Browser Hijack, no removal programmes will run!

silver-tongue · Sep 21, 2009

Hi folks.

Hoping for a speedy recovery of my infected laptop. Appears to be a browser hijacker which didnt respond to any avg removal attempts. Since then I installed Spybot S&D, Hijack This, Malwarebytes & Kaspersky however not on of them will run due to the error "Windows cannot access the specified device, path or file...".

Noticed on another thread someone being asked to run Win32kDiag.exe so I have done this and the following report was produced, not much though:

Running from: C:\Users\Desktop\Win32kDiag.exe

Log file at : C:\Users\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5B.tmp\ZAPF5B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-09-21 14:46:40 12 C:\Windows\bthservsdp.dat ()

Can someone pls advise asap. Thanks

:

ken545 · Sep 23, 2009

Hello silver-tongue

Welcome to Safer Networking.

Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

If you still have win32Kdiag on your desktop than the download is not needed

Please save this file to your Desktop <-- Important.
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

silver-tongue · Sep 24, 2009

Logs

Hi Ken, thanks for helping. Please find below the requested log results:-

........................................................................................................
exeHelper by Raktor - 09
Build 20090919
Run at 10:13:58 on 09/24/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
........................................................................................................

Running from: C:\Users\Imran\Desktop\win32kdiag.exe

Log file at : C:\Users\Imran\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5B.tmp\ZAPF5B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF5B.tmp\ZAPF5B.tmp

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Found mount point : C:\Windows\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Debug\UserMode\UserMode

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ftpcache\ftpcache

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\OEM\OEM

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Minidump\Minidump

Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\nap\configuration\configuration

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Panther\setup.exe\setup.exe

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\RegisteredPackages\{3695EB93-6443-448D-8E2E-1F6F4FC79BC1}\{3695EB93-6443-448D-8E2E-1F6F4FC79BC1}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\RegisteredPackages\{3695EB93-6443-448D-8E2E-1F6F4FC79BC1}\{3695EB93-6443-448D-8E2E-1F6F4FC79BC1}

Found mount point : C:\Windows\RegisteredPackages\{89FDAB62-6F46-4C7E-A559-E00B9A0BACB6}\{89FDAB62-6F46-4C7E-A559-E00B9A0BACB6}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\RegisteredPackages\{89FDAB62-6F46-4C7E-A559-E00B9A0BACB6}\{89FDAB62-6F46-4C7E-A559-E00B9A0BACB6}

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Registration\CRMLog\CRMLog

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\logs\logs

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Sun\Java\Deployment\Deployment

Cannot access: C:\Windows\System32\cngaudit.dll

Attempting to restore permissions of : C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 10:46:03 61952 C:\Windows\System32\cngaudit.dll ()

[2] 2006-11-02 10:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2006-11-02 10:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-09-24 09:46:09 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-09-24 09:45:46 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-09-24 09:45:46 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-09-24 09:45:46 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-09-24 09:46:53 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()

Found mount point : C:\Windows\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Temp\Temp

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Found mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingDeletes\PendingDeletes

Finished!

Hope this helps!

:

ken545 · Sep 24, 2009

Hi,

So far so good. We need to run Combofix, follow the instructions for renaming it as this Rootkit will prevent it from running if not renamed.

Its important that you follow these instructions and rename Combofix as this Rootkit infection will stop it from running if its not renamed.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

silver-tongue · Sep 24, 2009

Internet connection

Hi Ken.

Followed your instructions and a CF log has been created however I cannot seem to get a wireless internet connection back. Have tried rebooting a number of times, and removing and adding wireless network however it only seems to connect on a local connection although it is saying connection successful. I am on another laptop on the same wireless network and it is ok.

notes:

1.I have no firewall or AV installed as I had avg and removed it to install Kaspersky which didnt run.
2. Once I ran CF it immediately rebooted my computer before running scans and producing the log. On trying to load ie I got the message "illegal operation" on rebooting this message has gone however still no connection.

