Malwarebyte & HJT don't work. msa.exe; a.exe; b.exe found

[ds123456]

My Internet Explorer was hijacked: links from google were redirected to incorrect sites. AVG found msa.exe, a.exe and b.exe but couldn't remove them. After manually deleting these files, IE seems to work fine.

But when I tried to use Windows Live Messenger, there was always an error message saying 'Windows Live Communications platform has encountered an error...'.

Installed Hijackthis and Malwarebyte but the programmes were terminated and afterwards they couldn't even start. ('Windows cannot access...')

Any advice/help would be really appreciated.

 

[Shaba]

Hi ds123456

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

 

[ds123456]

Hi Shaba,

Thanks for the reply. The Win32kDiag.txt is as follows:Running from: C:\Documents and Settings\Weihong Ma\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Weihong Ma\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP111.tmp\ZAP111.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CA.tmp\ZAP1CA.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2.tmp\ZAP2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP269.tmp\ZAP269.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD0.tmp\ZAPD0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF.tmp\ZAPF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

 

[Shaba]

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

 

[ds123456]

Here it is.

Running from: C:\Documents and Settings\Weihong Ma\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Weihong Ma\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB890046\KB890046

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP111.tmp\ZAP111.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP111.tmp\ZAP111.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CA.tmp\ZAP1CA.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CA.tmp\ZAP1CA.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2.tmp\ZAP2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2.tmp\ZAP2.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP269.tmp\ZAP269.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP269.tmp\ZAP269.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD0.tmp\ZAPD0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD0.tmp\ZAPD0.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF.tmp\ZAPF.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF.tmp\ZAPF.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\PreviewSoft\PreviewSoft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PreviewSoft\PreviewSoft

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-14 01:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 13:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 13:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!

Thanks!

 

[Shaba]

Please run it again, log looks weird

 

[ds123456]

Hi, this time I run "%userprofile%\desktop\win32kdiag.exe" -f -r from Start->Run again. Please let me know if I did anything wrong.

The new log is:

Running from: C:\Documents and Settings\Weihong Ma\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Weihong Ma\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2008-04-14 01:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 13:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 13:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)





Finished!

 

[Shaba]

That looks better, one file needs to be replaced though

We continue begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

 

[ds123456]

Ran ComboFix. For some reasons the report contains Chinese characters - I can translate those words into English if they affect understanding. Just let me know... :thanks:

ComboFix 09-09-23.02 - Weihong Ma 24/09/2009 8:35.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.502.148 [GMT 1:00]
执行位置: c:\documents and settings\Weihong Ma\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

