
Malwarebytes

Please help. Hijackthis dies.


14 replies to this topic

#1 plshlpme (New Member, Members, 11 posts)
Any help will be greatly appreciated. I have tried to run HijackThis and Malwarebytes. They both are stopped after a few seconds. Here is my Win32kDiag log.


Log file is located at: C:\Documents and Settings\T\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINXP'...



Found mount point : C:\WINXP\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINXP\Installer\Installer

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINXP\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINXP\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINXP\PIF\PIF

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINXP\pss\system.ini.backup

[1] 2008-06-10 13:24:31 231 C:\WINXP\pss\system.ini.backup ()



Cannot access: C:\WINXP\pss\win.ini.backup

[1] 2009-06-11 00:56:09 629 C:\WINXP\pss\win.ini.backup ()



Cannot access: C:\WINXP\system32\attrib.exe

[1] 2001-08-18 07:00:00 11264 C:\WINXP\$NtServicePackUninstall$\attrib.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:12 12288 C:\WINXP\ServicePackFiles\i386\attrib.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:12 12288 C:\WINXP\system32\attrib.exe ()



Cannot access: C:\WINXP\system32\cscript.exe

[1] 2008-05-07 04:07:23 135168 C:\WINXP\$hf_mig$\KB951978\SP3QFE\cscript.exe (Microsoft Corporation)

[1] 2004-08-04 02:56:48 98304 C:\WINXP\$NtServicePackUninstall$\cscript.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:15 139264 C:\WINXP\$NtUninstallKB951978$\cscript.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:15 139264 C:\WINXP\ServicePackFiles\i386\cscript.exe (Microsoft Corporation)

[1] 2008-05-07 04:07:23 135168 C:\WINXP\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\sp3gdr\cscript.exe (Microsoft Corporation)

[1] 2008-05-07 04:07:23 135168 C:\WINXP\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\sp3qfe\cscript.exe (Microsoft Corporation)

[1] 2008-05-07 04:07:23 135168 C:\WINXP\system32\cscript.exe ()

[1] 2008-05-07 04:07:23 135168 C:\WINXP\system32\dllcache\cscript.exe (Microsoft Corporation)



Cannot access: C:\WINXP\system32\drivers\3a7ad160.sys

[1] 2009-09-07 20:53:32 87884 C:\WINXP\system32\drivers\3a7ad160.sys ()



Cannot access: C:\WINXP\system32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINXP\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINXP\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINXP\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINXP\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINXP\system32\findstr.exe

[1] 2004-08-04 02:56:49 27136 C:\WINXP\$NtServicePackUninstall$\findstr.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:20 27136 C:\WINXP\ServicePackFiles\i386\findstr.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:20 27136 C:\WINXP\system32\findstr.exe ()



Cannot access: C:\WINXP\system32\ping.exe

[1] 2004-08-04 02:56:55 17920 C:\WINXP\$NtServicePackUninstall$\ping.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:31 17920 C:\WINXP\ServicePackFiles\i386\ping.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:31 17920 C:\WINXP\system32\ping.exe ()



Cannot access: C:\WINXP\system32\route.exe

[1] 2001-08-18 07:00:00 19968 C:\WINXP\system32\dllcache\route.exe (Microsoft Corporation)

[1] 2001-08-18 07:00:00 19968 C:\WINXP\system32\route.exe ()



Cannot access: C:\WINXP\system32\wbem\Logs\FrameWork.log

[1] 2009-08-19 23:04:44 56237 C:\WINXP\system32\wbem\Logs\FrameWork.log ()



Cannot access: C:\WINXP\system32\wbem\Logs\FrameWork.lo_

[1] 2009-08-19 23:04:42 65718 C:\WINXP\system32\wbem\Logs\FrameWork.lo_ ()





Finished!
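The log above can be triaged mechanically rather than by eye. The script below is an added example written for this page; it is not a tool from the thread, from Malwarebytes or from the Win32kDiag author. It parses the three line shapes Win32kDiag prints ("Found mount point", "Mount point destination", "Cannot access" followed by the copies it found of that file name) and applies two triage assumptions of mine: a junction whose reparse target is not an NT path under `\??\` is flagged as suspicious, and a locked file is compared by size only against same-named copies listed elsewhere on disk (ServicePackFiles, dllcache, uninstall folders). The embedded sample is an excerpt of the first log posted above, trimmed to a few entries.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line shapes copied from the Win32kDiag log posted in this thread.
MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
NOACCESS_RE = re.compile(r"^Cannot access: (.+)$")
ENTRY_RE = re.compile(
    r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$"
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class MountPoint:
    path: str
    destination: str = ""

    def suspicious(self) -> bool:
        # Triage assumption: a junction created by Windows or an admin stores
        # its target as an NT path under \??\ (e.g. \??\C:\dir). A target such
        # as \Device\__max++>\^ lives outside that namespace.
        return not self.destination.startswith("\\??\\")


@dataclass
class Inaccessible:
    path: str
    size: Optional[int] = None
    company: str = ""                    # empty "()" = version info unreadable
    references: Dict[str, int] = field(default_factory=dict)

    def verdict(self) -> str:
        # Compare the locked file only against same-named copies Win32kDiag
        # listed elsewhere (ServicePackFiles, dllcache, uninstall folders).
        if not self.references:
            return "no reference copy on disk"
        if self.size in self.references.values():
            return "size matches a reference copy"
        return "size matches no reference copy"


def parse(text: str) -> Tuple[List[MountPoint], List[Inaccessible]]:
    mounts: List[MountPoint] = []
    files: List[Inaccessible] = []
    current: Optional[Inaccessible] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MOUNT_RE.match(line):
            current = None
            mounts.append(MountPoint(m.group(1)))
        elif (m := DEST_RE.match(line)) and mounts:
            mounts[-1].destination = m.group(1)
        elif m := NOACCESS_RE.match(line):
            current = Inaccessible(m.group(1))
            files.append(current)
        elif (m := ENTRY_RE.match(line)) and current is not None:
            size, path, company = int(m.group(3)), m.group(4), m.group(5)
            if path.lower() == current.path.lower():
                current.size, current.company = size, company
            elif basename(path) == basename(current.path):
                current.references[path] = size
    return mounts, files


def report(text: str) -> List[str]:
    mounts, files = parse(text)
    lines = []
    for mp in mounts:
        tag = "SUSPICIOUS" if mp.suspicious() else "ok"
        lines.append(f"[{tag}] junction {mp.path} -> {mp.destination}")
    for f in files:
        note = "" if f.company else ", version info unreadable"
        lines.append(f"[{f.verdict()}{note}] {f.path} size={f.size}")
    return lines


# Excerpt of the first log posted above (post #1), trimmed to a few entries.
SAMPLE_LOG = r"""
Found mount point : C:\WINXP\ERDNT\ERDNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINXP\PIF\PIF
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINXP\system32\attrib.exe
[1] 2001-08-18 07:00:00 11264 C:\WINXP\$NtServicePackUninstall$\attrib.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:12 12288 C:\WINXP\ServicePackFiles\i386\attrib.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:12 12288 C:\WINXP\system32\attrib.exe ()
Cannot access: C:\WINXP\system32\drivers\3a7ad160.sys
[1] 2009-09-07 20:53:32 87884 C:\WINXP\system32\drivers\3a7ad160.sys ()
Cannot access: C:\WINXP\system32\eventlog.dll
[1] 2004-08-04 02:56:42 55808 C:\WINXP\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINXP\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 61952 C:\WINXP\system32\eventlog.dll ()
[2] 2008-04-13 19:11:53 56320 C:\WINXP\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Two caveats when reading the verdicts. An empty company field means Win32kDiag could not read the file's version resource, which on this machine is because access was denied, so on its own it does not prove tampering; the second log in this thread (after `-r -f` reset the permissions) shows attrib.exe, cscript.exe, findstr.exe, ping.exe and route.exe regaining their "Microsoft Corporation" field. The entries to treat as tampered are the ones that stay unreadable and whose size matches no reference copy, here system32\eventlog.dll at 61952 bytes against 56320 in ServicePackFiles, plus 3a7ad160.sys, for which no clean copy exists on disk at all.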

#2 plshlpme (New Member, Members, 11 posts)
I have a laptop with Windows XP.

#3 LonnyRJ (True Member, Experts, 353 posts, Gender: Male, Location: Puget Sound)
Welcome to the forum plshlpme

Go to Start > Run, copy and paste in the line below, and press Enter:
"%userprofile%\desktop\Win32kDiag.exe" -r -f

Post the log again please.

Next:

Visit the webpage below for instructions for downloading and running ComboFix:
http://www.bleepingc...to-use-combofix
But prior to running, please make sure you disable ALL of your antivirus/antispyware/firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it.
Please visit HERE if you don't know how. http://www.bleepingc...opic114351.html

Post ComboFix's log, which will open automatically when complete; if not, it is located here: C:\combofix.txt

#4 plshlpme (New Member, Members, 11 posts)
Thanks so much, LonnyRJ! I really appreciate the help!

Here is my Win32kDiag.exe log, followed by my ComboFix log.

Log file is located at: C:\Documents and Settings\T\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINXP'...



Found mount point : C:\WINXP\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINXP\ERDNT\ERDNT

Found mount point : C:\WINXP\Installer\Installer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINXP\Installer\Installer

Found mount point : C:\WINXP\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINXP\PCHEALTH\HELPCTR\BATCH\BATCH

Found mount point : C:\WINXP\PCHEALTH\HELPCTR\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINXP\PCHEALTH\HELPCTR\Temp\Temp

Found mount point : C:\WINXP\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINXP\PIF\PIF

Cannot access: C:\WINXP\pss\system.ini.backup

Attempting to restore permissions of : C:\WINXP\pss\system.ini.backup

[1] 2008-06-10 13:24:31 231 C:\WINXP\pss\system.ini.backup ()



Cannot access: C:\WINXP\pss\win.ini.backup

Attempting to restore permissions of : C:\WINXP\pss\win.ini.backup

[1] 2009-06-11 00:56:09 629 C:\WINXP\pss\win.ini.backup ()



Cannot access: C:\WINXP\system32\attrib.exe

Attempting to restore permissions of : C:\WINXP\system32\attrib.exe

[1] 2001-08-18 07:00:00 11264 C:\WINXP\$NtServicePackUninstall$\attrib.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:12 12288 C:\WINXP\ServicePackFiles\i386\attrib.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:12 12288 C:\WINXP\system32\attrib.exe (Microsoft Corporation)



Cannot access: C:\WINXP\system32\cscript.exe

Attempting to restore permissions of : C:\WINXP\system32\cscript.exe

[1] 2008-05-07 04:07:23 135168 C:\WINXP\$hf_mig$\KB951978\SP3QFE\cscript.exe (Microsoft Corporation)

[1] 2004-08-04 02:56:48 98304 C:\WINXP\$NtServicePackUninstall$\cscript.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:15 139264 C:\WINXP\$NtUninstallKB951978$\cscript.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:15 139264 C:\WINXP\ServicePackFiles\i386\cscript.exe (Microsoft Corporation)

[1] 2008-05-07 04:07:23 135168 C:\WINXP\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\sp3gdr\cscript.exe (Microsoft Corporation)

[1] 2008-05-07 04:07:23 135168 C:\WINXP\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\sp3qfe\cscript.exe (Microsoft Corporation)

[1] 2008-05-07 04:07:23 135168 C:\WINXP\system32\cscript.exe (Microsoft Corporation)

[1] 2008-05-07 04:07:23 135168 C:\WINXP\system32\dllcache\cscript.exe (Microsoft Corporation)



Cannot access: C:\WINXP\system32\drivers\3a7ad160.sys

Attempting to restore permissions of : C:\WINXP\system32\drivers\3a7ad160.sys

[1] 2009-09-12 21:59:03 87884 C:\WINXP\system32\drivers\3a7ad160.sys ()



Cannot access: C:\WINXP\system32\eventlog.dll

Attempting to restore permissions of : C:\WINXP\system32\eventlog.dll

[1] 2004-08-04 02:56:42 55808 C:\WINXP\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINXP\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 61952 C:\WINXP\system32\eventlog.dll ()

[2] 2008-04-13 19:11:53 56320 C:\WINXP\system32\logevent.dll (Microsoft Corporation)



Cannot access: C:\WINXP\system32\findstr.exe

Attempting to restore permissions of : C:\WINXP\system32\findstr.exe

[1] 2004-08-04 02:56:49 27136 C:\WINXP\$NtServicePackUninstall$\findstr.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:20 27136 C:\WINXP\ServicePackFiles\i386\findstr.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:20 27136 C:\WINXP\system32\findstr.exe (Microsoft Corporation)



Cannot access: C:\WINXP\system32\ping.exe

Attempting to restore permissions of : C:\WINXP\system32\ping.exe

[1] 2004-08-04 02:56:55 17920 C:\WINXP\$NtServicePackUninstall$\ping.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:31 17920 C:\WINXP\ServicePackFiles\i386\ping.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:31 17920 C:\WINXP\system32\ping.exe (Microsoft Corporation)



Cannot access: C:\WINXP\system32\route.exe

Attempting to restore permissions of : C:\WINXP\system32\route.exe

[1] 2001-08-18 07:00:00 19968 C:\WINXP\system32\dllcache\route.exe (Microsoft Corporation)

[1] 2001-08-18 07:00:00 19968 C:\WINXP\system32\route.exe (Microsoft Corporation)



Cannot access: C:\WINXP\system32\wbem\Logs\FrameWork.log

Attempting to restore permissions of : C:\WINXP\system32\wbem\Logs\FrameWork.log

[1] 2009-08-19 23:04:44 56237 C:\WINXP\system32\wbem\Logs\FrameWork.log ()



Cannot access: C:\WINXP\system32\wbem\Logs\FrameWork.lo_

Attempting to restore permissions of : C:\WINXP\system32\wbem\Logs\FrameWork.lo_

[1] 2009-08-19 23:04:42 65718 C:\WINXP\system32\wbem\Logs\FrameWork.lo_ ()





Finished!



ComboFix 09-09-12.08 - T 09/12/2009 23:30.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.159 [GMT -5:00]
Running from: c:\documents and settings\T\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\T\LOCALS~1\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\_IsRes.dll
c:\docume~1\T\LOCALS~1\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\_IsUser.dll
c:\docume~1\T\LOCALS~1\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\_ISUSER1.DLL
c:\docume~1\T\LOCALS~1\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\_setup.dll
c:\docume~1\T\LOCALS~1\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\Common.dll
c:\docume~1\T\LOCALS~1\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\CTCABEX.DLL
c:\docume~1\T\LOCALS~1\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\CTDeInst.dll
c:\docume~1\T\LOCALS~1\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\CTUIXtra.dll
c:\docume~1\T\LOCALS~1\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\isrt.dll
c:\docume~1\T\LOCALS~1\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\SetSoftSize.dll
c:\docume~1\T\LOCALS~1\Temp\{45EBDA59-D33B-433A-956E-B2F236468B56}\_IsRes.dll
c:\docume~1\T\LOCALS~1\Temp\{45EBDA59-D33B-433A-956E-B2F236468B56}\_Isuser.dll
c:\docume~1\T\LOCALS~1\Temp\{45EBDA59-D33B-433A-956E-B2F236468B56}\isrt.dll
c:\docume~1\T\LOCALS~1\Temp\{65AB0AE6-99D3-4A9F-869D-CE8A930C465E}\_Setup.dll
c:\docume~1\T\LOCALS~1\Temp\{65AB0AE6-99D3-4A9F-869D-CE8A930C465E}\ISSetup.dll
c:\docume~1\T\LOCALS~1\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\_IsRes.dll
c:\docume~1\T\LOCALS~1\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\_ISUSER.DLL
c:\docume~1\T\LOCALS~1\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\_setup.dll
c:\docume~1\T\LOCALS~1\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\Common.dll
c:\docume~1\T\LOCALS~1\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\CTCabEx.DLL
c:\docume~1\T\LOCALS~1\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\isrt.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\Aux_Logging.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\dgfl.sys
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\EamEvents.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\ExmpGUIFramework.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\ExmpLauncherDll.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\ExmpSrv.exe
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\gdiplus.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\MFC71u.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\msvcp71.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\msvcr71.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\PluginBackup.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\PluginContentAuditing.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\PluginSDK.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\PluginZClient.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\SDK\S2\S2DevControl.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\SDK\S2\u3dapi10.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\SDK\T5\T5DevControl.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\XKeyDeviceControl.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\XkeyDialog.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\ZSysClientComm.dll
c:\docume~1\T\LOCALS~1\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\ZSysEnrollClient.dll
c:\docume~1\T\LOCALS~1\Temp\lsass.exe
c:\docume~1\T\LOCALS~1\Temp\svchost.exe
c:\docume~1\T\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\app\shared\data\photoshow_express_setup.exe
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\boot_strap\simple_jpeg.dll
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\boot_strap\Walgreens PhotoShow Express CD.exe
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Walgreens PhotoShow Express CD.exe
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\budapi.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Dirapi.dll
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\DirectSound.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\FileIo.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Flash Asset.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Font Asset.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Font Xtra.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Iml32.dll
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\INetURL.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\JPEG Agent.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\MacroMix.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Mix Services.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\NetFile.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\NetLingo.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\PhotoFinishingII.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\PNG Import Export.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Popup.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Proj.dll
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Simple Star Imaging.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Text Asset.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\TextXtra.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\vList.x32
c:\docume~1\T\LOCALS~1\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\WheelMouse.x32
c:\documents and settings\T\Local Settings\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\_IsRes.dll
c:\documents and settings\T\Local Settings\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\_IsUser.dll
c:\documents and settings\T\Local Settings\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\_ISUSER1.DLL
c:\documents and settings\T\Local Settings\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\_setup.dll
c:\documents and settings\T\Local Settings\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\Common.dll
c:\documents and settings\T\Local Settings\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\CTCABEX.DLL
c:\documents and settings\T\Local Settings\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\CTDeInst.dll
c:\documents and settings\T\Local Settings\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\CTUIXtra.dll
c:\documents and settings\T\Local Settings\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\isrt.dll
c:\documents and settings\T\Local Settings\Temp\{0E820D83-92F1-423C-808C-8F80BFE021B0}\{F6691488-C717-4FBA-8079-7BE021EC8BE9}\SetSoftSize.dll
c:\documents and settings\T\Local Settings\Temp\{45EBDA59-D33B-433A-956E-B2F236468B56}\_IsRes.dll
c:\documents and settings\T\Local Settings\Temp\{45EBDA59-D33B-433A-956E-B2F236468B56}\_Isuser.dll
c:\documents and settings\T\Local Settings\Temp\{45EBDA59-D33B-433A-956E-B2F236468B56}\isrt.dll
c:\documents and settings\T\Local Settings\Temp\{65AB0AE6-99D3-4A9F-869D-CE8A930C465E}\_Setup.dll
c:\documents and settings\T\Local Settings\Temp\{65AB0AE6-99D3-4A9F-869D-CE8A930C465E}\ISSetup.dll
c:\documents and settings\T\Local Settings\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\_IsRes.dll
c:\documents and settings\T\Local Settings\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\_ISUSER.DLL
c:\documents and settings\T\Local Settings\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\_setup.dll
c:\documents and settings\T\Local Settings\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\Common.dll
c:\documents and settings\T\Local Settings\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\CTCabEx.DLL
c:\documents and settings\T\Local Settings\Temp\{7F6D5CC1-E2A2-4F4E-9EC6-A54787F3A576}\{9A0A6339-A014-4371-BD9D-4C6375EAF3C0}\isrt.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\Aux_Logging.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\dgfl.sys
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\EamEvents.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\ExmpGUIFramework.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\ExmpLauncherDll.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\ExmpSrv.exe
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\gdiplus.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\MFC71u.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\msvcp71.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\msvcr71.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\PluginBackup.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\PluginContentAuditing.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\PluginSDK.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\PluginZClient.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\SDK\S2\S2DevControl.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\SDK\S2\u3dapi10.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\SDK\T5\T5DevControl.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\XKeyDeviceControl.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\XkeyDialog.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\ZSysClientComm.dll
c:\documents and settings\T\Local Settings\Temp\{A12647A7-59A4-497c-90B0-45C455CBDE53}\0f90f37060e189e1\V2SubFolder\ZSysEnrollClient.dll
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\app\shared\data\photoshow_express_setup.exe
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\boot_strap\simple_jpeg.dll
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\boot_strap\Walgreens PhotoShow Express CD.exe
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Walgreens PhotoShow Express CD.exe
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\budapi.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Dirapi.dll
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\DirectSound.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\FileIo.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Flash Asset.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Font Asset.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Font Xtra.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Iml32.dll
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\INetURL.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\JPEG Agent.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\MacroMix.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Mix Services.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\NetFile.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\NetLingo.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\PhotoFinishingII.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\PNG Import Export.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Popup.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Proj.dll
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Simple Star Imaging.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\Text Asset.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\TextXtra.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\vList.x32
c:\documents and settings\T\Local Settings\Temp\Walgreens PhotoShow Express CD 3_0_0 0177\Xtras\WheelMouse.x32
c:\documents and settings\Tameika Fitcheard.NACOLE1\Application Data\ShoppingReport
c:\documents and settings\Tameika Fitcheard.NACOLE1\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\Tameika Fitcheard.NACOLE1\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\Tameika Fitcheard.NACOLE1\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\Tameika Fitcheard.NACOLE1\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\Tameika Fitcheard.NACOLE1\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\Tameika Fitcheard.NACOLE1\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\Tameika Fitcheard.NACOLE1\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
c:\documents and settings\Tameika Fitcheard.NACOLE1\Start Menu\Programs\Startup\.protected
c:\program files\akl
c:\program files\akl\akl.dll
c:\program files\akl\akl.exe
c:\program files\akl\uninstall.exe
c:\program files\akl\unsetup.exe
c:\program files\ShoppingReport
c:\program files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll
c:\program files\ShoppingReport\Uninst.exe
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\recycler\S-1-5-21-1476188286-350268461-795575519-1007
c:\recycler\S-1-5-21-2571602407-2431583817-120927757-4425
c:\recycler\S-1-5-21-2912900655-6621150374-860191970-8287
c:\recycler\S-1-5-21-7963035592-3947321155-220268959-2052
c:\recycler\S-1-5-21-8691002165-0107945261-353920239-9164
c:\recycler\S-1-5-21-9864862927-4355431319-578062348-0018
c:\windows\Installer\120bcc5.msi
c:\windows\Installer\13ef78.msi
c:\windows\Installer\15445c.msi
c:\windows\Installer\1599f.msp
c:\windows\Installer\16b475.msi
c:\windows\Installer\16b605.msi
c:\windows\Installer\17a3e8.msi
c:\windows\Installer\17a3f0.msi
c:\windows\Installer\17a3f8.msi
c:\windows\Installer\17a401.msi
c:\windows\Installer\17a406.msi
c:\windows\Installer\17a40d.msi
c:\windows\Installer\17a43b.msi
c:\windows\Installer\17a444.msi
c:\windows\Installer\17a449.msi
c:\windows\Installer\17a44e.msi
c:\windows\Installer\17a458.msi
c:\windows\Installer\17a45d.msi
c:\windows\Installer\17a462.msi
c:\windows\Installer\1c733f.msi
c:\windows\Installer\1c8dc4.msi
c:\windows\Installer\1c8dfe.msi
c:\windows\Installer\1e910d3.msi
c:\windows\Installer\2a2c4.msi
c:\windows\Installer\33ed3.msi
c:\windows\Installer\352cb.msp
c:\windows\Installer\35cae.msp
c:\windows\Installer\3e13f.msp
c:\windows\Installer\434db.msi
c:\windows\Installer\490e7a.msp
c:\windows\Installer\50c4.msi
c:\windows\Installer\69bbc6.msp
c:\windows\Installer\7506.msi
c:\windows\Installer\8902.msi
c:\windows\Installer\8908.msi
c:\windows\Installer\a641c.msi
c:\windows\Installer\a9f3.msi
c:\windows\Installer\aa09.msi
c:\windows\Installer\aa0d.msi
c:\windows\Installer\aa11.msi
c:\windows\Installer\aa15.msi
c:\windows\Installer\aa19.msi
c:\windows\Installer\aa1d.msi
c:\windows\Installer\aa21.msi
c:\windows\Installer\aa25.msi
c:\windows\Installer\aa29.msi
c:\windows\Installer\aa2d.msi
c:\windows\Installer\aa31.msi
c:\windows\Installer\aa35.msi
c:\windows\Installer\aa39.msi
c:\windows\Installer\aa3d.msi
c:\windows\Installer\aa44.msi
c:\windows\Installer\aa4b.msi
c:\windows\Installer\aa52.msi
c:\windows\Installer\aa59.msi
c:\windows\Installer\aa60.msi
c:\windows\Installer\aa67.msi
c:\windows\Installer\aa79.msi
c:\windows\Installer\b5968.msi
c:\windows\Installer\b60bc.msi
c:\windows\Installer\b60c1.msi
c:\windows\Installer\b60d6.msi
c:\windows\Installer\bd431.msi
c:\windows\Installer\db134.msi
c:\winxp\msa.exe
c:\winxp\ppp3.dat
c:\winxp\ppp4.dat
c:\winxp\system32\bennuar.old
c:\winxp\system32\dddesot.dll
c:\winxp\system32\desote.exe
c:\winxp\system32\drivers\3a7ad160.sys
c:\winxp\system32\drivers\kbiwkmvmhkotqy.sys
c:\winxp\system32\drivers\rotscxrdstlgjx.sys
c:\winxp\system32\drivers\rotscxxudewqwi.sys
c:\winxp\system32\images
c:\winxp\system32\images\i1.gif
c:\winxp\system32\images\i2.gif
c:\winxp\system32\images\i3.gif
c:\winxp\system32\images\j1.gif
c:\winxp\system32\images\j2.gif
c:\winxp\system32\images\j3.gif
c:\winxp\system32\images\jj1.gif
c:\winxp\system32\images\jj2.gif
c:\winxp\system32\images\jj3.gif
c:\winxp\system32\images\l1.gif
c:\winxp\system32\images\l2.gif
c:\winxp\system32\images\l3.gif
c:\winxp\system32\images\pix.gif
c:\winxp\system32\images\t1.gif
c:\winxp\system32\images\t2.gif
c:\winxp\system32\images\up1.gif
c:\winxp\system32\images\up2.gif
c:\winxp\system32\images\w1.gif
c:\winxp\system32\images\w11.gif
c:\winxp\system32\images\w2.gif
c:\winxp\system32\images\w3.gif
c:\winxp\system32\images\w3.jpg
c:\winxp\system32\images\wt1.gif
c:\winxp\system32\images\wt2.gif
c:\winxp\system32\images\wt3.gif
c:\winxp\system32\kbiwkmbpogsbbn.dll
c:\winxp\system32\kbiwkmtasvfvko.dat
c:\winxp\system32\kbiwkmtqjlrjxo.dll
c:\winxp\system32\kbiwkmxwmevche.dat
c:\winxp\system32\rotscxalnknfrx.dat
c:\winxp\system32\rotscxawoixwow.dll
c:\winxp\system32\rotscxkymenhct.dll
c:\winxp\system32\rotscxltewccqf.dll
c:\winxp\system32\rotscxombijfyi.dll
c:\winxp\system32\rotscxtkgypyre.dat
c:\winxp\system32\rotscxxgnbvpuy.dat
c:\winxp\system32\sonhelp.htm
c:\winxp\system32\sysnet.dat
c:\winxp\system32\wbem\proquota.exe
c:\winxp\system32\winhelper.dll
c:\winxp\system32\wispex.html

c:\winxp\system32\proquota.exe was missing
Restored copy from - c:\winxp\ServicePackFiles\i386\proquota.exe

Infected copy of c:\winxp\system32\eventlog.dll was found and disinfected
Restored copy from - c:\winxp\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmkjoxrfla
-------\Legacy_kbiwkmkjoxrfla
-------\Service_rotscxrpfpfulp
-------\Legacy_rotscxrpfpfulp
-------\Service_rotscxxhxiqhtp
-------\Legacy_rotscxxhxiqhtp
-------\Legacy_antippro2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_antippro2009_100
-------\Service_3a7ad160


((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.

2009-09-13 04:49 . 2008-04-14 00:12 50176 -c--a-w- c:\winxp\system32\dllcache\proquota.exe
2009-09-13 04:49 . 2008-04-14 00:12 50176 ----a-w- c:\winxp\system32\proquota.exe
2009-08-26 13:01 . 2009-08-26 13:01 -------- d-----w- c:\program files\Trend Micro
2009-08-26 11:29 . 2009-08-26 11:29 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-08-26 04:36 . 2009-08-26 04:37 -------- d-----w- C:\Combo-Fix
2009-08-26 03:51 . 2009-08-26 03:51 0 ----a-w- c:\documents and settings\T\settings.dat
2009-08-26 01:20 . 2009-08-26 01:20 -------- d-----w- C:\RootkitRevealer
2009-08-25 04:38 . 2009-08-25 04:38 -------- d-----w- c:\documents and settings\T\Application Data\Malwarebytes
2009-08-25 03:01 . 2009-08-25 03:01 -------- d-----w- C:\ProcessExplorer
2009-08-24 05:30 . 2009-08-24 05:30 -------- d-----w- c:\documents and settings\T\Application Data\AVG8
2009-08-19 05:23 . 2009-08-19 05:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-19 05:22 . 2009-08-19 05:22 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2009-08-19 04:37 . 2009-08-19 04:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-08-19 04:18 . 2009-09-04 13:11 -------- d--h--w- c:\winxp\PIF
2009-08-19 04:10 . 2009-08-19 04:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-19 04:10 . 2009-08-19 04:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-08-18 01:26 . 2009-09-13 02:25 -------- d-----w- c:\winxp\Installer
2009-08-16 03:22 . 2009-08-16 03:22 -------- d-sh--w- c:\winxp\system32\config\systemprofile\IETldCache
2009-08-16 03:06 . 2009-08-16 03:06 71168 ----a-w- c:\winxp\system32\drivers\bdwprppbvfwbdute.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 04:50 . 2008-06-11 11:17 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-20 04:21 . 2005-09-21 11:27 -------- d-----w- c:\program files\Dl_cats
2009-08-11 04:23 . 2009-08-11 04:23 -------- d-----w- c:\documents and settings\T\Application Data\IObit
2009-08-11 04:23 . 2009-08-11 04:23 -------- d-----w- c:\program files\IObit
2009-08-11 03:33 . 2007-10-19 01:11 -------- d-----w- c:\program files\Yahoo!
2009-08-11 03:07 . 2007-03-10 01:38 -------- d-----w- c:\program files\Google
2009-07-03 17:09 . 2001-08-18 12:00 915456 ----a-w- c:\winxp\system32\wininet.dll
2009-06-16 14:36 . 2001-08-18 12:00 81920 ----a-w- c:\winxp\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-18 12:00 119808 ----a-w- c:\winxp\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\winxp\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"DLBTCATS"="c:\winxp\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-06-26 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-06-26 114688]
"igfxtray"="c:\winxp\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\winxp\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\winxp\system32\igfxpers.exe" [2006-06-06 118784]

c:\documents and settings\T\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-10-18 1787184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 1:40 AM 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [4/1/2009 1:33 PM 101936]
S3 PQKDJZUJZAP;PQKDJZUJZAP;c:\docume~1\T\LOCALS~1\Temp\PQKDJZUJZAP.exe --> c:\docume~1\T\LOCALS~1\Temp\PQKDJZUJZAP.exe [?]
S3 tsuliiobfpvnq;TSULIIOBFPVNQ;c:\docume~1\T\LOCALS~1\Temp\TSULIIOBFPVNQ.exe --> c:\docume~1\T\LOCALS~1\Temp\TSULIIOBFPVNQ.exe [?]
S3 UROVOB;UROVOB;c:\docume~1\T\LOCALS~1\Temp\UROVOB.exe --> c:\docume~1\T\LOCALS~1\Temp\UROVOB.exe [?]
S3 vkclavo;VKCLAVO;c:\docume~1\T\LOCALS~1\Temp\VKCLAVO.exe --> c:\docume~1\T\LOCALS~1\Temp\VKCLAVO.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winxp\system32\rundll32.exe" "c:\winxp\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
.
- - - - ORPHANS REMOVED - - - -

BHO-{76dc0b63-1533-4ba9-8be8-d59eb676fa02} - c:\winxp\system32\dddesot.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-12 23:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\winxp\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2356)
c:\winxp\system32\WININET.dll
c:\winxp\system32\ieframe.dll
c:\winxp\system32\mshtml.dll
c:\winxp\system32\msls31.dll
c:\winxp\system32\webcheck.dll
c:\winxp\system32\WPDShServiceObj.dll
c:\winxp\system32\PortableDeviceTypes.dll
c:\winxp\system32\PortableDeviceApi.dll
c:\winxp\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\winxp\system32\wscntfy.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-13 0:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-13 05:00

Pre-Run: 17,467,953,152 bytes free
Post-Run: 17,558,728,704 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINXP
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINXP="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

454 --- E O F --- 2009-07-29 01:02

#5
LonnyRJ

    True Member

  • Experts
  • 353 posts
  • Gender:Male
  • Location:pugent sound
Launch Notepad (important: not WordPad or another third-party text editor), and copy and paste the contents
of the code box below into a new text file. (Don't include the word "code".)
Save it with the file name: cfscript.txt
driver::
PQKDJZUJZAP
tsuliiobfpvnq
UROVOB
vkclavo
file::
c:\winxp\system32\drivers\bdwprppbvfwbdute.sys
C:\Documents and Settings\T\Desktop\Win32kDiag.exe
C:\Documents and Settings\T\Desktop\Win32kDiag.txt
killall::

http://users.pandora.be/bluepatchy/miekiem...es/CFScript.gif
As in the picture above, drag and drop cfscript.txt onto combofix.exe.
When it is finished, a text file will open; post it.

Any questions?
Are there any current problems?
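A small triage helper for the Drivers/Services lines shown in the ComboFix log earlier in this thread, as an added example that is not code from this thread, from ComboFix or from GMER: it flags services whose image file is missing ("[?]") or lives under a Temp directory, and prints the driver:: block of a CFScript in the form used in the post above. The sample log lines are copied from the thread; the parser and the two heuristics are assumptions of this example, not ComboFix's own logic.

```python
"""Triage the Drivers/Services lines of a ComboFix log.

Added example (not code from this thread, from ComboFix or from GMER).
It parses lines of the form
    R2 name;display;path [date time size]
    S3 name;display;path --> path [?]
flags services whose image is missing ("[?]") or lives under a Temp
directory, and emits the driver:: block of a CFScript in the form used
in the post above.
"""
import re
from dataclasses import dataclass, field

# Copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 1:40 AM 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [4/1/2009 1:33 PM 101936]
S3 PQKDJZUJZAP;PQKDJZUJZAP;c:\docume~1\T\LOCALS~1\Temp\PQKDJZUJZAP.exe --> c:\docume~1\T\LOCALS~1\Temp\PQKDJZUJZAP.exe [?]
S3 tsuliiobfpvnq;TSULIIOBFPVNQ;c:\docume~1\T\LOCALS~1\Temp\TSULIIOBFPVNQ.exe --> c:\docume~1\T\LOCALS~1\Temp\TSULIIOBFPVNQ.exe [?]
S3 UROVOB;UROVOB;c:\docume~1\T\LOCALS~1\Temp\UROVOB.exe --> c:\docume~1\T\LOCALS~1\Temp\UROVOB.exe [?]
S3 vkclavo;VKCLAVO;c:\docume~1\T\LOCALS~1\Temp\VKCLAVO.exe --> c:\docume~1\T\LOCALS~1\Temp\VKCLAVO.exe [?]
"""

# R = running, S = stopped; the digit is the start type. "-->" introduces the
# path ComboFix resolved; "[?]" replaces date/size when the file cannot be read.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<target>.+?))?\s+\[(?P<info>[^\]]*)\]$"
)
# Image path under any Temp directory (e.g. ...\LOCALS~1\Temp\...). Heuristic
# chosen for this example; a legitimate service rarely runs from there.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    missing: bool            # True when ComboFix printed "[?]" for the image
    reasons: list = field(default_factory=list)


def parse_services(log_text):
    """Return a ServiceEntry for every service/driver line in the log text."""
    entries = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("target") or m.group("path")
        missing = m.group("info").strip() == "?"
        reasons = []
        if missing:
            reasons.append("image file missing")
        if TEMP_DIR_RE.search(path):
            reasons.append("image under a Temp directory")
        entries.append(ServiceEntry(m.group("state"), m.group("name"),
                                    m.group("display"), path, missing, reasons))
    return entries


def suspicious(entries):
    """Entries with at least one flag; the Symantec entries above get none."""
    return [e for e in entries if e.reasons]


def cfscript_driver_block(entries):
    """driver:: section listing the flagged service names, one per line."""
    names = [e.name for e in suspicious(entries)]
    return "driver::\n" + "".join(n + "\n" for n in names)


if __name__ == "__main__":
    found = parse_services(SAMPLE_LOG)
    for e in suspicious(found):
        print(f"{e.state} {e.name}: {', '.join(e.reasons)} ({e.path})")
    print(cfscript_driver_block(found), end="")
```

Run against the sample, the four Temp-resident services with "[?]" are flagged and the two Symantec entries are not; the generated driver:: block matches the one in the post above.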

#6
plshlpme

    New Member

  • Members
  • 11 posts
After running ComboFix, everything seemed to be working much better.

I did download and run HiJackThis just to see if it would run, and it did.

I will complete the steps and post the output.

#7
plshlpme

    New Member

  • Members
  • 11 posts
Here is the ComboFix log.

ComboFix 09-09-12.08 - T 09/13/2009 23:30.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.145 [GMT -5:00]
Running from: c:\documents and settings\T\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\T\Desktop\cfscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\documents and settings\T\Desktop\Win32kDiag.exe"
"c:\documents and settings\T\Desktop\Win32kDiag.txt"
"c:\winxp\system32\drivers\bdwprppbvfwbdute.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\T\Desktop\Win32kDiag.exe
c:\documents and settings\T\Desktop\Win32kDiag.txt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PQKDJZUJZAP
-------\Legacy_tsuliiobfpvnq
-------\Legacy_UROVOB
-------\Legacy_vkclavo
-------\Service_PQKDJZUJZAP
-------\Service_tsuliiobfpvnq
-------\Service_UROVOB
-------\Service_vkclavo


((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-13 11:49 . 2009-09-10 19:54 38224 ----a-w- c:\winxp\system32\drivers\mbamswissarmy.sys
2009-09-13 11:49 . 2009-09-10 19:53 19160 ----a-w- c:\winxp\system32\drivers\mbam.sys
2009-09-13 11:49 . 2009-09-13 11:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 05:22 . 2009-09-13 05:22 -------- d-----w- c:\program files\Trend Micro
2009-09-13 04:49 . 2008-04-14 00:12 50176 -c--a-w- c:\winxp\system32\dllcache\proquota.exe
2009-09-13 04:49 . 2008-04-14 00:12 50176 ----a-w- c:\winxp\system32\proquota.exe
2009-08-26 11:29 . 2009-08-26 11:29 0 ----a-w- c:\documents and settings\Administrator\settings.dat
2009-08-26 03:51 . 2009-08-26 03:51 0 ----a-w- c:\documents and settings\T\settings.dat
2009-08-25 04:38 . 2009-08-25 04:38 -------- d-----w- c:\documents and settings\T\Application Data\Malwarebytes
2009-08-24 05:30 . 2009-08-24 05:30 -------- d-----w- c:\documents and settings\T\Application Data\AVG8
2009-08-19 05:23 . 2009-08-19 05:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-08-19 05:22 . 2009-08-19 05:22 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2009-08-19 04:37 . 2009-08-19 04:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\IObit
2009-08-19 04:18 . 2009-09-04 13:11 -------- d--h--w- c:\winxp\PIF
2009-08-19 04:10 . 2009-08-19 04:10 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-19 04:10 . 2009-08-19 04:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-08-18 01:26 . 2009-09-13 02:25 -------- d-----w- c:\winxp\Installer
2009-08-16 03:22 . 2009-08-16 03:22 -------- d-sh--w- c:\winxp\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 04:48 . 2008-06-11 11:17 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-20 04:21 . 2005-09-21 11:27 -------- d-----w- c:\program files\Dl_cats
2009-08-11 04:23 . 2009-08-11 04:23 -------- d-----w- c:\documents and settings\T\Application Data\IObit
2009-08-11 04:23 . 2009-08-11 04:23 -------- d-----w- c:\program files\IObit
2009-08-11 03:33 . 2007-10-19 01:11 -------- d-----w- c:\program files\Yahoo!
2009-08-11 03:07 . 2007-03-10 01:38 -------- d-----w- c:\program files\Google
2009-07-03 17:09 . 2001-08-18 12:00 915456 ------w- c:\winxp\system32\wininet.dll
2009-06-16 14:36 . 2001-08-18 12:00 81920 ----a-w- c:\winxp\system32\fontsub.dll
2009-06-16 14:36 . 2001-08-18 12:00 119808 ----a-w- c:\winxp\system32\t2embed.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-13_04.53.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-14 04:50 . 2009-09-14 04:50 16384 c:\winxp\temp\Perflib_Perfdata_220.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]
"DLBTCATS"="c:\winxp\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-05 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-06-26 53248]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-06-26 114688]
"igfxtray"="c:\winxp\system32\igfxtray.exe" [2006-06-06 94208]
"igfxhkcmd"="c:\winxp\system32\hkcmd.exe" [2006-06-06 77824]
"igfxpers"="c:\winxp\system32\igfxpers.exe" [2006-06-06 118784]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\T\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-10-18 1787184]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 1:40 AM 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [9/13/2009 12:10 AM 102448]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winxp\system32\rundll32.exe" "c:\winxp\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 23:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBTCATS = rundll32 c:\winxp\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3772)
c:\winxp\system32\WININET.dll
c:\winxp\system32\ieframe.dll
c:\winxp\system32\webcheck.dll
c:\winxp\system32\WPDShServiceObj.dll
c:\winxp\system32\PortableDeviceTypes.dll
c:\winxp\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-14 23:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 04:59
ComboFix2.txt 2009-09-13 05:00

Pre-Run: 17,521,451,008 bytes free
Post-Run: 17,496,006,656 bytes free

154 --- E O F --- 2009-07-29 01:02

#8
LonnyRJ

    True Member

  • Experts
  • 353 posts
  • Gender:Male
  • Location:pugent sound
Are you receiving any access denied messages for your programs?

Download and run GMER (download exe button) from here >
http://www.gmer.net/#files
Double-click GMER. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan,
click NO, then use the following settings for a more complete scan:

In the right panel, you will see several boxes that have been checked.
Uncheck the following:
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button and wait for it to finish.
Save the log to a handy location, close GMER and post that log.

Post or attach this log too:
C:\Qoobox\Add-Remove Programs.txt

#9
plshlpme

    New Member

  • Members
  • 11 posts
No, I am not getting any access denied when running programs now. I have been able to get on the net without any issues. I had an issue trying to disable Norton, but that has been resolved too. The laptop is functioning much better.

I will run Gmer when I return home this evening.

Thanks again for your help.

#10
plshlpme

    New Member

  • Members
  • 11 posts
It looks like this scan is going to take a long time. I will post the log tomorrow.

#11
plshlpme

    New Member

  • Members
  • 11 posts
Here is the gmer log.

GMER 1.0.15.15086 - http://www.gmer.net
Rootkit scan 2009-09-15 20:38:32
Windows 5.1.2600 Service Pack 3
Running: d0wjgs6m.exe; Driver: C:\DOCUME~1\T\LOCALS~1\Temp\aujasnkj.sys


---- System - GMER 1.0.15 ----

SSDT 8269D1C8 ZwAlertResumeThread
SSDT 826DB278 ZwAlertThread
SSDT 82731110 ZwAllocateVirtualMemory
SSDT 827E4F98 ZwConnectPort
SSDT 82718130 ZwCreateMutant
SSDT 827200F0 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAAF31CC0]
SSDT 826CF270 ZwFreeVirtualMemory
SSDT 828F43F8 ZwImpersonateAnonymousToken
SSDT 8266D2F0 ZwImpersonateThread
SSDT 8266C0A8 ZwMapViewOfSection
SSDT 829837F8 ZwOpenEvent
SSDT 8276F100 ZwOpenProcessToken
SSDT 826CF120 ZwOpenThreadToken
SSDT 82887D58 ZwQueryValueKey
SSDT 827340F8 ZwResumeThread
SSDT 826AB0C8 ZwSetContextThread
SSDT 826C25C8 ZwSetInformationProcess
SSDT 828A9110 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAAF31F20]
SSDT 827633E0 ZwSuspendProcess
SSDT 8261AB18 ZwSuspendThread
SSDT 8271F100 ZwTerminateProcess
SSDT 827300B8 ZwTerminateThread
SSDT 826F1B80 ZwUnmapViewOfSection
SSDT 8267DE30 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

#12
plshlpme

    New Member

  • Members
  • 11 posts
Here is the ComboFix Add/Remove Programs file.

Also, I didn't get an error from Gmer about finding any rootkits.

Attached Files



#13
LonnyRJ

    True Member

  • Experts
  • 353 posts
  • Gender:Male
  • Location:pugent sound
Looks good.
You can uninstall the old version of Sun's Java:
Java™ 6 Update 7

You can also remove GMER if you like.

Go to Start, Run, copy, then type in the line below and press Enter to uninstall ComboFix:
Combofix /u
The space between x and / is necessary.

Think Prevention: Put in place a good hosts file.
http://www.mvps.org/...p2002/hosts.htm
Repeat that process about once or even twice a month.

To help avoid reinfection see "So how did I get infected in the first place?" http://www.malwarebytes.org/forums/index.p...65&hl=place?

Note: Make sure your programs are up to date - older versions may contain Security Leaks.
To find out what programs need to be updated, run the Secunia Software Inspector Scan.
http://secunia.com/software_inspector/


Post back in a few days to confirm your PC is still ok

#14
plshlpme

    New Member

  • Members
  • 11 posts
Will do. Thanks again for all of your help!

I will also follow your suggested steps.

#15
plshlpme

    New Member

  • Members
  • 11 posts
Just wanted to let you know that the laptop seems to be working just fine.

You may close this thread.




