19 replies to this topic

[ncg8or]

I appear to be in the same boat as many others here as my scans run for a few seconds, then the program disappears. When I try to re-run or re-name the .exe files, I get the "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." message.

Should I run the Win32kDiag.exe file? I'm running XP Home, SP3.

Thanks for the help!

[miekiemoes]

Hi,

1) Please download this file

2) Place fr33.exe next to the exe file that doesn't want to run

3) Drag the exefile into fr33.exe. That shall free/unlock it.

Example how to do this (this is an example with malwarebytes exefile (mbam.exe).




You can do that with every exe file that cannot run.

Or, in case you want to know/interests you how to do this manually and take ownership of locked files, then please see here (XP/Vista) for more info. Note, on XP Home, the "Security" tab is only visible in Safe mode. In case there's no Security tab in XP Pro, then please see here (XP Pro
But not needed to do it manually if you use fr33.exe instead to "unlock" files.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[ncg8or]

Thank you.

I followed the instructions, and ran ComboFix - the 1st time when it finished through the 50 stages it tried to reboot windows. Before I ran this, my desktop was empty and my taskbar was empty and I could only run anything through Task Manager. Anyhow, I re-ran ComboFix a second time and it run just as indicated in the bleepingcomputer link above, and here's the ComboFix.txt log, please let me know where to go from here.

Thanks!

