-04-27 22:11

Why was it necessary to run Combofix more than once?

We have some more files, folders and registry entries to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
Copy/paste the text in the code box below into Notepad.
Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::

Folder::
c:\documents and settings\NetworkService\Application Data\pvswvxgp
c:\documents and settings\NetworkService\Local Settings\Application Data\pvswvxgp
c:\documents and settings\rhonda\Application Data\pvswvxgp
c:\documents and settings\rhonda\Local Settings\Application Data\pvswvxgp

File::
C:\74.tmp
c:\windows\system32\drivers\ywaukocd.sys
C:\Documents and Settings\rhonda\Local Settings\Temp\awldwjyh.dat

Driver::
ywaukocd
aujasnkj
Legacy_ywaukocd
Legacy_aujasnkj

NetSvcs::
fajxrhge

Now, disable your Norton Antivirus active protection and any script blocking programs you may have running, such as Norton Script Blocking.

Posted Image

Referring to the picture above, drag CFScript.txt into the renamed ComboFix.exe (cartwheel.exe on your desktop)

This will cause ComboFix to run again.

Please post back the log that is opens when it finishes (C:\Combofix.txt).

Relaunch Malwarebytes' Anti-Malware (MBAM)

Click the Update tab and Check for Updates- then wait for MBAM to update
Click the Scanner tab, and select Perform Quick scan, then click Scan.
When the scan is complete, click OK -> Show Results to view the scan results.
Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
When the scan is done, a log will open in Notepad with the scan results.
Please post the results in your next reply.

Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#6
fatchance

Posted 29 April 2009 - 04:45 PM

New Member

Members
9 posts

negster22, on Apr 28 2009, 10:20 PM, said:

KillAll::

Folder::
c:\documents and settings\NetworkService\Application Data\pvswvxgp
c:\documents and settings\NetworkService\Local Settings\Application Data\pvswvxgp
c:\documents and settings\rhonda\Application Data\pvswvxgp
c:\documents and settings\rhonda\Local Settings\Application Data\pvswvxgp

File::
C:\74.tmp
c:\windows\system32\drivers\ywaukocd.sys
C:\Documents and Settings\rhonda\Local Settings\Temp\awldwjyh.dat

Driver::
ywaukocd
aujasnkj
Legacy_ywaukocd
Legacy_aujasnkj

NetSvcs::
fajxrhge

Now, disable your Norton Antivirus active protection and any script blocking programs you may have running, such as Norton Script Blocking.

Posted Image

Click the Update tab and Check for Updates- then wait for MBAM to update
Click the Scanner tab, and select Perform Quick scan, then click Scan.
When the scan is complete, click OK -> Show Results to view the scan results.
Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
When the scan is done, a log will open in Notepad with the scan results.
Please post the results in your next reply.

#7
fatchance

Posted 29 April 2009 - 04:49 PM

New Member

Members
9 posts

I think you got it! I really appreciate all your help.

To answer your question, Rockbot is ok, it is part of a pos management program.

Here are the logs you requested:

ComboFix 09-04-29.01 - Rhonda 04/29/2009 10:26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.495 [GMT -6:00]
Running from: c:\documents and settings\rhonda\Desktop\cartwheel.exe
Command switches used :: c:\documents and settings\rhonda\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
* Created a new restore point

FILE ::
C:\74.tmp
c:\documents and settings\rhonda\Local Settings\Temp\awldwjyh.dat
c:\windows\system32\drivers\ywaukocd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\74.tmp
c:\documents and settings\NetworkService\Application Data\pvswvxgp
c:\documents and settings\NetworkService\Application Data\pvswvxgp\profiles.ini
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\cert8.db
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\key3.db
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\prefs.js
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\secmod.db
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\pvswvxgp\Profiles\ux6gslqy.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\pvswvxgp
c:\documents and settings\NetworkService\Local Settings\Application Data\pvswvxgp\Profiles\ux6gslqy.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\pvswvxgp\Profiles\ux6gslqy.default\XPC.mfl
c:\documents and settings\rhonda\Application Data\pvswvxgp
c:\documents and settings\rhonda\Application Data\pvswvxgp\profiles.ini
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\cert8.db
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\compatibility.ini
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\compreg.dat
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\cookies.sqlite
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\formhistory.sqlite
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\key3.db
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\localstore.rdf
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\permissions.sqlite
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\places.sqlite-journal
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\places.sqlite
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\pluginreg.dat
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\prefs.js
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\secmod.db
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\webappsstore.sqlite
c:\documents and settings\rhonda\Application Data\pvswvxgp\Profiles\xwx3ieot.default\xpti.dat
c:\documents and settings\rhonda\Local Settings\Application Data\pvswvxgp
c:\documents and settings\rhonda\Local Settings\Application Data\pvswvxgp\Profiles\xwx3ieot.default\OfflineCache\index.sqlite
c:\documents and settings\rhonda\Local Settings\Application Data\pvswvxgp\Profiles\xwx3ieot.default\urlclassifier3.sqlite
c:\documents and settings\rhonda\Local Settings\Application Data\pvswvxgp\Profiles\xwx3ieot.default\XPC.mfl
c:\documents and settings\rhonda\Local Settings\Temp\awldwjyh.dat
c:\windows\system32\drivers\ywaukocd.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AUJASNKJ
-------\Legacy_YWAUKOCD
-------\Service_ywaukocd