Any suggestions?

ken545 · Sep 24, 2009

You can try running this, transfer it by disk to the infected computer. This is for WinXP, I never seen any logs stating what Operating System you have

Winsockxpfix

silver-tongue · Oct 2, 2009

Further logs

Sorry for the late response, internet has been off for a while. My operating system is Vista, I am still operating from a different laptop as other still wont connect to the internet.

I have attached the original Combo Fix log and also run and included a recent Exe helper and Win32kdiag logs which seems to have issues.

Pls advise what I should do next as this is driving me crazy.

Thanks Ken.

ken545 · Oct 2, 2009

ComboFix 09-09-23.02 - Imran 24/09/2009 12:32.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1014.353 [GMT 1:00]
Running from: c:\users\Imran\Desktop\CF.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-106157299-751495278-3244335930-1001
c:\$recycle.bin\S-1-5-21-1326500012-3462953451-1868905146-500
c:\$recycle.bin\S-1-5-21-2139252429-1018222934-1169608220-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\windows\Installer\209b6.msi
c:\windows\Installer\WMEncoder.msi

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-08-24 to 2009-09-24 )))))))))))))))))))))))))))))))
.

2009-09-24 11:39 . 2009-09-24 12:02 -------- d-----w- c:\users\Imran\AppData\Local\temp
2009-09-24 11:39 . 2009-09-24 11:39 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-09-24 11:39 . 2009-09-24 11:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-24 11:39 . 2009-09-24 11:39 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-09-23 14:26 . 2009-09-23 14:41 219 ----a-w- c:\windows\system32\nk.dat
2009-09-23 14:26 . 2009-09-23 14:26 45 ----a-w- c:\windows\system32\ca.dat
2009-09-23 12:26 . 2009-09-23 12:26 2381452 ----a-w- C:\MGtools.exe
2009-09-23 12:11 . 2009-09-23 12:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-23 12:09 . 2009-09-23 12:09 -------- d-----w- c:\users\Imran\AppData\Roaming\SUPERAntiSpyware.com
2009-09-22 16:04 . 2009-09-22 16:04 1 ----a-w- c:\windows\system32\jc.dat
2009-09-22 16:04 . 2009-09-22 16:04 1 ----a-w- c:\windows\system32\idm.dat
2009-09-22 16:04 . 2009-09-22 16:04 1 ----a-w- c:\windows\system32\c2d.dat
2009-09-22 14:06 . 2009-09-22 14:06 -------- d-----w- c:\users\Administrator\AppData\Local\Adobe
2009-09-21 16:10 . 2009-09-21 16:10 70008 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-21 16:10 . 2009-09-21 16:10 680 ----a-w- c:\users\Administrator\AppData\Local\d3d9caps.dat
2009-09-21 15:29 . 2009-09-21 15:29 -------- d-----w- c:\users\Imran\AppData\Roaming\Malwarebytes
2009-09-21 15:29 . 2009-09-21 15:29 -------- d-----w- c:\programdata\Malwarebytes
2009-09-21 12:16 . 2009-09-22 13:43 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-21 10:04 . 2009-09-24 08:45 0 ----a-r- c:\windows\win32k.sys
2009-09-15 16:11 . 2009-09-22 13:06 -------- d-----w- c:\users\Imran\AppData\Roaming\vlc
2009-09-15 16:09 . 2009-09-15 16:09 -------- d-----w- c:\program files\VideoLAN
2009-09-15 16:01 . 2008-12-31 23:00 60273 ----a-w- c:\windows\system32\

