Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Infected Computer won't run anti-virus programs [Solved]

Started by StephenYu , Sep 16 2009 01:18 PM

  • This topic is locked This topic is locked

#1
StephenYu
Posted 16 September 2009 - 01:18 PM

StephenYu

    New Member

  • Member
  • Pip
  • 5 posts
I believe my computer is infected with a virus and it won't let me run any anti-virus programs. When I try to run MalwareBytes, it terminates after about 3 seconds of scanning. I am unable to uninstall MalwareBytes as well. I am running Vista Home Premium in safe mode right now. I did a search on my computer and deleted all the files created after the infection. Before, I was unable to run taskmgr or regedit, but I have since fixed that problem. I have already followed the steps in the Malware and Spyware Cleaning Guide. Please help me get rid of the virus ): Thanks!

1. I am unable to run or uninstall MalwareBytes
2. I am unable to create a system restore point
3. The rootkit detection and OTL log are attached

Attached File  RootRepeal_report_09_16_09__12_44_35_.txt   636bytes   112 downloads
Attached File  OTL.Txt   66.9KB   215 downloads
Attached File  Extras.Txt   55.97KB   630 downloads

Attached Files


Edited by StephenYu, 16 September 2009 - 01:57 PM.

  • 0

Advertisements

#2
Essexboy
Posted 16 September 2009 - 02:27 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there

OK lets start to kill, please follow these steps in order

@echo off
copy C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll c:\
exit

First you will need to create the batch fix to do that copy and paste ALL of the above in the quote box to a notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat

This will create a batch file Posted Image

Then run fix.bat by double clicking you may see a black box appear this is normal

THEN

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


NEXT


1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to move:
c:\cngaudit.dll | C:\Windows\System32\cngaudit.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

FINALLY

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

Posted Image


Posted Image
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a OTL log so we can continue cleaning the system.

  • 0

#3
StephenYu
Posted 16 September 2009 - 03:14 PM

StephenYu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you for your quick reply!

Win32kdiag.txt

Running from: C:\Users\Admin\Desktop\win32kdiag.exe

Log file at : C:\Users\Admin\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPED79.tmp\ZAPED79.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPED79.tmp\ZAPED79.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF24A.tmp\ZAPF24A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF24A.tmp\ZAPF24A.tmp

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Minidump\Minidump

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\nap\configuration\configuration

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Panther\setup.exe\setup.exe

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PIF\PIF

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Registration\CRMLog\CRMLog

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\logs\logs

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\v2.0.50727.312

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\v2.0.50727.312

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Found mount point : C:\Windows\SolidWorks\SolidWorks

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SolidWorks\SolidWorks

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Sun\Java\Deployment\Deployment

Found mount point : C:\Windows\System32\0409\0409

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\0409\0409

Found mount point : C:\Windows\System32\Branding\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Branding\en-US\en-US

Found mount point : C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

Cannot access: C:\Windows\System32\cngaudit.dll

Attempting to restore permissions of : C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 02:46:03 62464 C:\Windows\System32\cngaudit.dll ()

[2] 2006-11-02 02:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2006-11-02 02:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)



Found mount point : C:\Windows\System32\com\dmp\dmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\com\dmp\dmp

Found mount point : C:\Windows\System32\config\Journal\Journal

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\Journal\Journal

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\Recovery

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\Recovery

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\Groove\System\System

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\Groove\System\System

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\Groove\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\Groove\User\User

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\Virtualized

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\Virtualized

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Hewlett-Packard\HP Software UI\cee\cee

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Hewlett-Packard\HP Software UI\cee\cee

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\3V5PT54K\3V5PT54K

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\3V5PT54K\3V5PT54K

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\IECompatCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\IECompatCache

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\Low\Low

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\Low\Low

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\Low

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\Low

Found mount point : C:\Windows\System32\DriverStore\Temp\{bcbbfbb9-c2fd-4845-a1bd-29d876ff905d}\{bcbbfbb9-c2fd-4845-a1bd-29d876ff905d}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\DriverStore\Temp\{bcbbfbb9-c2fd-4845-a1bd-29d876ff905d}\{bcbbfbb9-c2fd-4845-a1bd-29d876ff905d}

Found mount point : C:\Windows\System32\GroupPolicyUsers\GroupPolicyUsers

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\GroupPolicyUsers\GroupPolicyUsers

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\inetsrv\inetsrv

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Found mount point : C:\Windows\System32\MUI\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\MUI\dispspec\dispspec

Found mount point : C:\Windows\System32\setup\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\setup\en-US\en-US

Found mount point : C:\Windows\System32\SMI\Manifests\Manifests

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\SMI\Manifests\Manifests

Found mount point : C:\Windows\System32\spool\drivers\IA64\IA64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\drivers\IA64\IA64