注意 - 这台电脑没有安装恢复控制台 ！！
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Weihong Ma\Application Data\BITS
c:\documents and settings\Weihong Ma\Application Data\BITS\BITS.ini
c:\documents and settings\Weihong Ma\Application Data\BITS\DHTTable.dat
c:\documents and settings\Weihong Ma\Application Data\BITS\ProxyList.ini
c:\documents and settings\Weihong Ma\Application Data\BITS\UPnP.ini
c:\documents and settings\Weihong Ma\Application Data\FlashGetBHO
c:\documents and settings\Weihong Ma\Application Data\FlashGetBHO\FlashGetBHO3.dll
c:\documents and settings\Weihong Ma\Application Data\FlashGetBHO\GetAllUrl.htm
c:\documents and settings\Weihong Ma\Application Data\FlashGetBHO\GetUrl.htm
c:\program files\Common Files\Real\WeatherBug\MiniBugTransporter.dll
c:\program files\FlashGet Network
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-1417001333-838170752-725345543-500
c:\recycler\S-1-5-21-2643358392-977539291-756424607-1003
c:\recycler\S-1-5-21-3734686440-1256749900-2985986264-1003
c:\windows\Installer\1608c80.msp
c:\windows\Installer\17b41d.msp
c:\windows\Installer\1a8ed.msp
c:\windows\Installer\1de16.msp
c:\windows\Installer\1fa1724.msp
c:\windows\Installer\1fd6d83.msp
c:\windows\Installer\29d5f.msp
c:\windows\Installer\29f63.msp
c:\windows\Installer\2a91b4.msp
c:\windows\Installer\2b39ddf.msi
c:\windows\Installer\2c02f7.msp
c:\windows\Installer\3039d3.msp
c:\windows\Installer\329d0ce.msp
c:\windows\Installer\3472c.msp
c:\windows\Installer\353fab0.msp
c:\windows\Installer\3710eb8.msp
c:\windows\Installer\37e6005.msp
c:\windows\Installer\389a3.msp
c:\windows\Installer\3a35b00.msp
c:\windows\Installer\3a598.msp
c:\windows\Installer\3af3c.msp
c:\windows\Installer\3b4bb.msp
c:\windows\Installer\3b910.msp
c:\windows\Installer\3c1bf0.msp
c:\windows\Installer\3c3ed.msp
c:\windows\Installer\3c6bc.msp
c:\windows\Installer\3cbec.msp
c:\windows\Installer\3cd15.msp
c:\windows\Installer\3e06e.msp
c:\windows\Installer\3e64bd7.msp
c:\windows\Installer\3f450b5.msp
c:\windows\Installer\401d1.msp
c:\windows\Installer\40884f3.msp
c:\windows\Installer\40a0fe8.msp
c:\windows\Installer\41506ac.msp
c:\windows\Installer\42984c4.msp
c:\windows\Installer\429bc.msp
c:\windows\Installer\429bd.msp
c:\windows\Installer\4488e.msp
c:\windows\Installer\45ef42.msp
c:\windows\Installer\46609.msp
c:\windows\Installer\466e4.msp
c:\windows\Installer\46c43.msp
c:\windows\Installer\46cf90.msp
c:\windows\Installer\4acb7.msp
c:\windows\Installer\4d04c.msp
c:\windows\Installer\4e28c.msp
c:\windows\Installer\4e933.msp
c:\windows\Installer\4f326.msp
c:\windows\Installer\531b6.msp
c:\windows\Installer\537329b.msp
c:\windows\Installer\545e9b2.msp
c:\windows\Installer\54aea6.msp
c:\windows\Installer\5518f53.msp
c:\windows\Installer\552ab.msp
c:\windows\Installer\554ce.msp
c:\windows\Installer\5590164.msp
c:\windows\Installer\56da6.msp
c:\windows\Installer\5e6548.msp
c:\windows\Installer\5eb90.msp
c:\windows\Installer\5f3f6c.msp
c:\windows\Installer\61a22.msp
c:\windows\Installer\62f6f.msp
c:\windows\Installer\62f928.msp
c:\windows\Installer\65815.msp
c:\windows\Installer\674f24.msp
c:\windows\Installer\6768a.msp
c:\windows\Installer\6e002.msp
c:\windows\Installer\6e6e8.msp
c:\windows\Installer\71105.msp
c:\windows\Installer\725ffcc.msp
c:\windows\Installer\760cb.msp
c:\windows\Installer\788e4.msp
c:\windows\Installer\790f3.msp
c:\windows\Installer\7ed462.msp
c:\windows\Installer\7ed468.msp
c:\windows\Installer\8117d.msp
c:\windows\Installer\81d06.msp
c:\windows\Installer\8b474.msp
c:\windows\Installer\9358276.msp
c:\windows\Installer\9427079.msp
c:\windows\Installer\9ce41.msp
c:\windows\Installer\abc2b.msp
c:\windows\Installer\ff5b1.msp
c:\windows\Installer\ff5f2.msp
c:\windows\NT.Config`.exe
c:\windows\system32\secustat.dat

c:\windows\system32\eventlog.dll . . . 受感染！！

.
((((((((((((((((((((((((((((((((((((((( 驱动/服务 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( 2009-08-24 至 2009-09-24 的新的档案 )))))))))))))))))))))))))))))))
.

