Viruses, Spyware and...

Viruses, Spyware and other Nasties RSS

Windows Police Pro, can't run mba..

Thread Solved

« First

Last »

•

Join Date: Dec 2006

Posts: 922

Reputation: PhilliePhan will become famous soon enough

Solved Threads: 43

PhilliePhan PhilliePhan is offline

Offline

Posting Shark

Re: Windows Police Pro, can't run mba..

#21

Sep 1st, 2009

•

Originally Posted by Sisaly

Wow Phil you are a trooper.
I got KILLBAD and win32kdiag to run. Here are the logs.

The stuff that is hard to kill is more fun for us Forum volunteers

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in bold below and copy it using Ctrl+C or RightClick > Copy :

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll

-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox , using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

NEXT:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f –r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.

-- Check and see if MBA-M will run now and, if it does, do a Full Scan and have it remove what it finds and post that log too...

Best Luck

In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer

ASAP

•

Join Date: Aug 2009

Posts: 23

Reputation: Sisaly is an unknown quantity at this point

Solved Threads: 0

Sisaly

Offline

Newbie Poster

Re: Windows Police Pro, can't run mba..

#22

Sep 1st, 2009

Phil I did exactly as stated and when I run Execute ( after copy/paste) on avenger I get this...

Invalid script Error: A valid script must begin with a command directive. Aborting execution!

I'm going bald.

Last edited by Sisaly; Sep 1st, 2009 at 8:47 pm.

•

Join Date: Dec 2006

Posts: 922

Reputation: PhilliePhan will become famous soon enough

Solved Threads: 43

PhilliePhan PhilliePhan is offline

Offline

Posting Shark

Re: Windows Police Pro, can't run mba..

#23

Sep 1st, 2009

•

Originally Posted by Sisaly

Phil I did exactly as stated and when I run Execute ( after copy/paste) on avenger I get this...

Invalid script Error: A valid script must begin with a command directive. Aborting execution!

Copy and paste the everything in red including "files to move."

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll

Try again and see if that works and then do the rest.

PP

•

Join Date: Aug 2009

Posts: 23

Reputation: Sisaly is an unknown quantity at this point

Solved Threads: 0

Sisaly

Offline

Newbie Poster

Re: Windows Police Pro, can't run mba..

#24

Sep 1st, 2009

Opps, my bad. Got it now...

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue Sep 01 18:37:37 2009

18:37:37: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue Sep 01 18:38:50 2009

18:38:50: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

•

Join Date: Aug 2009

Posts: 23

Reputation: Sisaly is an unknown quantity at this point

Solved Threads: 0

Sisaly

Offline

Newbie Poster

Re: Windows Police Pro, can't run mba..

#25

Sep 1st, 2009

All right got the next log. Tried mbam tried to update and got a blue screen crash.