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-24 11:24 . 2008-07-15 17:26 -------- d-----w- c:\users\Imran\AppData\Roaming\uTorrent
2009-09-23 14:56 . 2008-07-17 17:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-21 17:55 . 2007-09-12 19:44 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-15 16:31 . 2007-09-12 20:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-10 21:49 . 2008-07-05 16:39 -------- d-----w- c:\users\Imran\AppData\Roaming\LimeWire
2009-08-16 08:57 . 2009-06-12 18:06 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-07-11 11:08 . 2009-07-11 11:08 70671 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2007-07-13 10:29 . 2007-03-07 12:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-11 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-11 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-11 133912]
"UpdateP2GShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2007-07-26 202024]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-11 4468736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Reminder_MUI"=c:\applications\oem\Reminder\Reminder_MUI.exe
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{DB17032A-72F1-4034-9133-F90A506DE44A}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{73766817-4B1C-4C15-A646-0082A58D7C9A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{DE1DB5E1-5552-4F28-955A-CE45CEA714B3}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{E0164BE8-28AA-4B76-853A-54E4268D6264}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{97F4E5B3-388B-41EC-888C-3B80A1BC4A29}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{A98F439B-8BBE-4E6E-A224-7AEE1965C1B8}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{761B856F-E56E-4079-B7F9-164276786628}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{DBDABDBC-672F-466E-A9BC-F3A5E48B35C7}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{E7B83E5D-CD5D-46E5-B28C-7F8409B8C9E9}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{CB5A0FC8-AA68-44FE-9EB4-C4DB62F8CB21}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{42B30F01-6D9F-4ADB-A7CD-3C4FF041E0A3}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{272ECB0B-A0CF-4A53-B30F-A0D431EECC15}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{54F79208-AAE6-4CE6-8DE2-6D4826BEB402}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{52724D76-F7AF-45C6-9C80-481FE626B015}"= UDP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.2
"{05CCF084-11DF-46F8-8C2E-984735055377}"= TCP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.2
"TCP Query User{640A9E44-1C67-4E20-9706-724194494D9A}c:\\program files\\sony ericsson\\update service\\update service.exe"= UDP:c:\program files\sony ericsson\update service\update service.exe:Update Service
"UDP Query User{5311A6B2-221E-4080-86EC-9D3F1C8E9770}c:\\program files\\sony ericsson\\update service\\update service.exe"= TCP:c:\program files\sony ericsson\update service\update service.exe:Update Service
"{ADF28531-FB3C-48D7-A9A7-84C7D43FEE51}"= UDP:c:\program files\AVG\AVG8\avgtray.exe:AVG Free Tray Icon
"{32F57E29-E5BE-4282-B5A5-27580D21F0C8}"= TCP:c:\program files\AVG\AVG8\avgtray.exe:AVG Free Tray Icon
"{B8069E41-9C04-443F-9423-BF6D6A870D46}"= UDP:c:\program files\AVG\AVG8\avgui.exe:AVG Free User Interface
"{0EFB4AB5-0B1B-4EA4-AB05-3CC5CEA7C6E6}"= TCP:c:\program files\AVG\AVG8\avgui.exe:AVG Free User Interface
"{906FA583-4ECB-4F7F-B247-B61C0B68F1CE}"= UDP:c:\program files\Adobe\Adobe Bridge CS3\Bridge.exe:Adobe Bridge CS3
"{76D05A7B-954A-4D83-8DFB-D3B132B5A34D}"= TCP:c:\program files\Adobe\Adobe Bridge CS3\Bridge.exe:Adobe Bridge CS3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [24/09/2008 19:06 598856]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [26/02/2008 09:17 493568]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\System32\drivers\ggflt.sys [24/01/2009 21:24 10976]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\System32\drivers\s1018bus.sys [24/01/2009 20:15 90408]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\System32\drivers\s1018mdfl.sys [24/01/2009 20:15 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\System32\drivers\s1018mdm.sys [24/01/2009 20:15 122024]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s1018mgmt.sys [24/01/2009 20:15 115368]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\System32\drivers\s1018nd5.sys [24/01/2009 20:15 25768]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\System32\drivers\s1018obex.sys [24/01/2009 20:15 111784]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\System32\drivers\s1018unic.sys [24/01/2009 20:15 117544]
S3 wrssweep;Webroots Volume Access Driver;c:\program files\Webroot\Washer\wrSSweep.sys [04/10/2008 10:32 21832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-09-24 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 08:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {532F6469-0149-478F-969C-4C7D1B33DEDC} = 194.168.4.100,194.168.8.100
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 13:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2009-09-24 13:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-24 12:05

Pre-Run: 17,783,996,416 bytes free
Post-Run: 17,580,675,072 bytes free

197 --- E O F --- 2009-07-06 16:46

ken545 · Oct 2, 2009

Good Morning,

Please copy and paste your logs and reports into this thread and do not attach them, its easier for me to diagnose them this way.