2009-09-20 13:21 . 2009-09-20 13:21 -------- d-----w- c:\documents and settings\Weihong Ma\Application Data\Malwarebytes
2009-09-20 13:20 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 13:20 . 2009-09-20 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 13:20 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-20 13:20 . 2009-09-20 13:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 12:57 . 2009-09-20 12:57 -------- d-----w- c:\program files\Trend Micro
2009-09-20 12:45 . 2009-09-20 12:45 0 ----a-w- c:\windows\nsreg.dat
2009-09-20 12:45 . 2009-09-20 12:45 -------- d-----w- c:\documents and settings\Weihong Ma\Local Settings\Application Data\Mozilla
2009-09-19 22:53 . 2009-09-24 07:07 0 ----a-r- c:\windows\win32k.sys
2009-08-28 16:00 . 2009-08-28 16:00 -------- d-----w- c:\program files\Pearson VUE
2009-08-26 07:32 . 2009-08-26 07:32 -------- d-----w- c:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 17:00 . 2005-12-26 22:48 -------- d-----w- c:\program files\BitComet
2009-09-23 16:58 . 2006-01-04 13:32 -------- d-----w- c:\program files\eMule
2009-09-05 17:55 . 2007-03-13 18:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Sony Corporation
2009-08-27 06:35 . 2005-07-11 16:29 -------- d-----w- c:\program files\Java
2009-08-26 17:40 . 2007-08-02 19:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-26 07:34 . 2008-03-02 20:38 -------- d-----w- c:\program files\Windows Live
2009-08-22 21:10 . 2009-03-05 21:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-22 21:10 . 2009-03-05 21:25 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-22 21:10 . 2009-03-05 21:25 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 17:34 . 2005-07-11 16:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-18 17:33 . 2005-07-11 13:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-18 17:31 . 2005-07-11 16:33 -------- d-----w- c:\program files\Google
2009-08-17 06:30 . 2005-12-12 11:29 81952 -c--a-w- c:\documents and settings\Weihong Ma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 02:21 . 2009-08-17 02:21 -------- d-----w- c:\program files\MSBuild
2009-08-17 02:21 . 2009-08-17 02:21 -------- d-----w- c:\program files\Reference Assemblies
2009-08-17 02:03 . 2009-08-17 02:03 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:11 . 2005-07-11 04:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-25 04:23 . 2008-12-05 07:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 18:55 . 2005-07-11 04:48 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2005-07-11 04:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2005-07-11 04:48 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-07-11 04:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-07-11 04:48 17408 ----a-w- c:\windows\system32\corpol.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[-] 2004-08-04 12:00 . 028C3E9C06BBEE764908254C0A9270D8 . 61952 . . [------] . . c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-09 6746112]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-03-03 483328]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-23 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-22 2007832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-8-23 778240]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-8-23 778240]

c:\documents and settings\Lab\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-8-23 778240]

c:\documents and settings\Weihong Ma\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-8-23 778240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-1-31 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-22 21:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 16:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"$INSTDIR\\FlvDetector.exe"= c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlvDetector.exe
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17502:TCP"= 17502:TCP:BitComet 17502 TCP
"17502:UDP"= 17502:UDP:BitComet 17502 UDP
"16881:TCP"= 16881:TCP:BitComet 16881 TCP
"16881:UDP"= 16881:UDP:BitComet 16881 UDP
"12764:TCP"= 12764:TCP:BitComet 12764 TCP
"12764:UDP"= 12764:UDP:BitComet 12764 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/03/2009 22:25 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/03/2009 22:25 108552]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [04/10/2004 04:47 98304]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/06/2009 18:51 297752]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [04/10/2004 03:40 118784]
S3 hama1394;Hamamatsu IIDC 1394-based OHCI Digital Camera Driver;c:\windows\system32\drivers\hama1394.sys [10/07/2006 17:28 240512]
S3 sonydcam;Generic 1394 Desktop Camera;c:\windows\system32\drivers\sonydcam.sys [04/08/2004 00:09 25472]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
‘计划任务’ 文件夹 里的内容

2009-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]

2009-09-24 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-05-03 17:38]
.
.
------- 而外的扫描 -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - hxxps://www.sz1.cmbchina.com/download/CMBEdit.cab
DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} - hxxp://static.mediazone.com/player/1.0.0.64/MZPlayer.CAB
DPF: {EC0978ED-24E3-403C-AB7A-060E388553E6} - hxxp://121.9.248.179/software/BoBo_ActiveX_V3.ocx
DPF: {F3E92562-1B4D-4BFA-B2D4-E9BCABE3B6A3} - hxxps://ebanks.spdb.com.cn/per/gb/js/iesign.ocx
FF - ProfilePath - c:\documents and settings\Weihong Ma\Application Data\Mozilla\Firefox\Profiles\lv2img8h.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-FlashGet 3 - c:\program files\FlashGet Network\FlashGet 3\FlashGet3.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 08:56
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(1244)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3504)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
完成时间: 2009-09-24 9:04 - 电脑已重新启动
ComboFix-quarantined-files.txt 2009-09-24 08:03

Pre-Run: 4,019,998,720 bytes free
Post-Run: 4,167,712,768 bytes free

336 --- E O F --- 2009-09-20 18:18

 

[Shaba]

Could you please translate this?

c:\windows\system32\eventlog.dll . . . 受感染！！

 

[ds123456]

Sure. It says:

c:\windows\system32\eventlog.dll . . is infected!!

 

[Shaba]

Thanks for that

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  FCopy::
  C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

[ds123456]

Just done it. Again, sorry for the Chinese characters.

ComboFix 09-09-23.02 - Weihong Ma 24/09/2009 20:24.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.936.86.1033.18.502.230 [GMT 1:00]
执行位置: c:\documents and settings\Weihong Ma\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Weihong Ma\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( 被删除的档案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\logevent.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( 2009-08-24 至 2009-09-24 的新的档案 )))))))))))))))))))))))))))))))
.

2009-09-20 13:21 . 2009-09-20 13:21 -------- d-----w- c:\documents and settings\Weihong Ma\Application Data\Malwarebytes
2009-09-20 13:20 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 13:20 . 2009-09-20 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 13:20 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-20 13:20 . 2009-09-20 13:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 12:57 . 2009-09-20 12:57 -------- d-----w- c:\program files\Trend Micro
2009-09-20 12:45 . 2009-09-20 12:45 0 ----a-w- c:\windows\nsreg.dat
2009-09-20 12:45 . 2009-09-20 12:45 -------- d-----w- c:\documents and settings\Weihong Ma\Local Settings\Application Data\Mozilla
2009-09-19 22:53 . 2009-09-24 07:07 0 ----a-r- c:\windows\win32k.sys
2009-08-28 16:00 . 2009-08-28 16:00 -------- d-----w- c:\program files\Pearson VUE
2009-08-26 07:32 . 2009-08-26 07:32 -------- d-----w- c:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 17:00 . 2005-12-26 22:48 -------- d-----w- c:\program files\BitComet
2009-09-23 16:58 . 2006-01-04 13:32 -------- d-----w- c:\program files\eMule
2009-09-05 17:55 . 2007-03-13 18:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Sony Corporation
2009-08-27 06:35 . 2005-07-11 16:29 -------- d-----w- c:\program files\Java
2009-08-26 17:40 . 2007-08-02 19:16 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-26 07:34 . 2008-03-02 20:38 -------- d-----w- c:\program files\Windows Live
2009-08-22 21:10 . 2009-03-05 21:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-22 21:10 . 2009-03-05 21:25 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-22 21:10 . 2009-03-05 21:25 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 17:34 . 2005-07-11 16:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-18 17:33 . 2005-07-11 13:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-18 17:31 . 2005-07-11 16:33 -------- d-----w- c:\program files\Google
2009-08-17 06:30 . 2005-12-12 11:29 81952 -c--a-w- c:\documents and settings\Weihong Ma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 02:21 . 2009-08-17 02:21 -------- d-----w- c:\program files\MSBuild
2009-08-17 02:21 . 2009-08-17 02:21 -------- d-----w- c:\program files\Reference Assemblies
2009-08-17 02:03 . 2009-08-17 02:03 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:11 . 2005-07-11 04:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-25 04:23 . 2008-12-05 07:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 18:55 . 2005-07-11 04:48 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2005-07-11 04:49 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2005-07-11 04:48 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-07-11 04:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-07-11 04:48 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-24_07.57.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-24 16:55 . 2009-09-24 16:55 16384 c:\windows\Temp\Perflib_Perfdata_114.dat
+ 2005-07-11 04:48 . 2004-08-04 12:00 55808 c:\windows\system32\dllcache\eventlog.dll
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-09 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-09 6746112]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-03-03 483328]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-23 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-22 2007832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-09-22 14854144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-8-23 778240]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-8-23 778240]