ComboFix 09-09-04.02 - Mike 09/05/2009 11:33.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.310 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\12553594
c:\documents and settings\All Users\Application Data\12553594\12553594
c:\documents and settings\All Users\Application Data\12553594\12553594.exe
c:\documents and settings\All Users\Application Data\12553594\pc12553594ins
c:\documents and settings\Mike\My Documents\ZbThumbnail.info
c:\recycler\S-1-5-21-1417001333-448539723-725345543-1003
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\desktop
c:\windows\Installer\143bbf.msi
c:\windows\Installer\19b0b4ec.msi
c:\windows\Installer\364dd3ad.msp
c:\windows\Installer\e708887.msi
c:\windows\system32\boyimeta.dll
c:\windows\system32\depawehe.dll
c:\windows\system32\drivers\UACllpvxydghd.sys
c:\windows\system32\gavulowe.dll
c:\windows\system32\gazanudu.dll
c:\windows\system32\govegomu.dll
c:\windows\system32\levasilo.dll
c:\windows\system32\MabryObj.dll
c:\windows\system32\mirajehi.exe
c:\windows\system32\nitekazu.dll
c:\windows\system32\sumovena.dll
c:\windows\system32\tapi.nfo
c:\windows\system32\UACdhkrhcinwj.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkuktrvocof.dll
c:\windows\system32\UACuhorophctl.dll
c:\windows\system32\UACxcumottqon.dat
c:\windows\system32\waritili.dll
c:\windows\system32\wisdstr.exe
c:\windows\system32\wscsvc32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-09-05 12:13 . 2009-09-05 12:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwarecom
2009-09-03 13:48 . 2009-09-03 13:48 -------- d-----w- c:\program files\Trend Micro
2009-09-03 13:39 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-03 13:39 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:39 . 2009-09-05 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 23:09 . 2009-09-02 23:09 -------- d-----w- c:\documents and settings\ADMINI~1~OFF\LOCALS~1
2009-09-02 23:09 . 2009-09-02 23:09 -------- d-----w- c:\documents and settings\ADMINI~1~OFF
2009-09-02 22:37 . 2009-09-02 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-09-02 22:14 . 2009-09-02 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwarea
2009-09-02 22:06 . 2009-09-02 22:06 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2009-09-02 22:06 . 2009-09-02 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-02 16:08 . 2009-09-02 16:08 -------- d-----w- c:\program files\Common Files\Scanner
2009-09-02 16:07 . 2009-09-02 16:08 -------- d-----w- c:\program files\CA
2009-09-02 11:06 . 2009-09-02 11:06 17920 ----a-w- C:\osps.exe
2009-09-02 11:06 . 2009-09-02 11:06 19968 ----a-w- C:\xvhu.exe
2009-09-02 11:06 . 2009-09-02 11:06 48640 ----a-w- C:\blyuwrjl.exe
2009-08-24 01:06 . 2008-04-14 00:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-08-24 01:06 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\program files\MyDSC2
2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\program files\Mars
2009-08-24 01:03 . 2005-12-15 21:34 135168 ----a-w- c:\windows\system32\jl_jdct.drv
2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\program files\JL2005C
2009-08-24 01:03 . 2007-11-17 19:46 68954 ----a-w- c:\windows\system32\drivers\jl2005c.sys
2009-08-24 01:02 . 2009-08-24 10:53 -------- d-----w- c:\program files\Snap 'n Share
2009-08-13 11:21 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 15:24 . 2009-09-02 16:54 72388 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-09-05 15:24 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-09-05 15:24 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-09-05 15:24 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-09-05 15:24 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-09-05 15:24 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-09-05 15:24 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-09-05 15:24 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-09-05 13:14 . 2009-06-05 13:14 88064 --sha-w- c:\windows\system32\ronigofu.dll
2009-09-05 12:38 . 2008-11-11 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-09-05 01:14 . 2009-06-05 01:14 88576 --sha-w- c:\windows\system32\norupeze.dll
2009-09-03 13:14 . 2009-06-03 13:14 49152 --sha-w- c:\windows\system32\nukavuso.dll
2009-09-03 13:14 . 2009-06-03 13:14 88064 --sha-w- c:\windows\system32\majiriho.dll
2009-09-02 22:06 . 2004-08-07 17:25 -------- d--h--w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-02 19:05 . 2004-08-07 17:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-02 11:13 . 2009-06-02 11:13 166400 --sha-w- c:\windows\system32\nusuzefa.dll
2009-09-02 11:13 . 2009-06-02 11:13 166400 --sha-w- c:\windows\system32\wakozawa.dll
2009-08-29 16:53 . 2007-07-07 14:38 -------- d-----w- c:\documents and settings\Mike\Application Data\LimeWire
2009-08-25 12:59 . 2008-08-09 18:09 -------- d-----w- c:\program files\FinePixViewer
2009-08-25 12:58 . 2007-07-07 14:37 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 12:28 . 2008-11-04 01:37 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 09:23 . 2009-01-29 14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-06 07:07 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 00:44 . 2009-07-16 00:44 -------- d-----w- c:\program files\Safari
2009-07-16 00:41 . 2009-07-16 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-16 00:41 . 2009-07-16 00:40 -------- d-----w- c:\program files\iTunes
2009-07-16 00:41 . 2009-07-16 00:41 -------- d-----w- c:\program files\iPod
2009-07-16 00:41 . 2009-04-05 21:52 -------- d-----w- c:\program files\Common Files\Apple
2009-07-16 00:34 . 2009-07-16 00:33 -------- d-----w- c:\program files\QuickTime
2009-07-12 16:21 . 2004-08-06 07:19 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2009-07-16 00:29 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 16:16 . 2009-07-16 00:29 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-07 00:33 . 2006-12-22 22:44 162896 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-06-26 16:50 . 2004-08-24 00:32 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-06 07:07 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-06 07:07 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-06 07:07 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-06 07:07 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-06 07:07 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-06 07:07 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-06 07:07 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-06 07:07 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-06 07:07 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-06 07:07 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-06 07:07 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-06 07:13 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-06 07:07 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-08-17 21:10 . 2008-08-17 21:10 0 ----a-w- c:\program files\temp01
2009-06-03 13:14 . 2009-06-03 13:14 49152 --sha-w- c:\windows\system32\hutikovu.dll
2009-06-03 00:14 . 2009-06-03 00:14 474112 --sha-w- c:\windows\system32\kakekuze.exe
2009-06-03 00:14 . 2009-06-03 00:14 5120 --sha-w- c:\windows\system32\mogeviga.dll
2009-06-03 13:14 . 2009-06-03 13:14 49152 --sha-w- c:\windows\system32\mozifihi.dll
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1033728 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2002-08-29 12:00 1004032 A82B28BFC2E4455FE43022A498C0EF0A c:\windows\$NtUninstallKB820291$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a5f9335-9e0d-4fe8-bb65-f6ea92bd7fde}]
2009-06-03 13:14 49152 --sha-w- c:\windows\system32\hutikovu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-02-07 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-10-18 1921024]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-21 86016]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2007-10-24 562608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-25 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-09-02 177392]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2009-09-02 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2009-09-02 259312]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-09-02 14088]
"kihakiwako"="c:\windows\system32\mozifihi.dll" [2009-06-03 49152]
"sebitemuj"="c:\windows\system32\ronigofu.dll" [2009-09-05 88064]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-07-21 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Desktop Application Director 9.LNK - c:\program files\Corel\WordPerfect Office 2000\programs\dad9.exe [2004-12-15 225280]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-8-9 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{5264E937-B015-11D2-8C0E-00C04FBBCFF9}\A12970B7.exe [2005-1-27 30720]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-8-16 344064]
Ulead Photo Express 3.0 SE Calendar Checker.lnk - c:\program files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe [2004-9-4 61440]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{b7aa288d-3726-4dc1-b5b2-ac183e5adf47}"= "c:\windows\system32\ronigofu.dll" [2009-09-05 88064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"butejivef"= {b7aa288d-3726-4dc1-b5b2-ac183e5adf47} - c:\windows\system32\ronigofu.dll [2009-09-05 88064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 17:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk
backup=c:\windows\pss\Corel Registration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL 9.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL 9.LNK
backup=c:\windows\pss\CorelCENTRAL 9.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL Alarms.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL Alarms.LNK
backup=c:\windows\pss\CorelCENTRAL Alarms.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpsvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 10:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 10:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [10/23/2007 8:09 PM 19376]
S3 gtermddo;gtermddo;\??\c:\docume~1\Mike\LOCALS~1\Temp\gtermddo.sys --> c:\docume~1\Mike\LOCALS~1\Temp\gtermddo.sys [?]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [8/5/2004 8:11 PM 32840]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-02 c:\windows\Tasks\CAAntiSpywareScan_Daily as Mike at 12 08 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-12553594 - c:\documents and settings\All Users\Application Data\12553594\12553594.exe
SharedTaskScheduler-{edde72d2-0efe-4192-98a3-4605387f807d} - c:\windows\system32\zapujevu.dll
SharedTaskScheduler-{dbaba3c7-5ed4-4135-a1f4-8d93e2a2e211} - c:\windows\system32\zapujevu.dll
SSODL-jogibolet-{edde72d2-0efe-4192-98a3-4605387f807d} - c:\windows\system32\zapujevu.dll
SSODL-zopinebip-{dbaba3c7-5ed4-4135-a1f4-8d93e2a2e211} - c:\windows\system32\zapujevu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://remote.magellancharter.org/NELX.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 11:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
Completion time: 2009-09-05 11:45
ComboFix-quarantined-files.txt 2009-09-05 15:45

