7 replies to this topic

[turnerb]

Hi,

I just posted the following to the general forum and got a reply to post to the HijackThis Logs forum. I will paste the original message here again as I already tried to run hijackthis, malewarebytes and combofix but none of them will open.

Thanks!

Hello,

I have used this forum before with great success for my fiancee's laptop and now my pc is having issues. I currently run eset smart security and use malwarebytes to scan weekly. Just today, however, a nasty little program called Windows Antivirus Pro found its way into my pc. After trying to get rid of it using malwarebytes and eset I restarted the computer and very bad things started to happen. Everytime I click on any .exe file the following message shows up:

16 bit MS-DOS Subsystem
C:\WINDOWS\system32\desot.exe
SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers. Virtual Device Driver format in the registry is invalid. Choose 'Close' to terminate the application.

-Also, behind it, a DOS prompt window opens.

Clicking on ignore or close causes both windows to go away.

I have tried installing combofix and hijackthis in order to prep logs for you, but once downloaded they will not open.The above message just shows up again.
I have tried running malwarebytes in safemode, but the same above message shows up.

Also, I cannot get regedit, regdt32, msconfig or cmd to function from the RUN feature.
I found the Windows Antivirus Pro program files on my C: drive and deleted them.
Oddly enough (Although I'm sure there's a perfectly rational explanation unbeknownst to me) Internet Explorer will run.


I am fairly competent when it comes to computers and, as I have said, I have used Combofix and HijackThis before, but I can't get any .exe to open.

Please help me!

[sjpritch25]

Welcome to Malwarebytes !!!!


We need to see some additional information about what is happening in your machine.
Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explanation about the tool.
  
• When done, DDS will open two (2) logs
  1. DDS.txt
  2. Attach.txt
  
• Save both reports to your desktop.
  
• The instructions here ask you to attach the Attach.txt.
  
  
  
• Instead of attaching, please copy/past both logs into your next reply.
  
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

[turnerb]

Hello,

I tried to download, save and run the DDS program, but the same 16 bit MS-DOS system error pops up...

...Also this message pops up: The NTVDM CPR has encountered an illegal instruction
CS:00cf IP:0514 OP:ff ff 00 00 98 Choose close to terminate the application.

Please let me know if you come up with anything. Thanks.

sjpritch25, on Aug 2 2009, 08:26 AM, said:

Welcome to Malwarebytes !!!!


We need to see some additional information about what is happening in your machine.
Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explanation about the tool.
  
• When done, DDS will open two (2) logs
  1. DDS.txt
  2. Attach.txt
  
• Save both reports to your desktop.
  
• The instructions here ask you to attach the Attach.txt.
  
  
  
• Instead of attaching, please copy/past both logs into your next reply.
  
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

[sjpritch25]

Download UnHookExec.inf to your Desktop.
Right-Click on UnHookExec.inf and click on Install.


Try running dds again and let me know. Thanks

[turnerb]

Hello,

I got DDS to work and ran the scans you asked. Here are the results:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/29/2006 11:59:26 PM
System Uptime: 8/2/2009 9:51:11 AM (7 hours ago)

Motherboard: http://www.abit.com.tw/ | | AN7 (nVidia-nForce2)
Processor: AMD Athlon™ | Socket A | 2079/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 4.437 GiB free.
D: is CDROM ()
G: is FIXED (NTFS) - 34 GiB total, 34.407 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

6200
6200_Help
6200Trb
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 6.0
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
Age of Empires III
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
Bingo Card Creator 2.51
Bonjour
BufferChm
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
CueTour
DesignPro 5.4 Limited Edition
Destinations
Director
Diskeeper Professional Premier Edition
DocProc
DocumentViewer
ESET Smart Security
Fax
Google Toolbar for Internet Explorer
GTA San Andreas
Guild Wars
Home Antivirus 2010
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Driver Diagnostics
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPSystemDiagnostics
InstantShare
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NVIDIA Drivers
NvMixer
PanoStandAlone
PhotoGallery
PokerStars.net
PowerDVD
ProductContext
QFolder
QuickTime
Readme
RealPlayer
RegSupreme 1.3
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SkinsHP1
TomTom HOME 2.6.4.1641
TomTom HOME Visual Studio Merge Modules
TrayApp
Unload
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Viewpoint Media Player
WebFldrs XP
WebReg
Winamp (remove only)
Windows Antivirus Pro
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows XP Service Pack 3
winqfx16bit
WinZip 12.0

