View Full Version : Have MalWare, Can't run HJT
setirich
2009-10-06, 01:29
Hi folks,
Probably should have posted here sooner, but...have tried just about every tool there is, but nothing works...more likely...I not the malware expert and have done something wrong.
HJT will not run for more than 20 or 30 seconds, and the malware closes it down and makes it un-usable & un-delete-able.
Tried the Kapersky, TrendMicro House Calls, nothing will stay up and running, even Kapersky in safe mode...which is really interesting.
Unless there is some sign this box can be fixed, it might be time for some serious disk cleaning with.
Writing from another computer...the box in question is running XP, SP3, seems to be very current with it's patches...trying to help the kid across the street...would like to understand what this virus / rootkit /whatever is. He may have got it from video codex....since his recent degree is in video production and he does a lot of anime (SP?) stuff...
Any suggestions on what / how I might gather any info from this machine without it shutting down whatever tool is running? Like I said, HJT must be high on it's list of things to kill...pretty amazing malware...never seen anything like it.
Hello setirich
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
You most likely have a rootkit infection that prevents most security scanners from running.
Please download RootRepeal one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)
Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
setirich
2009-10-07, 16:17
Good morning Ken, & thanks for your help.
Here's the report...which I ran first in safe mode, and next in normal, since I was concerned it would be disabled or truncated...it was not in either, and both outcomes where identical.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 08:50
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7C0C000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85D0000 Size: 8192 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7974000 Size: 49152 File Visible: No Signed: -
Status: -
Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xB84A0000 Size: 20480 File Visible: No Signed: -
Status: -
Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xB81E8000 Size: 61440 File Visible: No Signed: -
Status: -
==EOF==
Hi,
Your infected with the max++ Rootkit that is preventing all security scanners from running. This is difficult to remove but can be done, we will do it in stages as to not overwhelm you.
After you download and run this program, leave the program on your desktop.
Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)
Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
setirich
2009-10-07, 17:06
Here's the report...you should know I'm having to use another machine to both get these programs & report back to you. The machine in question is blocked ... most searches are redirected, as are direct input of URL's such as spybot's...I am reformatting the usb device on each circuit...@ the good machine.
Thanks again....
Running from: C:\Documents and Settings\Computer User\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Computer User\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB923414\KB923414
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB923980\KB923980
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB924270\KB924270
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB925902\KB925902
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB926255\KB926255
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB928255\KB928255
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB928843\KB928843
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB929123\KB929123
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB930178\KB930178
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB935839\KB935839
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB938828\KB938828
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB938829\KB938829
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB941202\KB941202
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB941693\KB941693
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB945553\KB945553
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB971961\KB971961
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1BD.tmp\ZAP1BD.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DB.tmp\ZAP1DB.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP244.tmp\ZAP244.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B5.tmp\ZAP2B5.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP32A.tmp\ZAP32A.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
[1] 2004-08-03 18:56:52 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB915865\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB918118\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB920213\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB921503\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB922819\update\update.exe (Microsoft Corporation)
[1] 2008-11-15 13:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB926436\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB927779\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB927802\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB927891\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB930916\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB931261\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB933360\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB935840\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB936021\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB937894\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB939653-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB942763\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB943055\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB944653\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB946026\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB947864-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB948881\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB950749\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB950759-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)
[1] 2007-12-03 11:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951698\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB953838-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB953839\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB954211\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB956391\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB956841\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB957095\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB958215-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB958690\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB960714-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-11-15 13:18:04 755576 C:\WINDOWS\$hf_mig$\KB960715\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB961260-IE7\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB963027-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB969897-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB972260-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\SoftwareDistribution\Download\0eda838ef8ec599d822155030a70ecac\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\SoftwareDistribution\Download\0facce6115ab861022eae3087e064a2a\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\12e31c1143e5f70785d44c867e7b3e13\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe ()
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe ()
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe ()
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\8aff2c132bea63255d1cab83ef37c507\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe ()
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB915865\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB918118\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB920213\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB921503\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB922819\update\update.exe (Microsoft Corporation)
[1] 2008-11-15 13:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB926436\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB927779\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB927802\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB927891\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB930916\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB931261\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB933360\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB935840\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB936021\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB937894\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB939653-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB942763\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB943055\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB944653\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB946026\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB947864-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB948881\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB950749\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB950759-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)
[1] 2007-12-03 11:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951698\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB953838-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB953839\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB954211\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB956391\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB956841\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB957095\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB958215-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB958690\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB960714-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-11-15 13:18:04 755576 C:\WINDOWS\$hf_mig$\KB960715\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB961260-IE7\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB963027-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB969897-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB972260-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\SoftwareDistribution\Download\0eda838ef8ec599d822155030a70ecac\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\SoftwareDistribution\Download\0facce6115ab861022eae3087e064a2a\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\12e31c1143e5f70785d44c867e7b3e13\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe ()
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe ()
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe ()
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\8aff2c132bea63255d1cab83ef37c507\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe ()
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB915865\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB918118\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB920213\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB921503\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB922819\update\update.exe (Microsoft Corporation)
[1] 2008-11-15 13:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB926436\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB927779\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB927802\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB927891\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB930916\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB931261\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB933360\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB935840\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB936021\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB937894\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB939653-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB942763\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB943055\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB944653\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB946026\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB947864-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB948881\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB950749\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB950759-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)
[1] 2007-12-03 11:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951698\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB953838-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB953839\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB954211\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB956391\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB956841\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB957095\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB958215-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB958690\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB960714-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-11-15 13:18:04 755576 C:\WINDOWS\$hf_mig$\KB960715\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB961260-IE7\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB963027-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB969897-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB972260-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\SoftwareDistribution\Download\0eda838ef8ec599d822155030a70ecac\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\SoftwareDistribution\Download\0facce6115ab861022eae3087e064a2a\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\12e31c1143e5f70785d44c867e7b3e13\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe ()
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe ()
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe ()
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\8aff2c132bea63255d1cab83ef37c507\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe ()
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB915865\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB918118\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB920213\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB921503\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB922819\update\update.exe (Microsoft Corporation)
[1] 2008-11-15 13:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB926436\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB927779\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB927802\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB927891\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB930916\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB931261\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB933360\update\update.exe (Microsoft Corporation)
[1] 2006-01-19 15:29:19 716000 C:\WINDOWS\$hf_mig$\KB935840\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB936021\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB937894\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB939653-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB942763\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB943055\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB944653\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB946026\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB947864-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB948881\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB950749\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB950759-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe (Microsoft Corporation)
[1] 2007-12-03 11:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB951698\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB953838-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB953839\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB954211\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB956391\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB956841\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB957095\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB958215-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB958690\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\$hf_mig$\KB960714-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-11-15 13:18:04 755576 C:\WINDOWS\$hf_mig$\KB960715\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 07:18:51 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:59 716000 C:\WINDOWS\$hf_mig$\KB961260-IE7\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371-v2\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB963027-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe (Microsoft Corporation)
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\$hf_mig$\KB969897-IE7\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe (Microsoft Corporation)
[1] 2007-11-30 08:39:22 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB972260-IE7\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe (Microsoft Corporation)
[1] 2007-03-05 21:22:56 716000 C:\WINDOWS\SoftwareDistribution\Download\0eda838ef8ec599d822155030a70ecac\update\update.exe (Microsoft Corporation)
[1] 2005-10-12 19:12:28 716000 C:\WINDOWS\SoftwareDistribution\Download\0facce6115ab861022eae3087e064a2a\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\12e31c1143e5f70785d44c867e7b3e13\update\update.exe (Microsoft Corporation)
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe ()
[1] 2008-07-09 03:38:29 755576 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe ()
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe ()
[1] 2009-05-26 07:40:52 755576 C:\WINDOWS\SoftwareDistribution\Download\8aff2c132bea63255d1cab83ef37c507\update\update.exe (Microsoft Corporation)
[1] 2008-07-08 09:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe ()
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 18:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\logon.exe
[1] 2009-09-19 11:41:39 26628 C:\WINDOWS\system32\logon.exe ()
Cannot access: C:\WINDOWS\system32\MRT.exe
[1] 2009-08-28 14:38:22 24689600 C:\WINDOWS\system32\MRT.exe ()
Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe
[1] 2009-02-06 06:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2004-08-03 18:56:58 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 12:39:29 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:41:05 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 06:15:13 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:40 218112 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 06:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Finished!
You can do this on the infected computer, no program to install, but make sure that win32kdiag is still on the desktop.
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
"%userprofile%\desktop\win32kdiag.exe" -f -r
When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
setirich
2009-10-07, 17:25
Running from: C:\Documents and Settings\Computer User\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Computer User\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB923414\KB923414
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB923414\KB923414
Found mount point : C:\WINDOWS\$hf_mig$\KB923980\KB923980
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB923980\KB923980
Found mount point : C:\WINDOWS\$hf_mig$\KB924270\KB924270
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB924270\KB924270
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Found mount point : C:\WINDOWS\$hf_mig$\KB925902\KB925902
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB925902\KB925902
Found mount point : C:\WINDOWS\$hf_mig$\KB926255\KB926255
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB926255\KB926255
Found mount point : C:\WINDOWS\$hf_mig$\KB928255\KB928255
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB928255\KB928255
Found mount point : C:\WINDOWS\$hf_mig$\KB928843\KB928843
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB928843\KB928843
Found mount point : C:\WINDOWS\$hf_mig$\KB929123\KB929123
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB929123\KB929123
Found mount point : C:\WINDOWS\$hf_mig$\KB930178\KB930178
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB930178\KB930178
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Found mount point : C:\WINDOWS\$hf_mig$\KB935839\KB935839
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB935839\KB935839
Found mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357
Found mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127
Found mount point : C:\WINDOWS\$hf_mig$\KB938828\KB938828
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB938828\KB938828
Found mount point : C:\WINDOWS\$hf_mig$\KB938829\KB938829
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB938829\KB938829
Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653
Found mount point : C:\WINDOWS\$hf_mig$\KB941202\KB941202
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB941202\KB941202
Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568
Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644
Found mount point : C:\WINDOWS\$hf_mig$\KB941693\KB941693
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB941693\KB941693
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Found mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485
Found mount point : C:\WINDOWS\$hf_mig$\KB945553\KB945553
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB945553\KB945553
Found mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590
Found mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844
Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389
Found mount point : C:\WINDOWS\$hf_mig$\KB971961\KB971961
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB971961\KB971961
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1BD.tmp\ZAP1BD.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1BD.tmp\ZAP1BD.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DB.tmp\ZAP1DB.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DB.tmp\ZAP1DB.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP244.tmp\ZAP244.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP244.tmp\ZAP244.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B5.tmp\ZAP2B5.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B5.tmp\ZAP2B5.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP32A.tmp\ZAP32A.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP32A.tmp\ZAP32A.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d1\d1
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d2\d2
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d3\d3
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d4\d4
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d5\d5
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d6\d6
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d7\d7
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d8\d8
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\shared\res\res
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Minidump\Minidump
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\update\update.exe
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 18:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\logon.exe
Attempting to restore permissions of : C:\WINDOWS\system32\logon.exe
Cannot access: C:\WINDOWS\system32\MRT.exe
Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe
Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe
Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Finished!
Great, what we are doing is chipping away at this thing. This next one will reset permissions and then we will remove it with Combofix.
Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Its important that you follow these instructions and rename Combofix as this Rootkit infection will stop it from running if its not renamed.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
setirich
2009-10-07, 21:22
First of all ... thank you very much for your help.
Here's the logs:
xeHelper by Raktor - 09
Build 20090925
Run at 13:27:12 on 10/07/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\logon.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
ComboFix 09-10-06.04 - Computer User 10/07/2009 13:36.1.2 - NTFSx86
Running from: c:\documents and settings\Computer User\Desktop\PepperCasks.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HCBackup\hcpackage.exe
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\bspatch.exe
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\bzip2.exe
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\hc_core.dll
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\ICRCHdler.dll
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\libcurl.dll
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\libeay32.dll
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\libexpatw.dll
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\perfiCrcPerfMonMgr.dll
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\ssleay32.dll
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\tmcomm.sys
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\TmEngDrv.dll
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\tmfbeng.dll
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\TSC.exe
c:\docume~1\COMPUT~1\LOCALS~1\Temp\HouseCall\vsapi32.dll
c:\docume~1\COMPUT~1\LOCALS~1\Temp\setup.exe
c:\docume~1\COMPUT~1\LOCALS~1\Temp\TFR16.exe
c:\documents and settings\All Users\Microsoft Private Data
c:\documents and settings\All Users\Microsoft Private Data\Microsoft\t.id
c:\documents and settings\Computer User\Local Settings\Temp\HCBackup\hcpackage.exe
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\bspatch.exe
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\bzip2.exe
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\hc_core.dll
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\ICRCHdler.dll
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\libcurl.dll
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\libeay32.dll
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\libexpatw.dll
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\perfiCrcPerfMonMgr.dll
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\ssleay32.dll
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\tmcomm.sys
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\TmEngDrv.dll
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\tmfbeng.dll
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\TSC.exe
c:\documents and settings\Computer User\Local Settings\Temp\HouseCall\vsapi32.dll
c:\documents and settings\Computer User\Local Settings\Temp\setup.exe
c:\documents and settings\Computer User\Local Settings\Temp\TFR16.exe
c:\windows\bf23567.dat
c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\jmmark2.dat
c:\windows\kb913800.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\lowsec
c:\windows\system32\nosazene.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\zaponce52597.dat
c:\windows\zaponce52621.dat
c:\windows\zaponce52689.dat
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\system32\dllcache\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.
2009-10-07 17:41 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-07 15:13 . 2009-10-07 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-05 22:05 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\93265621.sys
2009-10-05 21:49 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\61875401.sys
2009-10-05 21:45 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\52037295.sys
2009-10-05 21:34 . 2009-10-05 21:34 -------- d-----w- c:\documents and settings\Computer User\Application Data\MSNInstaller
2009-10-05 21:30 . 2009-10-05 21:30 -------- d-----w- c:\program files\CCleaner
2009-10-03 20:00 . 2009-10-03 20:00 -------- d-----w- c:\documents and settings\Computer User\Local Settings\Application Data\Identities
2009-10-03 16:45 . 2009-10-03 16:53 -------- d-----w- c:\documents and settings\Computer User\.housecall6.6
2009-10-03 14:15 . 2009-10-03 14:15 -------- d-----w- c:\program files\Trend Micro
2009-10-03 14:13 . 2009-10-03 14:13 -------- d-----w- c:\documents and settings\Computer User\Application Data\LockHunter
2009-10-03 12:54 . 2009-10-03 12:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-03 12:54 . 2009-10-03 12:54 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-03 12:54 . 2009-10-03 12:54 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-03 12:54 . 2009-10-03 12:54 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-03 12:54 . 2009-10-05 21:30 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-03 12:54 . 2009-10-07 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-03 12:54 . 2009-10-03 12:54 -------- d-----w- c:\program files\AVG
2009-10-02 23:43 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\97179918.sys
2009-10-02 23:39 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\17051351.sys
2009-10-02 23:33 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\01159109.sys
2009-10-02 17:52 . 2004-08-04 02:29 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2009-10-02 17:51 . 2001-08-18 02:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2009-10-02 17:51 . 2001-08-17 16:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2009-10-02 17:51 . 2001-08-18 02:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll
2009-10-02 17:51 . 2001-08-18 02:36 106584 -c--a-w- c:\windows\system32\dllcache\spdports.dll
2009-10-02 17:51 . 2001-08-17 17:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2009-10-02 17:51 . 2001-08-17 18:07 19072 -c--a-w- c:\windows\system32\dllcache\sparrow.sys
2009-10-02 17:51 . 2001-08-17 17:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2009-10-02 17:51 . 2001-08-18 02:36 114688 -c--a-w- c:\windows\system32\dllcache\sonypi.dll
2009-10-02 17:51 . 2001-08-17 16:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2009-10-02 17:51 . 2001-08-17 17:53 9600 -c--a-w- c:\windows\system32\dllcache\sonymc.sys
2009-10-02 17:51 . 2001-08-17 16:51 20752 -c--a-w- c:\windows\system32\dllcache\sonync.sys
2009-10-02 17:51 . 2008-04-13 18:40 7552 -c--a-w- c:\windows\system32\dllcache\sonyait.sys
2009-10-02 17:51 . 2001-08-17 17:53 7040 -c--a-w- c:\windows\system32\dllcache\snyaitmc.sys
2009-10-02 17:30 . 2001-08-17 17:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2009-10-02 17:21 . 2001-08-17 17:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2009-10-02 17:20 . 2004-08-04 02:06 169984 -c--a-w- c:\windows\system32\dllcache\pcx500.sys
2009-10-02 17:16 . 2001-08-17 17:47 9344 -c--a-w- c:\windows\system32\dllcache\ntapm.sys
2009-10-02 17:15 . 2001-08-17 17:52 7424 -c--a-w- c:\windows\system32\dllcache\mammoth.sys
2009-10-02 16:59 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2009-10-02 16:58 . 2001-08-17 17:28 50751 -c--a-w- c:\windows\system32\dllcache\hsf_tone.sys
2009-10-02 16:55 . 2001-08-17 16:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2009-10-02 16:54 . 2001-08-17 17:52 14720 -c--a-w- c:\windows\system32\dllcache\dac960nt.sys
2009-10-02 16:53 . 2001-08-17 17:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-10-02 16:52 . 2004-08-04 02:31 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2009-10-02 16:52 . 2001-08-17 17:47 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2009-10-02 16:52 . 2001-08-17 17:52 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys
2009-10-02 16:52 . 2001-08-17 16:11 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2009-10-02 16:52 . 2001-08-17 17:51 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2009-10-02 16:52 . 2001-08-17 17:49 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2009-10-02 16:52 . 2001-08-17 18:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2009-10-02 16:52 . 2001-08-17 16:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2009-10-02 16:52 . 2001-08-17 18:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2009-10-02 16:52 . 2001-08-17 17:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2009-10-02 14:37 . 2008-07-08 18:54 148496 ----a-w- c:\windows\system32\drivers\22798165.sys
2009-10-02 03:57 . 2009-10-07 17:43 32243744 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-30 23:04 . 2009-10-02 22:15 -------- d-----w- c:\program files\Spybot - Search & Destroy4
2009-09-30 22:38 . 2009-09-30 23:04 -------- d-----w- c:\program files\Spybot - Search & Destroy3
2009-09-30 22:26 . 2009-10-02 22:14 -------- d-----w- c:\program files\Spybot - Search & Destroy2
2009-09-30 22:05 . 2009-10-07 14:31 -------- d--h--w- c:\windows\PIF
2009-09-30 20:55 . 2009-09-30 20:55 -------- d-----w- C:\Patch files
2009-09-30 18:21 . 2009-10-07 17:22 0 ----a-r- c:\windows\win32k.sys
2009-09-30 18:21 . 2009-09-30 18:21 79360 ----a-w- C:\mqhimp.exe
2009-09-22 04:55 . 2009-09-30 22:11 -------- d-----w- c:\windows\BDOSCAN8
2009-09-22 04:43 . 2009-09-22 04:43 10752 ----a-w- c:\windows\DCEBoot.exe
2009-09-22 04:39 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-09-21 19:22 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\6abc18c.dll
2009-09-21 19:22 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\1e9dbd56.dll
2009-09-21 19:04 . 2009-09-21 19:04 -------- d-----w- c:\program files\Common Files\iS3
2009-09-20 14:21 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\3142fe00.dll
2009-09-20 14:21 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\2e2d380.dll
2009-09-19 19:04 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\2a3ce04.dll
2009-09-19 19:04 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\15a0962.dll
2009-09-19 18:42 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\f14e6b4.dll
2009-09-19 18:42 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\1afda2c.dll
2009-09-19 18:04 . 2009-09-30 22:49 -------- dc-h--w- c:\windows\ie8
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 17:41 . 2009-10-02 03:57 378116 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-07 01:23 . 2008-05-21 17:25 -------- d-----w- c:\program files\Java
2009-10-07 01:23 . 2009-10-07 01:23 0 ----a-w- c:\windows\system32\REND.tmp
2009-10-05 21:48 . 2009-06-25 02:14 -------- d-----w- c:\program files\DivX
2009-10-04 17:47 . 2009-10-04 16:57 3808 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-04 16:59 . 2009-10-04 16:58 688 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-10-03 17:37 . 2008-08-29 08:44 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-02 23:53 . 2008-08-13 16:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-02 02:37 . 2008-07-09 01:27 -------- d-----w- c:\program files\VideoLAN
2009-09-30 23:01 . 2008-05-21 15:46 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-30 22:45 . 2008-07-07 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-28 18:54 . 2008-07-09 00:59 -------- d-----w- c:\program files\Gpotato
2009-08-29 21:33 . 2008-07-09 01:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-29 21:32 . 2009-08-29 21:12 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-29 21:25 . 2008-09-25 01:45 -------- d-----w- c:\program files\SystemRequirementsLab
2009-08-23 04:22 . 2008-09-11 00:28 -------- d-----w- c:\program files\NVIDIA Corporation
2009-08-23 04:22 . 2009-08-23 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-08-23 04:05 . 2009-08-23 04:05 -------- d-----w- c:\program files\THQICE
2009-08-17 07:04 . 2009-08-17 07:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 07:04 . 2009-08-17 07:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-17 07:03 . 2009-08-17 07:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 07:03 . 2009-08-17 07:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 07:03 . 2009-08-17 07:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 07:03 . 2009-08-17 07:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 07:03 . 2009-08-17 07:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 07:03 . 2009-08-17 07:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 07:03 . 2009-08-17 07:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 07:03 . 2009-08-17 07:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-17 07:03 . 2009-08-17 07:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-17 07:03 . 2009-08-17 07:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 07:02 . 2009-08-17 07:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-17 04:57 . 2009-08-29 21:10 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-17 04:57 . 2009-08-17 04:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-17 04:57 . 2009-08-17 04:57 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-08-17 04:57 . 2009-02-18 18:44 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-17 04:57 . 2009-02-18 18:44 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-17 04:57 . 2009-02-18 18:44 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-17 04:57 . 2009-02-18 18:44 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-17 04:57 . 2009-02-18 18:44 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-17 04:57 . 2009-02-18 18:44 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-17 04:57 . 2008-05-21 16:00 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-17 04:57 . 2008-05-21 16:00 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-14 17:36 . 2009-08-14 17:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-08-11 16:35 . 2009-08-29 21:10 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-08-05 09:01 . 2004-08-03 22:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 04:21 . 2009-08-03 04:21 23320 ----a-w- c:\windows\system32\PhysXDevice.dll
2009-07-29 04:37 . 2006-09-26 20:08 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2006-09-26 20:07 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2006-09-26 20:09 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 15:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-03 2023704]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin F5D8053 N Wireless USB Adapter Utility.lnk - c:\program files\Belkin\F5D8053\Belkinwcui.exe [2007-9-17 1732608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-03 12:54 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^Computer User^Start Menu^Programs^Startup^is-F04P4.lnk]
path=c:\documents and settings\Computer User\Start Menu\Programs\Startup\is-F04P4.lnk
backup=c:\windows\pss\is-F04P4.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Computer User^Start Menu^Programs^Startup^is-HMN82.lnk]
path=c:\documents and settings\Computer User\Start Menu\Programs\Startup\is-HMN82.lnk
backup=c:\windows\pss\is-HMN82.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Computer User^Start Menu^Programs^Startup^is-SI9JV.lnk]
path=c:\documents and settings\Computer User\Start Menu\Programs\Startup\is-SI9JV.lnk
backup=c:\windows\pss\is-SI9JV.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\THQICE\\Dragonica Online - Open Beta Test\\Release\\DRAGONICA.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgrsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 is-SI9JVdrv;is-SI9JVdrv;c:\windows\system32\DRIVERS\52037295.sys [2008-07-08 148496]
R1 SABKUTIL;SABKUTIL;c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [x]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 digiclsb;digiclsb;c:\windows\system32\DRIVERS\digiclsb.sys [2007-07-25 122254]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\DRIVERS\rt2870.sys [2007-07-28 517632]
R3 UFB;UFB;c:\docume~1\COMPUT~1\LOCALS~1\Temp\UFB.exe [x]
R3 XDva202;XDva202;c:\windows\system32\XDva202.sys [x]
R4 EBRHT;EBRHT;c:\docume~1\COMPUT~1\LOCALS~1\Temp\EBRHT.exe [x]
R4 JMDNNI;JMDNNI;c:\docume~1\COMPUT~1\LOCALS~1\Temp\JMDNNI.exe [2005-12-07 97280]
R4 UNXJABY;UNXJABY;c:\docume~1\COMPUT~1\LOCALS~1\Temp\UNXJABY.exe [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-10-03 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-10-03 108552]
S1 is-C02J6drv;is-C02J6drv;c:\windows\system32\DRIVERS\01159109.sys [2008-07-08 148496]
S1 is-F04P4drv;is-F04P4drv;c:\windows\system32\DRIVERS\61875401.sys [2008-07-08 148496]
S1 is-HMN82drv;is-HMN82drv;c:\windows\system32\DRIVERS\93265621.sys [2008-07-08 148496]
S1 is-IJUH8drv;is-IJUH8drv;c:\windows\system32\DRIVERS\97179918.sys [2008-07-08 148496]
S1 is-O1NVRdrv;is-O1NVRdrv;c:\windows\system32\DRIVERS\17051351.sys [2008-07-08 148496]
S1 is-PLQIVdrv;is-PLQIVdrv;c:\windows\system32\DRIVERS\22798165.sys [2008-07-08 148496]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-10-03 297752]
.
Contents of the 'Scheduled Tasks' folder
2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
FF - ProfilePath - c:\documents and settings\Computer User\Application Data\Mozilla\Firefox\Profiles\cwlj312a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Computer User\Application Data\Mozilla\Firefox\Profiles\cwlj312a.default\extensions\CSLauncher@getamped.com\plugins\npCsLauncher.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
Toolbar-SITEguard - (no file)
Notify-NavLogon - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 13:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2052111302-920026266-1801674531-1003\Software\SecuROM\License information*]
"datasecu"=hex:6b,42,0a,b8,e6,92,bd,09,a3,d9,23,bf,c1,a0,f1,d1,ba,3d,06,07,32,
3b,c6,5d,84,dc,e2,60,f3,c8,1d,14,a7,58,a0,18,39,e2,b3,8f,cf,75,c1,a2,26,4b,\
"rkeysecu"=hex:e2,26,6d,94,9c,ba,ad,1d,64,79,70,1b,d8,19,de,23
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2552)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-07 13:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-07 17:47
Pre-Run: 32,375,246,848 bytes free
Post-Run: 32,351,657,984 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
393
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:11:47, on 10/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Computer User\My Documents\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2052111302-920026266-1801674531-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2052111302-920026266-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: Belkin F5D8053 N Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196436445734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196436378265
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UFB - Unknown owner - C:\DOCUME~1\COMPUT~1\LOCALS~1\Temp\UFB.exe (file missing)
--
End of file - 9308 bytes
I need a bit of time to look over your CF log to make sure we didn't miss anything.
In the meantime do this.
Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
sc stop npggsvc
sc delete npggsvc
Double-click on fixes.bat file to execute it.
Reboot your computer for it to take effect
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean
Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please
setirich
2009-10-08, 01:58
Hi Ken...
I created the cmd file as instructed...ran it...rebooted...and then ran tfc as also advised...and it rebooted.
After that I ran the malware & hjt scans...one item...to remove some of the files & directories that where touched by the various badware, I dropped to cmd prompt, and they were 'deletable' from there. Lots of attempts to run hjt, spybot, etc, left various folders & files that didn't respond to a windows delete, but dropping to a dos (like) prompt they went away with no problem.
Here's the malware log...it's just before I pushed the button to handle the issues...I actually ran the wrong scan here...did the full Monty !!!
And after that....is the new hjt...
Malwarebytes' Anti-Malware 1.41
Database version: 2922
Windows 5.1.2600 Service Pack 3
10/7/2009 6:24:02 PM
mbam-log-2009-10-07 (18-23-53).txt
Scan type: Full Scan (C:\|)
Objects scanned: 154586
Time elapsed: 25 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\fias4051 (Malware.Trace) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nosazene.dll.vir (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{00D01E3F-CFBA-4104-A2FF-AC950A560547}\RP11\A0000654.exe (Trojan.Dropper) -> No action taken.
C:\System Volume Information\_restore{00D01E3F-CFBA-4104-A2FF-AC950A560547}\RP3\A0000155.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{00D01E3F-CFBA-4104-A2FF-AC950A560547}\RP3\A0000163.dll (Trojan.Sirefef) -> No action taken.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.
******************************************************
NOTE TO KEN...I ACTUALLY FIXED THE ABOVE ISSUES WITH THE MALWAREBYTES PROGRAM. Sorry for the shouting, but I thought it would get your attention....8-)
******************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:37:54, on 10/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\All Users\Documents\hjt\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2052111302-920026266-1801674531-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2052111302-920026266-1801674531-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196436445734
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196436378265
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UFB - Unknown owner - C:\DOCUME~1\COMPUT~1\LOCALS~1\Temp\UFB.exe (file missing)
--
End of file - 8463 bytes
setirich
2009-10-08, 03:36
:oops:
I mis-spoke in my last post...at least concerning the SpyBot S&D folders & exe files...they are all with these atributes: RHSA and I've tried a number of things, including plain old win98 boot disk access...with bat files to remove the attributes...but to no avail. But then, Windows files & folders permissions has always been my downfall....
Rich
Hello Rich,
Your logs look good :bigthumb:
Download this program to your desktop and drag and drop any program like Spybot into it to run.
Download Inherit (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) and save it to your desk top
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"
setirich
2009-10-09, 20:46
just a follow up note...
System runs fine...& with all the cleaning it's like brand new...however...
Your last note on the undeletable folders/files...the actual file marked system & hiddend is SpybotSD.exe I've tried every trick I could find to remove those attributes...going back to dos attrib commands, but to no avail. And of course, I couldn't drag & drop on the attrib reset thing you sent along...since you can't d&d a hidden file.
So this morning, I thought...hmmm...time for RegAlyzer to find those...being lazy I just turned on search and let it go...instead of going right to the key...but 5 hours later...and the search is still hung up at this registry point
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries
I tried just going there...and I can see the entries below this point, but the registry won't open to reveal this. I've never seen that happen before, where I've been locked out of registry points...
Sooo...shortening the story a bit....I'm not sure if this blocked remon point has to do with the blocked spyware files...but it all seems quite odd to me, and worthy of at least advising you & spybot that this is going on...they (the virus makers) seemed to have targeted spots that would be monitored...and targeted software like spybot that is capable of dealing with them.
If there are any logs or files that would be helpful to any badware fighting organizations...such your group at the forum or spybot in particular, I'd be happy to supply them...
Thanks Again,
Rich
fyi...this machine belongs to the kid across the street...a nice enough kid who's been in a wheelchair since he was about 6 yrs old...who graduted from engineering school in the spring of 2008, and has yet to find a job...not surprising in the south-eastern section of Michigan where we live. I myself have been out for 1 1/2 years, and my wife lost her's this past march. Thanks for helping out a bunch of unemployed folks we really need it!
Hi,
Yep, this unemployment thing has hit us also, my wife had been out of work for almost a year, my self, I want to retire and do everything I can think of to get fired but they dont want to let me go :red:
Why don't you post in this windows forum for help with the registry as we just do malware removal on this one.
http://forums.whatthetech.com/Microsoft_Windows_f119.html
I really don't need any logs at this point, thanks for the offer. I hope your friend next door enjoys his nice new clean computer :)
You can delete all the programs we have used like RootRepeal, Win32kdiag and exehelper.
TFC <--Yours to keep, run it about once aweek to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken