Malwarebytes

Malwarebytes installs/starts, then shuts down within 5 seconds, please help

34 replies to this topic

#1 Chuck Q (New Member, 21 posts)
Hello, I am infected with the Windows Police Pro and Security Tool malware programs. I removed all the files from them that I could find, but Malwarebytes still won't run. It will run briefly after I install it, then shut down quickly. Then if I try to run it again it says it can't find the .exe file. I'm at my wits' end with this thing; can anyone please help me fix this?

#2 Perplexus (Regular Member, Experts group, 70 posts)
Hello and Welcome to Malwarebytes.

------------------
Step 1:
------------------

  • Download OTL by OldTimer to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed, and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

------------------
Step 2:
------------------

Download RootRepeal from one of the following locations: Unzip it to your Desktop.
  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:

    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
    • Shadow SSDT
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running.
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

------------------
Step 3:
------------------

Please post back with the following:
  • OTL.txt
  • Extras.txt
  • RootRepeal.txt

Perplexus
Proud Graduate of Geek University - Learn how to fight malware for free

When a man is faced with his own death, he finds the impossible less of a barrier.

Please do not PM me asking for support. Post on the forums instead :)
I am a volunteer and I do my best to reply in a timely manner. Weekends are usually spent with my family.
If I have not responded in three days, please feel free to PM me with a friendly reminder.


#3 Chuck Q (New Member, 21 posts)
Ok, neither will run with the computer running normally, so I scanned in safe mode, and even then only RootRepeal would work. Here is the log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/22 01:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF7DA7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C39000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF760D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF8B0B000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF8003000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf85afe22

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8590cdc

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf8590ece

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf85b0610

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf85b08c4

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf85aeb14

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf85b0d30

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf85b00e2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8590982

==EOF==
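
An added example, not code from this thread or from RootRepeal's author: a small Python parser for the report format above. It splits out the Drivers and SSDT sections, flags any driver whose image path is an NTFS alternate data stream (the ":1" and ":2" suffixes on win32k.sys above use that syntax), and groups the SSDT hooks by the module RootRepeal attributes them to, so a reader can see at a glance that every hook in this log belongs to one module, PCTCore.sys (the PC Tools kernel driver). The sample report is a constructed, abbreviated copy of the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample: an abbreviated copy of the RootRepeal report posted above.
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/22 01:34
Program Version: Version 1.3.5.0
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF760D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF8B0B000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF8003000 Size: 61440 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf85afe22

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf8590982

==EOF==
"""

# One "Drivers" entry: the Name, Image Path and Address/Size/Visible/Signed lines.
DRIVER_RE = re.compile(
    r"^Name: (?P<name>.+)\n"
    r"^Image Path: (?P<path>.+)\n"
    r"^Address: (?P<address>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+"
    r"File Visible: (?P<visible>\S+)\s+Signed: (?P<signed>\S+)$",
    re.MULTILINE,
)
# One "SSDT" entry that RootRepeal reports as hooked.
HOOK_RE = re.compile(
    r'^#: (?P<index>\d+) Function Name: (?P<function>\w+)\n'
    r'^Status: Hooked by "(?P<module>[^"]+)" at address (?P<address>0x[0-9A-Fa-f]+)$',
    re.MULTILINE,
)
# A drive letter, then a second ':' inside the path: NTFS alternate data stream syntax.
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\]+$")


def parse_drivers(report):
    """Return the Drivers section as a list of dicts (all values are strings)."""
    return [m.groupdict() for m in DRIVER_RE.finditer(report)]


def parse_ssdt_hooks(report):
    """Return the hooked SSDT entries as a list of dicts."""
    return [m.groupdict() for m in HOOK_RE.finditer(report)]


def ads_driver_paths(drivers):
    """Image paths that point into an alternate data stream of another file."""
    return [d["path"] for d in drivers if ADS_PATH_RE.match(d["path"])]


def hooks_by_module(hooks):
    """Group hooked SSDT functions by the module RootRepeal attributes them to."""
    grouped = defaultdict(list)
    for hook in hooks:
        grouped[hook["module"]].append(hook["function"])
    return dict(grouped)


def summarize(report):
    """Findings a helper reading the log would want, one per line."""
    drivers = parse_drivers(report)
    lines = [f"driver image in an alternate data stream: {p}" for p in ads_driver_paths(drivers)]
    for module, funcs in sorted(hooks_by_module(parse_ssdt_hooks(report)).items()):
        lines.append(f"{module} hooks {len(funcs)} SSDT entries: {', '.join(funcs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REPORT)))
```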

#4 Perplexus (Regular Member, Experts group, 70 posts)
Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here. It can take a while, so please be patient :lol:



#5 Chuck Q (New Member, 21 posts)
Installed and tried to run; same result as the other 2. The window for the scan comes up but closes right away. Ran it in safe mode instead. I attached the log.

Also, every time I click a link to download one of the scan programs, a small IE window opens and closes before the download box shows up. Not sure if that means anything, but I don't remember seeing it before.


#6 Perplexus (Regular Member, Experts group, 70 posts)
I will be out of pocket for the weekend, but if I get a chance, I'll check in.

In the future, please do not attach the logs, but post them unless instructed to do otherwise :lol:

The log you posted is not complete. The program can take very long pauses and you have to wait it out. When it's complete, it will ask you to exit the DOS window and the log should have "Finished" at the bottom.

Please run it again.



#7 Chuck Q (New Member, 21 posts)
My bad, here's the complete one:


Running from: C:\Documents and Settings\Kellies.KELLIE\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Kellies.KELLIE\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\CABS\CABS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Indices\Indices

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85ea9e216393783c9ef11731dd1cea2d\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9540cfdb30eb58666192ecded02fce06\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 08:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-10 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\Temp\slu19ec.tmp\slu19ec.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu1f2c.tmp\slu1f2c.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu22c3.tmp\slu22c3.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu271e.tmp\slu271e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu2b07.tmp\slu2b07.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu2d31.tmp\slu2d31.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu3122.tmp\slu3122.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu3154.tmp\slu3154.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu316c.tmp\slu316c.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu32c.tmp\slu32c.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu346a.tmp\slu346a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu356b.tmp\slu356b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu375e.tmp\slu375e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu3a7e.tmp\slu3a7e.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu3aac.tmp\slu3aac.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu3b0c.tmp\slu3b0c.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu402c.tmp\slu402c.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu40d8.tmp\slu40d8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu40f7.tmp\slu40f7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu41b.tmp\slu41b.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4377.tmp\slu4377.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu44ec.tmp\slu44ec.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu46b0.tmp\slu46b0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu47ad.tmp\slu47ad.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4b4d.tmp\slu4b4d.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4cfc.tmp\slu4cfc.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu4e56.tmp\slu4e56.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu511d.tmp\slu511d.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu54a1.tmp\slu54a1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu56dd.tmp\slu56dd.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu57cb.tmp\slu57cb.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu589a.tmp\slu589a.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5995.tmp\slu5995.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5a2f.tmp\slu5a2f.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5c41.tmp\slu5c41.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5cb7.tmp\slu5cb7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu5ea9.tmp\slu5ea9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu62e2.tmp\slu62e2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu6e5c.tmp\slu6e5c.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu71e8.tmp\slu71e8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu782.tmp\slu782.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu7bb7.tmp\slu7bb7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu818.tmp\slu818.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slu89.tmp\slu89.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slubfb.tmp\slubfb.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slucaf.tmp\slucaf.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slud5.tmp\slud5.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slud75.tmp\slud75.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\slufe7.tmp\slufe7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!
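
An added example, not code from this thread or from the Win32kDiag author: a Python parser for the log format above. It pairs each "Found mount point" with its destination and counts how many directories point at the same target (here every one of them goes to \Device\__max++>\^), collects each "Cannot access" file together with the [1]/[2] candidate lines under it, and picks a clean-copy candidate the way the next reply does (a different file that carries a vendor string, logevent.dll). It also understands the "Removing mount point" lines of a -f -r run, which goes beyond the log shown here. The sample log is a constructed, abbreviated copy of the one posted above with the profile path replaced by a placeholder; the clean-copy rule is a heuristic of this example, not Win32kDiag's own logic.

```python
import re
from collections import Counter

# Constructed sample: an abbreviated copy of the Win32kDiag log posted above
# (the user's profile path is replaced by a placeholder).
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\User\Desktop\Win32kDiag.exe

WARNING: Could not get backup privileges!

Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 08:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-10 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""

P_FOUND, P_DEST = "Found mount point : ", "Mount point destination : "
P_REMOVE, P_DENIED = "Removing mount point : ", "Cannot access: "
# "[n] date time size path (vendor)" lines that follow a "Cannot access:" entry.
CANDIDATE_RE = re.compile(r"^\[(\d+)\]\s+(\S+\s+\S+)\s+(\d+)\s+(.+?)\s+\((.*)\)$")


def parse_win32kdiag(text):
    """Parse a Win32kDiag log into mount points, inaccessible files and a finished flag."""
    mounts, inaccessible = [], []
    mount = entry = None
    finished = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(P_FOUND):
            mount = {"path": line[len(P_FOUND):], "destination": None, "removed": False}
            mounts.append(mount)
        elif line.startswith(P_DEST) and mount is not None:
            mount["destination"] = line[len(P_DEST):]
        elif line.startswith(P_REMOVE) and mount is not None:
            mount["removed"] = True  # only present in a -f -r (fix/remove) run
        elif line.startswith(P_DENIED):
            entry = {"path": line[len(P_DENIED):], "candidates": []}
            inaccessible.append(entry)
        elif line == "Finished!":
            finished = True
        elif entry is not None:
            m = CANDIDATE_RE.match(line)
            if m:
                entry["candidates"].append({"index": int(m.group(1)), "timestamp": m.group(2),
                                            "size": int(m.group(3)), "path": m.group(4),
                                            "vendor": m.group(5)})
    return {"mount_points": mounts, "inaccessible": inaccessible, "finished": finished}


def mount_points_by_destination(parsed):
    """Count mount points per destination; one odd target repeated everywhere is the tell."""
    return Counter(m["destination"] for m in parsed["mount_points"])


def suggest_clean_copy(entry):
    """Heuristic: the listed candidate that is a different file and carries a vendor string
    (as in this thread, where logevent.dll served as the clean copy for eventlog.dll)."""
    for cand in entry["candidates"]:
        if cand["vendor"] and cand["path"].lower() != entry["path"].lower():
            return cand["path"]
    return None


def summarize(text):
    """Findings a helper would want, one per line."""
    parsed = parse_win32kdiag(text)
    lines = []
    if not parsed["finished"]:
        lines.append("log has no 'Finished!' marker: incomplete, rerun and wait it out")
    for dest, n in mount_points_by_destination(parsed).items():
        lines.append(f"{n} directory mount point(s) redirected to {dest}")
    for entry in parsed["inaccessible"]:
        fix = suggest_clean_copy(entry) or "no clean candidate listed"
        lines.append(f"cannot access {entry['path']}; clean copy candidate: {fix}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```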

#8 Perplexus (Regular Member, Experts group, 70 posts)
------------------
Step 1:
------------------

We need to create a clean copy of the file we are going to replace.

Open notepad and copy/paste the text in the code box below into it.
    @echo off
    copy C:\WINDOWS\system32\logevent.dll c:\eventlog.dll
    Exit
Click File > Save As... and in the dropdown box for Save as type select All Files
Then in the File name box type copy.bat and hit Save

This will create a batch file named copy.bat on your desktop.

Double click copy.bat to run it. You may see a black box appear, this is normal.

------------------
Step 2:
------------------

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Files to move:
    c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

------------------
Step 3:
------------------

Click on Start->Run, and copy-paste the following command into the "Open:" box, and click OK.

    "%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

------------------
Step 4:
------------------

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

------------------
Step 5:
------------------

Please post back with the following:
  • How your machine is running
  • c:\avenger.txt
  • Win32kDiag.txt
  • C:\ComboFix.txt



#9 Perplexus (Regular Member, Experts group, 70 posts)
How did that go? Still need assistance?



#10 Chuck Q (New Member, 21 posts)
avenger.txt:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#11 Chuck Q (New Member, 21 posts)
Running from: C:\Documents and Settings\Kellies.KELLIE\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Kellies.KELLIE\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\Options\CABS\CABS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Options\CABS\CABS

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Options\Install\Install

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\Indices\Indices

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Indices\Indices

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85ea9e216393783c9ef11731dd1cea2d\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85ea9e216393783c9ef11731dd1cea2d\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9540cfdb30eb58666192ecded02fce06\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9540cfdb30eb58666192ecded02fce06\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\critical_warning.html

Attempting to restore permissions of : C:\WINDOWS\system32\critical_warning.html

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

Found mount point : C:\WINDOWS\Temp\slu19ec.tmp\slu19ec.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu19ec.tmp\slu19ec.tmp

Found mount point : C:\WINDOWS\Temp\slu1f2c.tmp\slu1f2c.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu1f2c.tmp\slu1f2c.tmp

Found mount point : C:\WINDOWS\Temp\slu22c3.tmp\slu22c3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu22c3.tmp\slu22c3.tmp

Found mount point : C:\WINDOWS\Temp\slu271e.tmp\slu271e.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu271e.tmp\slu271e.tmp

Found mount point : C:\WINDOWS\Temp\slu2b07.tmp\slu2b07.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu2b07.tmp\slu2b07.tmp

Found mount point : C:\WINDOWS\Temp\slu2d31.tmp\slu2d31.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu2d31.tmp\slu2d31.tmp

Found mount point : C:\WINDOWS\Temp\slu3122.tmp\slu3122.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu3122.tmp\slu3122.tmp

Found mount point : C:\WINDOWS\Temp\slu3154.tmp\slu3154.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu3154.tmp\slu3154.tmp

Found mount point : C:\WINDOWS\Temp\slu316c.tmp\slu316c.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu316c.tmp\slu316c.tmp

Found mount point : C:\WINDOWS\Temp\slu32c.tmp\slu32c.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu32c.tmp\slu32c.tmp

Found mount point : C:\WINDOWS\Temp\slu346a.tmp\slu346a.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu346a.tmp\slu346a.tmp

Found mount point : C:\WINDOWS\Temp\slu356b.tmp\slu356b.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu356b.tmp\slu356b.tmp

Found mount point : C:\WINDOWS\Temp\slu375e.tmp\slu375e.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu375e.tmp\slu375e.tmp

Found mount point : C:\WINDOWS\Temp\slu3a7e.tmp\slu3a7e.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu3a7e.tmp\slu3a7e.tmp

Found mount point : C:\WINDOWS\Temp\slu3aac.tmp\slu3aac.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu3aac.tmp\slu3aac.tmp

Found mount point : C:\WINDOWS\Temp\slu3b0c.tmp\slu3b0c.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu3b0c.tmp\slu3b0c.tmp

Found mount point : C:\WINDOWS\Temp\slu402c.tmp\slu402c.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu402c.tmp\slu402c.tmp

Found mount point : C:\WINDOWS\Temp\slu40d8.tmp\slu40d8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu40d8.tmp\slu40d8.tmp

Found mount point : C:\WINDOWS\Temp\slu40f7.tmp\slu40f7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu40f7.tmp\slu40f7.tmp

Found mount point : C:\WINDOWS\Temp\slu41b.tmp\slu41b.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu41b.tmp\slu41b.tmp

Found mount point : C:\WINDOWS\Temp\slu4377.tmp\slu4377.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu4377.tmp\slu4377.tmp

Found mount point : C:\WINDOWS\Temp\slu44ec.tmp\slu44ec.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu44ec.tmp\slu44ec.tmp

Found mount point : C:\WINDOWS\Temp\slu46b0.tmp\slu46b0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu46b0.tmp\slu46b0.tmp

Found mount point : C:\WINDOWS\Temp\slu47ad.tmp\slu47ad.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu47ad.tmp\slu47ad.tmp

Found mount point : C:\WINDOWS\Temp\slu4b4d.tmp\slu4b4d.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu4b4d.tmp\slu4b4d.tmp

Found mount point : C:\WINDOWS\Temp\slu4cfc.tmp\slu4cfc.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu4cfc.tmp\slu4cfc.tmp

Found mount point : C:\WINDOWS\Temp\slu4e56.tmp\slu4e56.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu4e56.tmp\slu4e56.tmp

Found mount point : C:\WINDOWS\Temp\slu511d.tmp\slu511d.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu511d.tmp\slu511d.tmp

Found mount point : C:\WINDOWS\Temp\slu54a1.tmp\slu54a1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu54a1.tmp\slu54a1.tmp

Found mount point : C:\WINDOWS\Temp\slu56dd.tmp\slu56dd.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu56dd.tmp\slu56dd.tmp

Found mount point : C:\WINDOWS\Temp\slu57cb.tmp\slu57cb.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu57cb.tmp\slu57cb.tmp

Found mount point : C:\WINDOWS\Temp\slu589a.tmp\slu589a.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu589a.tmp\slu589a.tmp

Found mount point : C:\WINDOWS\Temp\slu5995.tmp\slu5995.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5995.tmp\slu5995.tmp

Found mount point : C:\WINDOWS\Temp\slu5a2f.tmp\slu5a2f.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5a2f.tmp\slu5a2f.tmp

Found mount point : C:\WINDOWS\Temp\slu5c41.tmp\slu5c41.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5c41.tmp\slu5c41.tmp

Found mount point : C:\WINDOWS\Temp\slu5cb7.tmp\slu5cb7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5cb7.tmp\slu5cb7.tmp

Found mount point : C:\WINDOWS\Temp\slu5ea9.tmp\slu5ea9.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu5ea9.tmp\slu5ea9.tmp

Found mount point : C:\WINDOWS\Temp\slu62e2.tmp\slu62e2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu62e2.tmp\slu62e2.tmp

Found mount point : C:\WINDOWS\Temp\slu6e5c.tmp\slu6e5c.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu6e5c.tmp\slu6e5c.tmp

Found mount point : C:\WINDOWS\Temp\slu71e8.tmp\slu71e8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu71e8.tmp\slu71e8.tmp

Found mount point : C:\WINDOWS\Temp\slu782.tmp\slu782.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu782.tmp\slu782.tmp

Found mount point : C:\WINDOWS\Temp\slu7bb7.tmp\slu7bb7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu7bb7.tmp\slu7bb7.tmp

Found mount point : C:\WINDOWS\Temp\slu818.tmp\slu818.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu818.tmp\slu818.tmp

Found mount point : C:\WINDOWS\Temp\slu89.tmp\slu89.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slu89.tmp\slu89.tmp

Found mount point : C:\WINDOWS\Temp\slubfb.tmp\slubfb.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slubfb.tmp\slubfb.tmp

Found mount point : C:\WINDOWS\Temp\slucaf.tmp\slucaf.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slucaf.tmp\slucaf.tmp

Found mount point : C:\WINDOWS\Temp\slud5.tmp\slud5.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slud5.tmp\slud5.tmp

Found mount point : C:\WINDOWS\Temp\slud75.tmp\slud75.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slud75.tmp\slud75.tmp

Found mount point : C:\WINDOWS\Temp\slufe7.tmp\slufe7.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\slufe7.tmp\slufe7.tmp

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!
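The `Found mount point` / `Mount point destination` / `Removing mount point` triplets in the log above are the tool reporting directory reparse points whose target is the device name `\Device\__max++>\^` instead of anything a volume or junction would normally resolve to. The script below is an added example for triaging such a log; it is not part of this thread and not code from any of the tools used in it. It parses the triplets, groups the reparse points by target, and flags every target that is neither a `\??\Volume{GUID}\` volume mount point nor a `\??\<drive>:\...` junction target (treating only those two forms as expected is an assumption of this example, as is the `same_name_child` heuristic, which simply encodes the `...\PIF\PIF`-style pattern every flagged directory above shows). The embedded sample log is constructed: three entries copied from the output above plus one benign volume mount point invented for contrast.

```python
"""Triage a 'Found mount point / Mount point destination / Removing mount point'
log: group directory reparse points by target and flag unexpected targets.
Added example, not from the thread above or from any tool used in it."""
import re
from collections import defaultdict
from typing import Dict, List

LINE_RE = re.compile(
    r"^(Found mount point|Mount point destination|Removing mount point)\s*:\s*(.+?)\s*$"
)

# Assumption of this example: the only targets Windows itself writes into a
# directory reparse point are a volume mount point (\??\Volume{GUID}\) or a
# directory junction to a drive-letter path (\??\C:\...). Anything else is
# flagged for a human to look at.
VOLUME_TARGET_RE = re.compile(
    r"^\\\?\?\\Volume\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}\\?$"
)
DRIVE_PATH_TARGET_RE = re.compile(r"^\\\?\?\\[A-Za-z]:\\")

# Constructed sample: three entries copied from the log above plus one benign
# volume mount point (C:\Mount\Data and its GUID are invented).
SAMPLE_LOG = """\
Found mount point : C:\\WINDOWS\\PIF\\PIF
Mount point destination : \\Device\\__max++>\\^
Removing mount point : C:\\WINDOWS\\PIF\\PIF

Found mount point : C:\\WINDOWS\\Temp\\slu89.tmp\\slu89.tmp
Mount point destination : \\Device\\__max++>\\^
Removing mount point : C:\\WINDOWS\\Temp\\slu89.tmp\\slu89.tmp

Found mount point : C:\\WINDOWS\\WinSxS\\InstallTemp\\InstallTemp
Mount point destination : \\Device\\__max++>\\^
Removing mount point : C:\\WINDOWS\\WinSxS\\InstallTemp\\InstallTemp

Found mount point : C:\\Mount\\Data
Mount point destination : \\??\\Volume{3a2b1c0d-1111-2222-3333-444455556666}\\
"""


def parse_mount_point_log(text: str) -> List[dict]:
    """Turn the Found/destination/Removing triplets into one record per reparse point."""
    records: List[dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and unrelated tool output
        kind, value = m.groups()
        if kind == "Found mount point":
            records.append({"path": value, "target": None, "removed": False})
        elif records:
            if kind == "Mount point destination":
                records[-1]["target"] = value
            else:  # "Removing mount point" only counts if it names the same path
                records[-1]["removed"] = value == records[-1]["path"]
    return records


def is_expected_target(target: str) -> bool:
    """Volume GUID mount points and drive-letter junction targets are expected."""
    return bool(VOLUME_TARGET_RE.match(target) or DRIVE_PATH_TARGET_RE.match(target))


def same_name_child(path: str) -> bool:
    """True for C:\\WINDOWS\\PIF\\PIF-style paths: a subdirectory named after its parent."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def triage(text: str) -> dict:
    """Group parsed reparse points by target and single out the unexpected ones."""
    records = parse_mount_point_log(text)
    by_target: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_target[r["target"] or "<no destination line>"].append(r)
    suspicious = {t: rs for t, rs in by_target.items() if not is_expected_target(t)}
    return {
        "total": len(records),
        "by_target": dict(by_target),
        "suspicious": suspicious,
        "same_name_child": [r["path"] for r in records if same_name_child(r["path"])],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} reparse points parsed")
    for target, recs in report["suspicious"].items():
        print(f"unexpected target {target!r}: {len(recs)} directories")
        for r in recs:
            print(f"  {r['path']}  removed={r['removed']}")
```

Run against a full log, the `suspicious` map gives the distinct odd targets and every directory redirected to each, so a helper can confirm at a glance that all of them resolve to the same device and that each one was actually removed; the `same_name_child` list is a cheap second signal for directories that were created only to carry a reparse point.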

#12
Chuck Q

    New Member

  • Members
  • 21 posts
OK, it ran fine, but now neither Internet Explorer nor Firefox will load the Malwarebytes website. I'm posting from my BlackBerry, so I can't post the logs unless I email them to myself and post them from here.

Everything else seems to be running just fine though!

#13
Chuck Q

    New Member

  • Members
  • 21 posts
Well, ignore my last post; it seems to be loading just fine now on my computer. The machine seems to be running just fine. Here's the log from ComboFix:


ComboFix 09-10-26.03 - Kellies 10/27/2009 3:05.1.1 - NTFSx86 NETWORK
Running from: c:\documents and settings\Kellies.KELLIE\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\KELLIE~1.KEL\LOCALS~1\Temp\csrss.exe
c:\docume~1\KELLIE~1.KEL\LOCALS~1\Temp\services.exe
c:\docume~1\KELLIE~1.KEL\LOCALS~1\Temp\svchost.exe
c:\docume~1\KELLIE~1.KEL\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\47447531
c:\documents and settings\All Users\Application Data\47447531\47447531.bat
c:\documents and settings\All Users\Application Data\47447531\47447531.exe
c:\documents and settings\All Users\Application Data\70847026
c:\documents and settings\All Users\Application Data\70847026\70847026.bat
c:\documents and settings\All Users\Application Data\70847026\70847026.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Kellies.KELLIE\Application Data\lizkavd.exe
c:\documents and settings\Kellies.KELLIE\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Kellies.KELLIE\Application Data\seres.exe
c:\documents and settings\Kellies.KELLIE\Application Data\svcst.exe
c:\documents and settings\Kellies.KELLIE\Desktop\Security Tool.lnk
c:\documents and settings\Kellies.KELLIE\ntuser.dll
c:\documents and settings\Kellies.KELLIE\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Kellies.KELLIE\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Kellies.KELLIE\Start Menu\Programs\Startup\scandisk.lnk
c:\recycler\S-1-5-21-3868997124-911790988-508925577-500
c:\windows\kb913800.exe
c:\windows\msa.exe
c:\windows\msb.exe
c:\windows\svohost.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\basezafa.exe
c:\windows\system32\bdjkoi5n.dll
c:\windows\system32\buwapite.exe
c:\windows\system32\calc.dll
c:\windows\system32\config\systemprofile\ntuser.dll
c:\windows\system32\critical_warning.html
c:\windows\system32\fabokenu.exe
c:\windows\system32\himepuka.exe
c:\windows\system32\jepazeje.dll
c:\windows\system32\jogekini.exe
c:\windows\system32\jogopamo.exe
c:\windows\system32\kemituba.exe
c:\windows\system32\lehuguwe.dll
c:\windows\system32\lugatepo.dll
c:\windows\system32\luhuwuji.exe
c:\windows\system32\mivimoru.dll
c:\windows\system32\nasikaje.dll
c:\windows\system32\nezogeju.dll
c:\windows\system32\nifolije.exe
c:\windows\system32\niniyifu.dll
c:\windows\system32\nolomipu.dll
c:\windows\system32\pasaruwe.dll
c:\windows\system32\pezatehe.exe
c:\windows\system32\popiwoba.exe
c:\windows\system32\rizakoyu.exe
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\tuvafuye.dll
c:\windows\system32\vobulite.exe
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\xa.tmp
c:\windows\system32\zayekofu.exe
c:\windows\Temp\2659976041.exe
c:\windows\usenecek.dll

----- BITS: Possible infected sites -----

hxxp://mastoblastobrevodo.com
hxxp://wsus.findlay.edu
c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_WDefend
-------\Service_WDefend


((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-27 06:38 . 2009-10-27 06:38 9666 ----a-w- c:\windows\icuholuracanar.dll
2009-10-27 06:29 . 2009-10-27 06:29 9668 ----a-w- c:\windows\erepijaferocohuv.dll
2009-10-27 05:47 . 2009-10-27 05:47 9666 ----a-w- c:\windows\ezicokuvomuyi.dll
2009-10-21 08:50 . 2009-10-21 08:50 -------- d-----w- C:\malwarebytes
2009-10-21 08:12 . 2009-10-21 08:23 -------- d-----w- c:\program files\Trend Micro
2009-10-21 07:07 . 2009-10-21 07:48 -------- d-----w- C:\malwarecrap
2009-10-21 06:10 . 2009-10-21 06:10 -------- d-----w- c:\program files\ERUNT
2009-10-20 06:09 . 2009-10-20 06:09 -------- d-----w- C:\6e5d4cfe5733aeda209e6bdb61f3ca
2009-10-19 05:21 . 2009-10-19 05:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-19 05:13 . 2009-10-19 05:13 -------- d-----w- c:\documents and settings\Kellies.KELLIE\Application Data\Malwarebytes
2009-10-19 05:08 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 05:07 . 2009-10-19 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-19 05:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-19 04:57 . 2009-10-27 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\09475328
2009-10-19 04:31 . 2009-10-08 15:31 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-10-19 04:31 . 2009-10-08 15:31 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-10-19 04:31 . 2009-10-08 15:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-19 04:31 . 2009-10-08 15:31 767952 ----a-w- c:\windows\BDTSupport.dll
2009-10-19 04:31 . 2009-10-02 18:19 1152470 ----a-w- c:\windows\UDB.zip
2009-10-19 04:31 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2009-10-19 04:30 . 2009-09-24 12:55 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-19 04:30 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-19 04:30 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-19 04:30 . 2009-09-03 13:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-19 04:30 . 2009-10-19 04:39 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-19 04:30 . 2009-10-27 06:54 -------- d-----w- c:\program files\Spyware Doctor
2009-10-19 04:30 . 2009-10-19 04:30 -------- d-----w- c:\documents and settings\Kellies.KELLIE\Application Data\PC Tools
2009-10-19 04:30 . 2009-10-19 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-19 04:01 . 2009-10-19 04:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-10-19 03:56 . 2009-10-19 03:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{E363803E-0D71-400E-8024-591C38995471}
2009-10-18 12:14 . 2009-10-18 12:14 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-10-18 08:55 . 2009-10-27 05:42 -------- d-----w- c:\documents and settings\All Users\Application Data\66857335
2009-10-18 08:54 . 2009-10-27 05:14 0 ----a-w- c:\windows\Bcune.bin
2009-10-18 08:54 . 2009-10-27 06:03 9668 ----a-w- c:\windows\Tbepujumuqoboxe.dat
2009-10-18 08:54 . 2009-10-18 08:54 -------- d-----w- c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\{38512FCB-6B6A-4F35-A22A-FB302BA73DF5}
2009-10-18 07:59 . 2009-10-27 05:13 0 ----a-w- c:\windows\win32k.sys
2009-10-18 07:22 . 2009-10-18 12:30 58 ----a-w- c:\windows\wp4.dat
2009-10-18 07:22 . 2009-10-18 12:30 4 ----a-w- c:\windows\wp3.dat
2009-10-15 06:06 . 2004-08-10 12:00 24576 ----a-w- c:\windows\system32\stu2.exe
2009-10-14 13:42 . 2009-10-14 13:42 -------- d-----w- c:\program files\BBSAK
2009-10-14 11:24 . 2009-10-14 11:24 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-10-14 11:15 . 2009-10-14 11:15 -------- d-----w- c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\WMTools Downloaded Files
2009-10-14 05:17 . 2009-10-14 07:40 -------- d-----w- c:\program files\Magic Workstation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 07:16 . 2009-02-18 20:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-19 05:31 . 2006-02-25 07:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-15 08:33 . 2008-03-07 09:14 -------- d-----w- c:\documents and settings\Kellies.KELLIE\Application Data\LimeWire
2009-10-15 07:44 . 2009-02-24 06:54 256 ----a-w- c:\windows\system32\pool.bin
2009-10-15 06:31 . 2009-02-24 06:24 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-10-15 06:06 . 2006-02-15 14:04 68096 ----a-w- c:\windows\system32\userinit.exe
2009-09-19 01:58 . 2007-05-04 16:26 -------- d-----w- c:\documents and settings\Kellies.KELLIE\Application Data\Apple Computer
2009-09-19 01:51 . 2009-09-19 01:50 -------- d-----w- c:\program files\iTunes
2009-09-19 01:51 . 2009-09-19 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-19 01:50 . 2009-09-19 01:50 -------- d-----w- c:\program files\iPod
2009-09-19 01:50 . 2008-02-20 20:46 -------- d-----w- c:\program files\Common Files\Apple
2009-09-19 01:48 . 2009-09-19 01:48 -------- d-----w- c:\program files\QuickTime
2009-09-16 07:20 . 2009-10-19 04:30 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-15 10:20 . 2009-10-19 04:30 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-09-15 06:12 . 2009-10-19 04:30 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-09-15 05:01 . 2009-10-19 04:30 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-09-06 21:05 . 2009-09-06 21:05 256 ----a-w- c:\documents and settings\Kellies.KELLIE\pool.bin
2009-08-28 23:42 . 2009-08-23 06:57 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:42 . 2008-12-25 23:00 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2007-06-26 21:14 . 2006-08-25 18:16 61038 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-06-26 21:14 . 2006-08-25 18:16 49256 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-26 21:14 . 2006-08-25 18:16 166000 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-27 06:03 . 2009-07-27 06:03 53760 --sha-w- c:\windows\system32\fakubija.dll
2009-07-27 06:03 . 2009-07-27 06:03 39424 --sha-w- c:\windows\system32\gisiyojo.dll
2009-07-18 08:54 . 2009-07-18 08:54 193544 --sha-w- c:\windows\system32\kihinuga.exe
2009-07-18 08:54 . 2009-07-18 08:54 24576 --sha-w- c:\windows\system32\pojovosa.exe
2009-07-27 06:05 . 2009-07-27 06:05 53760 --sha-w- c:\windows\system32\rasawofu.dll
.

------- Sigcheck -------

[-] 2009-10-15 06:06 . 9579FD95E7EF64EF5F5BE2B3D5F95F3B . 68096 . . [------] . . c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ae46f49-6e96-49ca-9003-bd7e9bd3c2fb}]
2009-07-27 06:05 53760 --sha-w- c:\windows\system32\rasawofu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{472734EA-242A-422B-ADF8-83D1E48CC825}"= "c:\program files\Spyware Doctor\BDT\PCTBrowserDefender.dll" [2009-10-08 395216]

[HKEY_CLASSES_ROOT\clsid\{472734ea-242a-422b-adf8-83d1e48cc825}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}]
[HKEY_CLASSES_ROOT\BrowserDefender.BDToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-06-20 339968]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-08 185896]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-09-22 1243088]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-07-18 116072]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"CFSServ.exe"="CFSServ.exe" [BU]

c:\documents and settings\Kellies.KELLIE\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-6-12 59080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2006-08-25 18:15 106496 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli mcamuq.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metamail Trust Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Metamail Trust Manager.lnk
backup=c:\windows\pss\Metamail Trust Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"TAPPSRV"=2 (0x2)
"Swupdtmr"=2 (0x2)
"ose"=3 (0x3)
"odClientService"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sierra\\Empire Earth Gold\\Empire Earth\\Empire Earth.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"c:\\Documents and Settings\\Kellies.KELLIE\\My Documents\\My Pictures\\crap\\magic-_the_gathering\\Magic\\Manalink.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56828:TCP"= 56828:TCP:Pando Media Booster
"56828:UDP"= 56828:UDP:Pando Media Booster

R3 cdrmkaun;cdrmkaun;c:\docume~1\KELLIE~1.KEL\LOCALS~1\Temp\cdrmkaun.sys [x]
R3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2005-09-06 155184]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 odFips;odFips;c:\windows\system32\drivers\odFips.sys [2006-05-24 254208]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2009-10-08 112592]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-09-23 358600]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2005-09-06 24521]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - mbr
*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2009-10-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-10-17 c:\windows\Tasks\At1.job
- c:\program files\spybot - search & destroy\spybotsd.exe [2006-08-25 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: connwsp.dll
Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
FF - ProfilePath - c:\documents and settings\Kellies.KELLIE\Application Data\Mozilla\Firefox\Profiles\l2co8tuz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.toshibadirect.com/dpdstart
FF - component: c:\progra~1\MOZILL~1\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: XULRunner: {38512FCB-6B6A-4F35-A22A-FB302BA73DF5} - c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\{38512FCB-6B6A-4F35-A22A-FB302BA73DF5}
FF - HiddenExtension: XULRunner: {E363803E-0D71-400E-8024-591C38995471} - c:\documents and settings\Administrator\Local Settings\Application Data\{E363803E-0D71-400E-8024-591C38995471}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\bdjkoi5n.dll
HKLM-Run-PadTouch - c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
HKLM-Run-Acuzogoloputuye - c:\windows\usenecek.dll
HKLM-Run-66857335 - c:\docume~1\ALLUSE~1\APPLIC~1\66857335\66857335.exe
HKLM-Run-09475328 - c:\docume~1\ALLUSE~1\APPLIC~1\09475328\09475328.exe
HKLM-Run-70847026 - c:\documents and settings\All Users\Application Data\70847026\70847026.exe
HKLM-Run-47447531 - c:\documents and settings\All Users\Application Data\47447531\47447531.exe
HKLM-Run-serisejeh - c:\windows\system32\pasaruwe.dll
HKLM-Run-mogiluhehe - tuvafuye.dll
SharedTaskScheduler-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\bdjkoi5n.dll
SharedTaskScheduler-{4473fd11-d88c-4c6e-afe4-33477f20598b} - c:\windows\system32\pasaruwe.dll
SSODL-jadimukut-{e7496247-9478-42cc-b687-f088e3bf6407} - (no file)
SSODL-lihijaros-{4473fd11-d88c-4c6e-afe4-33477f20598b} - c:\windows\system32\pasaruwe.dll
Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 03:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3133354311-158489622-3555420663-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{197D85AF-AAF7-9BC1-7AC7-6813F56B2659}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaadelajlbbflpckfobkcipcdoboch"=hex:64,61,6e,6d,6e,6e,6c,6d,00,80
"oamfefabbddlfpdojmidbbdmcofnfg"=hex:6a,61,61,6e,61,6e,64,6f,70,65,69,65,66,6c,
63,69,6a,61,67,6a,00,ba
"nacfodfgcpolmmalojejkacfaiph"=hex:69,61,61,6e,67,6e,6f,65,61,69,63,6f,63,64,
62,66,63,65,00,00

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ }*2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(176)
c:\windows\system32\odyEvent.dll
c:\program files\Funk Software\Odyssey Client\odLogin.dll

- - - - - - - > 'lsass.exe'(1736)
c:\windows\mcamuq.dll

- - - - - - - > 'explorer.exe'(156)
c:\program files\Spyware Doctor\pctgmhk.dll
c:\windows\system32\ieframe.dll
c:\windows\mcamuq.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\connwsp.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\combofix\CF14879.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\Rundll32.exe
c:\windows\system32\TPSBattM.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\TOSHIBA\ConfigFree\CFXFER.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-27 3:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-27 07:28

Pre-Run: 11,847,905,280 bytes free
Post-Run: 11,441,602,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 948B0CBD972D7929C857DAB120891F72

#14
Perplexus

    Regular Member

  • Experts
  • PipPip
  • 70 posts
Hi Chuck Q,

This machine is really infected! We have quite a bit to do, so please stick with me until I give the all clear.

------------------
Step 1:
------------------

Too Many Antivirus Programs Installed

You have too many Antivirus programs installed. Antivirus programs often conflict and can cause system slowdowns, crashes, or even leave you unprotected. Select one of these to keep and remove the others:

  • Norton 360
  • Spyware Doctor with Antivirus <------- uninstall this one

------------------
Step 2:
------------------

P2P

I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Click > Start > Control Panel > Add or Remove Programs and uninstall the following programs (if they exist):

  • Limewire

------------------
Step 3:
------------------

It's very important to disable your antivirus BEFORE running ComboFix. Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\icuholuracanar.dll
c:\windows\erepijaferocohuv.dll
c:\windows\ezicokuvomuyi.dll
c:\windows\Bcune.bin
c:\windows\Tbepujumuqoboxe.dat
c:\windows\win32k.sys
c:\windows\wp4.dat
c:\windows\wp3.dat
c:\windows\system32\stu2.exe
c:\windows\system32\fakubija.dll
c:\windows\system32\gisiyojo.dll
c:\windows\system32\kihinuga.exe
c:\windows\system32\pojovosa.exe
c:\windows\system32\rasawofu.dll

Folder::
c:\documents and settings\All Users\Application Data\66857335
c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\{38512FCB-6B6A-4F35-A22A-FB302BA73DF5}

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ae46f49-6e96-49ca-9003-bd7e9bd3c2fb}]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Documents and Settings\\Kellies.KELLIE\\My Documents\\My Pictures\\crap\\magic-_the_gathering\\Magic\\Manalink.exe"=-

RegNull::
[HKEY_USERS\S-1-5-21-3133354311-158489622-3555420663-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{197D85AF-AAF7-9BC1-7AC7-6813F56B2659}*]

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ }*2*]

Driver::
cdrmkaun

SRPeek::
C:\windows\system32\userinit.exe

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

------------------
Step 4:
------------------

Please post back with the following:
  • How your machine is running
  • ComboFix.txt

Perplexus
Proud Graduate of Geek University - Learn how to fight malware for free

When a man is faced with his own death, he finds the impossible less of a barrier.

Please do not PM me asking for support. Post on the forums instead :)
I am a volunteer and I do my best to reply in a timely manner. Weekends are usually spent with my family.
If I have not responded in three days, please feel free to PM me with friendly reminder.


#15
Chuck Q

    New Member

  • Members
  • Pip
  • 21 posts
OK, followed all the steps, everything seems to be running normally, here's the ComboFix log:


ComboFix 09-10-27.04 - Kellies 10/28/2009 1:43.2.1 - NTFSx86
Running from: c:\documents and settings\Kellies.KELLIE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kellies.KELLIE\Desktop\CFScript.txt.txt
AV: Norton 360 *On-access scanning enabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
* Created a new restore point

FILE ::
"c:\windows\Bcune.bin"
"c:\windows\erepijaferocohuv.dll"
"c:\windows\ezicokuvomuyi.dll"
"c:\windows\icuholuracanar.dll"
"c:\windows\system32\fakubija.dll"
"c:\windows\system32\gisiyojo.dll"
"c:\windows\system32\kihinuga.exe"
"c:\windows\system32\pojovosa.exe"
"c:\windows\system32\rasawofu.dll"
"c:\windows\system32\stu2.exe"
"c:\windows\Tbepujumuqoboxe.dat"
"c:\windows\win32k.sys"
"c:\windows\wp3.dat"
"c:\windows\wp4.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\66857335
c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\{38512FCB-6B6A-4F35-A22A-FB302BA73DF5}
c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\{38512FCB-6B6A-4F35-A22A-FB302BA73DF5}\chrome.manifest
c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\{38512FCB-6B6A-4F35-A22A-FB302BA73DF5}\chrome\content\_cfg.js
c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\{38512FCB-6B6A-4F35-A22A-FB302BA73DF5}\chrome\content\overlay.xul
c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\{38512FCB-6B6A-4F35-A22A-FB302BA73DF5}\install.rdf
c:\windows\Bcune.bin
c:\windows\erepijaferocohuv.dll
c:\windows\ezicokuvomuyi.dll
c:\windows\icuholuracanar.dll
c:\windows\system32\fakubija.dll
c:\windows\system32\gisiyojo.dll
c:\windows\system32\kihinuga.exe
c:\windows\system32\pojovosa.exe
c:\windows\system32\rasawofu.dll
c:\windows\system32\stu2.exe
c:\windows\system32\zelosubo.dll
c:\windows\Tbepujumuqoboxe.dat
c:\windows\win32k.sys
c:\windows\wp3.dat
c:\windows\wp4.dat

c:\windows\system32\userinit.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDRMKAUN
-------\Service_cdrmkaun


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-27 08:02 . 2009-10-27 08:02 9668 ----a-w- c:\windows\eziguzeyaw.dll
2009-10-27 07:41 . 2009-10-27 07:41 9668 ----a-w- c:\windows\unisiyuwamox.dll
2009-10-27 07:27 . 2009-10-27 07:27 9667 ----a-w- c:\windows\oyiderir.dll
2009-10-27 07:19 . 2009-10-27 07:19 9668 ----a-w- c:\windows\iricudez.dll
2009-10-21 08:50 . 2009-10-27 08:09 -------- d-----w- C:\malwarebytes
2009-10-21 08:12 . 2009-10-21 08:23 -------- d-----w- c:\program files\Trend Micro
2009-10-21 07:07 . 2009-10-21 07:48 -------- d-----w- C:\malwarecrap
2009-10-21 06:10 . 2009-10-21 06:10 -------- d-----w- c:\program files\ERUNT
2009-10-20 06:09 . 2009-10-20 06:09 -------- d-----w- C:\6e5d4cfe5733aeda209e6bdb61f3ca
2009-10-19 05:21 . 2009-10-19 05:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-19 05:13 . 2009-10-19 05:13 -------- d-----w- c:\documents and settings\Kellies.KELLIE\Application Data\Malwarebytes
2009-10-19 05:08 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 05:07 . 2009-10-19 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-19 05:07 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-19 04:57 . 2009-10-27 05:18 -------- d-----w- c:\documents and settings\All Users\Application Data\09475328
2009-10-19 04:01 . 2009-10-19 04:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-10-19 03:56 . 2009-10-19 03:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\{E363803E-0D71-400E-8024-591C38995471}
2009-10-18 12:14 . 2009-10-18 12:14 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-10-14 13:42 . 2009-10-14 13:42 -------- d-----w- c:\program files\BBSAK
2009-10-14 11:24 . 2009-10-14 11:24 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-10-14 11:15 . 2009-10-14 11:15 -------- d-----w- c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\WMTools Downloaded Files
2009-10-14 05:17 . 2009-10-14 07:40 -------- d-----w- c:\program files\Magic Workstation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 08:32 . 2009-02-18 20:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-19 05:31 . 2006-02-25 07:02 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-15 08:33 . 2008-03-07 09:14 -------- d-----w- c:\documents and settings\Kellies.KELLIE\Application Data\LimeWire
2009-10-15 07:44 . 2009-02-24 06:54 256 ----a-w- c:\windows\system32\pool.bin
2009-10-15 06:31 . 2009-02-24 06:24 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-10-15 06:06 . 2006-02-15 14:04 68096 ----a-w- c:\windows\system32\userinit.exe
2009-09-19 01:58 . 2007-05-04 16:26 -------- d-----w- c:\documents and settings\Kellies.KELLIE\Application Data\Apple Computer
2009-09-19 01:51 . 2009-09-19 01:50 -------- d-----w- c:\program files\iTunes
2009-09-19 01:51 . 2009-09-19 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-19 01:50 . 2009-09-19 01:50 -------- d-----w- c:\program files\iPod
2009-09-19 01:50 . 2008-02-20 20:46 -------- d-----w- c:\program files\Common Files\Apple
2009-09-19 01:48 . 2009-09-19 01:48 -------- d-----w- c:\program files\QuickTime
2009-09-06 21:05 . 2009-09-06 21:05 256 ----a-w- c:\documents and settings\Kellies.KELLIE\pool.bin
2009-08-28 23:42 . 2009-08-23 06:57 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:42 . 2008-12-25 23:00 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2007-06-26 21:14 . 2006-08-25 18:16 61038 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-06-26 21:14 . 2006-08-25 18:16 49256 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-26 21:14 . 2006-08-25 18:16 166000 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-28 05:08 . 2009-07-28 05:08 39424 --sha-w- c:\windows\system32\kanerihe.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2009-10-15 06:06 . 9579FD95E7EF64EF5F5BE2B3D5F95F3B . 68096 . . [------] . . c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-27_07.17.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-28 05:54 . 2009-10-28 05:54 16384 c:\windows\temp\Perflib_Perfdata_674.dat
+ 2006-02-15 15:41 . 2009-10-27 08:01 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-02-15 15:41 . 2009-10-27 05:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-27 07:39 . 2009-10-27 08:01 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-30 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-06-20 339968]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-08 185896]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-07-18 116072]
"serisejeh"="c:\windows\system32\zelosubo.dll" [BU]
"Acuzogoloputuye"="c:\windows\ipaboxebodamu.dll" [2007-03-08 173056]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]
"CFSServ.exe"="CFSServ.exe" [BU]
"mogiluhehe"="tuvafuye.dll" [BU]

c:\documents and settings\Kellies.KELLIE\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-6-12 59080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OdysseyClient]
2006-08-25 18:15 106496 ----a-w- c:\windows\system32\odyEvent.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli mcamuq.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metamail Trust Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Metamail Trust Manager.lnk
backup=c:\windows\pss\Metamail Trust Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"TAPPSRV"=2 (0x2)
"Swupdtmr"=2 (0x2)
"ose"=3 (0x3)
"odClientService"=2 (0x2)
"LiveUpdate Notice Service"=2 (0x2)
"LiveUpdate Notice Ex"=2 (0x2)
"LiveUpdate"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"comHost"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sierra\\Empire Earth Gold\\Empire Earth\\Empire Earth.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\NDSTray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56828:TCP"= 56828:TCP:Pando Media Booster
"56828:UDP"= 56828:UDP:Pando Media Booster

R3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys [2005-09-06 155184]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 odFips;odFips;c:\windows\system32\drivers\odFips.sys [2006-05-24 254208]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys [2005-09-06 24521]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-10-17 c:\windows\Tasks\At1.job
- c:\program files\spybot - search & destroy\spybotsd.exe [2006-08-25 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
LSP: connwsp.dll
Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
FF - ProfilePath - c:\documents and settings\Kellies.KELLIE\Application Data\Mozilla\Firefox\Profiles\l2co8tuz.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.toshibadirect.com/dpdstart
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - HiddenExtension: XULRunner: {E363803E-0D71-400E-8024-591C38995471} - c:\documents and settings\Administrator\Local Settings\Application Data\{E363803E-0D71-400E-8024-591C38995471}
FF - HiddenExtension: XULRunner: {6550F1D5-A52F-46D8-828A-13D59CF98945} - c:\documents and settings\Kellies.KELLIE\Local Settings\Application Data\{6550F1D5-A52F-46D8-828A-13D59CF98945}\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{05011fec-9346-4627-9894-632980b0428c} - c:\windows\system32\zelosubo.dll
SSODL-figofusun-{05011fec-9346-4627-9894-632980b0428c} - c:\windows\system32\zelosubo.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 01:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\¬ }*2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1904)
c:\windows\system32\odyEvent.dll
c:\program files\Funk Software\Odyssey Client\odLogin.dll

- - - - - - - > 'lsass.exe'(1436)
c:\windows\mcamuq.dll

- - - - - - - > 'explorer.exe'(3060)
c:\windows\system32\ieframe.dll
c:\windows\mcamuq.dll
c:\windows\ipaboxebodamu.dll
c:\windows\system32\msi.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\connwsp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\combofix\CF11094.exe
c:\windows\system32\dllhost.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\eHome\ehmsas.exe
c:\program files\TOSHIBA\ConfigFree\CFSServ.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\ConfigFree\CFXFER.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Real\RealPlayer\RealPlay.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-28 2:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-28 06:03
ComboFix2.txt 2009-10-27 07:28

Pre-Run: 11,594,293,248 bytes free
Post-Run: 11,569,471,488 bytes free

- - End Of File - - 9EE0BCB1DE62593D70B30AFE3F09BD61

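A helper reading the log above looks first at the "DLLs Loaded Under Running Processes" section. The following is an added example, not part of this thread and not ComboFix's own code, that parses that section and flags modules loaded into winlogon, lsass or explorer straight from the Windows root folder under a random-looking name; the sample lines are copied from the log above, while the naming heuristic and the `c:\windows` root are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = """\
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1904)
c:\\windows\\system32\\odyEvent.dll
c:\\program files\\Funk Software\\Odyssey Client\\odLogin.dll

- - - - - - - > 'lsass.exe'(1436)
c:\\windows\\mcamuq.dll

- - - - - - - > 'explorer.exe'(3060)
c:\\windows\\system32\\ieframe.dll
c:\\windows\\mcamuq.dll
c:\\windows\\ipaboxebodamu.dll
"""
# Process header exactly as ComboFix prints it: - - - - - - - > 'name'(pid)
PROC_RE = re.compile(r"^- - - - - - - > '(?P<name>[^']+)'\(\d+\)$")

def parse_loaded_dlls(text):
    """Map each process name to the lower-cased module paths listed under it."""
    loaded = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            current = m.group("name").lower()
        elif current and line.lower().endswith(".dll"):
            loaded[current].append(line.lower())
    return dict(loaded)

def looks_random(basename):
    """Crude heuristic, an assumption of this example: 6+ letters, all lowercase, no digits."""
    stem = basename.rsplit(".", 1)[0]
    return stem.isalpha() and stem.islower() and len(stem) >= 6

def suspicious_modules(loaded, windows_root="c:\\windows"):
    """(process, path) pairs loaded straight from the Windows root folder with a
    random-looking name; legitimate system DLLs sit in subfolders such as system32."""
    hits = set()
    for proc, dlls in loaded.items():
        for path in dlls:
            folder, _, base = path.rpartition("\\")
            if folder == windows_root and looks_random(base):
                hits.add((proc, path))
    return sorted(hits)
```

Run on the sample, it reports mcamuq.dll inside both lsass.exe and explorer.exe and ipaboxebodamu.dll inside explorer.exe, the same two modules the helper goes on to chase.
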
#16
Perplexus

    Regular Member

  • Experts
  • PipPip
  • 70 posts
Ok, we have a really persistent one here. I want to run some different scans. We will also need to update your Windows to SP3 so that it will replace the bad userinit.exe file.

------------------
Step 1:
------------------

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Note: It is a good idea to run TFC to clear out all your temp files every now and again. This helps to keep your computer running more efficiently. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

------------------
Step 2:
------------------

Uninstall Malwarebytes and let's get a fresh copy.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

------------------
Step 3:
------------------

Download and install SP3 from here:

http://www.softwarepatch.com/windows/windo...ice-pack-3.html

------------------
Step 4:
------------------

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

------------------
Step 5:
------------------

Please post back with the following:
  • How your machine is running
  • MBAM log
  • OTL.txt
  • Extras.txt

Perplexus
Proud Graduate of Geek University - Learn how to fight malware for free

When a man is faced with his own death, he finds the impossible less of a barrier.

Please do not PM me asking for support. Post on the forums instead :)
I am a volunteer and I do my best to reply in a timely manner. Weekends are usually spent with my family.
If I have not responded in three days, please feel free to PM me with friendly reminder.
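The `/s /md5` entries in Step 4 ask OTL to search the system drive for every copy of each named file and print its MD5, so that a live driver or userinit.exe that no longer matches the copy held elsewhere stands out. As an added illustration, not OTL's or the thread's own code, this script performs the same sweep in Python and reports names whose copies do not all share one hash; the tree it hashes is constructed in a temporary folder, and the backup-folder layout it uses is an assumption.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Names taken from the custom scan list in the post above (matched case-insensitively).
SWEEP_NAMES = ["userinit.exe", "atapi.sys", "iaStor.sys", "AGP440.sys", "eventlog.dll"]

def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large drivers need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, names):
    """Return {name: {md5: [paths]}} for every copy of each name found under root."""
    wanted = {n.lower() for n in names}
    found = defaultdict(lambda: defaultdict(list))
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower() in wanted:
                p = os.path.join(dirpath, f)
                found[f.lower()][md5_of(p)].append(p)
    return {n: dict(h) for n, h in found.items()}

def mismatched(report):
    """Names whose copies do not all share one hash: at least one copy has been altered."""
    return sorted(n for n, hashes in report.items() if len(hashes) > 1)

def build_demo_tree(base=None):
    """Constructed sample tree (not a real system, layout assumed): atapi.sys differs
    between the live drivers folder and the ServicePackFiles backup, AGP440.sys does not."""
    base = base or tempfile.mkdtemp()
    layout = {
        os.path.join("system32", "drivers", "atapi.sys"): b"PATCHED DRIVER BODY",
        os.path.join("ServicePackFiles", "i386", "atapi.sys"): b"ORIGINAL DRIVER BODY",
        os.path.join("system32", "drivers", "AGP440.sys"): b"SAME BODY",
        os.path.join("ServicePackFiles", "i386", "AGP440.sys"): b"SAME BODY",
        os.path.join("system32", "userinit.exe"): b"ONLY ONE COPY",
    }
    for rel, body in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return base
```

`mismatched(sweep(build_demo_tree(), SWEEP_NAMES))` returns `["atapi.sys"]`; a single copy with no counterpart, like userinit.exe in the sample, cannot be judged this way and still needs comparison against a known-good hash.
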


#17
Chuck Q

    New Member

  • Members
  • Pip
  • 21 posts
Ok I did step one, worked fine. Installed new malwarebytes, scanned and hit remove. It said one item couldn't be removed and would be removed on restart, I hit ok and it rebooted the machine, now when windows starts it's just a blank background image, no taskbar, no start menu, no icons, nothing. I don't know how to bring it back. I can open the task manager but that's all; I'm posting from my BlackBerry.

#18
Chuck Q

    New Member

  • Members
  • Pip
  • 21 posts
Never mind, googled it and found out I had to open Task Manager and start explorer.exe, continuing with the rest of the steps now.

#19
Chuck Q

    New Member

  • Members
  • Pip
  • 21 posts
Ok, installed the service pack, everything seems to be working fine.

I can't post the malware log; when the computer rebooted and explorer.exe wasn't running it never showed up. Is it saved somewhere that I can find it?

When I try to download OTL a window pops up and says I can't copy it, access is denied, and to make sure the disc isn't full or write protected, and that it's not currently in use.

#20
Perplexus

    Regular Member

  • Experts
  • PipPip
  • 70 posts
Sorry about your troubles! I'm glad you got it back up though. The MBAM log should be available by starting Malwarebytes and selecting the Logs tab. If it's not there, we'll re-run it a little later. I'm not sure what's going on with OTL at the moment, but make sure you deleted any version of OTL you have already before trying the download.

Are you able to reboot ok now?

Let's go ahead and get another ComboFix run as I want to see what changed after the steps you completed. Just double-click ComboFix.exe and post back the log.

Perplexus