Found mount point : C:\Windows\System32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\drivers\w32x86\3\temp\temp

Found mount point : C:\Windows\System32\spool\drivers\x64\x64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\drivers\x64\x64

Found mount point : C:\Windows\System32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\PRINTERS\PRINTERS

Found mount point : C:\Windows\System32\spool\SERVERS\STEPHEN\STEPHEN

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\SERVERS\STEPHEN\STEPHEN

Found mount point : C:\Windows\System32\spool\SERVERS\WINSTON-PC\WINSTON-PC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\SERVERS\WINSTON-PC\WINSTON-PC

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\SyncCenter

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\SyncCenter

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar\WindowsCalendar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar\WindowsCalendar

Found mount point : C:\Windows\System32\wbem\MOF\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\wbem\MOF\bad\bad

Found mount point : C:\Windows\System32\wbem\MOF\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\wbem\MOF\good\good

Found mount point : C:\Windows\System32\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}

Found mount point : C:\Windows\System32\WDI\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\WDI\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}

Cannot access: C:\Windows\System32\WerFault.exe

Attempting to restore permissions of : C:\Windows\System32\WerFault.exe

Found mount point : C:\Windows\System32\winevt\TraceFormat\TraceFormat

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\winevt\TraceFormat\TraceFormat

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\InstallTemp\InstallTemp



Finished!



Avenger.txt

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Wed Sep 16 13:45:16 2009

13:45:15: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Wed Sep 16 13:45:30 2009

13:45:30: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Wed Sep 16 13:46:08 2009

13:46:08: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\cngaudit.dll|C:\Windows\System32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.



Right before combofix.exe rebooted my computer, an error came up. I could not catch what it said nor did I have time to "press OK to terminate this application".

At the end of combo-fix.exe, this log appeared.

