Help! Interference with Antivirus, Spybot, HJT

Hey Ken,
I ran the rkill program and it worked as it is supposed to but when I tried to run Combofix again, the same thing happened. A bar was shown to be loading Combofix but after it finished and disappeared from the screen, I received no further prompts. All of this was done in Safe Mode with Networking.
 
Mandy, first I would like you to drag your copy of Combofix to the Recycle Bin, then follow these instructions to download and rename it. I am posting two sets of instructions: if the renamed Combofix still will not run in normal Windows or Safe Mode, then follow my second set of instructions. If Combofix runs, then disregard them.


Instructions Number One


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

CF_download_FF.gif



CF_download_rename.gif


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.




Instructions Number Two


We need to find this file, cngaudit.dll; it may be what is preventing Combofix from running.

You need to enable Windows to Show all Files and Folders.
Instructions for your Operating System HERE


Click Start > Computer > C: Drive > Windows > winsxs folder to open it. Then up at the top click on View and select Details.

Then look for this folder, open it, and inside you will see cngaudit.dll:
C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll <--This folder

Right click on cngaudit.dll and select COPY ( DO NOT SELECT CUT )

Then go back to your C:\ drive , go up to the top and select Edit > Paste.

So now you should have a copy of that file on your C: drive



Then.....

1. Please download The Avenger by Swandog46 and SAVE it to your Desktop.
  • After download has completed,
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the lines of text in the code box below (including blank lines and comments) to your Clipboard by highlighting them with your mouse, then Right clicking and choosing Copy:

Code:
Files to move:
c:\cngaudit.dll | c:\windows\system32\cngaudit.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage your system!



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  • Please delete C:\avenger <=this folder; Do NOT delete C:\avenger.txt <=this file

Please post the contents of C:\Avenger.txt and a new HJT log, please.
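
The copy-then-move step above restores cngaudit.dll from the WinSxS component store into System32 without checking what it is replacing. Below is an added example, not code from the thread and not part of ComboFix or The Avenger, that does the same restore on a modern system (it assumes an elevated PowerShell 4 or later session, and the folder-name prefix `x86_microsoft-windows-cngaudit-dll*` is taken from the path Ken gives above; the version/hash suffix varies per machine) but verifies the store copy's signature and compares hashes first, and keeps whatever was in System32 as evidence:

```powershell
# Added example (not from the thread, not ComboFix/Avenger code): restore cngaudit.dll
# from the WinSxS component store to System32 with checks before overwriting anything.
# Assumptions: elevated PowerShell 4+; the x86_microsoft-windows-cngaudit-dll_* folder
# name from the thread (its version/hash suffix differs from machine to machine).
$name     = 'cngaudit.dll'
$system32 = Join-Path $env:SystemRoot 'System32'
$target   = Join-Path $system32 $name

# Find every component-store copy; match the folder by prefix so the suffix does not matter.
$sources = Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Directory -Filter 'x86_microsoft-windows-cngaudit-dll*' |
    ForEach-Object { Join-Path $_.FullName $name } |
    Where-Object { Test-Path -LiteralPath $_ }

if (-not $sources) { throw "no copy of $name in WinSxS; use sfc /scannow or install media instead" }

# Only restore a copy whose signature checks out. Catalog-signed OS files report Valid on
# Windows 8+ / PowerShell 5; on older systems they can show NotSigned, so treat that as
# "verify by other means" rather than loosening the check.
$good = @($sources | Where-Object { (Get-AuthenticodeSignature -FilePath $_).Status -eq 'Valid' })
if ($good.Count -eq 0) { throw "no validly signed $name in WinSxS; refusing to restore blindly" }
$source = $good[0]

# Compare what is in System32 (if anything) with the store copy before touching it.
$srcHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $source).Hash
$dstHash = if (Test-Path -LiteralPath $target) { (Get-FileHash -Algorithm SHA256 -LiteralPath $target).Hash } else { '<missing>' }
Write-Output ("{0}`n  WinSxS  : {1}`n  System32: {2}" -f $name, $srcHash, $dstHash)

if ($srcHash -eq $dstHash) {
    Write-Output "System32 copy already matches the component store; nothing to do"
} else {
    # Keep whatever was there (a replaced or truncated copy is evidence), then restore.
    if (Test-Path -LiteralPath $target) { Copy-Item -LiteralPath $target -Destination "$target.bak" -Force }
    Copy-Item -LiteralPath $source -Destination $target -Force
    Write-Output "restored $target from $source"
}
```

If the final Copy-Item is refused because the existing file is in use or is owned by TrustedInstaller, that is the situation the boot-time move in Ken's Avenger script works around; `sfc /scannow` is the supported way to have Windows re-verify and replace protected files itself.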
 
I tried the first set of instructions but it didn't work so I moved onto the second set of instructions.

However, when I started The Avenger, the screen described didn't show up. I didn't get:

  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script

Instead it went right to a screen that says to "Input Script Here" and gives a blank box to do that. It has an execute button. At the top there are buttons with the options to "Load script from File..." "Load Script from Internet URL" and "Paste Script from Clipboard." It has checkboxes on the bottom to check or uncheck that say "Scan for rootkits" and "Automatically disable any rootkits found." "Scan for rootkits" is checked already.

Since this sounds different than what was described I wanted to make sure things are okay before going forward. My computer apparently doesn't want to cooperate with much it seems.
 
This will be fine Mandy,

Input Script Here

Paste Script from Clipboard

Scan for rootkits
 
Thanks Ken :)
Here is the avenger.txt log. However, I was unable to run HijackThis still. I got the same "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item" message when I tried.


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\cngaudit.dll|c:\windows\system32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
 
OK, Mandy, Combofix should run now. Try it in normal Windows, or Safe Mode if normal Windows won't run.
 
Hey Ken,
It's working right :yahoo: but it says that Norton Internet Security is active and will interfere with ComboFix. However, I'm in Safe Mode and can't disable Norton the ordinary way. Thought it was already disabled, truth be told, but I guess not.

I'm hoping there's some other way to disable it from where I am. Or should I shut down ComboFix and try to disable Norton and run ComboFix in normal mode? (Normal mode was massively slow and freezing for me the last time I tried but I didn't get the blue screen of death, at least)
 
Okay, now I'm scared.

ComboFix ran and was working okay. Then it restarted during the process which I think it was supposed to do but when it restarted it went to the normal mode even though I pressed F8. As I got to the "Preparing Log Report: Do not run any programs until ComboFix is finished" I got the stupid Blue Screen of Death. Then it kicked me off and went through the F8 "Pick Safe Mode or Normal" screen really quickly and then started back up in Normal mode!! Now I either have to pick a User account and go through Normal Mode or Restart and try F8 again (which I'm sure I'm not supposed to do). Yikes!!
 
Yikes!! I'm sorry. :S

It had restarted in Normal Mode though and was running correctly when that Blue Screen thing appeared (like I was getting in Normal Mode before) and it kicked me off. I'm pretty sure I pressed F8 too late into the reboot, which is why it booted normally.

It's also waiting for me to choose a User Account in Normal Mode right now. Should I choose my account so it'll start up there? Or have I screwed things up too badly?
 
I started it up under my account. Everything came up normally. But as expected since the Blue Screen came up while ComboFix was processing logs, there is no log from it. I haven't tried to do anything other than look for the log.

Something just popped up as I was typing this. It's titled pctsTray.exe
It says an error occurred in the application and it gives me these options:
Send Bug Report
Show Bug Report
Restart Application
Close Application
 
Thank you!! :D Got the report and pasting it here:

ComboFix 09-10-30.01 - EliasFamily 10/31/2009 13:47:01.1.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.1452 [GMT -5:00]
Running from: C:\Users\EliasFamily\Desktop\Combo-Fix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\$RECYCLE.BIN\S-1-5-21-129073205-3625971405-908230985-500
C:\$RECYCLE.BIN\S-1-5-21-4055113683-2864743704-3741799464-500
C:\Users\EliasFamily\AppData\Roaming\.#
C:\Windows\system32\oem66.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.

2009-10-31 19:01:41 . 2009-10-31 19:08:26 0 d-----w- C:\Users\EliasFamily\AppData\Local\temp
2009-10-31 19:01:41 . 2009-10-31 19:01:41 0 d-----w- C:\Users\Ginger\AppData\Local\temp
2009-10-31 19:01:41 . 2009-10-31 19:01:41 0 d-----w- C:\Users\Default\AppData\Local\temp
2009-10-31 03:08:40 . 2009-10-31 03:08:40 552 ----a-w- C:\Users\EliasFamily\AppData\Local\d3d8caps.dat
2009-10-30 19:34:22 . 2009-10-31 03:13:10 0 d-----w- C:\32788R22FWJFW.1.tmp
2009-10-25 22:56:28 . 2009-10-25 22:56:41 0 d-----w- C:\Program Files\ERUNT
2009-10-25 18:44:07 . 2009-10-25 18:44:07 0 d-----w- C:\ProgramData\WindowsSearch
2009-10-25 18:17:22 . 2009-10-25 18:17:22 0 d-----w- C:\Program Files\Trend Micro
2009-10-25 07:10:50 . 2009-10-25 07:10:50 0 d-----w- C:\ProgramData\SUPERAntiSpyware.com
2009-10-25 07:07:52 . 2009-10-31 18:58:28 0 d-----w- C:\Program Files\SUPERAntiSpyware
2009-10-25 07:07:52 . 2009-10-25 07:07:52 0 d-----w- C:\Users\EliasFamily\AppData\Roaming\SUPERAntiSpyware.com
2009-10-25 05:45:46 . 2009-10-25 05:45:46 0 d-----w- C:\Users\EliasFamily\AppData\Roaming\PC Tools
2009-10-25 05:45:46 . 2009-10-25 05:45:46 0 d-----w- C:\ProgramData\PC Tools
2009-10-25 02:16:31 . 2009-10-30 19:17:32 0 ----a-w- C:\Windows\win32k.sys
2009-10-24 23:53:33 . 2009-10-24 23:53:33 0 d-----w- C:\ProgramData\Merscom
2009-10-24 22:00:50 . 2009-10-25 09:06:27 0 d-----w- C:\Program Files\iWin Games
2009-10-24 20:47:20 . 2009-10-24 20:47:49 0 d-----w- C:\Program Files\Kitchen Brigade
2009-10-24 19:37:21 . 2009-10-24 19:37:59 0 d-----w- C:\Program Files\Avenue Flo
2009-10-24 03:54:27 . 2009-10-31 15:31:51 0 d-----w- C:\Users\EliasFamily\Tracing
2009-10-24 03:52:49 . 2009-10-24 03:52:49 0 d-----w- C:\Program Files\Microsoft Sync Framework
2009-10-24 03:51:14 . 2009-10-24 03:51:14 0 d-----w- C:\Program Files\Microsoft
2009-10-24 03:50:55 . 2009-10-24 03:50:55 0 d-----w- C:\Program Files\Windows Live SkyDrive
2009-10-24 03:46:34 . 2009-10-24 03:46:34 0 d-----w- C:\Program Files\Common Files\Windows Live
2009-10-14 04:12:47 . 2009-10-14 04:12:47 0 d-sh--w- C:\Windows\system32\%APPDATA%
2009-10-13 20:08:38 . 2009-09-10 17:30:12 213504 ----a-w- C:\Windows\system32\msv1_0.dll
2009-10-13 20:08:32 . 2009-08-05 14:22:41 3597896 ----a-w- C:\Windows\system32\ntkrnlpa.exe
2009-10-13 20:08:32 . 2009-08-05 14:22:41 3546184 ----a-w- C:\Windows\system32\ntoskrnl.exe
2009-10-13 20:02:30 . 2009-08-31 13:55:46 428544 ----a-w- C:\Windows\system32\EncDec.dll
2009-10-13 20:02:26 . 2009-08-31 13:55:50 293376 ----a-w- C:\Windows\system32\psisdecd.dll
2009-10-13 19:56:47 . 2009-09-14 09:44:57 144896 ----a-w- C:\Windows\system32\drivers\srv2.sys
2009-10-13 19:56:41 . 2009-09-04 12:24:34 61440 ----a-w- C:\Windows\system32\msasn1.dll
2009-10-13 19:56:33 . 2009-04-02 12:37:02 604672 ----a-w- C:\Windows\system32\WMSPDMOD.DLL
2009-10-11 06:09:30 . 2009-10-11 06:09:30 0 d-----w- C:\Users\EliasFamily\AppData\Local\Unity
2009-10-11 06:09:24 . 2009-10-25 18:01:59 0 d-----w- C:\Program Files\Unity
2009-10-02 20:00:22 . 2009-10-01 15:29:14 195440 ------w- C:\Windows\system32\MpSigStub.exe
2009-10-01 19:13:08 . 2009-10-01 19:13:08 0 d-----w- C:\Users\Ginger\AppData\Roaming\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 19:06:02 . 2009-10-25 05:45:46 0 d-----w- C:\Program Files\Spyware Doctor
2009-10-29 19:35:27 . 2008-12-25 19:11:06 6648 ----a-w- C:\Users\EliasFamily\AppData\Local\d3d9caps.dat
2009-10-27 19:17:05 . 2008-11-27 21:47:31 0 d-----w- C:\Program Files\Lx_cats
2009-10-26 01:28:52 . 2007-12-25 05:17:05 0 d-----w- C:\Users\EliasFamily\AppData\Roaming\Apple Computer
2009-10-25 23:05:00 . 2009-05-18 00:52:14 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-25 23:00:01 . 2008-01-15 04:24:02 0 d-----w- C:\Program Files\Norton Security Scan
2009-10-25 18:29:04 . 2008-03-02 04:53:29 0 d-----w- C:\ProgramData\Spybot - Search & Destroy
2009-10-25 17:58:33 . 2008-03-24 02:39:39 0 d-----w- C:\Program Files\iWin.com
2009-10-25 09:39:13 . 2008-03-02 04:53:29 0 d-----w- C:\Program Files\Spybot - Search & Destroy
2009-10-25 09:27:20 . 2009-05-21 20:39:34 0 d-----w- C:\Program Files\Spybot - Search & Destroy1
2009-10-25 07:29:12 . 2008-03-05 00:57:48 0 d-----w- C:\Program Files\Messenger Plus! Live
2009-10-25 07:05:51 . 2008-11-28 20:39:26 0 d-----w- C:\Program Files\Common Files\Wise Installation Wizard
2009-10-06 21:31:30 . 2009-10-25 05:46:28 87784 ----a-w- C:\Windows\system32\drivers\PCTAppEvent.sys
2009-10-02 19:19:04 . 2009-10-25 05:48:10 1152470 ----a-w- C:\Windows\UDB.zip
2009-10-01 19:23:09 . 2009-09-30 23:06:51 0 d-----w- C:\Users\EliasFamily\AppData\Roaming\Move Networks
2009-10-01 19:09:51 . 2008-08-10 00:18:38 93552 ----a-w- C:\Users\Ginger\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-30 00:12:19 . 2009-09-30 00:10:56 0 d-----w- C:\Program Files\iTunes
2009-09-30 00:11:01 . 2009-09-30 00:11:01 0 d-----w- C:\Program Files\iPod
2009-09-30 00:10:59 . 2007-12-25 05:13:22 0 d-----w- C:\Program Files\Common Files\Apple
2009-09-24 13:55:46 . 2009-10-25 05:46:34 97208 ----a-w- C:\Windows\system32\drivers\pctwfpfilter.sys
2009-09-24 13:55:46 . 2009-10-25 05:46:34 229304 ----a-w- C:\Windows\system32\drivers\pctgntdi.sys
2009-09-23 21:10:06 . 2009-10-25 05:46:28 207280 ----a-w- C:\Windows\system32\drivers\PCTCore.sys
2009-09-23 03:02:41 . 2008-03-05 12:43:16 0 d-----w- C:\ProgramData\Messenger Plus!
2009-09-16 08:20:50 . 2009-10-25 05:46:28 7383 ----a-w- C:\Windows\system32\drivers\pctcore.cat
2009-09-15 11:20:46 . 2009-10-25 05:46:11 7383 ----a-w- C:\Windows\system32\drivers\pctplsg.cat
2009-09-15 07:12:04 . 2009-10-25 05:46:28 7412 ----a-w- C:\Windows\system32\drivers\PCTAppEvent.cat
2009-09-15 06:01:44 . 2009-10-25 05:46:35 7387 ----a-w- C:\Windows\system32\drivers\pctgntdi.cat
2009-09-14 11:38:13 . 2009-09-14 11:38:13 0 d-----w- C:\Program Files\Common Files\Adobe AIR
2009-09-14 11:37:15 . 2009-09-14 11:37:15 0 d-----w- C:\Users\EliasFamily\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-09-12 03:19:48 . 2009-09-12 03:18:40 0 d-----w- C:\ProgramData\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-12 03:16:16 . 2009-09-12 03:15:28 0 d-----w- C:\Program Files\QuickTime
2009-09-10 20:38:56 . 2007-05-14 12:30:49 0 d-----w- C:\Program Files\Java
2009-09-10 19:54:06 . 2009-05-18 00:52:16 38224 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53:50 . 2009-05-18 00:52:19 19160 ----a-w- C:\Windows\system32\drivers\mbam.sys
2009-09-09 23:37:28 . 2008-03-23 03:45:03 0 d-----w- C:\Program Files\RealArcade
2009-09-09 23:36:18 . 2009-09-09 23:36:18 0 d-----w- C:\ProgramData\RealArcade
2009-09-07 00:11:56 . 2009-09-07 00:11:54 0 d-----w- C:\Program Files\Walmart MP3 Music Downloads
2009-09-03 14:45:12 . 2009-10-25 05:46:11 70408 ----a-w- C:\Windows\system32\drivers\pctplsg.sys
2009-08-28 12:39:07 . 2009-09-02 23:10:15 28672 ----a-w- C:\Windows\system32\Apphlpdm.dll
2009-08-28 10:15:30 . 2009-09-02 23:10:13 4240384 ----a-w- C:\Windows\system32\GameUXLegacyGDFs.dll
2009-08-27 05:22:28 . 2009-10-13 20:01:19 916480 ----a-w- C:\Windows\system32\wininet.dll
2009-08-27 05:17:43 . 2009-10-13 20:01:16 109056 ----a-w- C:\Windows\system32\iesysprep.dll
2009-08-27 05:17:43 . 2009-10-13 20:01:14 71680 ----a-w- C:\Windows\system32\iesetup.dll
2009-08-27 03:42:29 . 2009-10-13 20:01:16 133632 ----a-w- C:\Windows\system32\ieUnatt.exe
2009-08-18 04:33:52 . 2009-08-18 04:33:52 1193832 ----a-w- C:\Windows\system32\FM20.DLL
2009-08-14 17:07:56 . 2009-09-08 19:56:55 897608 ----a-w- C:\Windows\system32\drivers\tcpip.sys
2009-08-14 16:29:41 . 2009-09-08 19:56:54 17920 ----a-w- C:\Windows\system32\netevent.dll
2009-08-14 16:29:41 . 2009-09-08 19:56:54 104960 ----a-w- C:\Windows\system32\netiohlp.dll
2009-08-14 14:16:55 . 2009-09-08 19:56:54 9728 ----a-w- C:\Windows\system32\TCPSVCS.EXE
2009-08-14 14:16:55 . 2009-09-08 19:56:54 17920 ----a-w- C:\Windows\system32\ROUTE.EXE
2009-08-14 14:16:52 . 2009-09-08 19:56:54 11264 ----a-w- C:\Windows\system32\MRINFO.EXE
2009-08-14 14:16:51 . 2009-09-08 19:56:54 27136 ----a-w- C:\Windows\system32\NETSTAT.EXE
2009-08-14 14:16:50 . 2009-09-08 19:56:54 19968 ----a-w- C:\Windows\system32\ARP.EXE
2009-08-14 14:16:49 . 2009-09-08 19:56:54 8704 ----a-w- C:\Windows\system32\HOSTNAME.EXE
2009-08-14 14:16:49 . 2009-09-08 19:56:54 10240 ----a-w- C:\Windows\system32\finger.exe
2009-08-11 18:19:25 . 2007-11-27 03:05:45 93552 ----a-w- C:\Users\EliasFamily\AppData\Local\GDIPFONTCACHEV1.DAT
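
Two lines in the ComboFix listing above are the kind a helper reads past quickly but should not: a zero-byte `C:\Windows\win32k.sys` (the real kernel-mode module lives in System32, and the same path is what Malwarebytes quarantines as Trojan.Dropper later in this thread) and a hidden, system-attributed directory literally named `%APPDATA%` under System32. The following is an added example, not part of the thread and not ComboFix code, showing how to parse the "Files Created" / "Find3M" lines and flag entries like these. The five sample lines are excerpted from Mandy's log; the watch list of kernel module names, the allow list (ComboFix's own `C:\32788R22FWJFW` scratch folder) and the heuristics are constructed for the example and would need extending for real use:

```python
import re
from dataclasses import dataclass

# ComboFix "Files Created" / "Find3M" entries look like:
#   <created> . <modified> <size> <attrs> <path>
# e.g. "2009-10-25 02:16:31 . 2009-10-30 19:17:32 0 ----a-w- C:\Windows\win32k.sys"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str   # e.g. "d-sh--w-": 'd' directory, 's' system, 'h' hidden, 'a' archive
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse(text: str) -> list:
    """Pull the file/directory entries out of a ComboFix log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["created"], m["modified"], int(m["size"]), m["attrs"], m["path"]))
    return entries


# Constructed watch/allow lists for this example; a real triage list would be much longer.
CORE_MODULES = {"win32k.sys", "ntoskrnl.exe", "ntkrnlpa.exe", "tcpip.sys", "msv1_0.dll", "srv2.sys"}
SYSTEM32 = "c:\\windows\\system32\\"
EXPECTED_DIRS = (SYSTEM32, "c:\\windows\\winsxs\\")
KNOWN_TOOL_DIRS = ("c:\\32788r22fwjfw",)   # ComboFix's own scratch folder; benign noise


def suspicious(entry: Entry) -> list:
    """Return the reasons an entry deserves a second look (empty list = nothing odd)."""
    p = entry.path.lower()
    name = p.rsplit("\\", 1)[-1]
    if any(p.startswith(k) for k in KNOWN_TOOL_DIRS):
        return []
    reasons = []
    if name in CORE_MODULES and not any(p.startswith(d) for d in EXPECTED_DIRS):
        reasons.append(f"core module name {name} outside System32")
    if name in CORE_MODULES and not entry.is_dir and entry.size == 0:
        reasons.append("zero-byte file carrying a kernel component's name")
    if re.search(r"%[a-z_]+%", p):
        reasons.append("literal unexpanded environment variable in path")
    if entry.is_dir and entry.hidden_system and p.startswith(SYSTEM32):
        reasons.append("newly created hidden+system directory under System32")
    return reasons


def triage(text: str) -> list:
    """(path, reasons) for every flagged entry, in log order."""
    findings = []
    for e in parse(text):
        reasons = suspicious(e)
        if reasons:
            findings.append((e.path, reasons))
    return findings


# Sample input: five lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
2009-10-30 19:34:22 . 2009-10-31 03:13:10 0 d-----w- C:\32788R22FWJFW.1.tmp
2009-10-25 22:56:28 . 2009-10-25 22:56:41 0 d-----w- C:\Program Files\ERUNT
2009-10-25 02:16:31 . 2009-10-30 19:17:32 0 ----a-w- C:\Windows\win32k.sys
2009-10-14 04:12:47 . 2009-10-14 04:12:47 0 d-sh--w- C:\Windows\system32\%APPDATA%
2009-10-13 20:08:32 . 2009-08-05 14:22:41 3546184 ----a-w- C:\Windows\system32\ntoskrnl.exe
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, only the root-level win32k.sys and the %APPDATA% directory are reported; the genuine ntoskrnl.exe in System32, the ERUNT install and ComboFix's own scratch folder are not. The allow list matters as much as the heuristics: a removal tool's own working directories look exactly like the random-named folders malware creates.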
 
Hello Mandy,

That's not the entire report; I need to see the whole thing. Open it again (it opens in Notepad), go to Edit > Select All, then Edit > Copy, and paste it in please.

Do that first and while I am looking it over do this.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean






Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    post_a4255_MBAM.PNG
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log please
 
I did what you instructed to make sure I had copied it all, and when I pasted it in here it was the same thing. Maybe it didn't finish the log because the Blue Screen interrupted it when it was processing the log? Sorry about all this. :sad:
 
Okay, these things seemed to go okay. Pasting MalwareBytes and HJT logs:

Malwarebytes' Anti-Malware 1.41
Database version: 3072
Windows 6.0.6001 Service Pack 1

10/31/2009 8:34:36 PM
mbam-log-2009-10-31 (20-34-36).txt

Scan type: Quick Scan
Objects scanned: 102116
Time elapsed: 15 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:03 PM, on 10/31/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Vongo\Tray.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\EliasFamily\Desktop\HijackThis1.exe
C:\Windows\system32\Taskmgr.exe

O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe

--
End of file - 2290 bytes
 
This can't be your entire log, is it?

  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Submit Reply rather than starting a new thread.
 