This is how you most likely got infected, uninstall them from your Add Remove Programs in the Control Panel.
c:\program files\LimeWire
c:\program files\utorrent

FYI, doing what I do, my last vacation visiting friends I cleaned 5 computers for people who's kids downloaded music and what not from sites like Limewire. Your downloading files from an unknown source, who knows whats attached or bundled with that file, it like playing Russian Roulette Malwarewise.

Read this please.

We have noticed that many people seeking help from us are coming with infections contracted from the use of P2P programs.

Because of this, we changed our malware forum's policy on the use of P2P file sharing programs.

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

If we clean your computer of infection, and you return to us a short time later with an infection contracted by the use of P2P programs, volunteer analysts will refuse their help.

We do not ask you to do this without reason.

P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld.com/article/07/09/06/...ID-theft_1.html

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

Code:

File::
c:\windows\system32\nk.dat
c:\windows\system32\ca.dat
c:\windows\system32\jc.dat
c:\windows\system32\idm.dat
c:\windows\system32\c2d.dat
C:\MGtools.exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

You can transfer this to disk to the infected computer and run it, you can bypass the updates as it will be fairly current when you download it.

Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

Post the report and also a new HJT log please

Post here in our sister site for help in getting you back online
http://forums.whatthetech.com/Browsers_Internet_email_f123.html