ComboFix 09-09-14.02 - Admin 09/16/2009 13:53.1.2 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2999 [GMT -7:00]
Running from: F:\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1061942412-1823489271-1393647071-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-4235296297-4181994746-4189477521-500
C:\cleanup.exe
c:\windows\system32\drivers\OCA_LOG.TXT
c:\windows\SYSTEM32\haligogu.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\nsprs.dll
c:\windows\SYSTEM32\pukayane.dll
c:\windows\SYSTEM32\refayuze.dll
c:\windows\SYSTEM32\sefofele.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\ygsuhdf83id.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-16 21:00 . 2009-09-16 21:02 -------- d-----w- c:\users\Admin\AppData\Local\temp
2009-09-16 20:46 . 2009-09-16 20:46 574 ----a-w- C:\cleanup.bat
2009-09-16 20:46 . 2009-09-16 20:46 135168 ----a-w- C:\zip.exe
2009-09-16 19:37 . 2009-09-16 19:37 -------- d-----w- c:\program files\ERUNT
2009-09-16 18:56 . 2009-09-16 19:00 -------- d-----w- c:\program files\Spybot2
2009-09-16 18:31 . 2009-09-16 19:00 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-16 18:31 . 2009-09-16 18:38 -------- d-----w- c:\program files\Spybot
2009-09-16 18:30 . 2009-09-16 18:30 -------- d-----w- c:\program files\Includes
2009-09-16 08:59 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-16 08:59 . 2009-09-16 18:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 08:59 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 03:52 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-25 02:46 . 2009-09-12 07:07 -------- d-----w- c:\program files\Heroes of Newerth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 11:46 . 2009-07-29 07:07 -------- d-----w- c:\users\Admin\AppData\Roaming\vlc
2009-09-16 11:38 . 2007-09-20 05:36 1356 ----a-w- c:\users\Admin\AppData\Local\d3d9caps.dat
2009-09-16 09:31 . 2009-07-28 09:01 -------- d-----w- c:\program files\Microsoft Windows Feedback Panel
2009-09-16 09:31 . 2008-06-26 02:14 -------- d-----w- c:\programdata\WFP
2009-09-16 09:31 . 2007-09-11 19:18 -------- d-----w- c:\programdata\NVIDIA
2009-09-15 18:46 . 2007-09-11 18:59 94936 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-15 08:13 . 2008-07-10 00:33 -------- d-----w- c:\program files\SolidWorks
2009-09-14 15:55 . 2009-07-03 07:22 -------- d-----w- c:\users\Guest\AppData\Roaming\vlc
2009-09-12 20:45 . 2008-01-06 05:47 -------- d-----w- c:\program files\Common Files\Logishrd
2009-09-08 20:39 . 2008-01-06 05:32 -------- d-----w- c:\users\Admin\AppData\Roaming\Nero
2009-09-08 20:30 . 2008-01-06 05:30 -------- d-----w- c:\program files\Common Files\Nero
2009-09-08 20:29 . 2008-01-06 05:30 -------- d-----w- c:\program files\Nero
2009-09-08 20:28 . 2008-01-06 05:30 -------- d-----w- c:\programdata\Nero
2009-08-09 08:06 . 2007-12-21 08:25 -------- d-----w- c:\users\Admin\AppData\Roaming\U3
2009-08-06 18:08 . 2009-08-06 18:08 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
2009-08-06 18:08 . 2009-08-06 18:08 -------- d-----w- c:\programdata\Malwarebytes
2009-08-06 15:47 . 2008-06-17 22:17 107016 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-04 08:47 . 2009-08-04 08:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-04 08:37 . 2007-10-25 08:21 -------- d-----w- c:\program files\WC3Banlist
2009-08-04 08:36 . 2007-06-08 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-03 02:32 . 2007-09-20 06:02 -------- d-----w- c:\program files\Warcraft III
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-07-31 01:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-31 01:09 . 2008-08-13 23:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 01:06 . 2007-09-23 03:52 -------- d-----w- c:\programdata\Microsoft Help
2009-07-31 01:04 . 2007-06-08 15:32 -------- d-----w- c:\program files\Microsoft Works
2009-07-24 03:39 . 2009-07-24 03:39 93 ----a-w- c:\users\Admin\AppData\Local\fusioncache.dat
2009-07-21 21:52 . 2009-07-31 01:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-31 01:00 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-31 01:00 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-31 01:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-19 08:13 . 2009-07-19 08:13 -------- d-----w- c:\users\Admin\AppData\Roaming\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-07-17 13:54 . 2009-08-30 03:50 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-30 03:50 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-30 03:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-30 03:50 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-30 03:50 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 21:37 . 2009-08-07 01:36 66056 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_HelperSvc.exe
2009-07-14 21:37 . 2009-08-07 01:36 32456 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-07-14 21:37 . 2009-08-07 01:36 242272 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe
2009-07-14 21:37 . 2009-08-07 01:36 22848 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-07-14 21:37 . 2009-08-07 01:36 18776 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-06-30 21:26 . 2009-06-30 21:22 1915520 ----a-w- c:\users\Guest\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2007-09-11 21:24 . 2007-09-11 21:24 22 --sha-w- c:\windows\SMINST\HPCD.sys
2009-06-16 12:41 . 2009-06-16 12:41 2713 --sh--w- c:\windows\System32\dasakebe.exe
2009-04-14 08:09 . 2009-04-14 08:09 848 --sha-w- c:\windows\System32\KGyGaAvL.sys
2009-06-16 08:35 . 2009-06-16 08:35 49152 --sha-w- c:\windows\System32\lutokujo.dll
2009-06-16 08:35 . 2009-06-16 08:35 49152 --sha-w- c:\windows\System32\wukahuro.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 92704]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-25 4702208]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Mouse and Keyboard Settings.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-23 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\WfpRescover\wfprescover.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WFPUser.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WFPUser.lnk
backup=c:\windows\pss\WFPUser.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"VistaSp2"=hex(b):74,32,b9,f3,80,11,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{54A45CBD-8D84-4EDC-BEC8-62B9E5985BFA}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections
"{0784761A-E1A2-486E-8D9C-B1E863B8A10E}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{A3D7F7AC-36A4-4D45-AFCE-E0177A9BC060}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E93AE87D-76BF-4B3E-8735-3C4566B78EAB}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E236F62F-DD1B-454E-9D3B-BA6F963B15EA}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{88652854-FF22-4D2D-8912-7253A7A33944}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3BE6EBAC-0D80-4DBE-8AA5-2109389A0380}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4B2F6E24-1698-4BB9-BB28-4EF7188052D3}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"TCP Query User{5169CE20-2540-4DD1-AF42-374EDF07B588}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{2DF9410E-9D0F-4FDB-98C0-81C94BEF4652}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{8D911C71-A8B3-4322-AED8-34C5F1454A2D}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C9F9A0F3-E2AC-478D-B000-4A7DE1EAD4CC}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3060D9C1-0184-415F-9BC7-66FB87E4A09E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E666B6AC-7D13-4AFD-BDCD-802DD4AA5A20}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5DF87D88-914D-4F91-BE39-026CF57C7AFB}"= UDP:25901:BitComet 25901 TCP
"{A45BB9F8-FC48-4F69-A71B-209A86FB531C}"= TCP:25901:BitComet 25901 UDP
"{B1BF435B-C0F0-4372-9B36-A05B85E0F522}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{590228EC-782B-4199-8721-8E881CA7940E}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{6262EFBD-E435-46CC-A086-ECDD74A79C1B}"= UDP:25901:BitComet 25901 TCP
"{BCD7C386-C612-4C57-898F-308DBB92A6CE}"= TCP:25901:BitComet 25901 UDP
"{14E844FE-A113-4817-B7C2-A5FEFFF8DFB4}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{A075DB20-294C-4367-B380-5748937A8647}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{13405024-6972-458F-8318-DAD16E7EDDC1}"= UDP:8395:League of Legends Launcher
"{CC0B6D01-1E1C-4E8D-9653-150940BBE6B7}"= TCP:8395:League of Legends Launcher
"{2025FCDA-5CFC-49CE-B904-8F8142E1CA8D}"= UDP:c:\riot games\League of Legends\Air\LolClient.exe:League of Legends Lobby
"{78503524-7292-4A44-8987-2DE49A25E789}"= TCP:c:\riot games\League of Legends\Air\LolClient.exe:League of Legends Lobby
"{680191BA-EBEB-4B8E-8948-C1D2DFDF7567}"= UDP:c:\riot games\League of Legends\Game\League of Legends.exe:League of Legends Game Client
"{C433AD45-63CF-4F29-8B65-9F040D6A4C8F}"= TCP:c:\riot games\League of Legends\Game\League of Legends.exe:League of Legends Game Client
"{37F64FFF-5711-4411-B943-B49ED5E15A86}"= UDP:8396:League of Legends Launcher
"{C19E2739-E04E-4C8C-AAAE-6915F14F379D}"= TCP:8396:League of Legends Launcher
"{116DD32F-304F-42AE-B489-ED9087C2ADE1}"= UDP:8397:League of Legends Launcher
"{A40CF8AD-4023-43F2-9338-2656F766D6DD}"= TCP:8397:League of Legends Launcher
"{38CFBB17-D87E-4B9F-A72D-CBFE701FFEDA}"= UDP:8398:League of Legends Launcher
"{DF4BF06B-816E-4EEB-A2FC-C775EB201595}"= TCP:8398:League of Legends Launcher
"{B466ACE2-2925-4515-A08D-F1F6AEEC05EE}"= UDP:8399:League of Legends Launcher
"{BD5DACB7-844A-452E-A9AB-71F82705E00A}"= TCP:8399:League of Legends Launcher
"{4120B4DE-72E6-4A37-AA5D-F0DC978C1A98}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe:TurbineMessageService
"{0A5EB31A-9732-4387-8D82-05FF39BB1C74}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe:TurbineMessageService
"{5C08F94F-B5DC-4D56-8FA5-4C6919D320C4}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{640788E3-7CF4-4CAA-BEED-5CB3DEC98C9E}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{25552A7A-19F5-47E8-9BDC-EF9D7E7766FD}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{BE5DF06A-5F06-4B93-A456-90648F9CEC1F}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{489C7B77-5C6E-4F01-BDB3-E538D2DE5C7F}"= UDP:c:\windows\System32\wininit.exe:wininit
"{C2D7F6E2-B070-4BDD-94DF-D32CAE1990C7}"= TCP:c:\windows\System32\wininit.exe:wininit
"{87B79004-29C9-4136-8040-A7EBBE4BAD8D}"= UDP:c:\windows\System32\wininit.exe:wininit
"{2D5947B0-B2D3-410D-9B0B-1D96E91984A9}"= TCP:c:\windows\System32\wininit.exe:wininit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

