Erik35

  1. I had read somewhere that wmiprvse.exe could be a virus, but after looking some more, it is part of Windows. I got this error message when trying to remove via Control Panel each of the software programs you mentioned in your previous post: "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance." Is there another way to remove them? Here is the mbam log.

     Malwarebytes' Anti-Malware 1.41
     Database version: 2867
     Windows 5.1.2600 Service Pack 3

     9/28/2009 10:16:50 AM
     mbam-log-2009-09-28 (10-16-50).txt

     Scan type: Quick Scan
     Objects scanned: 118201
     Time elapsed: 11 minute(s), 34 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  2. I guess I spoke too soon. AVG or MBAM found some spyware under the administrator account cookies. I could not seem to get to the files to delete them. I can only see the administrator account in safe mode, so I started in safe mode and logged on to administrator. Explorer.exe didn't start. I started Task Manager and was surprised to see wmiprvse running. I killed this, and tried to start explorer manually, but access was denied. I then tried to use xcacls to change the permission, but it is not recognized as an internal or external command. I think I used it before. I logged in as my regular user in safe mode and wmiprvse was running there too. It is also running when I log in in non-safe mode. MsPMSPSv.exe is running too. I guess I need more help to get wmiprvse off, and get explorer to run in the administrator account. Thanks!
  3. I don't seem to have any issues left. Windows does want to install something when I shut down. I'm a little nervous to let it, so I have been shutting down without installing updates. Is there a way to see if the updates are legit? Thanks again for all your help with getting the malware off and making the computer run again!!

     Results of screen317's Security Check version 0.98.9
     Windows XP Service Pack 3
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Enabled!
     AVG Free 8.5
     Antivirus up to date!
     ``````````````````````````````
     Anti-malware/Other Utilities Check:
     Malwarebytes' Anti-Malware
     Java 6 Update 14
     Java SE Runtime Environment 6 Update 1
     Java 6 Update 3
     Java 6 Update 5
     Java SE Development Kit 6 Update 1
     Out of date Java installed!
     Adobe Flash Player 10
     Adobe Reader 7.0.9
     Out of date Adobe Reader installed!
     ``````````````````````````````
     Process Check:
     objlist.exe by Laurent
     AVG avgwdsvc.exe
     AVG avgtray.exe
     AVG avgrsx.exe
     AVG avgnsx.exe
     PESTPA~1 CookiePatrol.exe
     ``````````````````````````````
     DNS Vulnerability Check:
     GREAT! (Not vulnerable to DNS cache poisoning)
     `````````End of Log```````````
  4. F-secure Scanning Report
     Friday, September 18, 2009 11:01:02 - 12:09:47
     Computer name: FOX
     Scanning type: Scan system for malware, spyware and rootkits
     Target: C:\
     --------------------------------------------------------------------------------
     4 malware found
     TrackingCookie.Revsci (spyware)
       System (Disinfected)
     TrackingCookie.Adbrite (spyware)
       System (Disinfected)
     TrackingCookie.Yieldmanager (spyware)
       System (Disinfected)
     Trojan.FakeAV.PZ (virus)
       C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\DESKTOP.HTT (Renamed & Submitted)
     --------------------------------------------------------------------------------
     Statistics
     Scanned:
       Files: 71631
       System: 3926
       Not scanned: 8
     Actions:
       Disinfected: 3
       Renamed: 1
       Deleted: 0
       Not cleaned: 0
       Submitted: 1
     Files not scanned:
       C:\PAGEFILE.SYS
       C:\HIBERFIL.SYS
       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
       C:\WINDOWS\SYSTEM32\CONFIG\SAM
       C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
       C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
       C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
       C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
     --------------------------------------------------------------------------------
     Options
     Scanning engines:
     Scanning options:
       Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
       Use advanced heuristics
  5. c:\program files\WarBy2
     c:\program files\WarBy1

     This is where I had installed mbam when I was originally trying to get it to run. VirusTotal results attached. Pressing the reply button with the contents here => page cannot be displayed.

     reply.txt
  6. I am having trouble replying with the TotalVirus output. I'll keep trying.
  7. ComboFix 09-09-13.06 - Registered User 09/14/2009 9:29.2.2 - NTFSx86
  8. It wants to install critical updates when I shut down. I have a hunch that this is how some of the viruses got installed before because it asked to install updates on shutdown every day for a while. I tried running windows update through IE, but the same 16 bit MS-DOS error popup from my last post keeps re-appearing while windows update is running. For now I just shut down without installing updates. Thanks Erik
  9. The computer is much better now. I updated mbam with the latest build and ran it. It found and removed 11 more threats. I get this window on startup:

     16 bit MS-DOS Subsystem
     C:\WINDOWS\system32\wbem\wmiprvse.exe -secured C:\WINDOWS\TEMP\.
     A temporary file needed for initialization could not be created or could not be written to. Make sure that the directory path exists, and disk space is available. Choose 'Close' to terminate the application.

     Seems like something is still trying to start the wmiprvse. Is there a way to fix this? Do you like AVG or Avira for an AV program? Do you have a registry cleaner that you like? I think mine is probably full of unneeded stuff after six years... I really want to thank you for saving my computer!!!
  10. ComboFix 09-09-10.01 - Registered User 09/12/2009 10:37.1.2 - NTFSx86
[2009-09-04 108552] S1 sonypvf3;sonypvf3; [x] S1 sonypvt3;sonypvt3; [x] S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2009-09-04 29208] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 mStart Page = hxxp://www.google.com uInternet Settings,ProxyServer = fox:9990 uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: ameritrade.com Trusted Zone: tdameritrade.com Trusted Zone: webattend.com Trusted Zone: webtrain.com DPF: {21C6245C-9408-11D7-BF3B-00E09876DF26} - hxxp://www.webattend.com/components/wt0523.cab . - - - - ORPHANS REMOVED - - - - HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe HKU-Default-Run-NvMediaCenter - c:\windows\System32\NVMCTRAY.DLL ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-12 10:46 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}*] "Q3FBLH6RIF6MYMN6VD31LVQSMD1"=hex:01,00,00,00,00,00,00,00,5c,63,e8,cf,f7,e6,fd, 3a [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}] @Denied: (A 2) (Everyone) @="IFlashBroker3" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3296) c:\windows\system32\WININET.dll c:\program files\TortoiseSVN\bin\tortoisesvn.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\program files\TortoiseSVN\bin\intl3_svn.dll c:\windows\system32\webcheck.dll c:\windows\system32\IEFRAME.dll c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL c:\windows\system32\mshtml.dll c:\windows\system32\msls31.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\MsPMSPSv.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-09-12 10:48 - machine was rebooted ComboFix-quarantined-files.txt 2009-09-12 17:48 Pre-Run: 26,563,710,976 bytes free Post-Run: 26,751,905,792 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn 284 --- E O F --- 2009-09-03 13:27
  11. Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

9/12/2009 10:26:59 AM
mbam-log-2009-09-12 (10-26-27).txt

Scan type: Quick Scan
Objects scanned: 110317
Time elapsed: 8 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 14
Registry Values Infected: 15
Registry Data Items Infected: 13
Folders Infected: 6
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\gezokije.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a4290b36-a8c1-4658-b225-564f5a2dcab5} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{79007602-0cdb-4405-9dbf-1257bb3226ee} (Spyware.OnlineGames) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pamivogad (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a4290b36-a8c1-4658-b225-564f5a2dcab5} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\datajafut (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> No action taken.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Recover! (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiSpyware Service (Trojan.Dropper) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\MyWay (Adware.MyWay) -> No action taken.
C:\Program Files\MyWay\myBar (Adware.MyWay) -> No action taken.
C:\Program Files\MyWay\myBar\History (Adware.MyWay) -> No action taken.
C:\Program Files\MyWay\myBar\Settings (Adware.MyWay) -> No action taken.
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> No action taken.
C:\Documents and Settings\Registered User\Start Menu\Programs\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.