==== Event Viewer Messages From Past Week ========

8/2/2009 4:16:38 PM, error: Service Control Manager [7016] - The AntipyPro_12 service has reported an invalid current state 0.
8/1/2009 9:55:35 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/1/2009 9:55:32 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/31/2009 9:05:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
7/31/2009 9:04:10 PM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\beep.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
7/27/2009 7:00:54 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

==== End Of File ===========================


DDS (Ver_09-07-30.01) - NTFSx86
Run by BEN at 16:17:25.67 on Sun 08/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.634 [GMT -4:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\svchast.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
svchost
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\BEN\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: ICQSys (IE PlugIn): {f54af7de-6038-4026-8433-cc30e3f17212} - c:\windows\system32\dddesot.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SYS32DLL] SYS32DLL
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Windows System Recover!] c:\docume~1\ben\locals~1\temp\system.exe
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [braviax] braviax.exe
dRun: [minix32] c:\windows\system32\minix32.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-system: DisableRegistryTools = 0
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183486234593
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://www.tseweb.nyackschools.com/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
AppInit_DLLs: cru629.dat
LSA: Notification Packages = scecli c:\windows\system32\negonuze.dll

============= SERVICES / DRIVERS ===============

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-1-12 102528]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-2 124832]
R2 AntipPro2009_12;AntipyPro_12;c:\windows\svchast.exe [2009-8-1 176128]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-6-3 92008]
S2 AdobeActiveFileMonitor6.0AdobeActiveFileMonitor6.0Alerter;Adobe Active File Monitor V6 AdobeActiveFileMonitor6.0AdobeActiveFileMonitor6.0Alerter;c:\windows\temp\ff7.tmp service --> c:\windows\temp\FF7.tmp service [?]
S2 AdobeActiveFileMonitor6.0Alerter;Adobe Active File Monitor V6 AdobeActiveFileMonitor6.0Alerter;c:\windows\temp\2c9.tmp run --> c:\windows\temp\2C9.tmp run [?]
S3 AC2003;AC2003;c:\windows\system32\drivers\AC2003.sys [2008-7-24 3584]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-6-29 66048]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-21 38496]
S3 Memctl;Memctl;c:\program files\abit\abit uguru\MEMCTL.SYS [2004-7-5 4047]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-08-01 12:13 <DIR> --d----- c:\documents and settings\ben\.housecall6.6
2009-08-01 11:15 <DIR> --d----- c:\program files\winqfx16bit
2009-08-01 09:48 4 a------- c:\windows\system32\bincd32.dat
2009-08-01 09:48 36 a------- c:\windows\system32\sysnet.dat
2009-08-01 09:48 176,128 a------- c:\windows\svchast.exe
2009-08-01 09:48 64 a------- c:\windows\ppp4.dat
2009-08-01 09:48 9 a------- c:\windows\system32\bennuar.old
2009-08-01 09:48 1 a------- c:\windows\ppp3.dat
2009-08-01 09:48 827,392 a------- c:\windows\system32\dddesot.dll
2009-08-01 09:48 4,096 a------- c:\windows\system32\desot.exe
2009-08-01 09:47 9,216 a------- c:\windows\braviax.exe
2009-08-01 09:46 88,064 a------- C:\knvpd.exe
2009-08-01 09:45 89,088 a------- C:\dqxlergn.exe
2009-08-01 09:45 9,216 a------- c:\windows\system32\braviax.exe
2009-07-31 17:34 19,858 a------- c:\windows\system32\tipaly.sys
2009-07-31 17:34 19,677 a------- c:\docume~1\alluse~1.win\applic~1\wynoqi.pif
2009-07-31 17:34 19,216 a------- c:\windows\system32\zikovi.dll
2009-07-31 17:34 17,573 a------- c:\windows\ucopiv.exe
2009-07-31 17:34 17,573 a------- c:\program files\common files\gosaxibo.exe
2009-07-31 17:34 17,210 a------- c:\docume~1\ben\applic~1\iqehe.dat
2009-07-31 17:34 15,848 a------- c:\windows\hoqutana.bat
2009-07-31 17:34 14,344 a------- c:\windows\usux.sys
2009-07-31 17:34 13,875 a------- c:\program files\common files\zihyn.dll
2009-07-31 17:34 12,287 a------- c:\windows\system32\fogi.dat
2009-07-31 17:34 12,121 a------- c:\windows\idude.dl
2009-07-31 17:34 10,704 a------- c:\windows\onigypa.pif
2009-07-31 17:27 44,544 a------- C:\lype.exe
2009-07-31 17:27 28,160 a------- C:\ncca.exe
2009-07-31 17:27 231,424 a------- C:\blbweld.exe
2009-07-31 17:27 154,632 a------- C:\winantivsetup.exe
2009-07-31 17:27 2 a------- C:\-866657421
2009-07-31 17:26 19,456 a------- C:\jeooxqma.exe
2009-07-31 17:26 69,640 -------- C:\abgcty.exe
2009-07-31 17:26 20,480 a------- C:\cpakfja.exe
2009-07-31 17:26 69,640 a------- C:\njeoahhq.exe
2009-07-31 17:26 10,240 a------- C:\phdtsk.exe
2009-07-15 09:04 <DIR> --d----- c:\docume~1\ben\applic~1\ESET
2009-07-08 13:30 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\96971396
2009-07-08 13:30 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\16961404