Pre-Run: 40,489,160,704 bytes free
Post-Run: 40,456,548,352 bytes free

279 --- E O F --- 2009-08-26 12:27

[miekiemoes]

Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
C:\osps.exe
C:\xvhu.exe
C:\blyuwrjl.exe
Collect::[8]
c:\windows\system32\mozifihi.dll
c:\windows\system32\hutikovu.dll
c:\windows\system32\kakekuze.exe
c:\windows\system32\mogeviga.dll
c:\windows\system32\mozifihi.dll
c:\windows\system32\ronigofu.dll
c:\windows\system32\norupeze.dll
c:\windows\system32\nukavuso.dll
c:\windows\system32\majiriho.dll
c:\windows\system32\nusuzefa.dll
c:\windows\system32\wakozawa.dll
Driver::
gtermddo
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a5f9335-9e0d-4fe8-bb65-f6ea92bd7fde}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kihakiwako"=-
"sebitemuj"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{b7aa288d-3726-4dc1-b5b2-ac183e5adf47}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"butejivef"=-

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.
Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

[ncg8or]

Thanks, I created the CFScript text file, and I assume the last line is supposed to be:

"butejivef"=-

However, I can't open Windows Explorer so I'm not sure what to use to drag the CFScript into ComboFix.exe file, suggestions?