Ken

silver-tongue · Oct 2, 2009

Logs

Pls find below the combo fix log followed by HJT log and finally the Mbam log.
............................................................................................................
ComboFix 09-09-23.02 - Imran 02/10/2009 13:34.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1014.266 [GMT 1:00]
Running from: c:\users\Imran\Desktop\CF.exe
Command switches used :: c:\users\Imran\Desktop\CFScript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
"c:\MGtools.exe"
"c:\windows\system32\c2d.dat"
"c:\windows\system32\ca.dat"
"c:\windows\system32\idm.dat"
"c:\windows\system32\jc.dat"
"c:\windows\system32\nk.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\MGtools.exe
c:\windows\system32\c2d.dat
c:\windows\system32\ca.dat
c:\windows\system32\idm.dat
c:\windows\system32\jc.dat
c:\windows\system32\nk.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-10-02 12:36 . 2009-10-02 12:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-02 12:36 . 2009-10-02 12:36 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-10-02 12:36 . 2009-10-02 12:36 -------- d-----w- c:\users\Leanne\AppData\Local\temp
2009-10-02 12:36 . 2009-10-02 12:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-02 12:36 . 2009-10-02 12:36 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-09-24 11:39 . 2009-10-02 12:36 -------- d-----w- c:\users\Imran\AppData\Local\temp
2009-09-23 12:11 . 2009-09-23 12:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-23 12:09 . 2009-09-23 12:09 -------- d-----w- c:\users\Imran\AppData\Roaming\SUPERAntiSpyware.com
2009-09-22 14:06 . 2009-09-22 14:06 -------- d-----w- c:\users\Administrator\AppData\Local\Adobe
2009-09-21 16:10 . 2009-09-21 16:10 70008 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-21 16:10 . 2009-09-21 16:10 680 ----a-w- c:\users\Administrator\AppData\Local\d3d9caps.dat
2009-09-21 15:29 . 2009-09-21 15:29 -------- d-----w- c:\users\Imran\AppData\Roaming\Malwarebytes
2009-09-21 15:29 . 2009-09-21 15:29 -------- d-----w- c:\programdata\Malwarebytes
2009-09-21 12:16 . 2009-09-22 13:43 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-21 10:04 . 2009-09-24 08:45 0 ----a-r- c:\windows\win32k.sys
2009-09-15 16:11 . 2009-09-22 13:06 -------- d-----w- c:\users\Imran\AppData\Roaming\vlc
2009-09-15 16:09 . 2009-09-15 16:09 -------- d-----w- c:\program files\VideoLAN
2009-09-15 16:01 . 2008-12-31 23:00 60273 ----a-w- c:\windows\system32\pthreadGC2.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 12:27 . 2009-01-24 22:20 -------- d-----w- c:\program files\LimeWire
2009-09-24 11:24 . 2008-07-15 17:26 -------- d-----w- c:\users\Imran\AppData\Roaming\uTorrent
2009-09-23 14:56 . 2008-07-17 17:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-21 17:55 . 2007-09-12 19:44 12 ----a-w- c:\windows\bthservsdp.dat
2009-09-15 16:31 . 2007-09-12 20:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-10 21:49 . 2008-07-05 16:39 -------- d-----w- c:\users\Imran\AppData\Roaming\LimeWire
2009-08-16 08:57 . 2009-06-12 18:06 85504 ----a-w- c:\windows\system32\ff_vfw.dll
2009-07-11 11:08 . 2009-07-11 11:08 70671 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2007-07-13 10:29 . 2007-03-07 12:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_12.02.13 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-12 20:05 . 2009-09-24 11:27 48814 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2007-09-12 20:05 . 2009-10-02 10:00 48814 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-02 10:00 70220 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-18 13:39 . 2009-10-02 08:59 13520 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-106157299-751495278-3244335930-1000_UserData.bin
- 2008-06-18 13:34 . 2009-09-24 09:03 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-18 13:34 . 2009-10-02 12:32 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-18 13:34 . 2009-10-02 12:32 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-18 13:34 . 2009-09-24 09:03 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-18 13:34 . 2009-09-24 09:03 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-18 13:34 . 2009-10-02 12:32 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-09-12 20:18 . 2009-09-21 10:19 2922 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2007-09-12 20:18 . 2009-09-25 17:19 2922 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-10-02 09:58 . 2009-10-02 09:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-24 11:41 . 2009-09-24 11:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-09-24 11:41 . 2009-09-24 11:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-02 09:58 . 2009-10-02 09:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-25 08:18 . 2009-10-02 12:24 260356 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2009-10-02 11:29 603282 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-21 08:56 603282 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-21 08:56 106696 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-02 11:29 106696 c:\windows\System32\perfc009.dat
- 2006-11-02 12:47 . 2009-06-12 18:37 1624952 c:\windows\System32\FNTCACHE.DAT
+ 2006-11-02 12:47 . 2009-10-02 09:59 1624952 c:\windows\System32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-11 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-11 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-11 133912]
"UpdateP2GShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2007-07-26 202024]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-11 4468736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Reminder_MUI"=c:\applications\oem\Reminder\Reminder_MUI.exe
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{DB17032A-72F1-4034-9133-F90A506DE44A}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{73766817-4B1C-4C15-A646-0082A58D7C9A}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{DE1DB5E1-5552-4F28-955A-CE45CEA714B3}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{E0164BE8-28AA-4B76-853A-54E4268D6264}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{97F4E5B3-388B-41EC-888C-3B80A1BC4A29}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{A98F439B-8BBE-4E6E-A224-7AEE1965C1B8}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{761B856F-E56E-4079-B7F9-164276786628}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{DBDABDBC-672F-466E-A9BC-F3A5E48B35C7}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{E7B83E5D-CD5D-46E5-B28C-7F8409B8C9E9}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{CB5A0FC8-AA68-44FE-9EB4-C4DB62F8CB21}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{54F79208-AAE6-4CE6-8DE2-6D4826BEB402}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{52724D76-F7AF-45C6-9C80-481FE626B015}"= UDP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.2
"{05CCF084-11DF-46F8-8C2E-984735055377}"= TCP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:Sony Ericsson Media Manager 1.2
"TCP Query User{640A9E44-1C67-4E20-9706-724194494D9A}c:\\program files\\sony ericsson\\update service\\update service.exe"= UDP:c:\program files\sony ericsson\update service\update service.exe:Update Service
"UDP Query User{5311A6B2-221E-4080-86EC-9D3F1C8E9770}c:\\program files\\sony ericsson\\update service\\update service.exe"= TCP:c:\program files\sony ericsson\update service\update service.exe:Update Service
"{ADF28531-FB3C-48D7-A9A7-84C7D43FEE51}"= UDP:c:\program files\AVG\AVG8\avgtray.exe:AVG Free Tray Icon
"{32F57E29-E5BE-4282-B5A5-27580D21F0C8}"= TCP:c:\program files\AVG\AVG8\avgtray.exe:AVG Free Tray Icon
"{B8069E41-9C04-443F-9423-BF6D6A870D46}"= UDP:c:\program files\AVG\AVG8\avgui.exe:AVG Free User Interface
"{0EFB4AB5-0B1B-4EA4-AB05-3CC5CEA7C6E6}"= TCP:c:\program files\AVG\AVG8\avgui.exe:AVG Free User Interface
"{906FA583-4ECB-4F7F-B247-B61C0B68F1CE}"= UDP:c:\program files\Adobe\Adobe Bridge CS3\Bridge.exe:Adobe Bridge CS3
"{76D05A7B-954A-4D83-8DFB-D3B132B5A34D}"= TCP:c:\program files\Adobe\Adobe Bridge CS3\Bridge.exe:Adobe Bridge CS3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [24/09/2008 19:06 598856]
R3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\System32\drivers\netr73.sys [26/02/2008 09:17 493568]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\System32\drivers\ggflt.sys [24/01/2009 21:24 10976]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\System32\drivers\s1018bus.sys [24/01/2009 20:15 90408]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\System32\drivers\s1018mdfl.sys [24/01/2009 20:15 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\System32\drivers\s1018mdm.sys [24/01/2009 20:15 122024]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s1018mgmt.sys [24/01/2009 20:15 115368]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\System32\drivers\s1018nd5.sys [24/01/2009 20:15 25768]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\System32\drivers\s1018obex.sys [24/01/2009 20:15 111784]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\System32\drivers\s1018unic.sys [24/01/2009 20:15 117544]
S3 wrssweep;Webroots Volume Access Driver;c:\program files\Webroot\Washer\wrSSweep.sys [04/10/2008 10:32 21832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 08:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {532F6469-0149-478F-969C-4C7D1B33DEDC} = 194.168.4.100,194.168.8.100
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 13:36
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-02 13:39
ComboFix-quarantined-files.txt 2009-10-02 12:38
ComboFix2.txt 2009-09-24 12:06