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 16:01 . 2009-04-28 16:01 -------- d-----w C:\ark
2009-04-27 20:18 . 2009-04-27 20:18 -------- d-----w c:\program files\Trend Micro
2009-04-27 17:07 . 2009-04-27 18:20 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-25 00:54 . 2009-04-25 00:54 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-24 21:20 . 2009-04-24 21:20 -------- d-----w c:\documents and settings\rhonda\Application Data\Malwarebytes
2009-04-24 21:20 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 21:19 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 21:19 . 2009-04-24 21:19 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-24 21:19 . 2009-04-28 18:07 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-24 20:46 . 2009-04-24 20:46 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-24 18:51 . 2009-04-24 18:51 -------- d-sh--w c:\documents and settings\rhonda\PrivacIE
2009-04-24 18:49 . 2009-04-24 18:49 -------- d-sh--w c:\documents and settings\rhonda\IETldCache
2009-04-24 18:48 . 2009-04-24 18:48 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-24 18:45 . 2009-04-24 18:45 -------- d-----w c:\windows\ie8updates
2009-04-24 18:41 . 2009-04-24 18:44 -------- dc-h--w c:\windows\ie8
2009-04-24 18:40 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-24 18:11 . 2009-04-24 20:33 -------- d-----w c:\documents and settings\rhonda\.housecall6.6
2009-04-24 18:06 . 2009-04-24 18:06 -------- d-----w c:\windows\Sun
2009-04-24 18:06 . 2009-04-24 18:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-24 18:06 . 2009-04-24 18:06 -------- d-----w c:\program files\Java
2009-04-16 16:12 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 16:12 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 16:12 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 16:12 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 16:12 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 16:12 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 16:12 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 16:12 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 16:12 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 16:10 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 16:10 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 16:27 . 2002-08-29 14:00 23424 ----a-w c:\windows\system32\drivers\ftepuvhv.sys
2009-04-29 01:15 . 2007-02-22 18:10 -------- d-----w c:\program files\DYMO Label
2009-04-28 23:04 . 2006-12-24 20:35 -------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2009-04-23 22:07 . 2006-12-06 02:50 -------- d-----w c:\program files\Compaq
2009-04-20 21:03 . 2006-12-06 21:03 -------- d-----w c:\program files\Symantec AntiVirus
2009-03-28 01:10 . 2009-03-28 01:07 -------- d-----w c:\program files\Teleflora
2009-03-28 01:10 . 2006-12-06 02:46 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 01:07 . 2009-03-28 01:07 -------- d-----w c:\program files\Seagate Software
2009-03-19 20:38 . 2009-03-11 02:15 149768 ----a-w c:\windows\system32\drivers\WpsHelper.sys
2009-03-11 17:57 . 2006-12-06 16:55 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-11 17:56 . 2006-12-06 16:55 -------- d-----w c:\program files\Symantec
2009-03-11 17:56 . 2009-03-11 17:56 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-03-11 17:56 . 2009-03-11 17:56 60800 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-03-11 17:56 . 2009-03-11 17:56 123952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-11 17:56 . 2009-03-11 17:56 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-08 10:34 . 2006-06-23 18:33 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 10:34 . 2002-08-29 14:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 10:33 . 2002-08-29 14:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 10:33 . 2002-08-29 14:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 10:32 . 2002-08-29 14:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 10:32 . 2002-08-29 14:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 10:31 . 2002-08-29 14:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 10:31 . 2002-08-29 14:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 10:31 . 2002-08-29 14:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 10:22 . 2002-08-29 14:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 18:47 . 2008-12-16 01:44 -------- d-----w c:\program files\Citrix
2009-03-06 14:22 . 2002-08-29 14:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-11 18:36 . 2002-11-03 06:33 87271 ----a-w c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-02-09 12:10 . 2002-08-29 14:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-07-26 04:31 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2002-08-29 14:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2002-08-29 14:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2002-08-29 14:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 01:02 . 2002-08-29 01:04 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2002-08-29 14:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2002-08-29 14:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2002-08-29 14:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2002-08-29 14:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-27_22.05.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-29 16:32 . 2009-04-29 16:32 16384 c:\windows\temp\Perflib_Perfdata_298.dat
- 2002-11-03 06:44 . 2009-04-24 22:56 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-11-03 06:44 . 2009-04-28 15:52 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2002-11-03 06:44 . 2009-04-28 15:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2002-11-03 06:44 . 2009-04-24 22:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2002-11-03 06:44 . 2009-04-24 22:56 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2002-11-03 06:44 . 2009-04-28 15:52 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-12-24 20:40 . 2006-12-27 18:11 40960 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut6_1B72F66FEC97454396CC50F63093FE70_1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 40960 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut6_1B72F66FEC97454396CC50F63093FE70_1.