10 replies to this topic

[rulerjokes]

I've tried scanning with MBAM but after about 6 or 7 seconds it just closes itself. When I try to go back into it, it says:

"Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item."

I've also tried HijackThis and it did the same thing.

[rulerjokes]

?? Any ideas ??

[AdvancedSetup]

Hello and Welcome to Malwarebytes.

Please download and run Win32kDiag:

• Download Win32kDiag from any of the following locations and save it to your Desktop.
  
  • Win32kDiag.exe from geekstogo.com
    
  • Win32kDiag.exe from bleepingcomputer.com
    
  • Win32kDiag.exe from rootrepeal.psikotick.com
• Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  
• When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  
• Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic, please do not attach the file.

Please let it run for at least an hour without bothering it regardless of what it says. Then post back the log.

[AdvancedSetup]

Please post a status update on this.

Thanks.

[rulerjokes]

just started running it now (writing this from another computer)

[rulerjokes]

Running from: C:\Documents and Settings\emily\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\emily\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB915865\KB915865

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP35.tmp\ZAP35.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP46.tmp\ZAP46.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEE.tmp\ZAPEE.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\inf\IEM\0409\0409

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\Download

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\SelfUpdate

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2008-04-15 12:30:00 10752 C:\WINDOWS\system32\dllcache\dumprep.exe (Microsoft Corporation)

[1] 2008-04-15 12:30:00 10752 C:\WINDOWS\system32\dumprep.exe ()



Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-08-28 14:38:22 24689600 C:\WINDOWS\system32\MRT.exe ()



Found mount point : C:\WINDOWS\WBEM\WBEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

[AdvancedSetup]

Go to start > run and copy and paste the following command in the field:
"%userprofile%\desktop\win32kdiag.exe" -f -r
This should restore permissions on locked files and remove mountpoints.


Then try to run this.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:
  
  • Tools->Options->Main tab
    
  • Set to "Always ask me where to Save the files".
• During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  
  
• It is important you rename Combofix during the download, but not after.
  
• Please do not rename Combofix to other names, but only to the one indicated.
  
• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
    
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combo-Fix.exe & follow the prompts.
  
• When finished, it will produce a report for you.
  
• Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..
This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...

[rulerjokes]

ComboFix 09-09-30.05 - emily 01/10/2009 17:03.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.630 [GMT 9.5:30]
Running from: c:\documents and settings\emily\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cmd.exe
c:\documents and settings\All Users\Application Data\Seekapp
c:\program files\Seekapp

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))
.

2009-09-26 03:11 . 2009-09-26 03:11 -------- d-----w- c:\program files\Trend Micro
2009-09-26 01:47 . 2009-09-26 01:53 -------- d-----w- c:\documents and settings\emily\Application Data\MalwareRemovalBot
2009-09-24 09:36 . 2009-09-24 09:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-24 09:36 . 2009-10-01 07:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-24 09:36 . 2009-09-24 09:36 -------- d-----w- c:\documents and settings\emily\Application Data\SUPERAntiSpyware.com
2009-09-24 09:30 . 2009-09-24 09:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-24 07:55 . 2009-10-01 03:47 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-24 07:53 . 2009-09-26 03:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-23 08:15 . 2009-09-23 08:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-23 07:31 . 2009-09-23 07:31 -------- d-----w- c:\documents and settings\emily\Application Data\Malwarebytes
2009-09-23 07:31 . 2009-09-10 05:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 07:31 . 2009-09-23 07:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-23 07:31 . 2009-09-10 05:23 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-23 07:31 . 2009-09-26 02:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 09:18 . 2009-09-22 09:18 -------- d-----w- c:\documents and settings\emily\Local Settings\Application Data\Mozilla
2009-09-20 04:12 . 2009-10-01 07:03 0 ----a-r- c:\windows\win32k.sys
2009-09-19 06:46 . 2009-09-19 06:46 201472 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-19 06:45 . 2009-09-19 06:45 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-19 06:44 . 2009-09-19 06:44 -------- d-----w- c:\program files\Reference Assemblies
2009-09-19 06:43 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-19 06:43 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-19 06:43 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-19 06:43 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-19 06:43 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-19 06:43 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-19 06:43 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-19 06:43 . 2009-09-19 06:44 -------- d-----w- C:\7cc1eb96e864f0cb1302d62aee
2009-09-06 08:01 . 2009-09-06 08:01 -------- d-----w- c:\program files\Pcsx2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-01 07:47 . 2009-05-29 14:13 22904864 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-01 07:44 . 2009-05-29 14:13 270272 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-23 06:10 . 2009-05-29 14:18 -------- d-----w- c:\program files\AVG
2009-09-22 08:12 . 2008-08-15 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-19 08:38 . 2009-05-29 06:24 98648 ----a-w- c:\documents and settings\emily\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 06:54 . 2009-06-20 02:33 -------- d-----w- c:\program files\Java
2009-09-19 06:45 . 2009-05-29 08:05 -------- d-----w- c:\program files\MSBuild
2009-08-29 23:05 . 2009-08-28 07:35 -------- d-----w- c:\documents and settings\emily\Application Data\codeblocks
2009-08-16 08:10 . 2009-08-16 08:10 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-08-16 08:08 . 2009-08-16 08:08 148736 ----a-w- c:\documents and settings\All Users\Application Data\hpe4.dll
2009-08-16 08:07 . 2009-06-09 05:15 -------- d-----w- c:\program files\Sony Ericsson
2009-08-16 08:07 . 2008-08-15 18:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-31 05:53 . 2009-07-22 06:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2006-10-09 10:18 . 2009-05-30 12:06 3498312 ----a-w- c:\program files\BSLITEINSTALL.exe
2006-05-03 09:06 . 2009-06-09 12:53 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-06-09 12:53 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-06-09 12:53 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-29 68856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-06-23 434176]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-15 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-05-29 24064]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-08 919016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-29 1261336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-5-29 110592]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-5 114688]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 05:51 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-29 14:19 10520 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [29/05/2009 11:48 PM 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [15/09/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [15/09/2009 11:42 AM 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/05/2009 11:48 PM 231704]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [16/08/2009 5:39 PM 27632]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [16/08/2009 5:37 PM 90112]
S3 Allofte;Allofte; [x]
S3 GoogleDesktopManager-080708-050100;Google Desktop Manager 5.7.808.7150;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [30/05/2009 6:43 AM 24064]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [29/05/2009 3:54 PM 96856]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [9/06/2009 2:47 PM 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [9/06/2009 2:47 PM 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [9/06/2009 2:47 PM 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [9/06/2009 2:47 PM 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [9/06/2009 2:47 PM 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [9/06/2009 2:47 PM 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [9/06/2009 2:47 PM 109736]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [15/09/2009 11:42 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-09-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:04]
.
.
------- Supplementary Scan -------
.
mStart Page =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AlcoholAutomount - c:\documents and settings\emily\My Documents\Lachy\Fable\Alcohol 120%\Alcohol 120\axcmd.exe
HKCU-Run-MalwareRemovalBot - c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe
HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-Fable TLC Application Suite - c:\documents and settings\emily\My Documents\Lachy\Fable\Modding Utilities\FableTLCMod\uninstall.exe
AddRemove-FableTLCMod - Albion Explorer - c:\documents and settings\emily\My Documents\Lachy\Fable\Modding Utilities\Albion Explorer\AlbionExplorer\Albion Explorer - Uninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-01 17:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A356E26F-F64B-8F5D-7C18E49D604F2F76}\{6A54AA76-7D92-69B0-4B2831BB70973615}\{981C58D8-528B-1766-742A6B252CC7665F}*]
"Q3FBLH6RIF6MYMN6VD31LVQSMD1"=hex:01,00,00,00,00,00,00,00,5c,63,e8,cf,f7,e6,fd,
3a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(816)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'explorer.exe'(1056)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\igfxext.exe
c:\docume~1\emily\LOCALS~1\temp\RtkBtMnt.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-10-01 17:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-01 07:52

Pre-Run: 79,041,871,872 bytes free
Post-Run: 78,910,164,992 bytes free

215

[AdvancedSetup]

STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A356E26F-F64B-8F5D-7C18E49D604F2F76}\{6A54AA76-7D92-69B0-4B2831BB70973615}\{981C58D8-528B-1766-742A6B252CC7665F}*]
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A356E26F-F64B-8F5D-7C18E49D604F2F76}\{6A54AA76-7D92-69B0-4B2831BB70973615}\{981C58D8-528B-1766-742A6B252CC7665F}*]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

• Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• Disconnect from the Internet.
  
• Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  
• A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  
• It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02
Update and Scan with Malwarebytes' Anti-Malware

• Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  
• Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  
  • Update Malwarebytes' Anti-Malware
    
  • Select the Update tab
    
  • Click Update
• When the update is complete, select the Scanner tab
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is checked, and click Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log

STEP 03
RootRepeal - Rootkit Detector
[indent]

Close ALL applications and as many items in the task tray that will stop and exit.

• Please download the following tool: RootRepeal - Rootkit Detector
  
• Direct download link is here: RootRepeal.rar
  
• If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  
• Extract the program file to a new folder such as C:\RootRepeal
  
• Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  
• Select ALL of the checkboxes and then click OK and it will start scanning your system.
  
• If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  
• When done, click on Save Report
  
• Save it to the same location where you ran it from, such as C:\RootRepeal
  
• Save it as your_name_rootrepeal.txt - where your_name is your forum name
  
• This makes it more easy to track who the log belongs to.
  
• Then open that log and select all and copy/paste it back on your next reply please.
  
• Quit the RootRepeal program.

[/indent]

STEP 04
Please temporarily disable your current Anti-Virus in order to run this Online AV scanner.
Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the activex control to install
  
• Disable your current Antivirus software. You can usually do this with its Notfication Tray icon near the clock.
  
• Click Start
  
• Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  
• Click Scan
  
• Wait for the scan to finish
  
• Re-enable your Anvirisus software.
  
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

[AdvancedSetup]

Please post a status update on this.

Thanks.

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.