Also, once I get through that step, do I run the ComboFix file again completely before accessing the http://www.bleepingc...e.php?channel=8 link? I'm not sure of the order I"m supposed to do these two steps.

[miekiemoes]

Quote

I created the CFScript text file, and I assume the last line is supposed to be:

"butejivef"=-

Yes

To drag..

You can do this via taskmanager as well though.
Click the first tab, new task and there you get a browse button.
There browse to where you have created the cfscript (assuming it's in the same place as Combofix) and you can drag there.

Or via taskmanager > new task > run and run the following command. (also assuming you saved CFScript.txt in the desktop folder where Combofix is located):


"%Userprofile%\Desktop\Combofix /CFScript.txt"

Quote

Also, once I get through that step, do I run the ComboFix file again completely before accessing the http://www.bleepingc...e.php?channel=8 link? I'm not sure of the order I"m supposed to do these two steps.

Running Combofix with the cfscript will generate the C:\Qoobox\Quarantine\[8]-Submit_date_time.zip file for you, so no need to re-run Combofix afterdwards once again

[ncg8or]

Ok, looks like it did everything it was supposed to (although I did have to run ComboFix twice again as it re-booted windows after the 1st run like it did the 1st time I ran it). I've succesrully submitted the file to the bleepingcomputer link you gave me, and here's the newest ComboFix log file. Thanks again, and let me know what's next!

ComboFix 09-09-04.02 - Mike 09/05/2009 12:47.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.216 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\blyuwrjl.exe
C:\osps.exe
c:\windows\system32\hutikovu.dll
c:\windows\system32\kakekuze.exe
c:\windows\system32\majiriho.dll
c:\windows\system32\mogeviga.dll
c:\windows\system32\mozifihi.dll
c:\windows\system32\norupeze.dll
c:\windows\system32\nukavuso.dll
c:\windows\system32\nusuzefa.dll
c:\windows\system32\ronigofu.dll
c:\windows\system32\wakozawa.dll
C:\xvhu.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GTERMDDO
-------\Service_gtermddo


((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-09-05 12:13 . 2009-09-05 12:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwarecom
2009-09-03 13:48 . 2009-09-03 13:48 -------- d-----w- c:\program files\Trend Micro
2009-09-03 13:39 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-03 13:39 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:39 . 2009-09-05 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 23:09 . 2009-09-02 23:09 -------- d-----w- c:\documents and settings\ADMINI~1~OFF\LOCALS~1
2009-09-02 23:09 . 2009-09-02 23:09 -------- d-----w- c:\documents and settings\ADMINI~1~OFF
2009-09-02 22:37 . 2009-09-02 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-09-02 22:14 . 2009-09-02 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwarea
2009-09-02 22:06 . 2009-09-02 22:06 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2009-09-02 22:06 . 2009-09-02 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-02 16:08 . 2009-09-02 16:08 -------- d-----w- c:\program files\Common Files\Scanner
2009-09-02 16:07 . 2009-09-02 16:08 -------- d-----w- c:\program files\CA
2009-08-24 01:06 . 2008-04-14 00:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-08-24 01:06 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\program files\MyDSC2
2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\program files\Mars
2009-08-24 01:03 . 2005-12-15 21:34 135168 ----a-w- c:\windows\system32\jl_jdct.drv
2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\program files\JL2005C
2009-08-24 01:03 . 2007-11-17 19:46 68954 ----a-w- c:\windows\system32\drivers\jl2005c.sys
2009-08-24 01:02 . 2009-08-24 10:53 -------- d-----w- c:\program files\Snap 'n Share
2009-08-13 11:21 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 16:39 . 2009-09-02 16:54 72388 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-09-05 12:38 . 2008-11-11 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-09-02 22:06 . 2004-08-07 17:25 -------- d--h--w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-02 19:05 . 2004-08-07 17:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 16:53 . 2007-07-07 14:38 -------- d-----w- c:\documents and settings\Mike\Application Data\LimeWire
2009-08-25 12:59 . 2008-08-09 18:09 -------- d-----w- c:\program files\FinePixViewer
2009-08-25 12:58 . 2007-07-07 14:37 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 12:28 . 2008-11-04 01:37 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 09:23 . 2009-01-29 14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-06 07:07 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 00:44 . 2009-07-16 00:44 -------- d-----w- c:\program files\Safari
2009-07-16 00:41 . 2009-07-16 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-16 00:41 . 2009-07-16 00:40 -------- d-----w- c:\program files\iTunes
2009-07-16 00:41 . 2009-07-16 00:41 -------- d-----w- c:\program files\iPod
2009-07-16 00:41 . 2009-04-05 21:52 -------- d-----w- c:\program files\Common Files\Apple
2009-07-16 00:34 . 2009-07-16 00:33 -------- d-----w- c:\program files\QuickTime
2009-07-12 16:21 . 2004-08-06 07:19 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2009-07-16 00:29 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 16:16 . 2009-07-16 00:29 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-07 00:33 . 2006-12-22 22:44 162896 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-06-26 16:50 . 2004-08-24 00:32 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-06 07:07 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-06 07:07 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-06 07:07 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-06 07:07 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-06 07:07 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-06 07:07 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-06 07:07 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-06 07:07 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-06 07:07 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-06 07:07 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-06 07:07 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-06 07:13 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-06 07:07 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-08-17 21:10 . 2008-08-17 21:10 0 ----a-w- c:\program files\temp01
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1033728 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2002-08-29 12:00 1004032 A82B28BFC2E4455FE43022A498C0EF0A c:\windows\$NtUninstallKB820291$\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-02-07 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-10-18 1921024]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-21 86016]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2007-10-24 562608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-25 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-09-02 177392]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2009-09-02 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2009-09-02 259312]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-09-02 14088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-07-21 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Desktop Application Director 9.LNK - c:\program files\Corel\WordPerfect Office 2000\programs\dad9.exe [2004-12-15 225280]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-8-9 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{5264E937-B015-11D2-8C0E-00C04FBBCFF9}\A12970B7.exe [2005-1-27 30720]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-8-16 344064]
Ulead Photo Express 3.0 SE Calendar Checker.lnk - c:\program files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe [2004-9-4 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 17:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk
backup=c:\windows\pss\Corel Registration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL 9.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL 9.LNK
backup=c:\windows\pss\CorelCENTRAL 9.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL Alarms.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL Alarms.LNK
backup=c:\windows\pss\CorelCENTRAL Alarms.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpsvc.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 10:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 10:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [10/23/2007 8:09 PM 19376]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [8/5/2004 8:11 PM 32840]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-02 c:\windows\Tasks\CAAntiSpywareScan_Daily as Mike at 12 08 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://remote.magellancharter.org/NELX.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 12:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
Completion time: 2009-09-05 12:59
ComboFix-quarantined-files.txt 2009-09-05 16:59
ComboFix2.txt 2009-09-05 15:45

Pre-Run: 40,455,299,072 bytes free
Post-Run: 40,424,534,016 bytes free

235 --- E O F --- 2009-08-26 12:27
Upload was successful

[miekiemoes]

Hi,

Does your explorer run now?
Because according to Combofix, it can't read the file (can't read hash), which means it's probably corrupted.
If your explorer still won't load, please rename the file C:\Windows\explorer.exe to explorer.corrupt
Then COPY the file c:\windows\ServicePackFiles\i386\explorer.exe to C:\Windows
Reboot.

Let me know if that solved the not loading explorer issue.

[ncg8or]

miekiemoes, on Sep 5 2009, 01:23 PM, said:

Hi,

Does your explorer run now?
Because according to Combofix, it can't read the file (can't read hash), which means it's probably corrupted.
If your explorer still won't load, please rename the file C:\Windows\explorer.exe to explorer.corrupt
Then COPY the file c:\windows\ServicePackFiles\i386\explorer.exe to C:\Windows
Reboot.

Let me know if that solved the not loading explorer issue.

Ok, the explorer.exe file in c:\windows\ won't run as it is giving me the "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." error message, and I can't rename it either (same reason I suppose).

However, I copied the explorer.exe file from c:\windows\ServicePackFiles\i386\ and renamed it as "explorer.com.exe" and it's running, so I now have explorer!

[miekiemoes]

Good to hear

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

[ncg8or]

miekiemoes, on Sep 5 2009, 01:44 PM, said:

Good to hear

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

Hmmm...when I re-booted, I still had an empty desktop and nothing in the task bar, so I can't go to start > run. Can I get there from the Task Manager?

[miekiemoes]

That's strange...
I wonder if your CA is interfering here..

What happens if you use fr33.exe on it? So drag the C:\Windows\explorer.exe into fr33.exe

Can you, just to be on the safe side, redownload Combofix and scan with it again?

[ncg8or]

miekiemoes, on Sep 5 2009, 02:00 PM, said:

That's strange...
I wonder if your CA is interfering here..

What happens if you use fr33.exe on it? So drag the C:\Windows\explorer.exe into fr33.exe

Can you, just to be on the safe side, redownload Combofix and scan with it again?

I deleted the CA AV program, and turned off the firewall so I'm not sure about that. Dragging the fr33.exe file gives me the same access error.

I'll re-run a fresh download of ComboFix.

[ncg8or]

Ok, here's the log from the latest run:

ComboFix 09-09-04.02 - Mike 09/05/2009 14:15.5.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.257 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-09-05 17:31 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.com.exe
2009-09-05 17:26 . 2009-09-05 17:26 136382 ----a-w- c:\windows\fr33.exe
2009-09-05 12:13 . 2009-09-05 12:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwarecom
2009-09-03 13:48 . 2009-09-03 13:48 -------- d-----w- c:\program files\Trend Micro
2009-09-03 13:39 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-03 13:39 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:39 . 2009-09-05 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-02 23:09 . 2009-09-02 23:09 -------- d-----w- c:\documents and settings\ADMINI~1~OFF\LOCALS~1
2009-09-02 23:09 . 2009-09-02 23:09 -------- d-----w- c:\documents and settings\ADMINI~1~OFF
2009-09-02 22:37 . 2009-09-02 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-09-02 22:14 . 2009-09-02 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malwarea
2009-09-02 22:06 . 2009-09-02 22:06 -------- d-----w- c:\documents and settings\Mike\Application Data\Malwarebytes
2009-09-02 22:06 . 2009-09-02 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-02 16:08 . 2009-09-02 16:08 -------- d-----w- c:\program files\Common Files\Scanner
2009-09-02 16:07 . 2009-09-02 16:08 -------- d-----w- c:\program files\CA
2009-08-24 01:06 . 2008-04-14 00:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2009-08-24 01:06 . 2008-04-14 00:12 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\program files\MyDSC2
2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\program files\Mars
2009-08-24 01:03 . 2005-12-15 21:34 135168 ----a-w- c:\windows\system32\jl_jdct.drv
2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\program files\JL2005C
2009-08-24 01:03 . 2007-11-17 19:46 68954 ----a-w- c:\windows\system32\drivers\jl2005c.sys
2009-08-24 01:02 . 2009-08-24 10:53 -------- d-----w- c:\program files\Snap 'n Share
2009-08-13 11:21 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 16:39 . 2009-09-02 16:54 72388 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-09-05 16:39 . 2009-09-02 16:54 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-09-05 12:38 . 2008-11-11 23:42 -------- d-----w- c:\documents and settings\All Users\Application Data\CA
2009-09-02 22:06 . 2004-08-07 17:25 -------- d--h--w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-02 19:05 . 2004-08-07 17:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 16:53 . 2007-07-07 14:38 -------- d-----w- c:\documents and settings\Mike\Application Data\LimeWire
2009-08-25 12:59 . 2008-08-09 18:09 -------- d-----w- c:\program files\FinePixViewer
2009-08-25 12:58 . 2007-07-07 14:37 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 12:28 . 2008-11-04 01:37 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 09:23 . 2009-01-29 14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-06 07:07 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 00:44 . 2009-07-16 00:44 -------- d-----w- c:\program files\Safari
2009-07-16 00:41 . 2009-07-16 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-16 00:41 . 2009-07-16 00:40 -------- d-----w- c:\program files\iTunes
2009-07-16 00:41 . 2009-07-16 00:41 -------- d-----w- c:\program files\iPod
2009-07-16 00:41 . 2009-04-05 21:52 -------- d-----w- c:\program files\Common Files\Apple
2009-07-16 00:34 . 2009-07-16 00:33 -------- d-----w- c:\program files\QuickTime
2009-07-12 16:21 . 2004-08-06 07:19 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 16:16 . 2009-07-16 00:29 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-09 16:16 . 2009-07-16 00:29 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-07 00:33 . 2006-12-22 22:44 162896 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-06-26 16:50 . 2004-08-24 00:32 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-06 07:07 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-06 07:07 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-06 07:07 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-06 07:07 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-06 07:07 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-06 07:07 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-06 07:07 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-06 07:07 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-06 07:07 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-06 07:07 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-06 07:07 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-06 07:13 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-06 07:07 132096 ----a-w- c:\windows\system32\wkssvc.dll
2008-08-17 21:10 . 2008-08-17 21:10 0 ----a-w- c:\program files\temp01
.

((((((((((((((((((((((((((((( SnapShot@2009-09-05_15.42.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-05 17:30 . 2008-04-14 00:12 1033728 c:\windows\ServicePackFiles\i386\explorera.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-02-07 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-10-18 1921024]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-21 86016]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2007-10-24 562608]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-25 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-09-02 177392]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2009-09-02 173296]
"capfupgrade"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2009-09-02 259312]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-09-02 14088]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-07-21 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Desktop Application Director 9.LNK - c:\program files\Corel\WordPerfect Office 2000\programs\dad9.exe [2004-12-15 225280]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-8-9 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Microsoft Works Calendar Reminders.lnk - c:\windows\Installer\{5264E937-B015-11D2-8C0E-00C04FBBCFF9}\A12970B7.exe [2005-1-27 30720]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-8-16 344064]
Ulead Photo Express 3.0 SE Calendar Checker.lnk - c:\program files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe [2004-9-4 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 17:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Corel Registration.lnk
backup=c:\windows\pss\Corel Registration.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL 9.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL 9.LNK
backup=c:\windows\pss\CorelCENTRAL 9.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorelCENTRAL Alarms.LNK]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL Alarms.LNK
backup=c:\windows\pss\CorelCENTRAL Alarms.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpsvc.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 10:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 10:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [10/23/2007 8:09 PM 19376]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [8/5/2004 8:11 PM 32840]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
.
Contents of the 'Scheduled Tasks' folder

2009-06-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-02 c:\windows\Tasks\CAAntiSpywareScan_Daily as Mike at 12 08 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} - hxxp://www.riffinteractive.com/setup/RiffLick.cab
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://remote.magellancharter.org/NELX.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 14:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-09-05 14:28
ComboFix-quarantined-files.txt 2009-09-05 18:28
ComboFix2.txt 2009-09-05 17:02
ComboFix3.txt 2009-09-05 15:45

Pre-Run: 40,410,669,056 bytes free
Post-Run: 40,386,916,352 bytes free

212 --- E O F --- 2009-08-26 12:27

[ncg8or]

Ok, I re-booted after the ComboFix scan and my desktop has reappeared! I'll uninstall ComboFix next per your instructions.

[miekiemoes]

Combofix doesn't have issues with reading the file now though..

BTW: + 2009-09-05 17:30 . 2008-04-14 00:12 1033728 c:\windows\ServicePackFiles\i386\explorera.exe

It looks like you renamed the backup as well there. Please rename that one back to explorer.exe
The previous one, it looks like you named it to c:\windows\explorer.com.exe
I assume there's still an explorer.exe in the Windows folder as well there?

Quote

Dragging the fr33.exe file gives me the same access error.

You don't need to drag the fr33.exe, you need to drag C:\Windows\explorer.exe into fr33.exe

[miekiemoes]

Ignore my post.. I see you already posted in between and everything works again for you now

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[ncg8or]

Thanks so much...I'm back in business again! Been spending some time cleaning up the hard drive per the suggestions on your website, hopefully I won't have to return here but will refer you to my friends.

[miekiemoes]

You're most welcome

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.