c:\documents and settings\Lab\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-8-23 778240]

c:\documents and settings\Weihong Ma\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-8-23 778240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2009-1-31 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-22 21:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 16:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"$INSTDIR\\FlvDetector.exe"= c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlvDetector.exe
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17502:TCP"= 17502:TCP:BitComet 17502 TCP
"17502:UDP"= 17502:UDP:BitComet 17502 UDP
"16881:TCP"= 16881:TCP:BitComet 16881 TCP
"16881:UDP"= 16881:UDP:BitComet 16881 UDP
"12764:TCP"= 12764:TCP:BitComet 12764 TCP
"12764:UDP"= 12764:UDP:BitComet 12764 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/03/2009 22:25 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/03/2009 22:25 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [29/06/2009 18:51 297752]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [04/10/2004 04:47 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [04/10/2004 03:40 118784]
S3 hama1394;Hamamatsu IIDC 1394-based OHCI Digital Camera Driver;c:\windows\system32\drivers\hama1394.sys [10/07/2006 17:28 240512]
S3 sonydcam;Generic 1394 Desktop Camera;c:\windows\system32\drivers\sonydcam.sys [04/08/2004 00:09 25472]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
‘计划任务’ 文件夹 里的内容

2009-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]

2009-09-24 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-05-03 17:38]
.
.
------- 而外的扫描 -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CA54D3F-CEAE-48AF-9A2B-31909CB9515D} - hxxps://www.sz1.cmbchina.com/download/CMBEdit.cab
DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} - hxxp://static.mediazone.com/player/1.0.0.64/MZPlayer.CAB
DPF: {EC0978ED-24E3-403C-AB7A-060E388553E6} - hxxp://121.9.248.179/software/BoBo_ActiveX_V3.ocx
DPF: {F3E92562-1B4D-4BFA-B2D4-E9BCABE3B6A3} - hxxps://ebanks.spdb.com.cn/per/gb/js/iesign.ocx
FF - ProfilePath - c:\documents and settings\Weihong Ma\Application Data\Mozilla\Firefox\Profiles\lv2img8h.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 20:31
Windows 5.1.2600 Service Pack 2 NTFS

扫描被隐藏的进程 。。。

扫描被隐藏的启动组 。。。

扫描被隐藏的文件 。。。

扫描完成
被隐藏的档案: 0

**************************************************************************
.
--------------------- 运行进程下的动态链接库 ---------------------

- - - - - - - > 'winlogon.exe'(1244)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(372)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
完成时间: 2009-09-24 20:34
ComboFix-quarantined-files.txt 2009-09-24 19:33
ComboFix2.txt 2009-09-24 08:04

Pre-Run: 4,176,297,984 bytes free
Post-Run: 4,142,002,176 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-CHS.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

215 --- E O F --- 2009-09-20 18:18

 

[Shaba]

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

 

[ds123456]

Tried to run Hijackthis 2.0.2 but it didn't start. Given an error message:

'Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.'

 

[Shaba]

Please then rerun win32kdiag.exe normally and post back fresh log.

 

[ds123456]

The win32kdiag log is very short this time.

Running from: C:\Documents and Settings\Weihong Ma\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Weihong Ma\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

 

[Shaba]

Please then uninstall/reinstall HijackThis and let me know if it now works.

 

[ds123456]

Hi,

I can't delete the hijackthis.exe file. Was given an error message:
'Cannot delete HijackThis: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use.'

I also tried reinstalling it (without uninstalling as I couldn't) but the programme still didn't start.

 

[Shaba]

Please try to delete it in safe mode and let me know how it went.