S2 wfpservice;Windows Feedback Panel Background Service;c:\program files\Microsoft Windows Feedback Panel\WFPService.EXE [7/9/2009 3:36 AM 248080]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [11/6/2007 1:22 PM 34064]
S3 PRSUSB;Sony Reader;c:\windows\System32\drivers\PRSUSB.sys [11/21/2006 5:52 PM 18944]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\winhelper.dll
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.7/TSWeb.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{BA603215-23F2-42AD-F4E4-00AAC39CAA53} - c:\windows\system32\ygsuhdf83id.dll
HKLM-Run-letomoyana - haligogu.dll
HKLM-RunOnce-Cleanup - C:\cleanup.exe
HKLM-RunOnce-<NO NAME> - (no file)
SharedTaskScheduler-{BA603215-23F2-42AD-F4E4-00AAC39CAA53} - c:\windows\system32\ygsuhdf83id.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-511701214-598833928-2956610662-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:54,72,5e,f3,c7,a9,bb,7c,ed,c1,43,9d,ea,b2,07,f8,12,1a,c9,a2,34,3a,b3,
02,28,ba,6e,b4,84,a4,8d,21,cd,75,fe,70,4f,af,db,dc,4f,d9,c4,0d,e7,41,62,9b,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-511701214-598833928-2956610662-1000\Software\SecuROM\License information*]
"datasecu"=hex:64,b9,a1,70,c2,5c,7a,30,45,89,c2,88,05,04,6e,98,38,8a,98,a8,97,
69,49,3c,46,4b,ac,eb,af,ed,15,a2,11,6e,0a,f4,42,6e,0f,54,4e,46,55,7c,d6,88,\
"rkeysecu"=hex:9b,54,29,a0,89,4e,30,e7,db,26,85,97,ff,5f,2a,fa