Pre-Run: 17,607,471,104 bytes free
Post-Run: 17,360,404,480 bytes free

211 --- E O F --- 2009-07-06 16:46
............................................................................................................
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:59, on 02/10/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\TouchFreeze\TouchFreeze.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Imran\Desktop\HJT.exe.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [UpdateP2GShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe "C:\Program Files\CyberLink\Power2Go" update "SOFTWARE\CyberLink\Power2Go\5.0"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{532F6469-0149-478F-969C-4C7D1B33DEDC}: NameServer = 194.168.4.100,194.168.8.100
O20 - AppInit_DLLs: C:\Windows\System32\acaptuser32.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 6432 bytes
............................................................................................................
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.0.6001 Service Pack 1

02/10/2009 13:50:47
mbam-log-2009-10-02 (13-50-47).txt

Scan type: Quick Scan
Objects scanned: 99276
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Mcx1\Desktop\AV Care.lnk (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
............................................................................................................

I hope these help, I have also posted in the advised site re: my internet connection.

ken545 · Oct 2, 2009

Thanks for the reports, Malwarebytes found more junk and removed it.

When WhattheTech gets you internet access , post back here and we will run a online scan to check for leftovers.

Outside of no internet, how are things running now ?

Browser Hijack, no removal programmes will run!

silver-tongue

New member

ken545

Emeritus-Security Expert

silver-tongue

New member

ken545

Emeritus-Security Expert

silver-tongue

New member

ken545

Emeritus-Security Expert

silver-tongue

New member

ken545

Emeritus-Security Expert

ken545

Emeritus-Security Expert

silver-tongue

New member

ken545

Emeritus-Security Expert