Log file is located at: C:\Documents and Settings\Rachel\Desktop\Win32kDiag.txtRemoving all found mount points.Attempting to reset file permissions.WARNING: Could not get backup privileges!Searching 'C:\WINDOWS'...Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460Found mount point : C:\WINDOWS\addins\addinsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\addins\addinsFound mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\ZAP103.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\ZAP103.tmpFound mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A5.tmp\ZAP1A5.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A5.tmp\ZAP1A5.tmpFound mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28E.tmp\ZAP28E.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28E.tmp\ZAP28E.tmpFound mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B8.tmp\ZAP2B8.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B8.tmp\ZAP2B8.tmpFound mount point : C:\WINDOWS\assembly\temp\tempMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\assembly\temp\tempFound mount point : C:\WINDOWS\assembly\tmp\tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\assembly\tmp\tmpFound mount point : C:\WINDOWS\AU_Temp\AU_TempMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\AU_Temp\AU_TempFound mount point : C:\WINDOWS\Config\ConfigMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Config\ConfigFound mount point : C:\WINDOWS\Connection Wizard\Connection WizardMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Connection Wizard\Connection WizardFound mount point : C:\WINDOWS\Debug\UserMode\UserModeMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Debug\UserMode\UserModeFound mount point : C:\WINDOWS\ime\imejp\applets\appletsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\ime\imejp\applets\appletsFound mount point : C:\WINDOWS\ime\imejp98\imejp98Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\ime\imejp98\imejp98Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dictsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dictsFound mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729Found mount point : C:\WINDOWS\java\classes\classesMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\java\classes\classesFound mount point : C:\WINDOWS\java\trustlib\trustlibMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\java\trustlib\trustlibFound mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind LogsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind LogsFound mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET FilesMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET FilesFound mount point : C:\WINDOWS\Minidump\MinidumpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Minidump\MinidumpFound mount point : C:\WINDOWS\msapps\msinfo\msinfoMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\msapps\msinfo\msinfoFound mount point : C:\WINDOWS\mui\muiMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\mui\muiFound mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLESMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLESFound mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFFMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFFFound mount point : C:\WINDOWS\PCHealth\ERRORREP\UserDumps\UserDumpsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\UserDumps\UserDumpsFound mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCHMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCHCannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exeAttempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe[1] 2003-03-31 14:00:00 703488 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe (Microsoft Corporation)[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\helpsvc.exe (Microsoft Corporation)Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPointMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPointFound mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFilesMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFilesFound mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUsFound mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFSMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFSFound mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\NewsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\NewsFound mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEMMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEMFound mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\TempMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\TempFound mount point : C:\WINDOWS\PIF\PIFMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\PIF\PIFFound mount point : C:\WINDOWS\Registration\CRMLog\CRMLogMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLogFound mount point : C:\WINDOWS\security\logs\logsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\security\logs\logsFound mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\DownloadedMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\DownloadedFound mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backupMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backupFound mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backupMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backupFound mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msftMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msftFound mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msftMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msftFound mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70Found mount point : C:\WINDOWS\Sun\Java\Deployment\DeploymentMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Sun\Java\Deployment\DeploymentFound mount point : C:\WINDOWS\system32\1025\1025Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\1025\1025Found mount point : C:\WINDOWS\system32\1028\1028Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\1028\1028Found mount point : C:\WINDOWS\system32\1031\1031Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\1031\1031Found mount point : C:\WINDOWS\system32\1037\1037Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\1037\1037Found mount point : C:\WINDOWS\system32\1041\1041Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\1041\1041Found mount point : C:\WINDOWS\system32\1042\1042Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\1042\1042Found mount point : C:\WINDOWS\system32\1054\1054Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\1054\1054Found mount point : C:\WINDOWS\system32\2052\2052Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\2052\2052Found mount point : C:\WINDOWS\system32\3076\3076Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\3076\3076Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmiMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmiFound mount point : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDirMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDirFound mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDirMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDirFound mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bakMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bakFound mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\CertificatesMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\CertificatesFound mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLsFound mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLsFound mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\DesktopMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\DesktopFound mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\FavoritesMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\FavoritesFound mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICEMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICEFound mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My DocumentsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My DocumentsFound mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHoodMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHoodFound mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHoodMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHoodFound mount point : C:\WINDOWS\system32\config\systemprofile\Recent\RecentMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\RecentFound mount point : C:\WINDOWS\system32\dhcp\dhcpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\dhcp\dhcpFound mount point : C:\WINDOWS\system32\drivers\disdn\disdnMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdnFound mount point : C:\WINDOWS\system32\export\exportMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\export\exportFound mount point : C:\WINDOWS\system32\inetsrv\inetsrvMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrvFound mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDFMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDFFound mount point : C:\WINDOWS\system32\Macromed\update\updateMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\Macromed\update\updateFound mount point : C:\WINDOWS\system32\mui\dispspec\dispspecMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspecFound mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnupMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnupFound mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcustMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcustFound mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhwMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhwFound mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemregMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemregFound mount point : C:\WINDOWS\system32\oobe\sample\sampleMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\sample\sampleFound mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\i386Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\i386Found mount point : C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\i386Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\i386Found mount point : C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\DriverFilesMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\DriverFilesFound mount point : C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\DriverFilesMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\DriverFilesFound mount point : C:\WINDOWS\system32\ShellExt\ShellExtMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExtFound mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64Found mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHAMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHAFound mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERSMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERSFound mount point : C:\WINDOWS\system32\wbem\Logs\LogsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wbem\Logs\LogsFound mount point : C:\WINDOWS\system32\wbem\mof\bad\badMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\badFound mount point : C:\WINDOWS\system32\wbem\snmp\snmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmpFound mount point : C:\WINDOWS\system32\wins\winsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wins\winsFound mount point : C:\WINDOWS\system32\xircom\xircomMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\xircom\xircomFound mount point : C:\WINDOWS\Temp\Cookies\CookiesMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Cookies\CookiesFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\cs\csMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\cs\csFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\da\daMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\da\daFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\de\deMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\de\deFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\el\elMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\el\elFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en\enMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en\enFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en-gb\en-gbMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en-gb\en-gbFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\es\esMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\es\esFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fi\fiMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fi\fiFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fr\frMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fr\frFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\HTML\HTMLMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\HTML\HTMLFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\it\itMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\it\itFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ja\jaMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ja\jaFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ko\koMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ko\koFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\nl\nlMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\nl\nlFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\no\noMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\no\noFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pl\plMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pl\plFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pt-br\pt-brMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pt-br\pt-brFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ru\ruMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ru\ruFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\sv\svMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\sv\svFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\th\thMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\th\thFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\tr\trMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\tr\trFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-cn\zh-cnMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-cn\zh-cnFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-tw\zh-twMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-tw\zh-twFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\cs\csMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\cs\csFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\da\daMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\da\daFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\de\deMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\de\deFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\el\elMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\el\elFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en\enMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en\enFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en-gb\en-gbMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en-gb\en-gbFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\es\esMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\es\esFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fi\fiMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fi\fiFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fr\frMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fr\frFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\HTML\HTMLMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\HTML\HTMLFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\it\itMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\it\itFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ja\jaMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ja\jaFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ko\koMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ko\koFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\nl\nlMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\nl\nlFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\no\noMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\no\noFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pl\plMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pl\plFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pt-br\pt-brMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pt-br\pt-brFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ru\ruMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ru\ruFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\sv\svMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\sv\svFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\th\thMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\th\thFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\tr\trMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\tr\trFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-cn\zh-cnMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-cn\zh-cnFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-tw\zh-twMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-tw\zh-twFound mount point : C:\WINDOWS\Temp\GUM15.tmp\CrashReports\CrashReportsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\GUM15.tmp\CrashReports\CrashReportsFound mount point : C:\WINDOWS\Temp\History\History.IE5\History.IE5Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\History\History.IE5\History.IE5Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisorMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisorFound mount point : C:\WINDOWS\Temp\slu19b.tmp\slu19b.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slu19b.tmp\slu19b.tmpFound mount point : C:\WINDOWS\Temp\slu3b4d.tmp\slu3b4d.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slu3b4d.tmp\slu3b4d.tmpFound mount point : C:\WINDOWS\Temp\slu6539.tmp\slu6539.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slu6539.tmp\slu6539.tmpFound mount point : C:\WINDOWS\Temp\slu7f0.tmp\slu7f0.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slu7f0.tmp\slu7f0.tmpFound mount point : C:\WINDOWS\Temp\slu832.tmp\slu832.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slu832.tmp\slu832.tmpFound mount point : C:\WINDOWS\Temp\slufae.tmp\slufae.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slufae.tmp\slufae.tmpFound mount point : C:\WINDOWS\Temp\StandardInstall_1-5-0\WorkFlow\WorkFlowMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\StandardInstall_1-5-0\WorkFlow\WorkFlowFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\11BQ7CMK\11BQ7CMKMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\11BQ7CMK\11BQ7CMKFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\31TUIS5O\31TUIS5OMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\31TUIS5O\31TUIS5OFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\43UFA0R8\43UFA0R8Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\43UFA0R8\43UFA0R8Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4F5IJOXB\4F5IJOXBMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4F5IJOXB\4F5IJOXBFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6EQ7NVYF\6EQ7NVYFMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6EQ7NVYF\6EQ7NVYFFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7GE5RVL2\7GE5RVL2Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7GE5RVL2\7GE5RVL2Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9MBJ2F4V\9MBJ2F4VMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9MBJ2F4V\9MBJ2F4VFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\H6FM75Z5\H6FM75Z5Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\H6FM75Z5\H6FM75Z5Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K1GSDJK0\K1GSDJK0Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K1GSDJK0\K1GSDJK0Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QKMOJ1WP\QKMOJ1WPMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QKMOJ1WP\QKMOJ1WPFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R4YPFEHN\R4YPFEHNMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R4YPFEHN\R4YPFEHNFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YETQBD7F\YETQBD7FMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YETQBD7F\YETQBD7FFound mount point : C:\WINDOWS\Temp\WMD\WMDMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\WMD\WMDFound mount point : C:\WINDOWS\Temp\WMFA\WMFAMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\WMFA\WMFAFound mount point : C:\WINDOWS\WinSxS\InstallTemp\51836\51836Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\51836\51836Finished!

•

Join Date: Dec 2006

Posts: 922

Reputation: PhilliePhan will become famous soon enough

Solved Threads: 43

PhilliePhan PhilliePhan is offline

Offline

Posting Shark

Re: Windows Police Pro, can't run mba..

#26

Sep 1st, 2009

Ok - If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.malwarebytes.org/forums/i...howtopic=22723

What I want you to do, though, is this:
When you download it and it ask you to "Save File As," rename combofix to Bunnyfix.exe and then download it to your desktop as that and follow the instructions in the linky to run it and post the log.

PP

•

Join Date: Aug 2009

Posts: 23

Reputation: Sisaly is an unknown quantity at this point

Solved Threads: 0

Sisaly

Offline

Newbie Poster

Re: Windows Police Pro, can't run mba..

#27

Sep 1st, 2009

Running now.....

•

Join Date: Dec 2006

Posts: 922

Reputation: PhilliePhan will become famous soon enough

Solved Threads: 43

PhilliePhan PhilliePhan is offline

Offline

Posting Shark

Re: Windows Police Pro, can't run mba..

#28

Sep 1st, 2009

•

Originally Posted by Sisaly

Running now.....

All right . . . Now we are cooking with gas . . . or something like that.

I am calling it a night - My eyes are killing me + have some actual paying work to do.

Post the combofix log for me and I'll have a look at it first chance I get.

Cheers

•

Join Date: Aug 2009

Posts: 23

Reputation: Sisaly is an unknown quantity at this point

Solved Threads: 0

Sisaly

Offline

Newbie Poster

Re: Windows Police Pro, can't run mba..

#29

Sep 1st, 2009

All right Phil!

Here we go....

ComboFix 09-09-01.04 - Rachel 09/01/2009 19:56.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.200 [GMT -5:00]
Running from: c:\documents and settings\Rachel\Desktop\Bunnyfix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\15977394
c:\documents and settings\All Users\Application Data\15977394\15977394
c:\documents and settings\All Users\Application Data\15977394\15977394.exe
c:\documents and settings\All Users\Application Data\15977394\pc15977394ins
c:\documents and settings\All Users\Application Data\esacomub.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Rachel\Cookies\josi.pif
c:\recycler\NPROTECT
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Fonts\HELSM___.TTF
c:\windows\Fonts\INK2METR.TTF
c:\windows\Fonts\OPUSM___.TTF
c:\windows\Installer\18c019.msp
c:\windows\Installer\20a96.msi
c:\windows\patch.exe
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\dahovibo.dll
c:\windows\system32\delejome.dll
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\drivers\kbiwkmmetjimqx.sys
c:\windows\system32\hatakuvu.dll
c:\windows\system32\kbiwkmbvsmrril.dll
c:\windows\system32\kbiwkmjklypdur.dll
c:\windows\system32\kbiwkmldyiuwyr.dat
c:\windows\system32\kbiwkmxvakcdpq.dat
c:\windows\system32\lolapeva.dll
c:\windows\system32\mdm.exe
c:\windows\system32\naluwota.dll
c:\windows\system32\nepusenu.dll
c:\windows\system32\simejufa.dll
c:\windows\system32\tapi.nfo
c:\windows\system32\terovozo.dll
c:\windows\system32\tuviloko.exe
c:\windows\system32\volosejo.dll
c:\windows\system32\vovugesi.dll
c:\windows\system32\wisdstr.exe
c:\windows\system32\yavayusa.dll

----- BITS: Possible infected sites -----

hxxp://82.98.231.97
c:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100
-------\Service_kbiwkmbqvmttap

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 00:19 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 00:19 . 2009-09-02 00:19 -------- d-----w- C:\ILU
2009-09-02 00:19 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 22:43 . 2009-09-01 22:43 -------- d---a-w- C:\KILLBAD
2009-09-01 02:48 . 2009-09-01 12:21 -------- d-----w- C:\suckmydick
2009-09-01 00:43 . 2009-09-01 00:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-09-01 00:35 . 2009-09-01 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-01 00:18 . 2009-09-01 00:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-08-31 06:48 . 2009-08-31 06:48 -------- d---a-w- C:\PKBOO
2009-08-31 05:55 . 2009-08-31 05:55 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-31 05:25 . 2009-08-31 05:25 -------- d-----w- c:\program files\CCleaner
2009-08-31 03:49 . 2009-08-31 03:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-31 03:07 . 2009-08-31 03:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-31 02:36 . 2009-08-31 02:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-23 00:13 . 2009-08-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2009-08-23 00:12 . 2009-08-23 00:13 -------- d-----w- c:\program files\TVUPlayer
2009-08-20 00:49 . 2009-08-20 00:49 -------- d-----w- c:\documents and settings\Rachel\fontconfig
2009-08-20 00:41 . 2009-08-31 05:00 -------- d-----w- c:\program files\MPlayer for Windows
2009-08-20 00:12 . 2009-08-20 00:12 -------- d-----w- c:\program files\Common Files\NSV
2009-08-15 01:23 . 2009-08-15 01:24 -------- d-----w- C:\REPSPL
2009-08-12 02:14 . 2009-08-12 02:15 5519752 ----a-w- c:\documents and settings\Rachel\Application Data\TVU networks\TVU AutoUpgrade\TVUPlayer2.4.7.2.exe
2009-08-11 23:55 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-08 12:02 . 2009-08-08 12:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-08 08:14 . 2009-08-08 08:14 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-08 08:13 . 2009-08-08 08:13 -------- d-----w- c:\program files\MSBuild
2009-08-08 08:13 . 2009-08-08 08:13 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 08:11 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-08 08:11 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-08 08:11 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-08 08:11 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-08 08:11 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-08 08:11 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-08 08:11 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-08 08:11 . 2009-08-08 08:12 -------- d-----w- C:\a6934de93bf88e0a3bce6630233dd5
2009-08-08 08:02 . 2009-08-08 08:02 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 08:01 . 2009-08-05 08:01 56972 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 22:41 . 2009-06-24 01:05 -------- d-----w- c:\program files\McAfee
2009-09-01 22:36 . 2009-06-01 22:35 88576 --sha-w- c:\windows\system32\huverego.dll
2009-09-01 12:56 . 2009-06-01 12:56 49152 --sha-w- c:\windows\system32\ziperame.dll
2009-09-01 06:16 . 2007-12-01 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-31 06:55 . 2009-05-31 06:55 209408 --sha-w- c:\windows\system32\luliwedo.dll
2009-08-31 06:55 . 2009-05-31 06:55 209408 --sha-w- c:\windows\system32\wimavapa.dll
2009-08-31 03:31 . 2009-06-28 02:44 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-31 02:23 . 2009-08-31 02:23 16669 ----a-w- c:\documents and settings\All Users\Application Data\icyw.dat
2009-08-29 22:13 . 2009-06-24 01:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-15 01:23 . 2009-07-12 13:20 737280 ----a-w- c:\windows\iun6002.exe
2009-08-14 12:33 . 2008-12-27 03:14 -------- d-----w- c:\documents and settings\Rachel\Application Data\uTorrent
2009-08-09 09:20 . 2005-11-18 06:46 74424 ----a-w- c:\documents and settings\Rachel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2003-03-31 19:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-28 03:09 . 2006-02-24 20:09 -------- d-----w- c:\documents and settings\Rachel\Application Data\Apple Computer
2009-07-27 23:35 . 2009-07-27 23:34 -------- d-----w- c:\program files\iTunes
2009-07-27 23:34 . 2006-10-04 16:16 -------- d-----w- c:\program files\iPod
2009-07-27 23:33 . 2007-10-22 19:48 -------- d-----w- c:\program files\Common Files\Apple
2009-07-27 23:13 . 2009-07-27 23:13 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-21 00:31 . 2008-12-13 19:37 -------- d-----w- c:\program files\Veetle
2009-07-20 09:04 . 2009-07-20 09:00 -------- d-----w- c:\program files\Image-Line
2009-07-20 09:04 . 2009-07-20 09:04 -------- d-----w- c:\program files\ASIO4ALL v2
2009-07-17 18:55 . 2003-03-31 19:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 10:00 . 2009-01-31 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-14 04:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 07:46 . 2007-12-01 06:27 -------- d-----w- c:\program files\Google
2009-07-13 07:45 . 2006-06-02 20:06 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-12 13:19 . 2009-07-12 13:19 -------- d-----w- c:\program files\Replay Converter
2009-07-03 17:09 . 2005-06-18 05:49 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-30 00:14 . 2009-06-30 00:14 0 ----a-w- c:\windows\nsreg.dat
2009-06-25 08:44 . 2005-06-15 17:50 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2003-03-31 19:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2003-03-31 19:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2003-03-31 19:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2003-03-31 19:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2003-03-31 19:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 00:01 . 2009-06-25 00:01 127872 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\uninstall.exe
2009-06-25 00:01 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-06-25 00:00 . 2009-06-25 00:00 1686272 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-06-22 11:34 . 2003-03-31 19:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2003-03-31 19:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2003-03-31 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-12 15:06 . 2009-06-12 15:06 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\BindBins.exe
2009-06-12 15:06 . 2009-06-12 15:06 30720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\netfw.exe
2009-06-12 15:05 . 2009-06-12 15:05 23510720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\dotnetfx.exe
2009-06-12 15:05 . 2009-06-12 15:05 1179648 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_adafe\EasyShrx.Dll
2009-06-12 15:05 . 2009-06-12 15:05 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.8.20.2.dll
2009-06-12 11:50 . 2003-03-31 19:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2003-03-31 19:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2003-03-31 19:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2005-11-16 18:40 655872 ----a-w- c:\windows\system32\mstscax.dll
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2009-06-01 12:56 . 2009-06-01 12:56 49152 --sha-w- c:\windows\system32\guderasa.dll
2009-06-01 12:56 . 2009-06-01 12:56 49152 --sha-w- c:\windows\system32\ririzaki.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SweetIM"="c:\program files\Macrogaming\SweetIM\SweetIM.exe" [2006-01-02 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"Display Settings"="c:\program files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]
"QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-10-03 106496]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 868352]
"SweetIM"="c:\program files\Macrogaming\SweetIM\SweetIM.exe" [2006-01-02 40960]
"OxigenClientAdmin"="c:\program files\Oxigen\bin\Oxigen.exe" [2007-06-23 887264]
"OxigenTrayIcon"="c:\program files\Oxigen\bin\OxiTray.exe" [2007-06-23 557536]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-04-09 1176808]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"vamanipetu"="c:\windows\system32\ririzaki.dll" [2009-06-01 49152]
"midalolis"="c:\windows\system32\huverego.dll" [2009-09-01 88576]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-11-17 782412]
D-Link REG Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2005-11-17 24576]
FirePod Control Panel.lnk - c:\program files\PreSonus\1394AudioDriver_FirePod\FirePod.exe [2008-12-2 1126400]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-5-10 282624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{c3ee902a-027d-4d77-829b-1697267ddd6c}"= "c:\windows\system32\huverego.dll" [2009-09-01 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"metotozon"= {c3ee902a-027d-4d77-829b-1697267ddd6c} - c:\windows\system32\huverego.dll [2009-09-01 88576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HPQ\\Notebook Utilities\\HPWirelessCfg.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Oxigen\\bin\\OxiProc.exe"=
"c:\\Program Files\\uusee\\UUSeePlayer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\explorer.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/23/2009 8:11 PM 203280]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [11/16/2005 1:53 PM 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [11/16/2005 1:53 PM 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [7/16/2003 9:01 PM 28280]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 W35UND;IS89C35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\drivers\W35UND.SYS [9/12/2006 5:18 PM 117632]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-01 23:47]

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 13:57]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 13:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{19c97a07-5c6d-464d-8765-8d59d54aa792} - c:\windows\system32\nepusenu.dll
HKLM-Run-CPM5b294dbd - c:\windows\system32\lolapeva.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Rachel\Application Data\Mozilla\Firefox\Profiles\0bpq0kpp.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Rachel\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 20:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?7?7?0??????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbiwkmbqvmttap]
"imagepath"="\systemroot\system32\drivers\kbiwkmmetjimqx.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbiwkmbqvmttap]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmmetjimqx.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
c:\program files\Macrogaming\SweetIM\mgAdaptersProxy.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ririzaki.dll
c:\windows\system32\huverego.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\HPConfig.exe
c:\program files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\MsPMSPSv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-02 20:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 01:29

Pre-Run: 14,684,491,776 bytes free
Post-Run: 14,734,770,176 bytes free

346 --- E O F --- 2009-08-27 08:01

•

Join Date: Aug 2009

Posts: 23

Reputation: Sisaly is an unknown quantity at this point

Solved Threads: 0

Sisaly

Offline

Newbie Poster

Re: Windows Police Pro, can't run mba..

#30

Sep 1st, 2009

PHIL....MBAM IS SCANNING!

In the first 10 seconds it found 6 infected objects, now it's at 13.

That combofix did the trick.

I uninstalled mbam, ran ccleaner, and reinstalled and updated. Is running great.
Go baby GO!!!