==================== Find3M ====================

2009-06-24 08:49 15,646 a------- c:\windows\st_1245866265.exe
2009-06-23 19:42 15,646 a------- c:\windows\st_1245819031.exe
2009-06-23 19:42 15,646 a------- c:\windows\st_1245800605.exe
2009-06-23 09:48 15,646 a------- c:\windows\st_1245783381.exe
2009-06-23 09:48 15,646 a------- c:\windows\st_1245764955.exe
2009-06-22 08:49 15,646 a------- c:\windows\st_1245693438.exe
2009-06-22 08:49 15,646 a------- c:\windows\st_1245675011.exe
2009-06-21 16:20 15,646 a------- c:\windows\st_1245615664.exe
2009-06-21 06:48 14,774 a------- c:\windows\st_1245599766.exe
2009-06-13 20:38 15,776 a------- c:\windows\st_1244939934.exe
2009-06-13 16:17 15,776 a------- c:\windows\st_1244924290.exe
2009-06-12 06:40 15,776 a------- c:\windows\st_1244821724.exe
2009-06-12 06:40 15,776 a------- c:\windows\st_1244803297.exe
2009-06-11 20:36 15,776 a------- c:\windows\st_1244785479.exe
2009-06-11 16:08 15,776 a------- c:\windows\st_1244769346.exe
2009-06-11 16:07 15,776 a------- c:\windows\st_1244750918.exe
2009-06-11 06:37 15,808 a------- c:\windows\st_1244735092.exe
2009-06-11 06:37 15,808 a------- c:\windows\st_1244716661.exe
2009-06-11 06:12 15,776 a------- c:\windows\st_1244733595.exe
2009-06-11 06:12 14,904 a------- c:\windows\st_1244715167.exe
2009-06-10 16:24 15,776 a------- c:\windows\st_1244683915.exe
2009-06-10 07:17 16,396 a------- c:\windows\st_1244651104.exe
2009-06-10 07:17 15,808 a------- c:\windows\st_1244632669.exe
2009-06-10 06:30 15,776 a------- c:\windows\st_1244629858.exe
2009-06-09 19:35 16,080 a------- c:\windows\st_1244609019.exe
2009-06-09 19:35 15,776 a------- c:\windows\st_1244590589.exe
2009-06-09 11:03 16,364 a------- c:\windows\st_1244578255.exe
2009-06-09 06:57 15,776 a------- c:\windows\st_1244563536.exe
2009-06-09 06:57 15,776 a------- c:\windows\st_1244545107.exe
2009-06-08 09:38 16,364 a------- c:\windows\st_1244486781.exe
2009-06-07 21:25 15,492 a------- c:\windows\st_1244442817.exe
2009-06-07 16:05 15,808 a------- c:\windows\st_1244423565.exe
2009-06-07 06:38 15,492 a------- c:\windows\st_1244389564.exe
2009-06-06 16:29 15,808 a------- c:\windows\st_1244338617.exe
2009-06-06 06:35 14,904 a------- c:\windows\st_1244284546.exe
2009-06-05 16:15 14,316 a------- c:\windows\st_1244251394.exe
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 06:27 14,316 a------- c:\windows\st_1244216093.exe
2009-06-01 09:30 12,856 a------- c:\windows\st_1243881513.exe
2009-05-31 15:49 13,444 a------- c:\windows\st_1243817804.exe
2009-05-31 15:48 14,904 a------- c:\windows\st_1243799376.exe
0000-00-00 00:00 0 a--sh--- c:\windows\system32\negonuze.dll

============= FINISH: 16:18:49.89 ===============



Thanks again very much for your help!

[sjpritch25]

Download Combofix from this webpage: http://www.bleepingc...to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

[turnerb]

I was able to send the combofix and hijackthis logs to a friend of mine in IT. He was able to talk me through the rest. That UnHookExec setup worked like a charm! Thank you so much for your help. I appreciate it.

[sjpritch25]

Okay