Files Infected:
c:\WINDOWS\system32\gezokije.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> No action taken.
C:\Program Files\Shared\_lib.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\UACmttpdwyllr.dll (Rogue.Agent) -> No action taken.
C:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> No action taken.
C:\WINDOWS\Temp\UACcc77.tmp (Rogue.Agent) -> No action taken.
C:\WINDOWS\Temp\UACe2a3.tmp (Rogue.Agent) -> No action taken.
C:\Documents and Settings\Registered User\Local Settings\Temporary Internet Files\Content.IE5\RQ37QQ7Y\zwjkbb[1].txt (Trojan.Dropper) -> No action taken.
C:\Program Files\MyWay\myBar\History\search (Adware.MyWay) -> No action taken.
C:\Program Files\MyWay\myBar\Settings\prevcfg.htm (Adware.MyWay) -> No action taken.
C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> No action taken.
C:\Documents and Settings\Registered User\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> No action taken.
C:\Documents and Settings\Registered User\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk (Rogue.PC_Antispyware2010) -> No action taken.
C:\Documents and Settings\Registered User\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk (Rogue.PC_Antispyware2010) -> No action taken.
C:\Documents and Settings\Registered User\Favorites\Cheap Software.url (Rogue.Link) -> No action taken.
C:\WINDOWS\msa.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\msb.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\msc.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\msd.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> No action taken.
C:\Program Files\Common\helper.sig (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> No action taken.
C:\Documents and Settings\Administrator\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\UAChtqsoorobr.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UACkgluquxlbt.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UAClbjhispqla.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UAConldkrkxip.dat (Trojan.Agent) -> No action taken.
  13. I'll paste the 3 logs (avenger, mbam, combofix) in separate posts:

1st avenger:

Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sat Sep 12 10:06:48 2009

10:06:48: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
  14. Log file is located at: C:\Documents and Settings\Registered User\Desktop\Win32kDiag.txt

Attempting to reset file permissions.
WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP161.tmp\ZAP161.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP243.tmp\ZAP243.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP260.tmp\ZAP260.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPAC.tmp\ZAPAC.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\browserxtras\browserxtras
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CAVTemp\CAVTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Drivers\Intel\Graphics\Graphics
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\cache\javaws\javaws
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-73586283-484061587-682003330-1003\S-1-5-21-73586283-484061587-682003330-1003
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Kinko's\FPFK\FPFK
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Discrete Storage\Q3FBLH6RIF6MYMN6VD31LVQSMD\Q3FBLH6RIF6MYMN6VD31LVQSMD
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Temp\Temp
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Found mount point :
C:\WINDOWS\system32\GroupPolicy\Machine\Machine Mount point destination : \Device\__max++>\^ Cannot access: C:\WINDOWS\system32\igfxtray.exe Attempting to restore permissions of : C:\WINDOWS\system32\igfxtray.exe [1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\igfxtray.exe (Intel Corporation) [1] 2004-05-06 00:52:00 155648 C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\igfxtray.exe (Intel Corporation) Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\Macromed\update\update Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\NtmsData\Export\Export Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\sample\sample Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp Mount point destination : \Device\__max++>\^ Found mount point : 
C:\WINDOWS\system32\spool\PRINTERS\PRINTERS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wins\wins Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\xircom\xircom Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Temp\WMD\WMD Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Temp\WMFA\WMFA Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Mount point destination : \Device\__max++>\^ Finished!
  15. GMER worked in normal mode. Here is the output!

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-10 21:41:37
Windows 5.1.2600 Service Pack 3

---- Kernel code sections - GMER 1.0.15 ----

? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[2480] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll
.text C:\WINDOWS\explorer.exe[2480] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll
.text C:\WINDOWS\explorer.exe[2480] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\explorer.exe[2480] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll
IAT C:\WINDOWS\explorer.exe[2480] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [180] 0x35670000
Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [588] 0x35670000
Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1480] 0x35670000
Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1520] 0x35670000
Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1688] 0x35670000
Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1932] 0x35670000
Library \\?\globalroot\Device\__max++>\87FD8C6A.x86.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [2480] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\soseyuma.dll c:\windows\system32\gezokije.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}
Reg HKLM\SOFTWARE\Classes\CLSID\{AA58136B-E4D9-7C22-F318862907B73EF7}\{7320B164-7CDE-F0FA-3D718014E02662FF}\{717B3025-5806-2EEA-4DFCCD0F4E1E26A2}@Q3FBLH6RIF6MYMN6VD31LVQSMD1 0x01 0x00 0x00 0x00 ...

---- EOF - GMER 1.0.15 ----