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\HelpPane.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-09-16 14:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-16 21:05

Pre-Run: 116,836,712,448 bytes free
Post-Run: 116,500,144,128 bytes free

289 --- E O F --- 2009-08-30 03:52


When I try to run OTL.exe again, I get the message:
"Illegal operation attempted ona registry key that has been marked for deletion"

I am also unable to open .txt files on the infected machine. I forgot to mention that I have disconnected the infected system from the internet and am currently shuttling programs to and from another computer via USB. I ran combo-fix.exe from the USB which might have caused some complications. Thanks again for your help! I really appreciate it.
  • 0

#4
Essexboy
Posted 16 September 2009 - 03:22 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No problem we will see what happens after this. Let me know your symptoms on completion of this

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\System32\dasakebe.exe
c:\windows\System32\lutokujo.dll
c:\windows\System32\wukahuro.dll

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .

I will now try a slightly different programme

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - File Associations
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#5
StephenYu
Posted 16 September 2009 - 03:42 PM

StephenYu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I was unable to load the script via dragging and dropping because of the same error. I manually rebooted to see if that would fix the problem. (My computer was set using msconfig to always boot in Minimal Safemode. From now on I will run all programs from the desktop, not the flash drive.) After rebooting, dragging and dropping the script worked and combo-fix ran. Combo-fix has requested that I connect to the internet before pressing OK. I cannot connect to the internet in safemode because the network drivers appear to be disabled. I left this dialogue open.

Combo-fix.txt

ComboFix 09-09-14.02 - Admin 09/16/2009 14:29.2.2 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.3112 [GMT -7:00]
Running from: c:\users\Admin\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Admin\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\windows\System32\dasakebe.exe"
"c:\windows\System32\lutokujo.dll"
"c:\windows\System32\wukahuro.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\dasakebe.exe
c:\windows\System32\lutokujo.dll
c:\windows\System32\wukahuro.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-16 21:36 . 2009-09-16 21:36 -------- d-----w- c:\users\Admin\AppData\Local\temp
2009-09-16 21:36 . 2009-09-16 21:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-16 21:36 . 2009-09-16 21:36 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-09-16 21:36 . 2009-09-16 21:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-16 20:46 . 2009-09-16 20:46 574 ----a-w- C:\cleanup.bat
2009-09-16 20:46 . 2009-09-16 20:46 135168 ----a-w- C:\zip.exe
2009-09-16 19:37 . 2009-09-16 19:37 -------- d-----w- c:\program files\ERUNT
2009-09-16 18:56 . 2009-09-16 19:00 -------- d-----w- c:\program files\Spybot2
2009-09-16 18:31 . 2009-09-16 19:00 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-16 18:31 . 2009-09-16 18:38 -------- d-----w- c:\program files\Spybot
2009-09-16 18:30 . 2009-09-16 18:30 -------- d-----w- c:\program files\Includes
2009-09-16 08:59 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-16 08:59 . 2009-09-16 18:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 08:59 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 03:52 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-25 02:46 . 2009-09-12 07:07 -------- d-----w- c:\program files\Heroes of Newerth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 11:46 . 2009-07-29 07:07 -------- d-----w- c:\users\Admin\AppData\Roaming\vlc
2009-09-16 11:38 . 2007-09-20 05:36 1356 ----a-w- c:\users\Admin\AppData\Local\d3d9caps.dat
2009-09-16 09:31 . 2009-07-28 09:01 -------- d-----w- c:\program files\Microsoft Windows Feedback Panel
2009-09-16 09:31 . 2008-06-26 02:14 -------- d-----w- c:\programdata\WFP
2009-09-16 09:31 . 2007-09-11 19:18 -------- d-----w- c:\programdata\NVIDIA
2009-09-15 18:46 . 2007-09-11 18:59 94936 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-15 08:13 . 2008-07-10 00:33 -------- d-----w- c:\program files\SolidWorks
2009-09-14 15:55 . 2009-07-03 07:22 -------- d-----w- c:\users\Guest\AppData\Roaming\vlc
2009-09-12 20:45 . 2008-01-06 05:47 -------- d-----w- c:\program files\Common Files\Logishrd
2009-09-08 20:39 . 2008-01-06 05:32 -------- d-----w- c:\users\Admin\AppData\Roaming\Nero
2009-09-08 20:30 . 2008-01-06 05:30 -------- d-----w- c:\program files\Common Files\Nero
2009-09-08 20:29 . 2008-01-06 05:30 -------- d-----w- c:\program files\Nero
2009-09-08 20:28 . 2008-01-06 05:30 -------- d-----w- c:\programdata\Nero
2009-08-09 08:06 . 2007-12-21 08:25 -------- d-----w- c:\users\Admin\AppData\Roaming\U3
2009-08-06 18:08 . 2009-08-06 18:08 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
2009-08-06 18:08 . 2009-08-06 18:08 -------- d-----w- c:\programdata\Malwarebytes
2009-08-06 15:47 . 2008-06-17 22:17 107016 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-04 08:47 . 2009-08-04 08:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-04 08:37 . 2007-10-25 08:21 -------- d-----w- c:\program files\WC3Banlist
2009-08-04 08:36 . 2007-06-08 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-03 02:32 . 2007-09-20 06:02 -------- d-----w- c:\program files\Warcraft III
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-07-31 01:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-31 01:09 . 2008-08-13 23:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 01:06 . 2007-09-23 03:52 -------- d-----w- c:\programdata\Microsoft Help
2009-07-31 01:04 . 2007-06-08 15:32 -------- d-----w- c:\program files\Microsoft Works
2009-07-24 03:39 . 2009-07-24 03:39 93 ----a-w- c:\users\Admin\AppData\Local\fusioncache.dat
2009-07-21 21:52 . 2009-07-31 01:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-31 01:00 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-31 01:00 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-31 01:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-19 08:13 . 2009-07-19 08:13 -------- d-----w- c:\users\Admin\AppData\Roaming\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-07-17 13:54 . 2009-08-30 03:50 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-30 03:50 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-30 03:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-30 03:50 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-30 03:50 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 21:37 . 2009-08-07 01:36 66056 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_HelperSvc.exe
2009-07-14 21:37 . 2009-08-07 01:36 32456 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-07-14 21:37 . 2009-08-07 01:36 242272 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe
2009-07-14 21:37 . 2009-08-07 01:36 22848 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-07-14 21:37 . 2009-08-07 01:36 18776 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-06-30 21:26 . 2009-06-30 21:22 1915520 ----a-w- c:\users\Guest\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2007-09-11 21:24 . 2007-09-11 21:24 22 --sha-w- c:\windows\SMINST\HPCD.sys
2009-04-14 08:09 . 2009-04-14 08:09 848 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-16_21.02.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 10:33 . 2009-09-16 21:34 633102 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-16 20:57 633102 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-16 21:34 116660 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-09-16 20:57 116660 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 92704]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-25 4702208]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Mouse and Keyboard Settings.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-23 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\WfpRescover\wfprescover.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WFPUser.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WFPUser.lnk
backup=c:\windows\pss\WFPUser.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"VistaSp2"=hex(b):74,32,b9,f3,80,11,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{54A45CBD-8D84-4EDC-BEC8-62B9E5985BFA}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections
"{0784761A-E1A2-486E-8D9C-B1E863B8A10E}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{A3D7F7AC-36A4-4D45-AFCE-E0177A9BC060}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E93AE87D-76BF-4B3E-8735-3C4566B78EAB}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E236F62F-DD1B-454E-9D3B-BA6F963B15EA}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{88652854-FF22-4D2D-8912-7253A7A33944}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3BE6EBAC-0D80-4DBE-8AA5-2109389A0380}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4B2F6E24-1698-4BB9-BB28-4EF7188052D3}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"TCP Query User{5169CE20-2540-4DD1-AF42-374EDF07B588}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{2DF9410E-9D0F-4FDB-98C0-81C94BEF4652}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{8D911C71-A8B3-4322-AED8-34C5F1454A2D}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C9F9A0F3-E2AC-478D-B000-4A7DE1EAD4CC}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3060D9C1-0184-415F-9BC7-66FB87E4A09E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E666B6AC-7D13-4AFD-BDCD-802DD4AA5A20}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5DF87D88-914D-4F91-BE39-026CF57C7AFB}"= UDP:25901:BitComet 25901 TCP
"{A45BB9F8-FC48-4F69-A71B-209A86FB531C}"= TCP:25901:BitComet 25901 UDP
"{B1BF435B-C0F0-4372-9B36-A05B85E0F522}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{590228EC-782B-4199-8721-8E881CA7940E}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{6262EFBD-E435-46CC-A086-ECDD74A79C1B}"= UDP:25901:BitComet 25901 TCP
"{BCD7C386-C612-4C57-898F-308DBB92A6CE}"= TCP:25901:BitComet 25901 UDP
"{14E844FE-A113-4817-B7C2-A5FEFFF8DFB4}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{A075DB20-294C-4367-B380-5748937A8647}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{13405024-6972-458F-8318-DAD16E7EDDC1}"= UDP:8395:League of Legends Launcher
"{CC0B6D01-1E1C-4E8D-9653-150940BBE6B7}"= TCP:8395:League of Legends Launcher
"{2025FCDA-5CFC-49CE-B904-8F8142E1CA8D}"= UDP:c:\riot games\League of Legends\Air\LolClient.exe:League of Legends Lobby
"{78503524-7292-4A44-8987-2DE49A25E789}"= TCP:c:\riot games\League of Legends\Air\LolClient.exe:League of Legends Lobby
"{680191BA-EBEB-4B8E-8948-C1D2DFDF7567}"= UDP:c:\riot games\League of Legends\Game\League of Legends.exe:League of Legends Game Client
"{C433AD45-63CF-4F29-8B65-9F040D6A4C8F}"= TCP:c:\riot games\League of Legends\Game\League of Legends.exe:League of Legends Game Client
"{37F64FFF-5711-4411-B943-B49ED5E15A86}"= UDP:8396:League of Legends Launcher
"{C19E2739-E04E-4C8C-AAAE-6915F14F379D}"= TCP:8396:League of Legends Launcher
"{116DD32F-304F-42AE-B489-ED9087C2ADE1}"= UDP:8397:League of Legends Launcher
"{A40CF8AD-4023-43F2-9338-2656F766D6DD}"= TCP:8397:League of Legends Launcher
"{38CFBB17-D87E-4B9F-A72D-CBFE701FFEDA}"= UDP:8398:League of Legends Launcher
"{DF4BF06B-816E-4EEB-A2FC-C775EB201595}"= TCP:8398:League of Legends Launcher
"{B466ACE2-2925-4515-A08D-F1F6AEEC05EE}"= UDP:8399:League of Legends Launcher
"{BD5DACB7-844A-452E-A9AB-71F82705E00A}"= TCP:8399:League of Legends Launcher
"{4120B4DE-72E6-4A37-AA5D-F0DC978C1A98}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe:TurbineMessageService
"{0A5EB31A-9732-4387-8D82-05FF39BB1C74}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe:TurbineMessageService
"{5C08F94F-B5DC-4D56-8FA5-4C6919D320C4}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{640788E3-7CF4-4CAA-BEED-5CB3DEC98C9E}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{25552A7A-19F5-47E8-9BDC-EF9D7E7766FD}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{BE5DF06A-5F06-4B93-A456-90648F9CEC1F}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{489C7B77-5C6E-4F01-BDB3-E538D2DE5C7F}"= UDP:c:\windows\System32\wininit.exe:wininit
"{C2D7F6E2-B070-4BDD-94DF-D32CAE1990C7}"= TCP:c:\windows\System32\wininit.exe:wininit
"{87B79004-29C9-4136-8040-A7EBBE4BAD8D}"= UDP:c:\windows\System32\wininit.exe:wininit
"{2D5947B0-B2D3-410D-9B0B-1D96E91984A9}"= TCP:c:\windows\System32\wininit.exe:wininit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

S2 wfpservice;Windows Feedback Panel Background Service;c:\program files\Microsoft Windows Feedback Panel\WFPService.EXE [7/9/2009 3:36 AM 248080]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [11/6/2007 1:22 PM 34064]
S3 PRSUSB;Sony Reader;c:\windows\System32\drivers\PRSUSB.sys [11/21/2006 5:52 PM 18944]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\winhelper.dll
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.7/TSWeb.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 14:36
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-511701214-598833928-2956610662-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:54,72,5e,f3,c7,a9,bb,7c,ed,c1,43,9d,ea,b2,07,f8,12,1a,c9,a2,34,3a,b3,
02,28,ba,6e,b4,84,a4,8d,21,cd,75,fe,70,4f,af,db,dc,4f,d9,c4,0d,e7,41,62,9b,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-511701214-598833928-2956610662-1000\Software\SecuROM\License information*]
"datasecu"=hex:64,b9,a1,70,c2,5c,7a,30,45,89,c2,88,05,04,6e,98,38,8a,98,a8,97,
69,49,3c,46,4b,ac,eb,af,ed,15,a2,11,6e,0a,f4,42,6e,0f,54,4e,46,55,7c,d6,88,\
"rkeysecu"=hex:9b,54,29,a0,89,4e,30,e7,db,26,85,97,ff,5f,2a,fa

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-09-16 14:37
ComboFix-quarantined-files.txt 2009-09-16 21:37
ComboFix2.txt 2009-09-16 21:06

Pre-Run: 116,569,800,704 bytes free
Post-Run: 116,438,888,448 bytes free

278 --- E O F --- 2009-08-30 03:52


Combo-Fix did not reboot my computer. Since your next instruction requires that I close all other programs, including combo-fix, I have not completed that step yet. What is my next step? I appreciate your amazingly fast replies.


Edit: I just pressed OK on the file submission prompt and it told me to upload it later.

Upon running OTS, an error appears:

Access violation at address 0053A9E5 in module 'OTS.exe'. Read of address 00000000.


I rebooted and tried to run OTS again.

Attached File  OTS.Txt   138.34KB   375 downloads

Edit: Since you're reply is taking a little longer than usual :) , I went ahead and uninstalled + reinstalled MalwareBytes (it works!) and ran a quick scan and a full system scan. Logs are below.
Attached File  mbam_log_2009_09_16__15_40_02_.txt   979bytes   114 downloads
Attached File  mbam_log_2009_09_16__17_40_35_.txt   1.01KB   202 downloads

Edited by StephenYu, 16 September 2009 - 06:52 PM.

  • 0

#6
Essexboy
Posted 17 September 2009 - 02:56 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That looks a lot better - could you run this fix and then go to normal mode and let me know how your computer is running :)

My time zone is GMT

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY -> hukudube -> C:\Windows\System32\hukudube
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#7
StephenYu
Posted 17 September 2009 - 03:27 AM

StephenYu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi Essexboy, thanks again for the reply. Everything is working much better now! While you were out, I also ran CCleaner for temp files and registry.

Here is the OTS fix log.

OTS Fix log

All Processes Killed
[Files/Folders - Modified Within 30 Days]
C:\Windows\System32\hukudube moved successfully.
[Empty Temp Folders]


User: Admin
->Temp folder emptied: 343128 bytes
->Temporary Internet Files folder emptied: 517667 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 89492481 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\Windows\temp\TMP00000040939E0471999114D6 scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\TMP000000423702BC4CF6345EF3 scheduled to be deleted on reboot.
Windows Temp folder emptied: 527128 bytes
RecycleBin emptied: 2526 bytes

Total Files Cleaned = 86.67 mb

< End of fix log >
OTS by OldTimer - Version 3.0.12.1 fix logfile created on 09172009_020613

Files\Folders moved on Reboot...
C:\Windows\temp\TMP00000040939E0471999114D6 moved successfully.
C:\Windows\temp\TMP000000423702BC4CF6345EF3 moved successfully.

Registry entries deleted on Reboot...


Even after two reboots, when I try to run an OTS scan with those 5 boxes checked, I get the following error:

Access violation at address 0053A9E5 in module 'OTS.exe'. Read of address 00000000


Also, when I boot in normal mode, Windows prompts me for a product key. Entering the Vista Home Premium product key on the tower sticker has no effect. I talked at great length to HP tech support and the technician recommended that I do a full system recovery. Any ideas?

One more thing, I installed and tried to uninstall Spybot Search & Destroy while I had the virus. The virus wouldn't let me run or uninstall the program. I manually deleted the program's folder, all except spybot.exe. Before, the file did not even show up even when I am viewing hidden files. Now it shows up but I am still unable to delete it because it is in use. I cannot figure out what is still using it. Thank you for your help.

Edited by StephenYu, 17 September 2009 - 03:39 AM.

  • 0

#8
Essexboy
Posted 17 September 2009 - 01:15 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK for the programmes that don't want to play please do the following

Download this programme

Drag each of the exe files that you are unable to run into Inherit.exe.

Then wait for it to say "OK"

Do this for all the programmes that do not want to run and it is the exe file and not the shortcut

Download the jellybean key finder and determine if both id's are the same

Let me know of any further problems before I remove my tools :)
  • 0

#9
StephenYu
Posted 17 September 2009 - 10:36 PM

StephenYu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Wow! Your inherit.exe program really did the trick. I was able to delete the spybotsd.exe file that was always in use. I downloaded the jellybean key finder and the key it finds does not match up with the sticker key on my case. Neither of them work to validate Windows. I've been searching Google for an answer to my key problem but no luck so far. I've been searching:

This copy of windows is not activated. Click here to activate windows now.

0xC004E003 error

My windows does not have a countdown period until I have to activate it either, so other than periodic annoying messages, it appears to be working fine. I really appreciate your help in removing that pesky virus from my system :) . Is there anything else I need to do?

I'd like to show my appreciation by making a donation and I noticed that you have a PayPal link on your signature. Could you confirm that the donation either goes to you or toward the operation of this site? Thanks again!

Edited by StephenYu, 17 September 2009 - 10:37 PM.

  • 0

#10
Essexboy
Posted 18 September 2009 - 11:14 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi the error may be corrected by initiating a windows update, let me know if it does - otherwise I will investigate further :)

:) Any donations come directly to me.

I will remove my tools now and if you could then let me know of the update result

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself so..Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 15.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u15-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u15-windows-i586-p.exe and select "Run as an Administrator.")


VISTA
To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advance System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done

SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)
  • 0

#11
Essexboy
Posted 21 September 2009 - 02:46 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP