HJT Did Not Produce a Log
I have followed the steps outlined in the "Before You Post" message. The Registry is backed up, and when I double-clicked on HJT, it appeared to run but then shut down without opening Notepad. Whatever is ailing my laptop seems to prevent the installation or running of anything that might help solve the problem.
I have tried a number of things before finding this forum. In this forum I have learned that many of the things that I have done, I shouldn't have and I apologize. I will refrain from doing anything further until I hear from you.
Thank you.
Hello Melsdad
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
Please download RootRepeal from one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)
Open RootRepeal on your desktop. [icon image: http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png]
Click the Report tab. [image: http://billy-oneal.com/forums/rootRepeal/reportTab.png]
Click the Scan button. [image: http://billy-oneal.com/forums/rootRepeal/btnScan.png]
Check just these boxes:
[image of the boxes to check: http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif]
Push Ok
Check the box for your main system drive (usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the Save Report button. [image: http://billy-oneal.com/forums/rootRepeal/saveReport.png] Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
Hi Ken545:
Thanks for agreeing to help me out!
I had no problem installing RootRepeal on the infected computer. I did this by downloading onto another PC and transferring it to the desktop of the target computer. Because I don't really know what is going on, I try to stay disconnected from the net whenever possible on the infected computer.
When I tried to run RootRepeal, I got an Error Message as follows:
RootRepeal Error
Error - Invalid PE Image Found!
I was able to continue but did not get a choice for checking any boxes but there were tabs that corresponded to the categories you mentioned. I.e.: Drivers, Processes, etc.
I ran a scan on each of these tabs and am attaching the results. At some point I did get a notification to the effect the 1 hidden service had been found. Sorry but I don't remember exactly when.
I generated four files, one for each category you requested. It appears that I can only attach one file to this message. Should I consolidate the four files I have into a single file and send it, or send additional messages for Processes, SSDT, and Hidden Services?
Again many thanks,
Good Morning,
I found exactly what I needed to know with RootRepeal. This program checks for rootkit infections, and what it found was the max++ rootkit. This rootkit will prevent most or all security scanners and programs from running. It's a bit difficult to remove, so we will do it one step at a time.
Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)
Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
Hello:
I had not expected the process would take as long as it did but it worked as advertised!
The results are attached in a ZIP file, as the size of the .txt file exceeded the guidelines.
Thanks.
Melsdad,
I don't know how you attached it, but the log won't open; it just wants me to run the program.
Open it on your own computer and post the log, take as many replies as you need to post them all.
Sorry about that. I must have compressed the wrong file. The original still exceeds the guideline for a .txt so I have zipped this one as well. I think I have got this right this time!
I appreciate your patience.
Great, got that one.
Next step. Make sure you still have Win32kdiag.exe on your desktop, if not redownload it.
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
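The log that Win32kDiag writes is plain text with a fixed line format: "Found mount point" / "Mount point destination" pairs, "Cannot access" lines for files whose ACLs it tries to restore, and bracketed file-version entries listing every copy of a system file with its timestamp, size and vendor string. The Python below is an added example, not part of this thread and not code from Win32kDiag, that parses that format and pulls out what a responder actually wants: how many directories were turned into reparse points, what they all pointed at, which files had their permissions stripped, and which copy of a system file has no vendor string or a size that matches none of the vendor-signed copies. The embedded sample log is constructed to mirror the format seen in this thread; the function names and the size/vendor heuristic are mine, not the tool's.

```python
import re
from collections import Counter

# Constructed sample in the Win32kDiag log format seen in this thread (not a real capture).
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\user\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\user\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] date time size path (company)"; the path is matched lazily so spaces in it are fine.
VERSION_RE = re.compile(r"^\[(\d+)\] (\S+ \S+) (\d+) (.+?) \((.*)\)$")


def parse_win32kdiag(text):
    """Return the mount points, permission-denied files and file-version entries from a log."""
    mounts, denied, versions = [], [], []
    pending = None  # path from the last "Found mount point" line, awaiting its destination
    for line in text.splitlines():
        line = line.rstrip()
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := DENIED_RE.match(line):
            denied.append(m.group(1))
        elif m := VERSION_RE.match(line):
            versions.append({
                "index": int(m.group(1)), "when": m.group(2), "size": int(m.group(3)),
                "path": m.group(4), "company": m.group(5),
            })
    return {"mounts": mounts, "denied": denied, "versions": versions}


def mount_targets(report):
    """Count how many reparse points share each destination.
    Dozens of unrelated system directories all redirected to one non-filesystem
    device path is the pattern this thread's log shows for max++."""
    return Counter(dest for _, dest in report["mounts"])


def suspicious_versions(report):
    """Flag copies of a file that have an empty vendor string or whose size
    matches none of the vendor-signed copies of the same file name (heuristic)."""
    by_name = {}
    for v in report["versions"]:
        by_name.setdefault(v["path"].rsplit("\\", 1)[-1].lower(), []).append(v)
    flagged = []
    for entries in by_name.values():
        trusted_sizes = {e["size"] for e in entries if e["company"]}
        for e in entries:
            if not e["company"] or e["size"] not in trusted_sizes:
                flagged.append(e["path"])
    return flagged


def summarize(text):
    """One-call summary of what a responder wants from the log."""
    report = parse_win32kdiag(text)
    return {
        "mount_points": len(report["mounts"]),
        "targets": mount_targets(report),
        "acl_restored": report["denied"],
        "suspect_files": suspicious_versions(report),
        "warnings": [l for l in text.splitlines() if l.startswith("WARNING:")],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two things worth keeping in mind when reading a real log through this. The header lines "Removing all found mount points." and "Attempting to reset file permissions." show that this invocation changes the system rather than only reporting on it, so the earlier plain run is the one to keep as the pre-remediation record. And a "WARNING: Could not get backup privileges!" line means the permission reset may not have succeeded, so every file under "acl_restored" should be re-checked afterwards instead of assumed fixed.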
Ran program without a hitch. Results follow:
Running from: C:\Documents and Settings\Melanie Lewis\desktop\win32kdiag.exe
Log file at : C:\Documents and Settings\Melanie Lewis\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281
Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760
Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496
Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454
Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Found mount point : C:\WINDOWS\$hf_mig$\KB938127-v2-IE7\KB938127-v2-IE7
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB938127-v2-IE7\KB938127-v2-IE7
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Found mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844
Found mount point : C:\WINDOWS\$hf_mig$\KB971961\KB971961
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB971961\KB971961
Found mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8
Found mount point : C:\WINDOWS\$hf_mig$\KB972260-IE7\KB972260-IE7
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB972260-IE7\KB972260-IE7
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP194.tmp\ZAP194.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP194.tmp\ZAP194.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP299.tmp\ZAP299.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP299.tmp\ZAP299.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
Found mount point : C:\WINDOWS\ie8updates\ie8updates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ie8updates\ie8updates
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\mui\mui
Found mount point : C:\WINDOWS\occache\occache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\occache\occache
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\3f62db0dd41de1740f8addce0cc500ec\update\update.exe
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\97f18c7ac91916468f96bb79c87bff6c\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\97f18c7ac91916468f96bb79c87bff6c\update\update.exe
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\c6bdb40c9241b85d304fd5cdfbebec2f\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\c6bdb40c9241b85d304fd5cdfbebec2f\update\update.exe
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\backup\backup
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\update\update.exe
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\d51648e96c60b005ac5ef56d831670cb\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\d51648e96c60b005ac5ef56d831670cb\update\update.exe
Cannot access: C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe
Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0838e3ca46c974d22be0ec664b800381\0838e3ca46c974d22be0ec664b800381
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0838e3ca46c974d22be0ec664b800381\0838e3ca46c974d22be0ec664b800381
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1025\1025
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1028\1028
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1031\1031
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1037\1037
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1041\1041
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1042\1042
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1054\1054
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\2052\2052
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3076\3076
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Found mount point : C:\WINDOWS\system32\Adobe\Shockwave 11\Shockwave 11
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\Adobe\Shockwave 11\Shockwave 11
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Collab\Collab
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\8.0\Preferences\Preferences
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\AL4N7HGP\AL4N7HGP
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\AL4N7HGP\AL4N7HGP
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Plugin\Plugin
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Plugin\Plugin
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2544761690-2588165671-2829143654-1003\S-1-5-21-2544761690-2588165671-2829143654-1003
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2544761690-2588165671-2829143654-1003\S-1-5-21-2544761690-2588165671-2829143654-1003
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\a07feceff0a4\a07feceff0a4
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\a07feceff0a4\a07feceff0a4
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2544761690-2588165671-2829143654-1003\S-1-5-21-2544761690-2588165671-2829143654-1003
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2544761690-2588165671-2829143654-1003\S-1-5-21-2544761690-2588165671-2829143654-1003
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Sqm\Sqm
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Sqm\Sqm
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\dhcp\dhcp
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Cannot access: C:\WINDOWS\system32\dumprep.exe
Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2004-08-04 06:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)
Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\export\export
Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp
Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv
Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF
Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys
Cannot access: C:\WINDOWS\system32\MRT.exe
Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe
Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\sample\sample
Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Found mount point : C:\WINDOWS\system32\wbem\mof\good\good
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good
Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wins\wins
Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\xircom\xircom
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\cs\cs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\cs\cs
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\da\da
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\da\da
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\de\de
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\de\de
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\el\el
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\el\el
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\en\en
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\en\en
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\en-gb\en-gb
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\en-gb\en-gb
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\es\es
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\es\es
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\fi\fi
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\fi\fi
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\fr\fr
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\fr\fr
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\HTML\HTML
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\HTML\HTML
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\it\it
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\it\it
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\ja\ja
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\ja\ja
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\ko\ko
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\ko\ko
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\nl\nl
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\nl\nl
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\no\no
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\no\no
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\pl\pl
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\pl\pl
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\pt-br\pt-br
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\pt-br\pt-br
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\ru\ru
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\ru\ru
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\sv\sv
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\sv\sv
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\th\th
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\th\th
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\tr\tr
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\tr\tr
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\zh-cn\zh-cn
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\zh-cn\zh-cn
Found mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\zh-tw\zh-tw
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2cc6dd2\2.4.1368.5602\zh-tw\zh-tw
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\cs\cs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\cs\cs
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\da\da
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\da\da
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\de\de
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\de\de
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\el\el
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\el\el
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\en\en
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\en\en
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\en-gb\en-gb
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\en-gb\en-gb
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\es\es
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\es\es
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\fi\fi
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\fi\fi
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\fr\fr
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\fr\fr
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\HTML\HTML
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\HTML\HTML
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\it\it
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\it\it
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\ja\ja
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\ja\ja
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\ko\ko
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\ko\ko
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\nl\nl
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\nl\nl
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\no\no
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\no\no
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\pl\pl
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\pl\pl
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\pt-br\pt-br
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\pt-br\pt-br
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\ru\ru
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\ru\ru
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\sv\sv
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\sv\sv
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\th\th
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\th\th
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\tr\tr
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\tr\tr
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\zh-cn\zh-cn
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\zh-cn\zh-cn
Found mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\zh-tw\zh-tw
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2edbc01\2.4.1536.6592\zh-tw\zh-tw
Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Found mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP
Found mount point : C:\WINDOWS\Temp\IXP001.TMP\IXP001.TMP
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\IXP001.TMP\IXP001.TMP
Found mount point : C:\WINDOWS\Temp\IXP00205.tmp\IXP00205.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\IXP00205.tmp\IXP00205.tmp
Found mount point : C:\WINDOWS\Temp\vmgr10b8.tmp\vmgr10b8.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr10b8.tmp\vmgr10b8.tmp
Found mount point : C:\WINDOWS\Temp\vmgr1198.tmp\vmgr1198.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr1198.tmp\vmgr1198.tmp
Found mount point : C:\WINDOWS\Temp\vmgr207a.tmp\vmgr207a.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr207a.tmp\vmgr207a.tmp
Found mount point : C:\WINDOWS\Temp\vmgr20bb.tmp\vmgr20bb.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr20bb.tmp\vmgr20bb.tmp
Found mount point : C:\WINDOWS\Temp\vmgr239d.tmp\vmgr239d.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr239d.tmp\vmgr239d.tmp
Found mount point : C:\WINDOWS\Temp\vmgr472d.tmp\vmgr472d.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr472d.tmp\vmgr472d.tmp
Found mount point : C:\WINDOWS\Temp\vmgr50d0.tmp\vmgr50d0.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr50d0.tmp\vmgr50d0.tmp
Found mount point : C:\WINDOWS\Temp\vmgr5a46.tmp\vmgr5a46.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr5a46.tmp\vmgr5a46.tmp
Found mount point : C:\WINDOWS\Temp\vmgr5a9c.tmp\vmgr5a9c.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr5a9c.tmp\vmgr5a9c.tmp
Found mount point : C:\WINDOWS\Temp\vmgr6cb4.tmp\vmgr6cb4.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr6cb4.tmp\vmgr6cb4.tmp
Found mount point : C:\WINDOWS\Temp\vmgr7833.tmp\vmgr7833.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr7833.tmp\vmgr7833.tmp
Found mount point : C:\WINDOWS\Temp\vmgr7d91.tmp\vmgr7d91.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr7d91.tmp\vmgr7d91.tmp
Found mount point : C:\WINDOWS\Temp\vmgr7e37.tmp\vmgr7e37.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\vmgr7e37.tmp\vmgr7e37.tmp
Found mount point : C:\WINDOWS\Temp\VSW0\VSW0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW0\VSW0
Found mount point : C:\WINDOWS\Temp\VSW1\VSW1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW1\VSW1
Found mount point : C:\WINDOWS\Temp\VSW10\VSW10
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW10\VSW10
Found mount point : C:\WINDOWS\Temp\VSW11\VSW11
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW11\VSW11
Found mount point : C:\WINDOWS\Temp\VSW12\VSW12
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW12\VSW12
Found mount point : C:\WINDOWS\Temp\VSW13\VSW13
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW13\VSW13
Found mount point : C:\WINDOWS\Temp\VSW14\VSW14
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW14\VSW14
Found mount point : C:\WINDOWS\Temp\VSW15\VSW15
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW15\VSW15
Found mount point : C:\WINDOWS\Temp\VSW16\VSW16
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW16\VSW16
Found mount point : C:\WINDOWS\Temp\VSW17\VSW17
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW17\VSW17
Found mount point : C:\WINDOWS\Temp\VSW18\VSW18
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW18\VSW18
Found mount point : C:\WINDOWS\Temp\VSW19\VSW19
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW19\VSW19
Found mount point : C:\WINDOWS\Temp\VSW2\VSW2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW2\VSW2
Found mount point : C:\WINDOWS\Temp\VSW20\VSW20
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW20\VSW20
Found mount point : C:\WINDOWS\Temp\VSW21\VSW21
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW21\VSW21
Found mount point : C:\WINDOWS\Temp\VSW22\VSW22
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW22\VSW22
Found mount point : C:\WINDOWS\Temp\VSW23\VSW23
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW23\VSW23
Found mount point : C:\WINDOWS\Temp\VSW24\VSW24
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW24\VSW24
Found mount point : C:\WINDOWS\Temp\VSW25\VSW25
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW25\VSW25
Found mount point : C:\WINDOWS\Temp\VSW26\VSW26
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW26\VSW26
Found mount point : C:\WINDOWS\Temp\VSW27\VSW27
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW27\VSW27
Found mount point : C:\WINDOWS\Temp\VSW28\VSW28
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW28\VSW28
Found mount point : C:\WINDOWS\Temp\VSW29\VSW29
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW29\VSW29
Found mount point : C:\WINDOWS\Temp\VSW3\VSW3
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW3\VSW3
Found mount point : C:\WINDOWS\Temp\VSW30\VSW30
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW30\VSW30
Found mount point : C:\WINDOWS\Temp\VSW31\VSW31
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW31\VSW31
Found mount point : C:\WINDOWS\Temp\VSW32\VSW32
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW32\VSW32
Found mount point : C:\WINDOWS\Temp\VSW33\VSW33
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW33\VSW33
Found mount point : C:\WINDOWS\Temp\VSW34\VSW34
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW34\VSW34
Found mount point : C:\WINDOWS\Temp\VSW35\VSW35
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW35\VSW35
Found mount point : C:\WINDOWS\Temp\VSW36\VSW36
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW36\VSW36
Found mount point : C:\WINDOWS\Temp\VSW37\VSW37
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW37\VSW37
Found mount point : C:\WINDOWS\Temp\VSW38\VSW38
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW38\VSW38
Found mount point : C:\WINDOWS\Temp\VSW39\VSW39
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW39\VSW39
Found mount point : C:\WINDOWS\Temp\VSW4\VSW4
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW4\VSW4
Found mount point : C:\WINDOWS\Temp\VSW40\VSW40
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW40\VSW40
Found mount point : C:\WINDOWS\Temp\VSW41\VSW41
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW41\VSW41
Found mount point : C:\WINDOWS\Temp\VSW42\VSW42
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW42\VSW42
Found mount point : C:\WINDOWS\Temp\VSW43\VSW43
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW43\VSW43
Found mount point : C:\WINDOWS\Temp\VSW44\VSW44
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW44\VSW44
Found mount point : C:\WINDOWS\Temp\VSW45\VSW45
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW45\VSW45
Found mount point : C:\WINDOWS\Temp\VSW46\VSW46
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW46\VSW46
Found mount point : C:\WINDOWS\Temp\VSW47\VSW47
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW47\VSW47
Found mount point : C:\WINDOWS\Temp\VSW48\VSW48
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW48\VSW48
Found mount point : C:\WINDOWS\Temp\VSW49\VSW49
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW49\VSW49
Found mount point : C:\WINDOWS\Temp\VSW5\VSW5
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW5\VSW5
Found mount point : C:\WINDOWS\Temp\VSW50\VSW50
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW50\VSW50
Found mount point : C:\WINDOWS\Temp\VSW51\VSW51
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW51\VSW51
Found mount point : C:\WINDOWS\Temp\VSW52\VSW52
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW52\VSW52
Found mount point : C:\WINDOWS\Temp\VSW53\VSW53
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW53\VSW53
Found mount point : C:\WINDOWS\Temp\VSW54\VSW54
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW54\VSW54
Found mount point : C:\WINDOWS\Temp\VSW55\VSW55
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW55\VSW55
Found mount point : C:\WINDOWS\Temp\VSW56\VSW56
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW56\VSW56
Found mount point : C:\WINDOWS\Temp\VSW57\VSW57
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW57\VSW57
Found mount point : C:\WINDOWS\Temp\VSW58\VSW58
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW58\VSW58
Found mount point : C:\WINDOWS\Temp\VSW59\VSW59
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW59\VSW59
Found mount point : C:\WINDOWS\Temp\VSW6\VSW6
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW6\VSW6
Found mount point : C:\WINDOWS\Temp\VSW60\VSW60
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW60\VSW60
Found mount point : C:\WINDOWS\Temp\VSW61\VSW61
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW61\VSW61
Found mount point : C:\WINDOWS\Temp\VSW62\VSW62
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW62\VSW62
Found mount point : C:\WINDOWS\Temp\VSW63\VSW63
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW63\VSW63
Found mount point : C:\WINDOWS\Temp\VSW64\VSW64
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW64\VSW64
Found mount point : C:\WINDOWS\Temp\VSW65\VSW65
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW65\VSW65
Found mount point : C:\WINDOWS\Temp\VSW66\VSW66
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW66\VSW66
Found mount point : C:\WINDOWS\Temp\VSW67\VSW67
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW67\VSW67
Found mount point : C:\WINDOWS\Temp\VSW68\VSW68
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW68\VSW68
Found mount point : C:\WINDOWS\Temp\VSW69\VSW69
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW69\VSW69
Found mount point : C:\WINDOWS\Temp\VSW7\VSW7
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW7\VSW7
Found mount point : C:\WINDOWS\Temp\VSW70\VSW70
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW70\VSW70
Found mount point : C:\WINDOWS\Temp\VSW71\VSW71
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW71\VSW71
Found mount point : C:\WINDOWS\Temp\VSW72\VSW72
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW72\VSW72
Found mount point : C:\WINDOWS\Temp\VSW73\VSW73
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW73\VSW73
Found mount point : C:\WINDOWS\Temp\VSW74\VSW74
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW74\VSW74
Found mount point : C:\WINDOWS\Temp\VSW75\VSW75
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW75\VSW75
Found mount point : C:\WINDOWS\Temp\VSW76\VSW76
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW76\VSW76
Found mount point : C:\WINDOWS\Temp\VSW77\VSW77
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW77\VSW77
Found mount point : C:\WINDOWS\Temp\VSW78\VSW78
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW78\VSW78
Found mount point : C:\WINDOWS\Temp\VSW79\VSW79
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW79\VSW79
Found mount point : C:\WINDOWS\Temp\VSW8\VSW8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW8\VSW8
Found mount point : C:\WINDOWS\Temp\VSW80\VSW80
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW80\VSW80
Found mount point : C:\WINDOWS\Temp\VSW81\VSW81
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW81\VSW81
Found mount point : C:\WINDOWS\Temp\VSW82\VSW82
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW82\VSW82
Found mount point : C:\WINDOWS\Temp\VSW83\VSW83
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW83\VSW83
Found mount point : C:\WINDOWS\Temp\VSW84\VSW84
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW84\VSW84
Found mount point : C:\WINDOWS\Temp\VSW85\VSW85
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW85\VSW85
Found mount point : C:\WINDOWS\Temp\VSW86\VSW86
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW86\VSW86
Found mount point : C:\WINDOWS\Temp\VSW87\VSW87
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW87\VSW87
Found mount point : C:\WINDOWS\Temp\VSW88\VSW88
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW88\VSW88
Found mount point : C:\WINDOWS\Temp\VSW89\VSW89
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW89\VSW89
Found mount point : C:\WINDOWS\Temp\VSW9\VSW9
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW9\VSW9
Found mount point : C:\WINDOWS\Temp\VSW90\VSW90
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW90\VSW90
Found mount point : C:\WINDOWS\Temp\VSW91\VSW91
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW91\VSW91
Found mount point : C:\WINDOWS\Temp\VSW92\VSW92
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW92\VSW92
Found mount point : C:\WINDOWS\Temp\VSW93\VSW93
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW93\VSW93
Found mount point : C:\WINDOWS\Temp\VSW94\VSW94
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW94\VSW94
Found mount point : C:\WINDOWS\Temp\VSW95\VSW95
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW95\VSW95
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Found mount point : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e
Found mount point : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790
Finished!
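Every mount point in the RootRepeal output above resolves to the same destination, `\Device\__max++>\^`, which is not a volume device, and each junction carries the same name as the folder that contains it (`...\VSW0\VSW0`). As an added example, not part of the thread and not RootRepeal's own code, the Python below parses that three-line record format, groups the mount points by destination and flags destinations that are not an ordinary volume or object-manager path. The sample log, the helper names and the list of "ordinary" destination prefixes are constructed for the example.

```python
import re
from collections import Counter

# One RootRepeal record is three lines: Found / destination / Removing.
RECORD_RE = re.compile(
    r"^(Found mount point|Mount point destination|Removing mount point)\s*:\s*(.*)$")

# Destinations an ordinary NTFS mount point or junction resolves to (assumed
# prefixes for this example): a volume device or an object-manager (\??\) path.
ORDINARY_DEST_PREFIXES = ("\\Device\\HarddiskVolume", "\\??\\")

# Constructed sample in the format of the log quoted above; the first two
# records mirror the thread's entries, the third is an invented benign junction.
SAMPLE_LOG = r"""Found mount point : C:\WINDOWS\Temp\VSW0\VSW0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\VSW0\VSW0
Found mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\IXP000.TMP\IXP000.TMP
Found mount point : C:\Shared\Public
Mount point destination : \??\C:\Documents and Settings\All Users\Documents
Finished!
"""


def is_self_named(path):
    """True when the junction has the same name as its parent folder."""
    parts = [p for p in path.split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def is_ordinary_destination(dest):
    """True when the destination looks like a normal volume/object path."""
    return dest is not None and dest.startswith(ORDINARY_DEST_PREFIXES)


def parse_rootrepeal_mounts(text):
    """Turn the Found/destination/Removing triples into a list of records."""
    records = []
    current = None
    for raw in text.splitlines():
        m = RECORD_RE.match(raw.strip())
        if not m:
            continue  # "Finished!" and anything else that is not a record line
        kind, value = m.group(1), m.group(2).strip()
        if kind == "Found mount point":
            current = {"path": value, "destination": None, "removed": False,
                       "self_named": is_self_named(value)}
            records.append(current)
        elif kind == "Mount point destination" and current is not None:
            current["destination"] = value
        elif (kind == "Removing mount point" and current is not None
              and value == current["path"]):
            current["removed"] = True
    return records


def summarize(records):
    """Group mount points by destination; flag non-ordinary destinations."""
    by_dest = Counter(r["destination"] for r in records)
    return {
        dest: {
            "count": n,
            "suspicious": not is_ordinary_destination(dest),
            "self_named": sum(1 for r in records
                              if r["destination"] == dest and r["self_named"]),
        }
        for dest, n in by_dest.items()
    }


if __name__ == "__main__":
    recs = parse_rootrepeal_mounts(SAMPLE_LOG)
    for dest, info in summarize(recs).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{info['count']:3d} mount point(s) -> {dest}  [{flag}]")
```

Run against a full RootRepeal report, the summary collapses hundreds of "Removing mount point" lines into one row per destination, which is what makes a single bogus device object with dozens of junctions pointing at it stand out immediately.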
What we are doing is chipping away at this Rootkit and then we will be able to run the tool that will completely remove it.
Next step
Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Hey Ken545:
I did not receive an error message and obtained the following log:
exeHelper by Raktor - 09
Build 20090925
Run at 18:17:41 on 10/16/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\~.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
Interestingly enough, I had tried to remove ~.exe without success. I am glad to see it gone.
Regards
Hi,
Things are moving along quite well, this next program will remove the Rootkit.
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Despite the fact that I had exited AVG from the systray, ComboFix reported that AVG was still active. I tried to close ComboFix by clicking on the upper right hand "X" but it would not allow me to do so. I wanted to try to figure out how to shut down AVG completely.
A DOS screen popped up momentarily. I did not get the entire message but it started with "Grep is not recognized...". After the DOS screen closed, I got another warning in Windows. That one said, "ComboFix has detected the presence of rootkit activity and needs to reboot the machine."
The only way out of that appeared to be to acknowledge the message and the machine rebooted. After rebooting, AVG was active again and ComboFix does not seem to be active anymore. At least the Task Manager does not show ComboFix as being a running application.
I will be standing by.
Thanks.
Let's try running combofix in Safemode
To Enter Safemode
Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)
When I tried to run ComboFix in the Safe Mode, I had no visible means of disabling AVG. It told me that it detected the presence of AVG and that I should shut that down before continuing. As I was unable to shut it down I tried to close ComboFix but it would not let me. While it was running I got the Grep message in the Command Mode screen. This time I got it all. It read: "Grep is not recognized to be an internal or external command, operable program or batch file."
I then got the Rootkit warning described before and had to reboot the machine.
Should I uninstall AVG? That seems to be the only way that it will not interfere with ComboFix. Perhaps you know of an alternative way to keep AVG out?
As for Grep, I looked for it in Control Panel as a program to uninstall but Grep is not listed. I did find a Grep entry amongst the running processes in Task Manager. It is listed as grep.cfxxe. If I try to remove it I am warned: "Warning: Terminating a process can cause undesired results including loss of data and system instability. The process will not be given a chance to store its state or data before it is terminated. Are you sure you want to terminate the process?" I chose No.
Regards.
You can boot to safemode and then disable AVG. Open up AVG and look for the Resident Shield tab and disable it. Then run CF in Safemode
Ken545:
Anything I try to do with AVG in the Safe Mode results in a Command Line Composer Window as shown in the attached AVGSafeMode.jpg.
When I tried to uninstall AVG, I got the error message shown in the attached text file and a notification to the effect that the uninstall failed.
I have yet to successfully run ComboFix.
Just run CF even if AVG is not disabled or uninstalled . CF needs to be run to remove this rootkit
Attempted running ComboFix. The program appears to load, then a command window opened briefly and I received a Window labelled Rootkit!!
The message reads "ComboFix has detected the presence of rootkit activity and needs to reboot the machine".
After rebooting, a command screen opened with the message "Grep is not recognized to be an internal or external command, operable program or batch file."
After a few minutes it flashed another message that I did not catch and the command window disappeared.
There is no evidence that ComboFix is working, as per the Task Manager, though it may be. I will give it a while.
Sorry you're having so many problems running this.
Drag Combofix to the trash and redownload a fresh copy, make sure you rename it, then do this. Drag Combofix into this program.
Download Inherit (http://download.bleepingcomputer.com/sUBs/MiniFixes/Inherit.exe) and save it to your desk top
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"
There is no need to apologize. I am grateful that you are there and willing to help me out.
I downloaded inherit.exe from another computer to a flash drive and when I tried to put it on the desktop of the infected laptop, it would not allow me to do that.
Following that, I broke my isolation and enabled my network connection. When I tried to run Internet Explorer in order to download inherit.exe, I got "Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access this item." I then disabled my network connection and re-booted in the Safe Mode.
There I was able to place inherit.exe on the desktop and put a fresh copy of ComboFix in it. I also transferred HijackThis to inherit.exe and deleted it from the desktop.
I had left the laptop on all night to see if ComboFix would deliver something this morning which it did not. I had then tried to run HijackThis and was told that I could not. When I tried to delete it I had not been allowed to do that either.
After completing your instruction in the Safe Mode, I rebooted. Once again, I got a command screen with the "Grep is not recognized..." warning. After a while, on that same screen I got "Please wait ComboFix is preparing to run" and then the command screen disappeared.
I do have Inherit.exe on my desktop and look forward to the next instruction.
Hi,
Grep is part of CF. Did you delete CF and download a fresh copy? Did you remember to rename it?
You can try this
Combo-fix.exe <--Right click on it and rename it to Melsdad.exe and drop it into Inherit.
If no luck, hang on, I am going to have someone else take a peek at this.
Post these results please
Open notepad and copy/paste the text inside the quotebox below into it:
@ECHO OFF
REM List every copy of these four DLLs on the system drive (/s = recurse,
REM /a = include hidden/system files) and write the listing to Log.txt.
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
REM Open the listing in the default text viewer, then delete this batch file.
START Log.txt
DEL %0
Save the above batch file as peek.bat to your desktop, double-click to run it and post back with the contents
I was about to respond when I found an additional instruction.
I had to go into the Safe Mode in order to drop Melsdad.exe into Inherit. When I rebooted, I did not see the command window with the comment regarding Grep.
The log from Peek follows:
Volume in drive C has no label.
Volume Serial Number is 1C45-0905
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 06:00 AM 180,224 scecli.dll
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 06:00 AM 407,040 netlogon.dll
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes
Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:12 PM 181,248 scecli.dll
Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:12 PM 407,040 netlogon.dll
Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes
Directory of C:\WINDOWS\system32
04/13/2008 08:12 PM 181,248 scecli.dll
Directory of C:\WINDOWS\system32
04/13/2008 08:12 PM 407,040 netlogon.dll
Directory of C:\WINDOWS\system32
04/13/2008 08:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes
Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 3,865,030,656 bytes free
Thanks for your help.
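The point of peek.bat is the comparison the listing above makes possible: the same three DLLs appear in the service pack uninstall folder, in ServicePackFiles\i386 (the copy Windows keeps as a reference) and in system32 (the copy that is actually loaded). scecli.dll and netlogon.dll have the same size in the reference folder and in system32, but eventlog.dll is 56,320 bytes in ServicePackFiles\i386 and 61,952 bytes in system32. A live system DLL that is larger than its own reference copy is a strong sign that it has been patched in place, and that is the file the next post's fix.bat responds to by stopping the Event Log service (the service that loads eventlog.dll) from starting. The following script is an added example, not something the thread's participants posted: it parses the DIR output exactly as posted above and flags each of the four requested DLLs as matching, mismatching or missing. The sample input is the log from this thread; the function and constant names are the example's own.

```python
import re
from collections import defaultdict

# The DIR /a/s output that peek.bat produced, copied from the log posted in
# the thread (page data, not constructed). Header and summary lines are kept
# so the parser has to skip them like it would on a real log.
SAMPLE_LOG = r"""
Volume in drive C has no label.
Volume Serial Number is 1C45-0905
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 06:00 AM 180,224 scecli.dll
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 06:00 AM 407,040 netlogon.dll
Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 06:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes
Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:12 PM 181,248 scecli.dll
Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:12 PM 407,040 netlogon.dll
Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes
Directory of C:\WINDOWS\system32
04/13/2008 08:12 PM 181,248 scecli.dll
Directory of C:\WINDOWS\system32
04/13/2008 08:12 PM 407,040 netlogon.dll
Directory of C:\WINDOWS\system32
04/13/2008 08:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes
Total Files Listed:
9 File(s) 1,937,920 bytes
0 Dir(s) 3,865,030,656 bytes free
"""

# The four DLLs peek.bat asks DIR to look for.
CHECKED_DLLS = ["scecli.dll", "netlogon.dll", "eventlog.dll", "cngaudit.dll"]

# The copy that gets loaded versus the reference copy kept by the service pack.
LIVE_DIR = r"c:\windows\system32"
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Date, time, AM/PM, size with thousands separators, file name.
FILE_RE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}\s+[AP]M)\s+([\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """Return {file name (lower case): {directory (lower case): size in bytes}}.

    DIR /s prints a 'Directory of ...' line before the files in each folder;
    summary lines such as '3 File(s) 643,072 bytes' do not match FILE_RE.
    """
    seen = defaultdict(dict)
    current_dir = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1).lower()
            continue
        m = FILE_RE.match(line)
        if m and current_dir is not None:
            size = int(m.group(3).replace(",", ""))
            seen[m.group(4).lower()][current_dir] = size
    return dict(seen)


def find_size_mismatches(listing, names, live_dir=LIVE_DIR, ref_dir=REFERENCE_DIR):
    """Compare the live copy of each DLL with its reference copy.

    Returns {name: (status, live_size, reference_size)} where status is
    'match', 'MISMATCH' (sizes differ: the loaded copy is not the one the
    service pack installed) or 'missing' (no copy in one of the two folders).
    """
    results = {}
    for name in names:
        copies = listing.get(name.lower(), {})
        live, ref = copies.get(live_dir), copies.get(ref_dir)
        if live is None or ref is None:
            status = "missing"
        elif live == ref:
            status = "match"
        else:
            status = "MISMATCH"
        results[name] = (status, live, ref)
    return results


def report_lines(results):
    """Render the comparison as one line per DLL, suspicious ones first."""
    order = {"MISMATCH": 0, "missing": 1, "match": 2}
    lines = []
    for name, (status, live, ref) in sorted(results.items(), key=lambda kv: order[kv[1][0]]):
        lines.append(f"{status:8} {name:14} system32={live} reference={ref}")
    return lines


if __name__ == "__main__":
    results = find_size_mismatches(parse_dir_listing(SAMPLE_LOG), CHECKED_DLLS)
    print("\n".join(report_lines(results)))
```

Run on the posted log, the report puts eventlog.dll at the top as a MISMATCH (61952 versus 56320), shows scecli.dll and netlogon.dll as matching, and reports cngaudit.dll as missing because no copy of it appears anywhere in the listing. A size comparison is a quick triage check, not proof of integrity: a patched file can be padded to the original size and timestamps can be copied, so when a real verdict is needed the system32 copy should also be hashed and compared against the ServicePackFiles copy or checked for a valid Microsoft signature.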
Hi,
This is what we need to do: first drag ComboFix to the trash. We are going to redownload it but not rename it this time, and there is no need to drop it into Inherit.
Open notepad and copy/paste the text in the quotebox below into it:
@SC CONFIG EVENTLOG START= DISABLED
REM Sets the Event Log service start type to disabled (sc.exe requires the space after START=).
Save this as fix.bat. Choose "Save as type - All Files".
It should look like this: http://img.photobucket.com/albums/v706/ried7/bat_icon.gif
Double click on fix.bat & allow it to run.
Reboot
Run ComboFix.exe. If you see "Grep is not recognized to be an internal or external command, operable program or batch file.", be patient: ComboFix will get past that and run.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Hi Ken545:
My work on the PC today has been quite piecemeal. I ran fix.bat and then I rebooted the computer to find ComboFix and remove it. I left the PC for a while and when I returned to continue my work, it appeared as if ComboFix was hard at work so I let it continue.
Sometime later, it was telling me that I did not have the recovery console installed so I broke isolation, made a network connection, and clicked Yes to download and install.
Sometime later, I was told that the installation had been successful. At that point I had to leave the house for an extended period of time and I left the PC running. When I got back, Notepad was open and the ComboFix log was displayed.
I then downloaded HijackThis from Trend Micro and ran that as well. The two resulting logs are attached. I was thrilled to see those processes work!
I will be available for the next several hours.
Great, but I do not see any attachments. That's OK, I'd rather you just copy and paste both logs in, please.
Sorry about that!
The ComboFix Log:
ComboFix 09-10-16.09 - Melanie Lewis 10/19/2009 11:14.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.571 [GMT -4:00]
Running from: c:\documents and settings\Melanie Lewis\Desktop\Combo-Fix.exe
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\MELANI~1\LOCALS~1\Temp\rd56.tmp\____mmfp.ocx
c:\documents and settings\Melanie Lewis\Local Settings\Temp\rd56.tmp\____mmfp.ocx
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Install.txt
c:\windows\Installer\12b7b3d.msp
c:\windows\Installer\12b7b3e.msp
c:\windows\Installer\12b7b3f.msp
c:\windows\Installer\12b7b40.msp
c:\windows\Installer\12b7b41.msp
c:\windows\Installer\12b7b42.msp
c:\windows\Installer\12b7b43.msp
c:\windows\Installer\12b7b44.msp
c:\windows\Installer\12b7b45.msp
c:\windows\Installer\144654a.msp
c:\windows\Installer\144654b.msp
c:\windows\Installer\144654c.msp
c:\windows\Installer\144654d.msp
c:\windows\Installer\144654e.msp
c:\windows\Installer\144654f.msp
c:\windows\Installer\1446550.msp
c:\windows\Installer\1446551.msp
c:\windows\Installer\1446552.msp
c:\windows\Installer\147f51.msp
c:\windows\Installer\147f52.msp
c:\windows\Installer\147f53.msp
c:\windows\Installer\147f54.msp
c:\windows\Installer\147f55.msp
c:\windows\Installer\147f56.msp
c:\windows\Installer\147f57.msp
c:\windows\Installer\147f58.msp
c:\windows\Installer\147f59.msp
c:\windows\Installer\1570972.msp
c:\windows\Installer\1570973.msp
c:\windows\Installer\1570974.msp
c:\windows\Installer\1570975.msp
c:\windows\Installer\1570976.msp
c:\windows\Installer\1570977.msp
c:\windows\Installer\1570978.msp
c:\windows\Installer\1570979.msp
c:\windows\Installer\157097a.msp
c:\windows\Installer\169d7e.msp
c:\windows\Installer\169d7f.msp
c:\windows\Installer\169d80.msp
c:\windows\Installer\169d81.msp
c:\windows\Installer\169d82.msp
c:\windows\Installer\169d83.msp
c:\windows\Installer\169d84.msp
c:\windows\Installer\169d85.msp
c:\windows\Installer\169d86.msp
c:\windows\Installer\175295.msp
c:\windows\Installer\175296.msp
c:\windows\Installer\175297.msp
c:\windows\Installer\175298.msp
c:\windows\Installer\175299.msp
c:\windows\Installer\17529a.msp
c:\windows\Installer\17529b.msp
c:\windows\Installer\17529c.msp
c:\windows\Installer\17529d.msp
c:\windows\Installer\1b017a.msp
c:\windows\Installer\1d01c9.msp
c:\windows\Installer\1d01ca.msp
c:\windows\Installer\1d01cb.msp
c:\windows\Installer\1d01cc.msp
c:\windows\Installer\1d01cd.msp
c:\windows\Installer\1d01ce.msp
c:\windows\Installer\1d01cf.msp
c:\windows\Installer\1d01d0.msp
c:\windows\Installer\1d01d1.msp
c:\windows\Installer\20710e.msp
c:\windows\Installer\20710f.msp
c:\windows\Installer\207110.msp
c:\windows\Installer\207111.msp
c:\windows\Installer\207112.msp
c:\windows\Installer\207113.msp
c:\windows\Installer\207114.msp
c:\windows\Installer\207115.msp
c:\windows\Installer\207116.msp
c:\windows\Installer\2482003.msp
c:\windows\Installer\2482004.msp
c:\windows\Installer\2482005.msp
c:\windows\Installer\2482006.msp
c:\windows\Installer\2482007.msp
c:\windows\Installer\2482008.msp
c:\windows\Installer\2482009.msp
c:\windows\Installer\248200a.msp
c:\windows\Installer\248200b.msp
c:\windows\Installer\2483f20.msp
c:\windows\Installer\2483f21.msp
c:\windows\Installer\2483f22.msp
c:\windows\Installer\2483f23.msp
c:\windows\Installer\2483f24.msp
c:\windows\Installer\2483f25.msp
c:\windows\Installer\2483f26.msp
c:\windows\Installer\2483f27.msp
c:\windows\Installer\2483f28.msp
c:\windows\Installer\26f2c.msp
c:\windows\Installer\26f2d.msp
c:\windows\Installer\26f2e.msp
c:\windows\Installer\26f2f.msp
c:\windows\Installer\26f30.msp
c:\windows\Installer\26f31.msp
c:\windows\Installer\26f32.msp
c:\windows\Installer\26f33.msp
c:\windows\Installer\26f34.msp
c:\windows\Installer\27a96.msp
c:\windows\Installer\27a97.msp
c:\windows\Installer\27a98.msp
c:\windows\Installer\27a99.msp
c:\windows\Installer\27a9a.msp
c:\windows\Installer\27a9b.msp
c:\windows\Installer\27a9c.msp
c:\windows\Installer\27a9d.msp
c:\windows\Installer\27a9e.msp
c:\windows\Installer\284da09.msp
c:\windows\Installer\284da0a.msp
c:\windows\Installer\284da0b.msp
c:\windows\Installer\284da0c.msp
c:\windows\Installer\284da0d.msp
c:\windows\Installer\284da0e.msp
c:\windows\Installer\284da0f.msp
c:\windows\Installer\284da10.msp
c:\windows\Installer\284da11.msp
c:\windows\Installer\287c5.msp
c:\windows\Installer\287c6.msp
c:\windows\Installer\287c7.msp
c:\windows\Installer\287c8.msp
c:\windows\Installer\287c9.msp
c:\windows\Installer\287ca.msp
c:\windows\Installer\287cb.msp
c:\windows\Installer\287cc.msp
c:\windows\Installer\287cd.msp
c:\windows\Installer\28ad45e.msp
c:\windows\Installer\28ad45f.msp
c:\windows\Installer\28ad460.msp
c:\windows\Installer\28ad461.msp
c:\windows\Installer\28ad462.msp
c:\windows\Installer\28ad463.msp
c:\windows\Installer\28ad464.msp
c:\windows\Installer\28ad465.msp
c:\windows\Installer\28ad466.msp
c:\windows\Installer\28eaa.msp
c:\windows\Installer\28eab.msp
c:\windows\Installer\28eac.msp
c:\windows\Installer\28ead.msp
c:\windows\Installer\28eae.msp
c:\windows\Installer\28eaf.msp
c:\windows\Installer\28eb0.msp
c:\windows\Installer\28eb1.msp
c:\windows\Installer\28eb2.msp
c:\windows\Installer\2ad2f.msp
c:\windows\Installer\2ad30.msp
c:\windows\Installer\2ad31.msp
c:\windows\Installer\2ad32.msp
c:\windows\Installer\2ad33.msp
c:\windows\Installer\2ad34.msp
c:\windows\Installer\2ad35.msp
c:\windows\Installer\2ad36.msp
c:\windows\Installer\2ad37.msp
c:\windows\Installer\2b5ba.msp
c:\windows\Installer\2b5bb.msp
c:\windows\Installer\2b5bc.msp
c:\windows\Installer\2b5bd.msp
c:\windows\Installer\2b5be.msp
c:\windows\Installer\2b5bf.msp
c:\windows\Installer\2b5c0.msp
c:\windows\Installer\2b5c1.msp
c:\windows\Installer\2b5c2.msp
c:\windows\Installer\2bb96.msp
c:\windows\Installer\2bb97.msp
c:\windows\Installer\2bb98.msp
c:\windows\Installer\2bb99.msp
c:\windows\Installer\2bb9a.msp
c:\windows\Installer\2bb9b.msp
c:\windows\Installer\2bb9c.msp
c:\windows\Installer\2bb9d.msp
c:\windows\Installer\2bb9e.msp
c:\windows\Installer\2c674.msp
c:\windows\Installer\2c675.msp
c:\windows\Installer\2c676.msp
c:\windows\Installer\2c677.msp
c:\windows\Installer\2c678.msp
c:\windows\Installer\2c679.msp
c:\windows\Installer\2c67a.msp
c:\windows\Installer\2c67b.msp
c:\windows\Installer\2c67c.msp
c:\windows\Installer\2cf1e.msp
c:\windows\Installer\2cf1f.msp
c:\windows\Installer\2cf20.msp
c:\windows\Installer\2cf21.msp
c:\windows\Installer\2cf22.msp
c:\windows\Installer\2cf23.msp
c:\windows\Installer\2cf24.msp
c:\windows\Installer\2cf25.msp
c:\windows\Installer\2cf26.msp
c:\windows\Installer\2d151.msp
c:\windows\Installer\2d152.msp
c:\windows\Installer\2d153.msp
c:\windows\Installer\2d154.msp
c:\windows\Installer\2d155.msp
c:\windows\Installer\2d156.msp
c:\windows\Installer\2d157.msp
c:\windows\Installer\2d158.msp
c:\windows\Installer\2d159.msp
c:\windows\Installer\2d45e.msp
c:\windows\Installer\2d45f.msp
c:\windows\Installer\2d460.msp
c:\windows\Installer\2d461.msp
c:\windows\Installer\2d462.msp
c:\windows\Installer\2d463.msp
c:\windows\Installer\2d464.msp
c:\windows\Installer\2d465.msp
c:\windows\Installer\2d466.msp
c:\windows\Installer\2d4bc.msp
c:\windows\Installer\2d4bd.msp
c:\windows\Installer\2d4be.msp
c:\windows\Installer\2d4bf.msp
c:\windows\Installer\2d4c0.msp
c:\windows\Installer\2d4c1.msp
c:\windows\Installer\2d4c2.msp
c:\windows\Installer\2d4c3.msp
c:\windows\Installer\2d4c4.msp
c:\windows\Installer\2d73c.msp
c:\windows\Installer\2d73d.msp
c:\windows\Installer\2d73e.msp
c:\windows\Installer\2d73f.msp
c:\windows\Installer\2d740.msp
c:\windows\Installer\2d741.msp
c:\windows\Installer\2d742.msp
c:\windows\Installer\2d743.msp
c:\windows\Installer\2d744.msp
c:\windows\Installer\2db05.msp
c:\windows\Installer\2db06.msp
c:\windows\Installer\2db07.msp
c:\windows\Installer\2db08.msp
c:\windows\Installer\2db09.msp
c:\windows\Installer\2db0a.msp
c:\windows\Installer\2db0b.msp
c:\windows\Installer\2db0c.msp
c:\windows\Installer\2db0d.msp
c:\windows\Installer\2e0f1.msp
c:\windows\Installer\2e0f2.msp
c:\windows\Installer\2e0f3.msp
c:\windows\Installer\2e0f4.msp
c:\windows\Installer\2e0f5.msp
c:\windows\Installer\2e0f6.msp
c:\windows\Installer\2e0f7.msp
c:\windows\Installer\2e0f8.msp
c:\windows\Installer\2e0f9.msp
c:\windows\Installer\2e13f.msp
c:\windows\Installer\2e140.msp
c:\windows\Installer\2e141.msp
c:\windows\Installer\2e142.msp
c:\windows\Installer\2e143.msp
c:\windows\Installer\2e144.msp
c:\windows\Installer\2e145.msp
c:\windows\Installer\2e146.msp
c:\windows\Installer\2e147.msp
c:\windows\Installer\2e2d5.msp
c:\windows\Installer\2e2d6.msp
c:\windows\Installer\2e2d7.msp
c:\windows\Installer\2e2d8.msp
c:\windows\Installer\2e2d9.msp
c:\windows\Installer\2e2da.msp
c:\windows\Installer\2e2db.msp
c:\windows\Installer\2e2dc.msp
c:\windows\Installer\2e2dd.msp
c:\windows\Installer\2e9bb.msp
c:\windows\Installer\2e9bc.msp
c:\windows\Installer\2e9bd.msp
c:\windows\Installer\2e9be.msp
c:\windows\Installer\2e9bf.msp
c:\windows\Installer\2e9c0.msp
c:\windows\Installer\2e9c1.msp
c:\windows\Installer\2e9c2.msp
c:\windows\Installer\2e9c3.msp
c:\windows\Installer\2ea38.msp
c:\windows\Installer\2ea39.msp
c:\windows\Installer\2ea3a.msp
c:\windows\Installer\2ea3b.msp
c:\windows\Installer\2ea3c.msp
c:\windows\Installer\2ea3d.msp
c:\windows\Installer\2ea3e.msp
c:\windows\Installer\2ea3f.msp
c:\windows\Installer\2ea40.msp
c:\windows\Installer\2f13f1e.msp
c:\windows\Installer\2f13f1f.msp
c:\windows\Installer\2f13f20.msp
c:\windows\Installer\2f13f21.msp
c:\windows\Installer\2f13f22.msp
c:\windows\Installer\2f13f23.msp
c:\windows\Installer\2f13f24.msp
c:\windows\Installer\2f13f25.msp
c:\windows\Installer\2f13f26.msp
c:\windows\Installer\2f68c.msp
c:\windows\Installer\2f68d.msp
c:\windows\Installer\2f68e.msp
c:\windows\Installer\2f68f.msp
c:\windows\Installer\2f690.msp
c:\windows\Installer\2f691.msp
c:\windows\Installer\2f692.msp
c:\windows\Installer\2f693.msp
c:\windows\Installer\2f694.msp
c:\windows\Installer\2fcf5.msp
c:\windows\Installer\2fcf6.msp
c:\windows\Installer\2fcf7.msp
c:\windows\Installer\2fcf8.msp
c:\windows\Installer\2fcf9.msp
c:\windows\Installer\2fcfa.msp
c:\windows\Installer\2fcfb.msp
c:\windows\Installer\2fcfc.msp
c:\windows\Installer\2fcfd.msp
c:\windows\Installer\305fd.msp
c:\windows\Installer\305fe.msp
c:\windows\Installer\305ff.msp
c:\windows\Installer\30600.msp
c:\windows\Installer\30601.msp
c:\windows\Installer\30602.msp
c:\windows\Installer\30603.msp
c:\windows\Installer\30604.msp
c:\windows\Installer\30605.msp
c:\windows\Installer\31743.msp
c:\windows\Installer\31744.msp
c:\windows\Installer\31745.msp
c:\windows\Installer\31746.msp
c:\windows\Installer\31747.msp
c:\windows\Installer\31748.msp
c:\windows\Installer\31749.msp
c:\windows\Installer\3174a.msp
c:\windows\Installer\3174b.msp
c:\windows\Installer\32aea.msp
c:\windows\Installer\32aeb.msp
c:\windows\Installer\32aec.msp
c:\windows\Installer\32aed.msp
c:\windows\Installer\32aee.msp
c:\windows\Installer\32aef.msp
c:\windows\Installer\32af0.msp
c:\windows\Installer\32af1.msp
c:\windows\Installer\32af2.msp
c:\windows\Installer\33092ca.msp
c:\windows\Installer\33092cb.msp
c:\windows\Installer\33092cc.msp
c:\windows\Installer\33092cd.msp
c:\windows\Installer\33092ce.msp
c:\windows\Installer\33092cf.msp
c:\windows\Installer\33092d0.msp
c:\windows\Installer\33092d1.msp
c:\windows\Installer\33092d2.msp
c:\windows\Installer\33616.msp
c:\windows\Installer\33617.msp
c:\windows\Installer\33618.msp
c:\windows\Installer\33619.msp
c:\windows\Installer\3361a.msp
c:\windows\Installer\3361b.msp
c:\windows\Installer\3361c.msp
c:\windows\Installer\3361d.msp
c:\windows\Installer\3361e.msp
c:\windows\Installer\33be2.msp
c:\windows\Installer\33be3.msp
c:\windows\Installer\33be4.msp
c:\windows\Installer\33be5.msp
c:\windows\Installer\33be6.msp
c:\windows\Installer\33be7.msp
c:\windows\Installer\33be8.msp
c:\windows\Installer\33be9.msp
c:\windows\Installer\33bea.msp
c:\windows\Installer\342b5ac.msp
c:\windows\Installer\342b5ad.msp
c:\windows\Installer\342b5ae.msp
c:\windows\Installer\342b5af.msp
c:\windows\Installer\342b5b0.msp
c:\windows\Installer\342b5b1.msp
c:\windows\Installer\342b5b2.msp
c:\windows\Installer\342b5b3.msp
c:\windows\Installer\342b5b4.msp
c:\windows\Installer\34d57.msp
c:\windows\Installer\34d58.msp
c:\windows\Installer\34d59.msp
c:\windows\Installer\34d5a.msp
c:\windows\Installer\34d5b.msp
c:\windows\Installer\34d5c.msp
c:\windows\Installer\34d5d.msp
c:\windows\Installer\34d5e.msp
c:\windows\Installer\34d5f.msp
c:\windows\Installer\352f4.msp
c:\windows\Installer\352f5.msp
c:\windows\Installer\352f6.msp
c:\windows\Installer\352f7.msp
c:\windows\Installer\352f8.msp
c:\windows\Installer\352f9.msp
c:\windows\Installer\352fa.msp
c:\windows\Installer\352fb.msp
c:\windows\Installer\352fc.msp
c:\windows\Installer\36382a5.msp
c:\windows\Installer\36382a6.msp
c:\windows\Installer\36382a7.msp
c:\windows\Installer\36382a8.msp
c:\windows\Installer\36382a9.msp
c:\windows\Installer\36382aa.msp
c:\windows\Installer\36382ab.msp
c:\windows\Installer\36382ac.msp
c:\windows\Installer\36382ad.msp
c:\windows\Installer\36aa3.msp
c:\windows\Installer\36aa4.msp
c:\windows\Installer\36aa5.msp
c:\windows\Installer\36aa6.msp
c:\windows\Installer\36aa7.msp
c:\windows\Installer\36aa8.msp
c:\windows\Installer\36aa9.msp
c:\windows\Installer\36aaa.msp
c:\windows\Installer\36aab.msp
c:\windows\Installer\37b6c.msp
c:\windows\Installer\37b6d.msp
c:\windows\Installer\37b6e.msp
c:\windows\Installer\37b6f.msp
c:\windows\Installer\37b70.msp
c:\windows\Installer\37b71.msp
c:\windows\Installer\37b72.msp
c:\windows\Installer\37b73.msp
c:\windows\Installer\37b74.msp
c:\windows\Installer\3883d.msp
c:\windows\Installer\3883e.msp
c:\windows\Installer\3883f.msp
c:\windows\Installer\38840.msp
c:\windows\Installer\38841.msp
c:\windows\Installer\38842.msp
c:\windows\Installer\38843.msp
c:\windows\Installer\38844.msp
c:\windows\Installer\38845.msp
c:\windows\Installer\38a6f.msp
c:\windows\Installer\38a70.msp
c:\windows\Installer\38a71.msp
c:\windows\Installer\38a72.msp
c:\windows\Installer\38a73.msp
c:\windows\Installer\38a74.msp
c:\windows\Installer\38a75.msp
c:\windows\Installer\38a76.msp
c:\windows\Installer\38a77.msp
c:\windows\Installer\38a78.msp
c:\windows\Installer\38a79.msp
c:\windows\Installer\38a7a.msp
c:\windows\Installer\38a7b.msp
c:\windows\Installer\38a7c.msp
c:\windows\Installer\38a7d.msp
c:\windows\Installer\38a7e.msp
c:\windows\Installer\38a7f.msp
c:\windows\Installer\38a80.msp
c:\windows\Installer\39695.msp
c:\windows\Installer\39696.msp
c:\windows\Installer\39697.msp
c:\windows\Installer\39698.msp
c:\windows\Installer\39699.msp
c:\windows\Installer\3969a.msp
c:\windows\Installer\3969b.msp
c:\windows\Installer\3969c.msp
c:\windows\Installer\3969d.msp
c:\windows\Installer\396bedb.msp
c:\windows\Installer\396bedc.msp
c:\windows\Installer\396bedd.msp
c:\windows\Installer\396bede.msp
c:\windows\Installer\396bedf.msp
c:\windows\Installer\396bee0.msp
c:\windows\Installer\396bee1.msp
c:\windows\Installer\396bee2.msp
c:\windows\Installer\396bee3.msp
c:\windows\Installer\39c23.msp
c:\windows\Installer\39c24.msp
c:\windows\Installer\39c25.msp
c:\windows\Installer\39c26.msp
c:\windows\Installer\39c27.msp
c:\windows\Installer\39c28.msp
c:\windows\Installer\39c29.msp
c:\windows\Installer\39c2a.msp
c:\windows\Installer\39c2b.msp
c:\windows\Installer\3a5c7.msp
c:\windows\Installer\3a5c8.msp
c:\windows\Installer\3a5c9.msp
c:\windows\Installer\3a5ca.msp
c:\windows\Installer\3a5cb.msp
c:\windows\Installer\3a5cc.msp
c:\windows\Installer\3a5cd.msp
c:\windows\Installer\3a5ce.msp
c:\windows\Installer\3a5cf.msp
c:\windows\Installer\3a877.msp
c:\windows\Installer\3a878.msp
c:\windows\Installer\3a879.msp
c:\windows\Installer\3a87a.msp
c:\windows\Installer\3a87b.msp
c:\windows\Installer\3a87c.msp
c:\windows\Installer\3a87d.msp
c:\windows\Installer\3a87e.msp
c:\windows\Installer\3a87f.msp
c:\windows\Installer\3c287.msp
c:\windows\Installer\3c288.msp
c:\windows\Installer\3c289.msp
c:\windows\Installer\3c28a.msp
c:\windows\Installer\3c28b.msp
c:\windows\Installer\3c28c.msp
c:\windows\Installer\3c28d.msp
c:\windows\Installer\3c28e.msp
c:\windows\Installer\3c28f.msp
c:\windows\Installer\3c4d9.msp
c:\windows\Installer\3c4da.msp
c:\windows\Installer\3c4db.msp
c:\windows\Installer\3c4dc.msp
c:\windows\Installer\3c4dd.msp
c:\windows\Installer\3c4de.msp
c:\windows\Installer\3c4df.msp
c:\windows\Installer\3c4e0.msp
c:\windows\Installer\3c4e1.msp
c:\windows\Installer\3e1a8.msp
c:\windows\Installer\3e1a9.msp
c:\windows\Installer\3e1aa.msp
c:\windows\Installer\3e1ab.msp
c:\windows\Installer\3e1ac.msp
c:\windows\Installer\3e1ad.msp
c:\windows\Installer\3e1ae.msp
c:\windows\Installer\3e1af.msp
c:\windows\Installer\3e1b0.msp
c:\windows\Installer\3e51fcc.msp
c:\windows\Installer\3e51fcd.msp
c:\windows\Installer\3e51fce.msp
c:\windows\Installer\3e51fcf.msp
c:\windows\Installer\3e51fd0.msp
c:\windows\Installer\3e51fd1.msp
c:\windows\Installer\3e51fd2.msp
c:\windows\Installer\3e51fd3.msp
c:\windows\Installer\3e51fd4.msp
c:\windows\Installer\3e801.msp
c:\windows\Installer\3e802.msp
c:\windows\Installer\3e803.msp
c:\windows\Installer\3e804.msp
c:\windows\Installer\3e805.msp
c:\windows\Installer\3e806.msp
c:\windows\Installer\3e807.msp
c:\windows\Installer\3e808.msp
c:\windows\Installer\3e809.msp
c:\windows\Installer\3f5ea.msi
c:\windows\Installer\3f5eb.msp
c:\windows\Installer\3f5ec.msp
c:\windows\Installer\3f5ed.msp
c:\windows\Installer\3f5ee.msp
c:\windows\Installer\3f5ef.msp
c:\windows\Installer\3f5f0.msp
c:\windows\Installer\3f5f1.msp
c:\windows\Installer\3f5f2.msp
c:\windows\Installer\3f5f3.msp
c:\windows\Installer\40b57db.msp
c:\windows\Installer\40b57dc.msp
c:\windows\Installer\40b57dd.msp
c:\windows\Installer\40b57de.msp
c:\windows\Installer\40b57df.msp
c:\windows\Installer\40b57e0.msp
c:\windows\Installer\40b57e1.msp
c:\windows\Installer\40b57e2.msp
c:\windows\Installer\40b57e3.msp
c:\windows\Installer\41d2a.msp
c:\windows\Installer\41d2b.msp
c:\windows\Installer\41d2c.msp
c:\windows\Installer\41d2d.msp
c:\windows\Installer\41d2e.msp
c:\windows\Installer\41d2f.msp
c:\windows\Installer\41d30.msp
c:\windows\Installer\41d31.msp
c:\windows\Installer\41d32.msp
c:\windows\Installer\423f0.msp
c:\windows\Installer\423f1.msp
c:\windows\Installer\423f2.msp
c:\windows\Installer\423f3.msp
c:\windows\Installer\423f4.msp
c:\windows\Installer\423f5.msp
c:\windows\Installer\423f6.msp
c:\windows\Installer\423f7.msp
c:\windows\Installer\423f8.msp
c:\windows\Installer\4318d.msp
c:\windows\Installer\4318e.msp
c:\windows\Installer\4318f.msp
c:\windows\Installer\43190.msp
c:\windows\Installer\43191.msp
c:\windows\Installer\43192.msp
c:\windows\Installer\43193.msp
c:\windows\Installer\43194.msp
c:\windows\Installer\43195.msp
c:\windows\Installer\4343b52.msp
c:\windows\Installer\4343b53.msp
c:\windows\Installer\4343b54.msp
c:\windows\Installer\4343b55.msp
c:\windows\Installer\4343b56.msp
c:\windows\Installer\4343b57.msp
c:\windows\Installer\4343b58.msp
c:\windows\Installer\4343b59.msp
c:\windows\Installer\4343b5a.msp
c:\windows\Installer\43a95.msp
c:\windows\Installer\43a96.msp
c:\windows\Installer\43a97.msp
c:\windows\Installer\43a98.msp
c:\windows\Installer\43a99.msp
c:\windows\Installer\43a9a.msp
c:\windows\Installer\43a9b.msp
c:\windows\Installer\43a9c.msp
c:\windows\Installer\43a9d.msp
c:\windows\Installer\4435f.msp
c:\windows\Installer\44360.msp
c:\windows\Installer\44361.msp
c:\windows\Installer\44362.msp
c:\windows\Installer\44363.msp
c:\windows\Installer\44364.msp
c:\windows\Installer\44365.msp
c:\windows\Installer\44366.msp
c:\windows\Installer\44367.msp
c:\windows\Installer\45976c1.msp
c:\windows\Installer\45976c2.msp
c:\windows\Installer\45976c3.msp
c:\windows\Installer\45976c4.msp
c:\windows\Installer\45976c5.msp
c:\windows\Installer\45976c6.msp
c:\windows\Installer\45976c7.msp
c:\windows\Installer\45976c8.msp
c:\windows\Installer\45976c9.msp
c:\windows\Installer\45d87a6.msp
c:\windows\Installer\45d87a7.msp
c:\windows\Installer\45d87a8.msp
c:\windows\Installer\45d87a9.msp
c:\windows\Installer\45d87aa.msp
c:\windows\Installer\45d87ab.msp
c:\windows\Installer\45d87ac.msp
c:\windows\Installer\45d87ad.msp
c:\windows\Installer\45d87ae.msp
c:\windows\Installer\46eaf21.msp
c:\windows\Installer\46eaf22.msp
c:\windows\Installer\46eaf23.msp
c:\windows\Installer\46eaf24.msp
c:\windows\Installer\46eaf25.msp
c:\windows\Installer\46eaf26.msp
c:\windows\Installer\46eaf27.msp
c:\windows\Installer\46eaf28.msp
c:\windows\Installer\46eaf29.msp
c:\windows\Installer\46f8ec3.msp
c:\windows\Installer\46f8ec4.msp
c:\windows\Installer\46f8ec5.msp
c:\windows\Installer\46f8ec6.msp
c:\windows\Installer\46f8ec7.msp
c:\windows\Installer\46f8ec8.msp
c:\windows\Installer\46f8ec9.msp
c:\windows\Installer\46f8eca.msp
c:\windows\Installer\46f8ecb.msp
c:\windows\Installer\47c16a6.msp
c:\windows\Installer\47c16a7.msp
c:\windows\Installer\47c16a8.msp
c:\windows\Installer\47c16a9.msp
c:\windows\Installer\47c16aa.msp
c:\windows\Installer\47c16ab.msp
c:\windows\Installer\47c16ac.msp
c:\windows\Installer\47c16ad.msp
c:\windows\Installer\47c16ae.msp
c:\windows\Installer\47c51.msp
c:\windows\Installer\47c52.msp
c:\windows\Installer\47c53.msp
c:\windows\Installer\47c54.msp
c:\windows\Installer\47c55.msp
c:\windows\Installer\47c56.msp
c:\windows\Installer\47c57.msp
c:\windows\Installer\47c58.msp
c:\windows\Installer\47c59.msp
c:\windows\Installer\49596.msp
c:\windows\Installer\49597.msp
c:\windows\Installer\49598.msp
c:\windows\Installer\49599.msp
c:\windows\Installer\4959a.msp
c:\windows\Installer\4959b.msp
c:\windows\Installer\4959c.msp
c:\windows\Installer\4959d.msp
c:\windows\Installer\4959e.msp
c:\windows\Installer\4a56e05.msp
c:\windows\Installer\4a56e06.msp
c:\windows\Installer\4a56e07.msp
c:\windows\Installer\4a56e08.msp
c:\windows\Installer\4a56e09.msp
c:\windows\Installer\4a56e0a.msp
c:\windows\Installer\4a56e0b.msp
c:\windows\Installer\4a56e0c.msp
c:\windows\Installer\4a56e0d.msp
c:\windows\Installer\4ec6f15.msp
c:\windows\Installer\4ec6f16.msp
c:\windows\Installer\4ec6f17.msp
c:\windows\Installer\4ec6f18.msp
c:\windows\Installer\4ec6f19.msp
c:\windows\Installer\4ec6f1a.msp
c:\windows\Installer\4ec6f1b.msp
c:\windows\Installer\4ec6f1c.msp
c:\windows\Installer\4ec6f1d.msp
c:\windows\Installer\4f2e8bd.msp
c:\windows\Installer\4f2e8be.msp
c:\windows\Installer\4f2e8bf.msp
c:\windows\Installer\4f2e8c0.msp
c:\windows\Installer\4f2e8c1.msp
c:\windows\Installer\4f2e8c2.msp
c:\windows\Installer\4f2e8c3.msp
c:\windows\Installer\4f2e8c4.msp
c:\windows\Installer\4f2e8c5.msp
c:\windows\Installer\5085c31.msp
c:\windows\Installer\5085c32.msp
c:\windows\Installer\5085c33.msp
c:\windows\Installer\5085c34.msp
c:\windows\Installer\5085c35.msp
c:\windows\Installer\5085c36.msp
c:\windows\Installer\5085c37.msp
c:\windows\Installer\5085c38.msp
c:\windows\Installer\5085c39.msp
c:\windows\Installer\50b80f1.msp
c:\windows\Installer\50b80f2.msp
c:\windows\Installer\50b80f3.msp
c:\windows\Installer\50b80f4.msp
c:\windows\Installer\50b80f5.msp
c:\windows\Installer\50b80f6.msp
c:\windows\Installer\50b80f7.msp
c:\windows\Installer\50b80f8.msp
c:\windows\Installer\50b80f9.msp
c:\windows\Installer\51a7e68.msp
c:\windows\Installer\51a7e69.msp
c:\windows\Installer\51a7e6a.msp
c:\windows\Installer\51a7e6b.msp
c:\windows\Installer\51a7e6c.msp
c:\windows\Installer\51a7e6d.msp
c:\windows\Installer\51a7e6e.msp
c:\windows\Installer\51a7e6f.msp
c:\windows\Installer\51a7e70.msp
c:\windows\Installer\52505.msp
c:\windows\Installer\52506.msp
c:\windows\Installer\52507.msp
c:\windows\Installer\52508.msp
c:\windows\Installer\52509.msp
c:\windows\Installer\5250a.msp
c:\windows\Installer\5250b.msp
c:\windows\Installer\5250c.msp
c:\windows\Installer\5250d.msp
c:\windows\Installer\5853fa1.msp
c:\windows\Installer\5853fa2.msp
c:\windows\Installer\5853fa3.msp
c:\windows\Installer\5853fa4.msp
c:\windows\Installer\5853fa5.msp
c:\windows\Installer\5853fa6.msp
c:\windows\Installer\5853fa7.msp
c:\windows\Installer\5853fa8.msp
c:\windows\Installer\5853fa9.msp
c:\windows\Installer\5b0a196.msp
c:\windows\Installer\5b0a197.msp
c:\windows\Installer\5b0a198.msp
c:\windows\Installer\5b0a199.msp
c:\windows\Installer\5b0a19a.msp
c:\windows\Installer\5b0a19b.msp
c:\windows\Installer\5b0a19c.msp
c:\windows\Installer\5b0a19d.msp
c:\windows\Installer\5b0a19e.msp
c:\windows\Installer\5d16d37.msp
c:\windows\Installer\5d16d38.msp
c:\windows\Installer\5d16d39.msp
c:\windows\Installer\5d16d3a.msp
c:\windows\Installer\5d16d3b.msp
c:\windows\Installer\5d16d3c.msp
c:\windows\Installer\5d16d3d.msp
c:\windows\Installer\5d16d3e.msp
c:\windows\Installer\5d16d3f.msp
c:\windows\Installer\5d43001.msp
c:\windows\Installer\5d43002.msp
c:\windows\Installer\5d43003.msp
c:\windows\Installer\5d43004.msp
c:\windows\Installer\5d43005.msp
c:\windows\Installer\5d43006.msp
c:\windows\Installer\5d43007.msp
c:\windows\Installer\5d43008.msp
c:\windows\Installer\5d43009.msp
c:\windows\Installer\60274.msp
c:\windows\Installer\60275.msp
c:\windows\Installer\60276.msp
c:\windows\Installer\60277.msp
c:\windows\Installer\60278.msp
c:\windows\Installer\60279.msp
c:\windows\Installer\6027a.msp
c:\windows\Installer\6027b.msp
c:\windows\Installer\6027c.msp
c:\windows\Installer\605ef.msp
c:\windows\Installer\605f0.msp
c:\windows\Installer\605f1.msp
c:\windows\Installer\605f2.msp
c:\windows\Installer\605f3.msp
c:\windows\Installer\605f4.msp
c:\windows\Installer\605f5.msp
c:\windows\Installer\605f6.msp
c:\windows\Installer\605f7.msp
c:\windows\Installer\6a079.msp
c:\windows\Installer\6a07a.msp
c:\windows\Installer\6a07b.msp
c:\windows\Installer\6a07c.msp
c:\windows\Installer\6a07d.msp
c:\windows\Installer\6a07e.msp
c:\windows\Installer\6a07f.msp
c:\windows\Installer\6a080.msp
c:\windows\Installer\6a081.msp
c:\windows\Installer\70f179a.msp
c:\windows\Installer\70f179b.msp
c:\windows\Installer\70f179c.msp
c:\windows\Installer\70f179d.msp
c:\windows\Installer\70f179e.msp
c:\windows\Installer\70f179f.msp
c:\windows\Installer\70f17a0.msp
c:\windows\Installer\70f17a1.msp
c:\windows\Installer\70f17a2.msp
c:\windows\Installer\79fe53e.msp
c:\windows\Installer\79fe53f.msp
c:\windows\Installer\79fe540.msp
c:\windows\Installer\79fe541.msp
c:\windows\Installer\79fe542.msp
c:\windows\Installer\79fe543.msp
c:\windows\Installer\79fe544.msp
c:\windows\Installer\79fe545.msp
c:\windows\Installer\79fe546.msp
c:\windows\Installer\7a71c.msp
c:\windows\Installer\7a71d.msp
c:\windows\Installer\7a71e.msp
c:\windows\Installer\7a71f.msp
c:\windows\Installer\7a720.msp
c:\windows\Installer\7a721.msp
c:\windows\Installer\7a722.msp
c:\windows\Installer\7a723.msp
c:\windows\Installer\7a724.msp
c:\windows\Installer\7c6da83.msp
c:\windows\Installer\7c6da84.msp
c:\windows\Installer\7c6da85.msp
c:\windows\Installer\7c6da86.msp
c:\windows\Installer\7c6da87.msp
c:\windows\Installer\7c6da88.msp
c:\windows\Installer\7c6da89.msp
c:\windows\Installer\7c6da8a.msp
c:\windows\Installer\7c6da8b.msp
c:\windows\Installer\7e01928.msp
c:\windows\Installer\7e01929.msp
c:\windows\Installer\7e0192a.msp
c:\windows\Installer\7e0192b.msp
c:\windows\Installer\7e0192c.msp
c:\windows\Installer\7e0192d.msp
c:\windows\Installer\7e0192e.msp
c:\windows\Installer\7e0192f.msp
c:\windows\Installer\7e01930.msp
c:\windows\Installer\82c6ca6.msp
c:\windows\Installer\82c6ca7.msp
c:\windows\Installer\82c6ca8.msp
c:\windows\Installer\82c6ca9.msp
c:\windows\Installer\82c6caa.msp
c:\windows\Installer\82c6cab.msp
c:\windows\Installer\82c6cac.msp
c:\windows\Installer\82c6cad.msp
c:\windows\Installer\82c6cae.msp
c:\windows\Installer\95aa3a7.msp
c:\windows\Installer\95aa3a8.msp
c:\windows\Installer\95aa3a9.msp
c:\windows\Installer\95aa3aa.msp
c:\windows\Installer\95aa3ab.msp
c:\windows\Installer\95aa3ac.msp
c:\windows\Installer\95aa3ad.msp
c:\windows\Installer\95aa3ae.msp
c:\windows\Installer\95aa3af.msp
c:\windows\Installer\962f1b0.msp
c:\windows\Installer\962f1b1.msp
c:\windows\Installer\962f1b2.msp
c:\windows\Installer\962f1b3.msp
c:\windows\Installer\962f1b4.msp
c:\windows\Installer\962f1b5.msp
c:\windows\Installer\962f1b6.msp
c:\windows\Installer\962f1b7.msp
c:\windows\Installer\962f1b8.msp
c:\windows\Installer\98bfbcb.msp
c:\windows\Installer\98bfbcc.msp
c:\windows\Installer\98bfbcd.msp
c:\windows\Installer\98bfbce.msp
c:\windows\Installer\98bfbcf.msp
c:\windows\Installer\98bfbd0.msp
c:\windows\Installer\98bfbd1.msp
c:\windows\Installer\98bfbd2.msp
c:\windows\Installer\98bfbd3.msp
c:\windows\Installer\9cbc4b6.msp
c:\windows\Installer\9cbc4b7.msp
c:\windows\Installer\9cbc4b8.msp
c:\windows\Installer\9cbc4b9.msp
c:\windows\Installer\9cbc4ba.msp
c:\windows\Installer\9cbc4bb.msp
c:\windows\Installer\9cbc4bc.msp
c:\windows\Installer\9cbc4bd.msp
c:\windows\Installer\9cbc4be.msp
c:\windows\Installer\c3399.msp
c:\windows\Installer\c339a.msp
c:\windows\Installer\c339b.msp
c:\windows\Installer\c339c.msp
c:\windows\Installer\c339d.msp
c:\windows\Installer\c339e.msp
c:\windows\Installer\c339f.msp
c:\windows\Installer\c33a0.msp
c:\windows\Installer\c33a1.msp
c:\windows\Installer\c6ad55.msp
c:\windows\Installer\c6ad56.msp
c:\windows\Installer\c6ad57.msp
c:\windows\Installer\c6ad58.msp
c:\windows\Installer\c6ad59.msp
c:\windows\Installer\c6ad5a.msp
c:\windows\Installer\c6ad5b.msp
c:\windows\Installer\c6ad5c.msp
c:\windows\Installer\c6ad5d.msp
c:\windows\Installer\cef2f65.msp
c:\windows\Installer\cef2f66.msp
c:\windows\Installer\cef2f67.msp
c:\windows\Installer\cef2f68.msp
c:\windows\Installer\cef2f69.msp
c:\windows\Installer\cef2f6a.msp
c:\windows\Installer\cef2f6b.msp
c:\windows\Installer\cef2f6c.msp
c:\windows\Installer\cef2f6d.msp
c:\windows\Installer\d1c63.msp
c:\windows\Installer\d1c64.msp
c:\windows\Installer\d1c65.msp
c:\windows\Installer\d1c66.msp
c:\windows\Installer\d1c67.msp
c:\windows\Installer\d1c68.msp
c:\windows\Installer\d1c69.msp
c:\windows\Installer\d1c6a.msp
c:\windows\Installer\d1c6b.msp
c:\windows\run.log
c:\windows\system32\axaltocm.dll
c:\windows\system32\certstore.dat
c:\windows\system32\drivers\19ba2ed9.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\Install.txt
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Temp\~2E.dll
c:\windows\TEMP\mta13187.dll
c:\windows\TEMP\t4m0_70790121130.bk.old
c:\windows\TEMP\x1c31584.dll
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_MDTDISK
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_6to4
-------\Service_mdtdisk
((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.
2009-10-17 12:14 . 2009-10-17 12:28 -------- dc----w- C:\Combo-Fix
2009-10-11 18:26 . 2009-10-13 16:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-08 20:07 . 2009-10-09 10:30 -------- d-----w- c:\documents and settings\Melanie Lewis\.housecall6.6
2009-10-08 19:54 . 2009-10-08 19:54 -------- d-----w- c:\documents and settings\Melanie Lewis\Local Settings\Application Data\Threat Expert
2009-10-08 11:23 . 2006-09-18 20:07 166 -c--a-w- C:\hosts.bat
2009-10-07 11:15 . 2009-10-07 11:15 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-10-05 23:17 . 2009-10-05 23:17 -------- dc----w- C:\$AVG8.VAULT$
2009-10-05 22:53 . 2009-10-05 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-05 22:52 . 2009-10-05 22:52 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-05 22:52 . 2009-10-05 22:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-05 22:52 . 2009-10-05 22:52 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-05 22:52 . 2009-10-11 16:06 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-05 22:52 . 2009-10-05 22:52 -------- d-----w- c:\program files\AVG
2009-10-05 22:52 . 2009-10-17 18:37 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-04 23:22 . 2009-10-04 23:22 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-10-04 15:44 . 2009-10-04 15:48 -------- dc-h--w- c:\windows\ie8
2009-10-03 01:41 . 2009-10-03 01:41 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-01 01:26 . 2009-10-01 01:26 -------- d-----w- c:\documents and settings\Melanie Lewis\Application Data\AVG8
2009-10-01 00:43 . 2009-10-01 00:43 -------- dc----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-09-29 18:44 . 2009-09-29 18:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-28 22:37 . 2009-09-29 11:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-26 23:39 . 2009-10-16 22:14 -------- d--h--w- c:\windows\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 16:21 . 2008-06-29 03:09 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-15 00:57 . 2008-05-31 22:58 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-09 22:44 . 2006-06-21 23:06 -------- d-----w- c:\program files\Spybot - Search & DestroyThis Folder
2009-10-06 20:30 . 2008-11-21 16:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 20:30 . 2006-06-14 04:16 -------- d-----w- c:\program files\Java
2009-10-06 19:22 . 2009-10-06 19:22 0 ----a-w- c:\windows\system32\REN42.tmp
2009-10-04 23:22 . 2009-02-09 04:20 -------- d-----w- c:\program files\MSECACHE
2009-09-30 10:59 . 2009-09-16 15:38 -------- dc----w- c:\documents and settings\All Users\Application Data\14487344
2009-09-29 13:05 . 2006-08-13 05:18 -------- d-----w- c:\program files\Soulseek
2009-09-29 00:47 . 2006-12-06 18:30 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-09-27 16:54 . 2008-09-09 04:27 -------- d-----w- c:\program files\DivX
2009-09-07 18:08 . 2007-03-26 02:34 -------- d--h--w- c:\documents and settings\Melanie Lewis\Application Data\Move Networks
2009-08-27 08:35 . 2006-06-28 21:47 38888 ----a-w- c:\documents and settings\Melanie Lewis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-06 149280]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-06-14 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-14 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-12-6 118784]
NuvaTime(tm).lnk - c:\program files\NuvaTime\NuvaTime(tm).exe [2004-5-17 1051655]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-05 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 6:52 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 6:52 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/5/2009 6:52 PM 297752]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 1:51 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 6:00 AM 94208]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/5/2008 1:45 PM 24652]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/5/2009 6:52 PM 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-10-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 03:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-HijackThis - c:\documents and settings\Melanie Lewis\Desktop\Tool Box\HijackThis.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 11:30
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
"ServiceDll"="c:\windows\system32\BtwSrv.dll\00dPЍM蹎MuMَE\0d\00\00\00UԍMCh@\00tE\04t\08MBEPEPEPEPEPEPEPEPEPEPj\0a+,MVxPEPEPj\03j\10tPj\00ÍM؍ËE؋Md\0d\00\00\00\00_^
[\04\00 U\14h\16\19@\00d"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(608)
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(1516)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-19 11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-19 15:36
Pre-Run: 3,842,203,648 bytes free
Post-Run: 4,813,504,512 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
1185 --- E O F --- 2009-10-19 13:00
The HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:23 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Melanie Lewis\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159578987937
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 9731 bytes
Hi,
c:\program files\Soulseek <-- This is most likely how you got infected. File sharing programs have become the latest source of infections; think about it, you're downloading a file from an unknown source, it's like playing Russian Roulette malware-wise.
Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint, it installs without your knowledge or consent, is considered Adware, uses system resources and is not needed for anything.
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::
File::
C:\WINDOWS\system32\BtwSrv.dll
c:\windows\system32\REN42.tmp
c:\documents and settings\Melanie Lewis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please.
Post the new ComboFix log, the Malwarebytes log and a new HJT log please.
I removed two programs that had Viewpoint in the name. I proceeded to save CFScript to my desktop. When I tried to drop it into ComboFix and ComboFix prepared to run, I received an error message to the effect that CFScript was misspelled.
I tried running ComboFix again and it appeared to go well. The outcome is listed here:
ComboFix 09-10-18.03 - Melanie Lewis 10/19/2009 22:52.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.596 [GMT -4:00]
Running from: c:\documents and settings\Melanie Lewis\Desktop\ComboFix.exe
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\MELANI~1\LOCALS~1\Temp\rdC.tmp\____mmfp.ocx
c:\documents and settings\Melanie Lewis\Local Settings\Temp\rdC.tmp\____mmfp.ocx
c:\windows\TEMP\mta13187.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))
.
2009-10-17 12:14 . 2009-10-17 12:28 -------- dc----w- C:\Combo-Fix
2009-10-11 18:26 . 2009-10-13 16:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-08 20:07 . 2009-10-09 10:30 -------- d-----w- c:\documents and settings\Melanie Lewis\.housecall6.6
2009-10-08 19:54 . 2009-10-08 19:54 -------- d-----w- c:\documents and settings\Melanie Lewis\Local Settings\Application Data\Threat Expert
2009-10-08 11:23 . 2006-09-18 20:07 166 -c--a-w- C:\hosts.bat
2009-10-07 11:15 . 2009-10-07 11:15 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-10-05 23:17 . 2009-10-05 23:17 -------- dc----w- C:\$AVG8.VAULT$
2009-10-05 22:53 . 2009-10-05 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-05 22:52 . 2009-10-05 22:52 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-05 22:52 . 2009-10-05 22:52 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-05 22:52 . 2009-10-05 22:52 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-05 22:52 . 2009-10-11 16:06 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-05 22:52 . 2009-10-05 22:52 -------- d-----w- c:\program files\AVG
2009-10-05 22:52 . 2009-10-17 18:37 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-04 23:22 . 2009-10-04 23:22 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-10-04 15:44 . 2009-10-04 15:48 -------- dc-h--w- c:\windows\ie8
2009-10-03 01:41 . 2009-10-03 01:41 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-01 01:26 . 2009-10-01 01:26 -------- d-----w- c:\documents and settings\Melanie Lewis\Application Data\AVG8
2009-10-01 00:43 . 2009-10-01 00:43 -------- dc----w- c:\documents and settings\Administrator\Application Data\AVG8
2009-09-29 18:44 . 2009-09-29 18:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-09-28 22:37 . 2009-09-29 11:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-26 23:39 . 2009-10-19 15:27 -------- d--h--w- c:\windows\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-20 02:29 . 2006-06-14 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-18 16:21 . 2008-06-29 03:09 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-15 00:57 . 2008-05-31 22:58 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-09 22:44 . 2006-06-21 23:06 -------- d-----w- c:\program files\Spybot - Search & DestroyThis Folder
2009-10-06 20:30 . 2008-11-21 16:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-06 20:30 . 2006-06-14 04:16 -------- d-----w- c:\program files\Java
2009-10-06 19:22 . 2009-10-06 19:22 0 ----a-w- c:\windows\system32\REN42.tmp
2009-10-04 23:22 . 2009-02-09 04:20 -------- d-----w- c:\program files\MSECACHE
2009-09-30 10:59 . 2009-09-16 15:38 -------- dc----w- c:\documents and settings\All Users\Application Data\14487344
2009-09-29 13:05 . 2006-08-13 05:18 -------- d-----w- c:\program files\Soulseek
2009-09-29 00:47 . 2006-12-06 18:30 20 -c-h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-09-27 16:54 . 2008-09-09 04:27 -------- d-----w- c:\program files\DivX
2009-09-07 18:08 . 2007-03-26 02:34 -------- d--h--w- c:\documents and settings\Melanie Lewis\Application Data\Move Networks
2009-08-27 08:35 . 2006-06-28 21:47 38888 ----a-w- c:\documents and settings\Melanie Lewis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-19_15.31.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-20 03:02 . 2009-10-20 03:02 16384 c:\windows\temp\Perflib_Perfdata_718.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 761947]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-06 149280]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-06-14 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-09-10 393216]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-14 24576]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2006-12-6 118784]
NuvaTime(tm).lnk - c:\program files\NuvaTime\NuvaTime(tm).exe [2004-5-17 1051655]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-05 22:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 6:52 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 6:52 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/5/2009 6:52 PM 297752]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/10/2004 1:51 PM 14336]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 6:00 AM 94208]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/5/2009 6:52 PM 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder
2009-10-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-10-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-31 03:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 23:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
"ServiceDll"="c:\windows\system32\BtwSrv.dll\00dPЍM蹎MuMَE\0d\00\00\00UԍMCh@\00tE\04t\08MBEPEPEPEPEPEPEPEPEPEPj\0a+,MVxPEPEPj\03j\10tPj\00ÍM؍ËE؋Md\0d\00\00\00\00_^
[\04\00 U\14h\16\19@\00d"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(604)
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(3000)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF6278.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-20 23:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-20 03:08
ComboFix2.txt 2009-10-19 15:36
Pre-Run: 4,777,717,760 bytes free
Post-Run: 4,750,938,112 bytes free
- - End Of File - - 72A307B76CBF634BFAA5EAEAD86BACF9
The HijackThis file was:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:01 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Melanie Lewis\Desktop\Spybot Working Files\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159578987937
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 9438 bytes
When I went to download Malwarebytes, however, I got an error message to the effect that Trojan Horse PSW.Banker5.Z0Y was present. When I requested that it be "cured" I got a message to the effect that some files could not be healed...
I hope I have not infected another one of my computers while trying to fix my daughter's!
Hi,
I need you to run Malwarebytes. After we're done here you can post in the forum for your other computer.
You can run this one if Malwarebytes gives you a problem
Please download SuperAntiSpyware Free (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
Good morning! Here are the two logs. I was unable to download Malwarebytes. Thankfully the alternate Spyware program worked.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/20/2009 at 07:57 AM
Application Version : 4.29.1004
Core Rules Database Version : 4175
Trace Rules Database Version: 2094
Scan type : Complete Scan
Total Scan Time : 00:47:20
Memory items scanned : 487
Memory threats detected : 1
Registry items scanned : 5204
Registry threats detected : 0
File items scanned : 22380
File threats detected : 57
Trojan.Agent/Gen-Virut[FNS]
C:\WINDOWS\SYSTEM32\FASTNETSRV.EXE
C:\WINDOWS\SYSTEM32\FASTNETSRV.EXE
C:\WINDOWS\Prefetch\FASTNETSRV.EXE-17B57F56.pf
Adware.Tracking Cookie
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.sun[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@a1.interclick[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@a1.interclick[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@accounts.pkr[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ad.m5prod[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@adinterax[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.adap[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.fatvine[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.funadvice[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.ireport[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.lucidmedia[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.mediamayhemcorp[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.techguy[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.undertone[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@ads.widgetbucks[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@adtracker.americantowns[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@bizrate[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@caloriecount.about[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@cdnh.tremormedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@cdnh.tremormedia[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@cdnh.tremormedia[3].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@chitika[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@clicksor[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@collective-media[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@dc.tremormedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@elitecme[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@hairfinder[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@imediablast[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@interclick[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@intermundomedia[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@invitemedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@invitemedia[3].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@lfstmedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@media-bucket[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@media6degrees[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@myaccount.bellsouth[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@optimize.indieclick[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@qnsr[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@richmedia.yahoo[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@socialmedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@specificmedia[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.findyourspot[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[1].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[4].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[5].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[6].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.googleadservices[7].txt
C:\Documents and Settings\Melanie Lewis\Cookies\melanie__lewis@www.hairfinder[2].txt
C:\Documents and Settings\Melanie Lewis\Cookies\system@media6degrees[2].txt
Adware.Media-Codec/ZLob
C:\Program Files\Applications
Trojan.Agent/Gen
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EVENTLOG.DLL.VIR
Rootkit.Agent/Gen-DiskFake
C:\WINDOWS\SYSTEM32\MDTDISK.SYS
Trojan.Agent/Gen-WIWOW64
C:\WINDOWS\SYSTEM32\WMDTC.EXE
C:\WINDOWS\Prefetch\WMDTC.EXE-3367E9ED.pf
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:24 AM, on 10/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Melanie Lewis\Desktop\Spybot Working Files\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159578987937
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Unknown owner - C:\WINDOWS\system32\FastNetSrv.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 9821 bytes
I will be gone most of the day but will look for a response this evening.
One more scan
Download Dr.Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) to the desktop:
Double-click the drweb-cureit icon to start the program.
Press Start.
Allow the program to run the initial express scan
This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note: if the file cannot be cured, Dr.Web will automatically delete the file.
Once the scan is complete, on the menu bar, click file and choose report list.
Save the report to your desktop. The report will be called DrWeb.csv
Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
Close Dr.Web Cureit.
Please post the Dr.Web.txt report in your next reply
I lost power right after the express scan was completed and had to reboot. The express scan found one item. The full scan took a long time because I was not able to be around to acknowledge each infection found. The log for the full scan follows:
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;;
3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
A0006833.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP16;Trojan.DownLoad.47474;Deleted.;
A0011971.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP17;Trojan.Click.1487;Deleted.;
Again, thanks for your help.
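The Dr.Web report above is a semicolon-separated list, and the rest of the thread turns on one line in it (InstallHelper.exe, flagged "Probably ...", with no action recorded). As an added example that is not part of this thread and not Dr.Web's own tooling, the Python below splits such a report into what the scanner already deleted, what lives only inside System Restore points, and what still needs a decision from the person cleaning the machine. The column layout (file; folder; detection; action; trailing empty field) is inferred from the posted lines rather than taken from any documentation, and the "Probably" prefix is assumed to mark a heuristic verdict rather than a signature match.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample: the four report lines posted above, copied verbatim.
# The column layout is inferred from these lines (assumption, not Dr.Web docs).
SAMPLE_REPORT = r"""
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;;
3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
A0006833.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP16;Trojan.DownLoad.47474;Deleted.;
A0011971.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP17;Trojan.Click.1487;Deleted.;
"""

# Files under this prefix are cached copies held by System Restore, not live
# files on the system; they come back if an old restore point is applied.
RESTORE_PREFIX = r"C:\System Volume Information\_restore"


@dataclass
class Finding:
    file: str
    folder: str
    detection: str
    action: str

    @property
    def heuristic(self):
        # "Probably ..." is taken here to mean a heuristic verdict rather than
        # a signature match (assumption about Dr.Web's naming).
        return self.detection.startswith("Probably ")

    @property
    def in_restore_point(self):
        return self.folder.startswith(RESTORE_PREFIX)

    @property
    def unresolved(self):
        # Empty action column: the scanner neither cured nor deleted the file.
        return self.action == ""


def parse_report(text):
    """Parse the semicolon-separated report into Finding records."""
    findings = []
    for row in csv.reader(StringIO(text.strip()), delimiter=";"):
        if len(row) < 4:
            continue  # blank or truncated line
        findings.append(Finding(*row[:4]))
    return findings


def triage(findings):
    """Group findings by what the person cleaning the machine must do next."""
    return {
        "deleted": [f.file for f in findings if f.action == "Deleted."],
        "restore_points": [f.file for f in findings if f.in_restore_point],
        "needs_decision": [f.file for f in findings if f.unresolved],
        "heuristic_only": [f.file for f in findings if f.heuristic],
    }


if __name__ == "__main__":
    for group, files in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{group:15s} {files}")
```

Two of the four hits sit in `_restore\RPnn` folders: those are restore-point copies of files already removed elsewhere, which is why the closing advice in this thread includes resetting System Restore. The one entry with an empty action column is the only item left that a human has to rule on.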
Everything looks fine, how are things running now ?
Hi Ken545,
I can't tell how things are running now since I have no Spybot Search and Destroy, etc. The main thing is that when I try to use Internet Explorer I get the old "Windows cannot access the specified device, path or file..." error message. I am assuming that this is the result of the rootkit infection that was present.
I am not sure that I know how to try to reload IE so that I can get Spybot and some of the other programs running.
Which of all the programs you had me download, if any, should stay on the machine we have been working on? I see that I have SuperAntiSpyware in the systray.
You have a marker in your log for a serious infection, this is what I would like you to do.
First I would like you to run Dr Web, I need to see the complete report.
Then do this.
Open notepad and then copy and paste the bolded lines below into Notepad.
Go to File > save as and name the file fixes.bat.
Change the Save as type to all files and save it to your desktop.
@echo off
rem stop the orphaned fastnetsrv service, then remove its registration
sc stop fastnetsrv
sc delete fastnetsrv
Double-click on fixes.bat file to execute it.
Reboot and post a fresh hjt log.
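The "marker" Ken refers to is the O23 line for fastnetsrv in the earlier log: a registered service with no version-info owner whose binary is no longer on disk. As an added example that is not part of this thread and not HijackThis code, the Python below parses the O23 section of a log, separates the "(file missing)" entries from the merely "Unknown owner" ones, renders the same two `sc` commands as fixes.bat for whatever service names the analyst picks, and checks a fresh log to confirm the service is gone. The sample lines are copied from the two logs in this thread; the decision that fastnetsrv is the one to remove is Ken's, not the parser's, since "Unknown owner" also appears on legitimate Dell services and a missing binary can just as well be a leftover from an uninstalled product.

```python
import re
from dataclasses import dataclass

# Constructed sample: O23 lines copied from the HijackThis logs posted in
# this thread (before and after fixes.bat), plus one O4 line to show that
# other sections are ignored. Not a complete log.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Unknown owner - C:\WINDOWS\system32\FastNetSrv.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

AFTER_LOG = r"""
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]
# The short name in parentheses is optional in the log; when absent the
# display name is what sc.exe expects. Display names containing " - " would
# confuse this pattern; none in this thread do.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str
    name: str          # short service name usable with sc.exe
    owner: str
    path: str
    file_missing: bool


def parse_o23(log_text):
    """Return the O23 (service) entries of a HijackThis log, other lines ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            display=m["display"],
            name=m["short"] or m["display"],
            owner=m["owner"],
            path=m["path"],
            file_missing=m["missing"] is not None,
        ))
    return entries


def triage(entries):
    """Split entries into the two signals worth a second look.

    A registered service whose binary is gone is either a leftover from an
    uninstalled product or the husk of something already removed; a service
    with no version-info owner is only a weak hint on its own. Which names
    go into the fix script remains the analyst's call.
    """
    missing = [e for e in entries if e.file_missing]
    unknown = [e for e in entries
               if e.owner == "Unknown owner" and not e.file_missing]
    return missing, unknown


def fix_script(service_names):
    """Render the same batch file as fixes.bat for any list of service names.

    sc delete marks the service for deletion; the registration disappears on
    the next reboot, which is why the post asks for a reboot before the
    fresh log.
    """
    lines = ["@echo off"]
    for name in service_names:
        lines += [f"sc stop {name}", f"sc delete {name}"]
    return "\n".join(lines) + "\n"


def still_present(log_text, service_name):
    """Check a fresh log: True if the service is still registered."""
    return any(e.name == service_name for e in parse_o23(log_text))


if __name__ == "__main__":
    missing, unknown = triage(parse_o23(BEFORE_LOG))
    print("binary missing:", [e.name for e in missing])
    print("unknown owner: ", [e.name for e in unknown])
    print(fix_script(["fastnetsrv"]))
    print("fastnetsrv still present:", still_present(AFTER_LOG, "fastnetsrv"))
```

Run against the two logs in this thread, the "binary missing" list contains both fastnetsrv and the Lavasoft Ad-Aware remnant, and the "unknown owner" list holds only Dell components; the script then confirms that fastnetsrv is absent from the post-fix log while the Ad-Aware remnant, which Ken chose to leave alone, is still there.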
Yesterday, I wasn't sure whether I should merely exit Dr. Web when it was finished and the report filed, or whether I should have done something about InstallHelper.exe, which seemed to be just sitting there.
Today, I debated whether to try to cure it but was not sure whether to rename, delete, or move it, so I exited without neutralizing the threat before closing, as I did yesterday.
I don't know what InstallHelper is supposed to do or how critical it is for my daughter. If it is legitimate and got infected, I suppose it can always be obtained again from the original source.
The log for Dr Web is:
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably DLOADER.Trojan;;
The HijackThis log made after running Fixes:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:24 AM, on 10/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\NuvaTime\NuvaTime(tm).exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Melanie Lewis\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NuvaTime(tm).lnk = C:\Program Files\NuvaTime\NuvaTime(tm).exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://games.myspace.com/gameshell/games/channel--110343720/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159578987937
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 9740 bytes
Hi,
That file most likely is ok. I was looking for something else, but since Dr Web didn't find anything it looks like you're good to go.
You can delete all the tools we used in the beginning, win32kdiag and inherit; just drag them to the trash.
RootRepeal <---Drag it to the trash
TFC <--Yours to keep, run it about once a week to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
Safe Surfn
Ken
Ken:
Many thanks for your help and for the suggested reading. I will make sure my daughter learns more about safe computing.
I still have on the computer:
SuperAntiSpyware
HiJackThis
DrWeb-CureIt
None are listed in the uninstall list in Control Panel and have no obvious way to uninstall.
If I don't need to keep them, is it sufficient to merely delete these programs from the desktop?
You mention TFC and that I should run it once a week to clean out the clutter. Which program is this?
I shall be working to gain access to the Internet so that I can install Spybot, AVG, etc.
Again, many thanks. I will be returning to the forum with a question on my computer that I believe may have gotten infected in the process of fixing my daughter's.
I can remove HiJackThis and SuperAntiSpyware from the Control Panel.
TFC <--My bad, another great free program for you to use, it cleans out all the temp files and other not needed junk that tends to slow a system down.
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.
You can post to have your other computer checked, don't reply to this thread, just start a new topic and one of our great staff will reply
Take Care,
Ken :)
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.