Thread: Rootkit Max++ problem, can't use antiviruses or hijackthis

  1. #1
    Junior Member
    Join Date
    Oct 2009
    Posts
    16

    Rootkit Max++ problem, can't use antiviruses or hijackthis

    I'm usually pretty good at bug fixing but this one is a real pain.

    Also, hijackthis will not work: as soon as it starts to scan it shuts itself down, and I can't copy anything.

    Cause - tried downloading a movie online, not sure what the site was

    Effects -

    Spybot has become a read-only file and is impossible to use. When I reinstall under a different name in a different folder it works until it is about to scan then shuts itself off and becomes another read-only file. The hidden .scr file cannot be located.

    Clicking on unprotected links will redirect to random advertising websites like mom.com and other useless garbage. I have massive slowdown and the computer crashes all the time.

    I tried downloading AVG and it located the viruses and trojans, said they were removed, and after I rebooted it was the same problem as before. Except now when I use AVG it freezes up when it's about to scan the infected files. I could really use some help on this one. Can't seem to get anything working.

    Here is a copy of my Gmer and win32kdiag

    GMER 1.0.15.15163 - http://www.gmer.net
    Rootkit scan 2009-10-22 17:47:16
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\CARLGR~1\LOCALS~1\Temp\fwryrpod.sys


    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwCreateKey [0xF847E0B0]
    SSDT sptd.sys ZwEnumerateKey [0xF848384C]
    SSDT sptd.sys ZwEnumerateValueKey [0xF8483BEC]
    SSDT sptd.sys ZwOpenKey [0xF847E090]
    SSDT sptd.sys ZwQueryKey [0xF8483CC4]
    SSDT sptd.sys ZwQueryValueKey [0xF8483B44]
    SSDT sptd.sys ZwSetValueKey [0xF8483D56]

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    .text USBPORT.SYS!DllUnload F79428AC 5 Bytes JMP 829C11B8
    ? win32k.sys:1 The system cannot find the file specified. !
    ? win32k.sys:2 The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1352] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\WINDOWS\System32\svchost.exe[1352] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\WINDOWS\System32\svchost.exe[1352] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\WINDOWS\Explorer.EXE[1916] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\WINDOWS\Explorer.EXE[1916] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\WINDOWS\Explorer.EXE[1916] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F8492580] sptd.sys
    IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F849252C] sptd.sys
    IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84ACAB8] sptd.sys
    IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F8492580] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F847EABA] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F847EC00] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F847EB82] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F847F72E] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F847F604] sptd.sys
    IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8491B9A] sptd.sys

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\System32\svchost.exe[1352] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    IAT C:\WINDOWS\System32\svchost.exe[1352] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    IAT C:\WINDOWS\Explorer.EXE[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    IAT C:\WINDOWS\Explorer.EXE[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[2468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[2468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 82BD71D8
    Device \Driver\usbuhci \Device\USBPDO-0 829C01D8
    Device \Driver\usbuhci \Device\USBPDO-1 829C01D8
    Device \Driver\usbuhci \Device\USBPDO-2 829C01D8
    Device \Driver\usbehci \Device\USBPDO-3 8299E1D8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 82B681D8
    Device \Driver\Cdrom \Device\CdRom0 829501D8
    Device \Driver\Cdrom \Device\CdRom1 829501D8
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8286B980
    Device \Driver\NetBT \Device\NetbiosSmb 8286B980
    Device \Driver\NetBT \Device\NetBT_Tcpip_{B51E43F1-0056-46D6-88FD-80BE7E138B70} 8286B980
    Device \Driver\usbuhci \Device\USBFDO-0 829C01D8
    Device \Driver\usbuhci \Device\USBFDO-1 829C01D8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82868980
    Device \Driver\usbuhci \Device\USBFDO-2 829C01D8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 82868980
    Device \Driver\usbehci \Device\USBFDO-3 8299E1D8
    Device \Driver\Ftdisk \Device\FtControl 82B681D8
    Device \FileSystem\Cdfs \Cdfs FF6683E8
    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1124] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1216] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1272] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [1280] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1352] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1916] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1976] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2468] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2620] 0x35670000

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1967336333
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -848722675
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x31 0x55 0xC5 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA0 0x64 0x2E 0xBE ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x31 0x55 0xC5 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA0 0x64 0x2E 0xBE ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x31 0x55 0xC5 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA0 0x64 0x2E 0xBE ...

    ---- EOF - GMER 1.0.15 ----

    Running from: C:\Documents and Settings\Carl Griesser\My Documents\Downloads\Win32kDiag.exe

    Log file at : C:\Documents and Settings\Carl Griesser\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...



    Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\addins\addins

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP10E.tmp\ZAP10E.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\temp\temp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\assembly\tmp\tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Config\Config

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ftpcache\ftpcache

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imejp\applets\applets

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\ime\imejp98\imejp98

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\java\trustlib\trustlib

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\mui\mui

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QHEADLES\QHEADLES

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\PCHealth\ErrorRep\QSIGNOFF\QSIGNOFF

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\PCHealth\ErrorRep\UserDumps\UserDumps

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\RegisteredPackages\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9b9c80e2f055ce97c0f0b65924ea9f29\backup\backup

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

    Mount point destination : \Device\__max++>\^

    Cannot access: C:\WINDOWS\system32\eventlog.dll

    [1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

    [1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

    [1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

    [2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



    Found mount point : C:\WINDOWS\Temp\9d43ab99-d1d5-457d-98df-f6da1f2e59ff\9d43ab99-d1d5-457d-98df-f6da1f2e59ff

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Temp\beb9832c-8b0d-47f9-83c4-15d6e4748733\beb9832c-8b0d-47f9-83c4-15d6e4748733

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\WDM\COMMON\COMMON

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\WDM\LANG\LANG

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Temp\CTZAPXX\Drivers\WDM\WIN2K_XP\Data\Data

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\Temp\{49F609AE-FA37-4DAC-8736-5E373C4F8298}\{49F609AE-FA37-4DAC-8736-5E373C4F8298}

    Mount point destination : \Device\__max++>\^

    Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

    Mount point destination : \Device\__max++>\^



    Finished!
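    As an added example (not part of the thread, and not a GMER or Win32kDiag feature), here is a small Python triage script that pulls the user-mode inline hooks, IAT patches and hidden libraries out of a GMER log like the one above and groups them by the module they point to, so one injected DLL hooking many processes shows up as a single finding. The embedded sample lines are copied from that log.

```python
"""Triage helper for a GMER rootkit-scan log.

Groups user-mode inline hooks, IAT patches and hidden libraries by the module
they point to, so that one injected DLL hooking many processes shows up as a
single finding instead of dozens of scattered lines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the GMER log posted above.
SAMPLE_GMER_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1352] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
.text C:\WINDOWS\Explorer.EXE[1916] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1916] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2468] 0x35670000
"""

# The module every sample line points at (taken from the log above).
SAMPLE_HOOK_MODULE = r"\\?\globalroot\Device\__max++>\4BB9D32A.x86.dll"

# ".text <process>[<pid>] <dll>!<api> + <off> <addr> <n> Bytes CALL|JMP <addr> <target module>"
INLINE_HOOK = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<api>\S+!\S+) \+ [0-9A-F]+ "
    r"[0-9A-F]+ \d+ Bytes (?:CALL|JMP) [0-9A-F]+ (?P<target>\S+)$")
# "IAT <process>[<pid>] @ <importing dll> [<dll>!<api>] [<addr>] <target module>"
IAT_PATCH = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ .+? \[(?P<api>[^\]]+)\] "
    r"\[[0-9A-F]+\] (?P<target>\S+)$")
# "Library <module> (*** hidden *** ) @ <process> [<pid>] 0x<base>"
HIDDEN_LIB = re.compile(
    r"^Library (?P<target>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<proc>.+?) "
    r"\[(?P<pid>\d+)\] 0x[0-9A-F]+$")


@dataclass
class HookedModule:
    path: str
    pids: set = field(default_factory=set)         # processes it was found in
    hooked_apis: set = field(default_factory=set)  # APIs redirected into it
    hidden: bool = False                           # GMER marked it "*** hidden ***"

    @property
    def from_device_namespace(self) -> bool:
        # A DLL mapped from \\?\globalroot\Device\... rather than a drive letter
        # lives on a device object the rootkit created, not on a file system
        # path the user can browse or delete.
        return self.path.lower().startswith(r"\\?\globalroot\device")


def triage_gmer(log_text: str) -> dict:
    """Return {module path: HookedModule} for every hook target in the log."""
    modules = {}

    def entry(path):
        return modules.setdefault(path, HookedModule(path))

    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := INLINE_HOOK.match(line) or IAT_PATCH.match(line)):
            e = entry(m["target"])
            e.pids.add(int(m["pid"]))
            e.hooked_apis.add(m["api"])
        elif (m := HIDDEN_LIB.match(line)):
            e = entry(m["target"])
            e.pids.add(int(m["pid"]))
            e.hidden = True
    return modules


def suspicious_modules(modules: dict) -> list:
    """Hook targets that are hidden from the loader or mapped from a device namespace."""
    return sorted(m.path for m in modules.values()
                  if m.hidden or m.from_device_namespace)


if __name__ == "__main__":
    for mod in triage_gmer(SAMPLE_GMER_LOG).values():
        print(f"{mod.path}\n  hidden={mod.hidden} device_namespace={mod.from_device_namespace}")
        print(f"  pids={sorted(mod.pids)}\n  apis={sorted(mod.hooked_apis)}")
```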

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello

    Welcome to Safer Networking.

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


    Don't get ahead of me now, we need to do this in order.

    Make sure Win32kdiag.exe is still on your desktop.

    Click Start>Run and type the following bolded text into the Run box and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    When it has finished, post the log it produces.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Oct 2009
    Posts
    16

    Response

    the current response is

    Running from: C:\Documents and Settings\Carl Griesser\desktop\win32kdiag.exe

    Log file at : C:\Documents and Settings\Carl Griesser\Desktop\Win32kDiag.txt

    Removing all found mount points.

    Attempting to reset file permissions.

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hi,

    Run both these programs and post the log, they won't take long.

    Please download exeHelper to your desktop.

    Double-click on exeHelper.com to run the fix.
    A black window should pop up, press any key to close once the fix is completed.
    Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Open up notepad and copy and paste the bolded text into it.


    @ECHO OFF
    DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
    START Log.txt
    DEL %0


    Then click File > Save As and name the file Peak.bat.
    Save it to your desktop and double click it to run; it will produce a log. Please post it.
    It should look like this:

  5. #5
    Junior Member
    Join Date
    Oct 2009
    Posts
    16


    Ken, when I use your link to exehelper it says the file isn't found. My secureit antiviral software also detects a virus trying to be downloaded at the same time.

    I'm assuming this is another redirect problem. What should I do?

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Skip exehelper for now and run Peak.bat

  7. #7
    Junior Member
    Join Date
    Oct 2009
    Posts
    16


    I'm dumb. Sorry. Posting the log now

    exeHelper by Raktor
    Build 20091021
    Run at 11:43:21 on 10/25/09
    Now searching...
    Checking for numerical processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PopRock
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Thanks for being patient. This is all new to me. And thanks in advance for all of the help.

    ~Carl.

  8. #8
    Junior Member
    Join Date
    Oct 2009
    Posts
    16


    peak.bat log

    Volume in drive C has no label.
    Volume Serial Number is 1089-8B62

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    08/04/2004 03:56 AM 180,224 scecli.dll

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    08/04/2004 03:56 AM 407,040 netlogon.dll

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    08/04/2004 03:56 AM 55,808 eventlog.dll
    3 File(s) 643,072 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    04/13/2008 08:12 PM 181,248 scecli.dll

    Directory of C:\WINDOWS\ServicePackFiles\i386

    04/13/2008 08:12 PM 407,040 netlogon.dll

    Directory of C:\WINDOWS\ServicePackFiles\i386

    04/13/2008 08:11 PM 56,320 eventlog.dll
    3 File(s) 644,608 bytes

    Directory of C:\WINDOWS\system32

    04/13/2008 08:12 PM 181,248 scecli.dll

    Directory of C:\WINDOWS\system32

    04/13/2008 08:12 PM 407,040 netlogon.dll

    Directory of C:\WINDOWS\system32

    04/13/2008 08:11 PM 56,320 eventlog.dll
    3 File(s) 644,608 bytes

    Directory of C:\WINDOWS\system32\dllcache

    04/13/2008 08:11 PM 56,320 eventlog.dll
    1 File(s) 56,320 bytes

    Total Files Listed:
    10 File(s) 1,988,608 bytes
    0 Dir(s) 44,023,418,880 bytes free
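    Added example, not from the thread and not part of Win32kDiag or Peak.bat: a Python script that performs the comparison those two steps are used for here, checking the live system32 copy of each DLL against the ServicePackFiles and dllcache backups by size and by the embedded vendor string. The first sample is constructed from the eventlog.dll block in the Win32kDiag log in post #1 (where the live copy is 61952 bytes with no version info), the second from the Peak.bat output above (where all copies agree).

```python
"""Cross-check the live copy of a Windows system DLL against its backups.

Windows XP keeps pristine copies of core DLLs in the ServicePackFiles and
dllcache directories. A patched DLL stands out when the copies are compared
by size and by the vendor string Win32kDiag prints in parentheses.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the eventlog.dll block from the Win32kDiag log in post #1.
SAMPLE_WIN32KDIAG = r"""
Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
"""

# Constructed sample: part of the Peak.bat (DIR /a/s) output above.
SAMPLE_DIR_LOG = r"""
 Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008  08:11 PM            56,320 eventlog.dll

 Directory of C:\WINDOWS\system32

04/13/2008  08:11 PM            56,320 eventlog.dll

 Directory of C:\WINDOWS\system32\dllcache

04/13/2008  08:11 PM            56,320 eventlog.dll
"""

# "[n] YYYY-MM-DD HH:MM:SS <size> <path> (<vendor>)"
WIN32KDIAG_LINE = re.compile(
    r"^\[\d\] \d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<size>\d+) (?P<path>.+?) \((?P<vendor>[^)]*)\)$")
DIR_HEADER = re.compile(r"^Directory of (?P<dir>.+)$")
# "MM/DD/YYYY HH:MM AM|PM <size with commas> <name>"
DIR_FILE = re.compile(r"^\d\d/\d\d/\d{4} +\d\d:\d\d [AP]M +(?P<size>[\d,]+) (?P<name>\S+)$")


@dataclass(frozen=True)
class FileCopy:
    path: str
    size: int
    vendor: Optional[str]  # None when the source (DIR output) carries no version info

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_win32kdiag(text: str) -> list:
    """File copies listed under a Win32kDiag 'Cannot access' block."""
    copies = []
    for line in text.splitlines():
        if (m := WIN32KDIAG_LINE.match(line.strip())):
            copies.append(FileCopy(m["path"], int(m["size"]), m["vendor"]))
    return copies


def parse_dir_log(text: str) -> list:
    """File copies from 'DIR /a/s' output, joining each entry to its directory header."""
    copies, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := DIR_HEADER.match(line)):
            current = m["dir"]
        elif current and (m := DIR_FILE.match(line)):
            copies.append(FileCopy(current + "\\" + m["name"],
                                   int(m["size"].replace(",", "")), None))
    return copies


def is_live_copy(c: FileCopy) -> bool:
    return c.directory.endswith("\\system32")


def is_reference_copy(c: FileCopy) -> bool:
    # Service-pack and file-protection caches hold the version that should be live.
    return c.directory.endswith(("\\servicepackfiles\\i386", "\\system32\\dllcache"))


def find_tampered(copies: list) -> list:
    """(path, reason) for each live system32 DLL that disagrees with its backups."""
    by_name = {}
    for c in copies:
        by_name.setdefault(c.name, []).append(c)
    findings = []
    for name, group in sorted(by_name.items()):
        live = [c for c in group if is_live_copy(c)]
        refs = [c for c in group if is_reference_copy(c)]
        if not refs:  # fall back to older backups such as $NtServicePackUninstall$
            refs = [c for c in group if not is_live_copy(c)]
        if not live or not refs:
            continue
        ref_sizes = {r.size for r in refs}
        for c in live:
            reasons = []
            if c.size not in ref_sizes:
                reasons.append(f"size {c.size} vs backup copies {sorted(ref_sizes)}")
            if c.vendor == "" and any(r.vendor for r in refs):
                reasons.append("version info stripped")
            if reasons:
                findings.append((c.path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    print("Win32kDiag:", find_tampered(parse_win32kdiag(SAMPLE_WIN32KDIAG)))
    print("Peak.bat:  ", find_tampered(parse_dir_log(SAMPLE_DIR_LOG)))
```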

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Not a problem Carl, this can be confusing if you're not used to it. What we have been doing is chipping away at this rootkit so we can get a program that will remove it to run; we are almost there.


    Copy the text in the quote to Notepad:
    @SC CONFIG EVENTLOG START= DISABLED
    Save this as fix.bat, choosing "Save type as - All Files".
    Save it to your desktop.
    It should look like this:

    Double click on fix.bat & allow it to run.

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

  10. #10
    Junior Member
    Join Date
    Oct 2009
    Posts
    16


    Combofix log

    ComboFix 09-10-24.06 - Carl Griesser 10/25/2009 12:25.1.1 - NTFSx86
    Running from: c:\documents and settings\Carl Griesser\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Carl Griesser\Application Data\shc1n6j0ej99
    c:\documents and settings\Carl Griesser\Cookies\hijehosaza.ban
    c:\documents and settings\Carl Griesser\Cookies\jyhy.bin
    c:\documents and settings\Carl Griesser\Cookies\onimigig.pif
    c:\documents and settings\Carl Griesser\Local Settings\Application Data\ifegow.inf
    c:\documents and settings\Carl Griesser\Local Settings\Temporary Internet Files\hucuxugumi._sy
    c:\documents and settings\Carl Griesser\Local Settings\Temporary Internet Files\jykizep.scr
    c:\documents and settings\Carl Griesser\Local Settings\Temporary Internet Files\udepuz.bat
    c:\documents and settings\Carl Griesser\Local Settings\Temporary Internet Files\ujuhivab.lib
    c:\windows\etowu.reg
    c:\windows\wiaserviv.log
    c:\windows\ysovodotu._sy

    .
    ((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
    .

    2009-10-23 20:08 . 2009-10-23 20:08 -------- d-----w- c:\windows\system32\XPSViewer
    2009-10-23 20:07 . 2009-10-23 20:07 -------- d-----w- c:\program files\MSBuild
    2009-10-23 20:07 . 2009-10-23 20:07 -------- d-----w- c:\program files\Reference Assemblies
    2009-10-23 20:05 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-10-23 20:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-10-23 20:05 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-10-23 20:05 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-10-23 20:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-10-23 20:05 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-10-23 20:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-10-23 20:05 . 2009-10-23 20:06 -------- d-----w- C:\d193b42131cc88be1a42
    2009-10-23 19:47 . 2009-10-23 19:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2009-10-23 19:47 . 2009-10-23 19:47 -------- d-sh--w- c:\documents and settings\Carl Griesser\IETldCache
    2009-10-23 19:13 . 2009-08-29 08:08 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2009-10-23 19:13 . 2009-08-29 08:08 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2009-10-23 19:13 . 2009-10-25 07:01 -------- d-----w- c:\windows\ie8updates
    2009-10-23 19:13 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2009-10-23 19:07 . 2009-10-23 19:12 -------- dc-h--w- c:\windows\ie8
    2009-10-23 18:03 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
    2009-10-23 18:03 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2009-10-23 18:03 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2009-10-23 18:03 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2009-10-23 18:03 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2009-10-23 18:03 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
    2009-10-23 18:03 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2009-10-23 18:03 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2009-10-23 18:02 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2009-10-23 18:01 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2009-10-23 17:58 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
    2009-10-23 17:58 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2009-10-22 21:43 . 2009-10-22 21:43 -------- d-----w- C:\HijackThis
    2009-10-22 21:40 . 2009-10-22 21:40 -------- d-----w- c:\program files\Trend Micro
    2009-10-22 21:40 . 2009-10-22 21:40 396288 ----a-w- C:\HijackThis.exe
    2009-10-22 21:21 . 2009-10-22 21:21 -------- d-----w- C:\gmer
    2009-10-22 20:02 . 2009-10-22 20:04 -------- d-----w- c:\program files\Spybot1 - Search & Destroy
    2009-10-21 19:29 . 2009-10-21 19:29 -------- d-----w- c:\program files\AVG
    2009-10-21 17:04 . 2009-10-22 19:53 0 ----a-w- c:\windows\win32k.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-10-25 16:30 . 2004-10-09 00:50 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000003-00000000-00000001-00001102-00000004-10021102}.dat
    2009-10-25 16:30 . 2004-10-09 00:50 384 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-00000001-00001102-00000004-10021102}.dat
    2009-10-24 07:09 . 2004-10-23 18:09 36872 -c--a-w- c:\documents and settings\Carl Griesser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-22 20:02 . 2005-02-21 04:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-10-22 19:59 . 2009-09-15 18:18 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-21 17:29 . 2009-09-18 18:31 -------- d-----w- c:\program files\Turbine
    2009-10-19 18:44 . 2008-02-28 03:18 -------- d-----w- c:\documents and settings\Carl Griesser\Application Data\dvdcss
    2009-09-19 00:05 . 2009-09-19 00:05 136 ----a-w- c:\documents and settings\Carl Griesser\Local Settings\Application Data\fusioncache.dat
    2009-09-11 14:18 . 2002-09-03 16:46 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-08-29 08:08 . 2004-08-24 00:32 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
    2009-08-18 22:03 . 2009-08-18 22:03 19421 ----a-w- c:\windows\seroxonoty.pif
    2009-08-18 22:03 . 2009-08-18 22:03 16684 ----a-w- c:\program files\Common Files\olyhuxe.bin
    2009-08-18 22:03 . 2009-08-18 22:03 17682 ----a-w- c:\program files\Common Files\dexujigu.exe
    2009-08-18 22:03 . 2009-08-18 22:03 15774 ----a-w- c:\program files\Common Files\orakomemym.dl
    2009-08-18 22:03 . 2009-08-18 22:03 15547 ----a-w- c:\windows\system32\zadyce.scr
    2009-08-18 22:03 . 2009-08-18 22:03 15180 ----a-w- c:\program files\Common Files\syri.exe
    2009-08-18 22:03 . 2009-08-18 22:03 14167 ----a-w- c:\program files\Common Files\hazuqadaf.pif
    2009-08-18 22:03 . 2009-08-18 22:03 13626 ----a-w- c:\documents and settings\All Users\Application Data\afiz.bin
    2009-08-18 22:03 . 2009-08-18 22:03 12327 ----a-w- c:\program files\Common Files\utejece.ban
    2009-08-18 22:03 . 2009-08-18 22:03 11811 ----a-w- c:\documents and settings\All Users\Application Data\eryk.dll
    2009-08-18 22:03 . 2009-08-18 22:03 11087 ----a-w- c:\program files\Common Files\utunevysi._dl
    2009-08-18 22:03 . 2009-08-18 22:03 10744 ----a-w- c:\documents and settings\All Users\Application Data\zetog.scr
    2009-08-05 09:01 . 2002-09-03 16:46 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-05 00:44 . 2002-09-03 16:50 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-08-04 14:20 . 2002-08-29 01:04 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2009-07-29 04:37 . 2002-09-03 17:06 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-07-29 04:37 . 2002-09-03 16:33 81920 ----a-w- c:\windows\system32\fontsub.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-20 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-10-06 24576]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\utilities\Word\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiE
fr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Spooler"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\BitTorrent\\btdownloadgui.exe"=
    "c:\\Utilities\\BitTornado\\btdownloadgui.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Utilities\\WinDVD\\WinDVD.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\dplaysvr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Documents and Settings\\Carl Griesser\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
    "9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

    R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [10/8/2004 8:49 PM 12160]
    S2 gupdate1ca21badd4a53f0;Google Update Service (gupdate1ca21badd4a53f0);c:\program files\Google\Update\GoogleUpdate.exe [8/20/2009 1:22 PM 133104]
    S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [12/7/2006 10:59 AM 39048]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-10-25 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-20 17:20]

    2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-20 17:22]

    2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-20 17:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.cnn.com/
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} - hxxps://www.play.net/components/activex/AXSAL.ocx
    FF - ProfilePath - c:\documents and settings\Carl Griesser\Application Data\Mozilla\Firefox\Profiles\mgzpxuah.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
    FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
    HKLM-Run-hp 1000 firmware - c:\program files\hp LaserJet 1000\fwdl.exe
    Notify-pmnmnOEX - pmnmnOEX.dll
    SafeBoot-AVG Anti-Spyware Driver
    SafeBoot-AVG Anti-Spyware Guard
    AddRemove-Move Networks Player - IE - c:\documents and settings\Carl Griesser\Application Data\Move Networks\ie_bin\Uninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-10-25 12:31
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(796)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(3036)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    c:\windows\system32\wscntfy.exe
    c:\combofix\CF11106.exe
    c:\combofix\PEV.cfxxe
    .
    **************************************************************************
    .
    Completion time: 2009-10-25 12:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-10-25 16:35

    Pre-Run: 44,083,372,032 bytes free
    Post-Run: 44,479,193,088 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 1978DEA191FDB22E1FBB17CC8FE49A53



    But I still can't run HijackThis because it says I may not have the appropriate permissions to access the item, which I'm guessing is a result of the rootkit.