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 65536 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut37_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 65536 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut37_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 65536 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut33_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 65536 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut33_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 65536 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut32_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 65536 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut32_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 45056 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut30_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 45056 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut30_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 45056 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut29_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 45056 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut29_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 65536 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1_2.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 65536 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1_2.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 65536 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1_1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 65536 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1_1.exe
+ 2006-12-19 16:36 . 2006-04-12 18:11 244543 c:\windows\system32\spool\drivers\w32x86\amyuni_amyunidocumentconverter251\acpdfui251.dll
+ 2006-12-19 16:36 . 2006-04-12 18:11 401693 c:\windows\system32\spool\drivers\w32x86\amyuni_amyunidocumentconverter251\acpdf251.dll
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut91_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut9_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut81_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut8_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut71_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut7_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut51_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut5_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut41_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut40_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut40_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut4_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut39_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut39_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut34_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut34_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut31_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut3_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut28_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut28_6C2287199EDD4CAA8285D3095F51E522.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut27_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut27_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut26_6C2287199EDD4CAA8285D3095F51E522.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut26_6C2287199EDD4CAA8285D3095F51E522.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut25_6C2287199EDD4CAA8285D3095F51E522.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut25_6C2287199EDD4CAA8285D3095F51E522.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut241_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut241_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut24_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut21_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut201_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut201_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut20_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut2_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut19_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut19_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut181_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut181_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut18_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut18_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut171_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut171_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut17_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut17_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut161_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut161_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut16_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut16_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut151_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut151_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut15_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut15_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut131_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut131_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut13_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut13_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut121_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut121_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut12_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut12_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut111_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut111_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut11_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut11_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:08 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut101_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut10_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut1_1B72F66FEC97454396CC50F63093FE70.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\NewShortcut1_1B72F66FEC97454396CC50F63093FE70.exe
+ 2006-12-24 20:40 . 2009-04-28 23:07 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1.exe
- 2006-12-24 20:40 . 2006-12-27 18:11 450560 c:\windows\Installer\{71EEA108-09C9-4D81-8FA2-D48C70681242}\_7AE715922BD74E0E938522AC3FDACFB1.exe
+ 2006-08-09 00:33 . 2006-08-09 00:33 350448 c:\windows\Installer\$PatchCache$\Managed\801AEE179C9018D4F82A4DC807862124\17.0.4001\awApi4.dll
+ 2006-12-19 16:36 . 2006-04-12 17:11 1933312 c:\windows\system32\spool\drivers\w32x86\amyuni_amyunidocumentconverter251\cdintf251.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"RockBot"="c:\program files\rock\rockbot.exe" [2008-06-24 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-09-20 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-03-11 115560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-24 148888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-3-18 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tb2Launch"=2 (0x2)
"ose"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-03-11 23888]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-11 101936]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - YWAUKOCD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fajxrhge

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = wmplayer.exe
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
TCP: {C69CE68A-3168-4145-B572-20D1B1F126A0} = 205.171.3.65,205.171.2.65
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 10:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(392)
c:\windows\system32\ieframe.dll
c:\windows\system32\msls31.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-29 10:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 16:42
ComboFix2.txt 2009-04-28 18:05
ComboFix3.txt 2009-04-27 22:11

Pre-Run: 44,592,644,096 bytes free
Post-Run: 44,596,330,496 bytes free

367 --- E O F --- 2009-04-22 02:33

Malwarebytes' Anti-Malware 1.36
Database version: 2059
Windows 5.1.2600 Service Pack 3

4/29/2009 10:53:11 AM
mbam-log-2009-04-29 (10-53-11).txt

Scan type: Quick Scan
Objects scanned: 94291
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8
negster22

Posted 30 April 2009 - 03:27 AM

Elite Member

Experts
1,130 posts

Location:Westchester County, NY

The file MBAM kept flagging is gone, but unfortunately you are still infected.

Please disable any script or registry blocking programs you may have running, such as Norton scriptblocking.

Download The Avenger by Swandog46:
http://swandog46.gee...r2/download.php

Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to launch Avenger.
Click OK.
Make sure that the box next to "Scan for rootkits" is checked and that the box next to Automatically "Disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Drivers to delete:
ftepuvhv
Legacy_ftepuvhv
YWAUKOCD
Legacy_YWAUKOCD
AUJASNKJ
Legacy_AUJASNKJ
fajxrhge

Files to delete:
c:\windows\system32\drivers\ftepuvhv.sys
c:\windows\system32\drivers\ywaukocd.sys
c:\windows\system32\drivers\aujasnkj.sys
c:\windows\system32\fajxrhge.dll

Click the Execute button.
You will be prompted with "Are you sure you want to execute the current script?"
Click "Yes"
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click "Yes".
Your PC will reboot.
After your PC has completed the necessary reboot, a log should automatically open.
If it the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)
Please post the Avenger log, along with a new HijackThis log in your next reply.

After Avenger reboots, immediately run a Combofix scan and then post both the Avenger (C:\Avenger.txt) and Combofix (C:\Combofix.txt) reports.

Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#9
fatchance

Posted 30 April 2009 - 10:07 PM

New Member

Members
9 posts

negster22, on Apr 29 2009, 09:27 PM, said:

Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to launch Avenger.
Click OK.
Make sure that the box next to "Scan for rootkits" is checked and that the box next to Automatically "Disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Drivers to delete:
ftepuvhv
Legacy_ftepuvhv
YWAUKOCD
Legacy_YWAUKOCD
AUJASNKJ
Legacy_AUJASNKJ
fajxrhge

Files to delete:
c:\windows\system32\drivers\ftepuvhv.sys
c:\windows\system32\drivers\ywaukocd.sys
c:\windows\system32\drivers\aujasnkj.sys
c:\windows\system32\fajxrhge.dll

Click the Execute button.
You will be prompted with "Are you sure you want to execute the current script?"
Click "Yes"
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click "Yes".
Your PC will reboot.
After your PC has completed the necessary reboot, a log should automatically open.
If it the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)
Please post the Avenger log, along with a new HijackThis log in your next reply.

After Avenger reboots, immediately run a Combofix scan and then post both the Avenger (C:\Avenger.txt) and Combofix (C:\Combofix.txt) reports.

#10
fatchance

Posted 30 April 2009 - 10:09 PM

New Member

Members
9 posts

Boy, you are full of good news!

Here you go, and again, thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:59 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://protopage.com/rhondaspeck
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RockBot] C:\Program Files\rock\rockbot.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1197392426315
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1165438932515
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk...ows-i586-jc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = shc.local
O17 - HKLM\Software\..\Telephony: DomainName = shc.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{C69CE68A-3168-4145-B572-20D1B1F126A0}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = shc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = shc.local
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - http://www.sexyshoes.com/7397x4.jpg
O24 - Desktop Component 1: (no name) - http://www.raintreen...images/G667.jpg

--
End of file - 7322 bytes

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ftepuvhv" not found!
Deletion of driver "ftepuvhv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_ftepuvhv" not found!
Deletion of driver "Legacy_ftepuvhv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\YWAUKOCD" not found!
Deletion of driver "YWAUKOCD" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_YWAUKOCD" not found!
Deletion of driver "Legacy_YWAUKOCD" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\AUJASNKJ" not found!
Deletion of driver "AUJASNKJ" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

#11
negster22

Posted 30 April 2009 - 10:13 PM

Elite Member

Experts
1,130 posts

Location:Westchester County, NY

That is not the whole Avenger Log. Can you please post the entire thing the most important part is missing.

Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#12
fatchance

Posted 01 May 2009 - 08:01 PM

New Member

Members
9 posts

Sorry about that. I tried to re-open the advenger log, but it said it was password protected, so I re-ran it.

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ftepuvhv" not found!
Deletion of driver "ftepuvhv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_ftepuvhv" not found!
Deletion of driver "Legacy_ftepuvhv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\YWAUKOCD" not found!
Deletion of driver "YWAUKOCD" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_YWAUKOCD" not found!
Deletion of driver "Legacy_YWAUKOCD" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\AUJASNKJ" not found!
Deletion of driver "AUJASNKJ" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_AUJASNKJ" not found!
Deletion of driver "Legacy_AUJASNKJ" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\fajxrhge" not found!
Deletion of driver "fajxrhge" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\drivers\ftepuvhv.sys" not found!
Deletion of file "c:\windows\system32\drivers\ftepuvhv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\drivers\ywaukocd.sys" not found!
Deletion of file "c:\windows\system32\drivers\ywaukocd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\drivers\aujasnkj.sys" not found!
Deletion of file "c:\windows\system32\drivers\aujasnkj.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "c:\windows\system32\fajxrhge.dll" not found!
Deletion of file "c:\windows\system32\fajxrhge.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

#13
negster22

Posted 01 May 2009 - 10:08 PM

Elite Member

Experts
1,130 posts

Location:Westchester County, NY

Quote

Sorry about that. I tried to re-open the advenger log, but it said it was password protected, so I re-ran it.

What's password protected is the Avenger.zip file because that contains the threats that were removed.

C:\Avenger.txt is not password protected.

Anyway, running it a second time does not help because if it worked properly the threats would no longer be in the places I specified.

Can you please visit this submission webpage

1. In the "Link to topic where this file was requested: " box, copy/paste the url to this topic as follows:
http://www.malwarebytes.org/forums/index.p...f=7&t=14767

2. Next, copy and paste the following bolded text into the "Browse to the file you want to submit:" box:
C:\avenger\backup.zip

3. Then click 'Send File'

Repeat the same procedure above (steps 2 & 3) for any backup<date>.ZIP files in the Avenger (there should be one more).

Now, please delete Combofix on your desktop. Download a new renamed copy again, run Combofix, and then post the new C:\Combofix.txt log.
__________________

Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

Back to Resolved HijackThis Logs · Next Unread Topic →

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

Malwarebytes

unable to delete file

#1
fatchance

Posted 27 April 2009 - 08:17 PM

#2
negster22

Posted 28 April 2009 - 02:31 AM

#3
fatchance

Posted 28 April 2009 - 06:19 PM

#4
fatchance

Posted 28 April 2009 - 06:27 PM

#5
negster22

Posted 29 April 2009 - 04:20 AM

#6
fatchance

Posted 29 April 2009 - 04:45 PM

#7
fatchance

Posted 29 April 2009 - 04:49 PM

#8
negster22

Posted 30 April 2009 - 03:27 AM

#9
fatchance

Posted 30 April 2009 - 10:07 PM

#10
fatchance

Posted 30 April 2009 - 10:09 PM

#11
negster22

Posted 30 April 2009 - 10:13 PM

#12
fatchance

Posted 01 May 2009 - 08:01 PM

#13
negster22

Posted 01 May 2009 - 10:08 PM

1 user(s) are reading this topic

Products

About

Partners

Follow Us

Malwarebytes

unable to delete file

#1 fatchance Posted 27 April 2009 - 08:17 PM

#2 negster22 Posted 28 April 2009 - 02:31 AM

#3 fatchance Posted 28 April 2009 - 06:19 PM

#4 fatchance Posted 28 April 2009 - 06:27 PM

#5 negster22 Posted 29 April 2009 - 04:20 AM

#6 fatchance Posted 29 April 2009 - 04:45 PM

#7 fatchance Posted 29 April 2009 - 04:49 PM

#8 negster22 Posted 30 April 2009 - 03:27 AM

#9 fatchance Posted 30 April 2009 - 10:07 PM

#10 fatchance Posted 30 April 2009 - 10:09 PM

#11 negster22 Posted 30 April 2009 - 10:13 PM

#12 fatchance Posted 01 May 2009 - 08:01 PM

#13 negster22 Posted 01 May 2009 - 10:08 PM

1 user(s) are reading this topic

Products

About

Partners

Follow Us

#1
fatchance

Posted 27 April 2009 - 08:17 PM

#2
negster22

Posted 28 April 2009 - 02:31 AM

#3
fatchance

Posted 28 April 2009 - 06:19 PM

#4
fatchance

Posted 28 April 2009 - 06:27 PM

#5
negster22

Posted 29 April 2009 - 04:20 AM

#6
fatchance

Posted 29 April 2009 - 04:45 PM

#7
fatchance

Posted 29 April 2009 - 04:49 PM

#8
negster22

Posted 30 April 2009 - 03:27 AM

#9
fatchance

Posted 30 April 2009 - 10:07 PM

#10
fatchance

Posted 30 April 2009 - 10:09 PM

#11
negster22

Posted 30 April 2009 - 10:13 PM

#12
fatchance

Posted 01 May 2009 - 08:01 PM

#13
negster22

Posted 01 May 2009 - 10:08 PM