Wow Phil you are a trooper.
I got KILLBAD and win32kdiag to run. Here are the logs.


The stuff that is hard to kill is more fun for us Forum volunteers :)

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in bold below and copy it using Ctrl+C or RightClick > Copy :

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.

NEXT:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.

-- Check and see if MBA-M will run now and, if it does, do a Full Scan and have it remove what it finds and post that log too...

Best Luck :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110

Phil I did exactly as stated and when I run Execute ( after copy/paste) on avenger I get this...

Invalid script Error: A valid script must begin with a command directive. Aborting execution!


I'm going bald.

Sisaly
Newbie Poster
23 posts since Aug 2009
Reputation Points: 10
Solved Threads: 0

Phil I did exactly as stated and when I run Execute ( after copy/paste) on avenger I get this...

Invalid script Error: A valid script must begin with a command directive. Aborting execution!



Copy and paste everything in red, including "Files to move:":

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


Try again and see if that works and then do the rest.

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110

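The error Sisaly hit comes from the first check The Avenger makes on a pasted script: the text must open with a command directive such as "Files to move:", and only then do the "source | destination" lines follow. The validator below is an added example, not part of the thread and not code from The Avenger; it models only the script shape shown here (the directive set and the path rule are assumptions for illustration) and reproduces the same error when the directive line is left out of the paste.

```python
"""Check an Avenger "Files to move:" script before pasting it.

Added example; not part of the thread and not code from The Avenger. It
models only the script shape the thread shows: the first non-empty line must
be a command directive (here "Files to move:") and each line after it is
"source | destination". The directive set and path rule are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Only the directive used in this thread is modelled (assumption: The Avenger
# accepts others, but they are not needed here).
KNOWN_DIRECTIVES = {"files to move:"}

# Absolute drive-letter path with no characters that are illegal in Win32 names.
WIN_PATH = re.compile(r'^[A-Za-z]:\\[^<>:"|?*]+$')


@dataclass
class MoveEntry:
    source: str
    destination: str


def parse_avenger_script(text: str) -> List[MoveEntry]:
    """Parse the script; raise ValueError with the wording from the thread when
    the directive line is missing (the error seen when only the path line was pasted)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].lower() not in KNOWN_DIRECTIVES:
        raise ValueError("Invalid script: A valid script must begin with a command directive.")
    entries = []
    for ln in lines[1:]:
        if ln.count("|") != 1:
            raise ValueError(f"expected 'source | destination', got {ln!r}")
        src, dst = (part.strip() for part in ln.split("|"))
        for path in (src, dst):
            if not WIN_PATH.match(path):
                raise ValueError(f"not an absolute Windows path: {path!r}")
        if src.lower() == dst.lower():
            raise ValueError(f"source and destination are the same file: {src!r}")
        entries.append(MoveEntry(src, dst))
    if not entries:
        raise ValueError("directive given but no 'source | destination' entries follow it")
    return entries


def check_script(text: str) -> Tuple[List[MoveEntry], Optional[str]]:
    """Non-raising wrapper: (entries, None) when valid, ([], message) otherwise."""
    try:
        return parse_avenger_script(text), None
    except ValueError as exc:
        return [], str(exc)


# Constructed inputs: the script from the thread, and the path-only paste that
# produced the "command directive" error.
SCRIPT_OK = r"""Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll
"""
SCRIPT_NO_DIRECTIVE = r"""C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll
"""

if __name__ == "__main__":
    for name, script in (("ok", SCRIPT_OK), ("no directive", SCRIPT_NO_DIRECTIVE)):
        entries, err = check_script(script)
        print(name, "->", err or [(e.source, e.destination) for e in entries])
```

Running it prints the parsed pair for the full script and the "command directive" message for the path-only paste, which is the quickest way to confirm what the clipboard actually holds before pressing Execute.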
Oops, my bad. Got it now...

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue Sep 01 18:37:37 2009

18:37:37: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue Sep 01 18:38:50 2009

18:38:50: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Sisaly
Newbie Poster
23 posts since Aug 2009
Reputation Points: 10
Solved Threads: 0

All right, got the next log. Tried mbam; it tried to update and got a blue screen crash.


Log file is located at: C:\Documents and Settings\Rachel\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\ZAP103.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\ZAP103.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A5.tmp\ZAP1A5.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A5.tmp\ZAP1A5.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28E.tmp\ZAP28E.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28E.tmp\ZAP28E.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B8.tmp\ZAP2B8.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B8.tmp\ZAP2B8.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\AU_Temp\AU_Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\AU_Temp\AU_Temp

Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe
Attempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2003-03-31 14:00:00 703488 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe (Microsoft Corporation)
[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msft
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msft
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\Macromed\update\update
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\i386
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\i386
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\DriverFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\DriverFiles

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\DriverFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\DriverFiles

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64

Found mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA

Found mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\Logs\Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\Logs\Logs

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\Cookies\Cookies
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Cookies\Cookies

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\cs\cs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\cs\cs

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\da\da
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\da\da

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\de\de
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\de\de

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\el\el
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\el\el

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en\en
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en\en

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en-gb\en-gb
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en-gb\en-gb

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\es\es
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\es\es

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fi\fi
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fi\fi

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fr\fr
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fr\fr

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\HTML\HTML
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\HTML\HTML

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\it\it
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\it\it

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ja\ja
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ja\ja

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ko\ko
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ko\ko

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\nl\nl
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\nl\nl

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\no\no
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\no\no

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pl\pl
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pl\pl

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pt-br\pt-br
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pt-br\pt-br

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ru\ru
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ru\ru

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\sv\sv
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\sv\sv

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\th\th
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\th\th

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\tr\tr
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\tr\tr

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-cn\zh-cn
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-cn\zh-cn

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-tw\zh-tw
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-tw\zh-tw

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\cs\cs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\cs\cs

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\da\da
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\da\da

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\de\de
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\de\de

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\el\el
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\el\el

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en\en
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en\en

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en-gb\en-gb
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en-gb\en-gb

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\es\es
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\es\es

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fi\fi
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fi\fi

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fr\fr
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fr\fr

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\HTML\HTML
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\HTML\HTML

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\it\it
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\it\it

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ja\ja
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ja\ja

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ko\ko
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ko\ko

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\nl\nl
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\nl\nl

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\no\no
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\no\no

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pl\pl
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pl\pl

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pt-br\pt-br
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pt-br\pt-br

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ru\ru
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ru\ru

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\sv\sv
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\sv\sv

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\th\th
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\th\th

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\tr\tr
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\tr\tr

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-cn\zh-cn
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-cn\zh-cn

Found mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-tw\zh-tw
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-tw\zh-tw

Found mount point : C:\WINDOWS\Temp\GUM15.tmp\CrashReports\CrashReports
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\GUM15.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\Temp\History\History.IE5\History.IE5
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\History\History.IE5\History.IE5

Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Found mount point : C:\WINDOWS\Temp\slu19b.tmp\slu19b.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\slu19b.tmp\slu19b.tmp

Found mount point : C:\WINDOWS\Temp\slu3b4d.tmp\slu3b4d.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\slu3b4d.tmp\slu3b4d.tmp

Found mount point : C:\WINDOWS\Temp\slu6539.tmp\slu6539.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\slu6539.tmp\slu6539.tmp

Found mount point : C:\WINDOWS\Temp\slu7f0.tmp\slu7f0.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\slu7f0.tmp\slu7f0.tmp

Found mount point : C:\WINDOWS\Temp\slu832.tmp\slu832.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\slu832.tmp\slu832.tmp

Found mount point : C:\WINDOWS\Temp\slufae.tmp\slufae.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\slufae.tmp\slufae.tmp

Found mount point : C:\WINDOWS\Temp\StandardInstall_1-5-0\WorkFlow\WorkFlow
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\StandardInstall_1-5-0\WorkFlow\WorkFlow

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\11BQ7CMK\11BQ7CMK
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\11BQ7CMK\11BQ7CMK

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\31TUIS5O\31TUIS5O
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\31TUIS5O\31TUIS5O

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\43UFA0R8\43UFA0R8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\43UFA0R8\43UFA0R8

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4F5IJOXB\4F5IJOXB
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4F5IJOXB\4F5IJOXB

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6EQ7NVYF\6EQ7NVYF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6EQ7NVYF\6EQ7NVYF

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7GE5RVL2\7GE5RVL2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7GE5RVL2\7GE5RVL2

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9MBJ2F4V\9MBJ2F4V
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9MBJ2F4V\9MBJ2F4V

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\H6FM75Z5\H6FM75Z5
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\H6FM75Z5\H6FM75Z5

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K1GSDJK0\K1GSDJK0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K1GSDJK0\K1GSDJK0

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QKMOJ1WP\QKMOJ1WP
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QKMOJ1WP\QKMOJ1WP

Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R4YPFEHN\R4YPFEHN
Mount point destination
: \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R4YPFEHN\R4YPFEHNFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YETQBD7F\YETQBD7FMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YETQBD7F\YETQBD7FFound mount point : C:\WINDOWS\Temp\WMD\WMDMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\WMD\WMDFound mount point : C:\WINDOWS\Temp\WMFA\WMFAMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\WMFA\WMFAFound mount point : C:\WINDOWS\WinSxS\InstallTemp\51836\51836Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\51836\51836Finished!

Sisaly
Newbie Poster
23 posts since Aug 2009
Reputation Points: 10
Solved Threads: 0
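Every mount point in the win32kdiag log above has the same destination, \Device\__max++>\^, a device object rather than a volume, which is why the tool removes each one. The parser below is an added example, not part of Sisaly's post and not win32kdiag's own code: it splits the output on the three record markers the tool emits, so it works on the run-together text the forum shows as well as on a clean log, and reports every mount point whose target is not a \??\Volume{GUID}\ path. The sample input is constructed from two entries above plus one hypothetical benign volume mount point (D:\Backups\Archive) for contrast.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: two entries taken from the win32kdiag log above, with
# the line breaks lost exactly as the forum rendered them, plus one
# hypothetical benign entry (a real volume mount point) for contrast.
SAMPLE_LOG = (
    "Found mount point : C:\\WINDOWS\\Temp\\WMD\\WMD"
    "Mount point destination : \\Device\\__max++>\\^"
    "Removing mount point : C:\\WINDOWS\\Temp\\WMD\\WMD"
    "Found mount point : C:\\WINDOWS\\Temp\\WMFA\\WMFA"
    "Mount point destination : \\Device\\__max++>\\^"
    "Removing mount point : C:\\WINDOWS\\Temp\\WMFA\\WMFA"
    "Found mount point : D:\\Backups\\Archive"
    "Mount point destination : \\??\\Volume{9a3b1c2d-0000-0000-0000-000000000000}\\"
    "Finished!"
)

# The record markers win32kdiag emits; splitting on them recovers the records
# whether or not the newlines survived.
MARKER_RE = re.compile(
    r"(Found mount point : |Mount point destination : |Removing mount point : |Finished!)"
)

# A legitimate NTFS volume mount point resolves to \??\Volume{GUID}\ .
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9A-Fa-f-]+\}\\?$")


@dataclass
class MountPoint:
    path: str
    destination: str = ""
    removed: bool = False

    def is_volume(self) -> bool:
        return VOLUME_RE.match(self.destination) is not None


def parse_win32kdiag(text: str) -> list[MountPoint]:
    """Recover (path, destination, removed) records from win32kdiag output."""
    parts = MARKER_RE.split(text)  # [prefix, marker, value, marker, value, ...]
    records: list[MountPoint] = []
    current: MountPoint | None = None
    for marker, value in zip(parts[1::2], parts[2::2]):
        value = value.strip()
        if marker == "Found mount point : ":
            current = MountPoint(path=value)
            records.append(current)
        elif marker == "Mount point destination : " and current is not None:
            current.destination = value
        elif marker == "Removing mount point : " and current is not None:
            # The tool removes the record it just reported; tolerate case or
            # trailing-backslash differences in the echoed path.
            current.removed = (
                value.lower().rstrip("\\") == current.path.lower().rstrip("\\")
            )
    return records


def suspicious_mount_points(records: list[MountPoint]) -> list[MountPoint]:
    """Mount points whose target is not a volume: a directory reparse point
    aimed at a device object, like \\Device\\__max++>\\^ in the log above."""
    return [r for r in records if not r.is_volume()]


def summarize(records: list[MountPoint]) -> dict[str, int]:
    """Count mount points per destination so a single rogue target stands out."""
    counts: dict[str, int] = {}
    for r in records:
        counts[r.destination] = counts.get(r.destination, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_win32kdiag(SAMPLE_LOG)
    for r in suspicious_mount_points(recs):
        print(f"{r.path} -> {r.destination}  removed={r.removed}")
    print(summarize(recs))
```

A fragment that starts mid-record, like the first line of the log above, is skipped harmlessly: the parser only opens a record on a Found mount point marker, so a stray destination or removal line with no open record is ignored rather than misattributed.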
 

Ok - If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.malwarebytes.org/forums/index.php?showtopic=22723

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Bunnyfix.exe and then download it to your desktop as that and follow the instructions in the linky to run it and post the log.

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Running now.....

Sisaly
Newbie Poster
23 posts since Aug 2009
Reputation Points: 10
Solved Threads: 0
 
Running now.....


All right . . . Now we are cooking with gas . . . or something like that.

I am calling it a night - My eyes are killing me + have some actual paying work to do.

Post the combofix log for me and I'll have a look at it first chance I get.

Cheers :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

All right Phil!

Here we go....


ComboFix 09-09-01.04 - Rachel 09/01/2009 19:56.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.200 [GMT -5:00]
Running from: c:\documents and settings\Rachel\Desktop\Bunnyfix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\15977394
c:\documents and settings\All Users\Application Data\15977394\15977394
c:\documents and settings\All Users\Application Data\15977394\15977394.exe
c:\documents and settings\All Users\Application Data\15977394\pc15977394ins
c:\documents and settings\All Users\Application Data\esacomub.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Rachel\Cookies\josi.pif
c:\recycler\NPROTECT
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Fonts\HELSM___.TTF
c:\windows\Fonts\INK2METR.TTF
c:\windows\Fonts\OPUSM___.TTF
c:\windows\Installer\18c019.msp
c:\windows\Installer\20a96.msi
c:\windows\patch.exe
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\dahovibo.dll
c:\windows\system32\delejome.dll
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\drivers\kbiwkmmetjimqx.sys
c:\windows\system32\hatakuvu.dll
c:\windows\system32\kbiwkmbvsmrril.dll
c:\windows\system32\kbiwkmjklypdur.dll
c:\windows\system32\kbiwkmldyiuwyr.dat
c:\windows\system32\kbiwkmxvakcdpq.dat
c:\windows\system32\lolapeva.dll
c:\windows\system32\mdm.exe
c:\windows\system32\naluwota.dll
c:\windows\system32\nepusenu.dll
c:\windows\system32\simejufa.dll
c:\windows\system32\tapi.nfo
c:\windows\system32\terovozo.dll
c:\windows\system32\tuviloko.exe
c:\windows\system32\volosejo.dll
c:\windows\system32\vovugesi.dll
c:\windows\system32\wisdstr.exe
c:\windows\system32\yavayusa.dll

----- BITS: Possible infected sites -----

hxxp://82.98.231.97
c:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100
-------\Service_kbiwkmbqvmttap


((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 00:19 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 00:19 . 2009-09-02 00:19 -------- d-----w- C:\ILU
2009-09-02 00:19 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 22:43 . 2009-09-01 22:43 -------- d---a-w- C:\KILLBAD
2009-09-01 02:48 . 2009-09-01 12:21 -------- d-----w- C:\suckmydick
2009-09-01 00:43 . 2009-09-01 00:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-09-01 00:35 . 2009-09-01 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-01 00:18 . 2009-09-01 00:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-08-31 06:48 . 2009-08-31 06:48 -------- d---a-w- C:\PKBOO
2009-08-31 05:55 . 2009-08-31 05:55 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-31 05:25 . 2009-08-31 05:25 -------- d-----w- c:\program files\CCleaner
2009-08-31 03:49 . 2009-08-31 03:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-31 03:07 . 2009-08-31 03:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-31 02:36 . 2009-08-31 02:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-23 00:13 . 2009-08-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2009-08-23 00:12 . 2009-08-23 00:13 -------- d-----w- c:\program files\TVUPlayer
2009-08-20 00:49 . 2009-08-20 00:49 -------- d-----w- c:\documents and settings\Rachel\fontconfig
2009-08-20 00:41 . 2009-08-31 05:00 -------- d-----w- c:\program files\MPlayer for Windows
2009-08-20 00:12 . 2009-08-20 00:12 -------- d-----w- c:\program files\Common Files\NSV
2009-08-15 01:23 . 2009-08-15 01:24 -------- d-----w- C:\REPSPL
2009-08-12 02:14 . 2009-08-12 02:15 5519752 ----a-w- c:\documents and settings\Rachel\Application Data\TVU networks\TVU AutoUpgrade\TVUPlayer2.4.7.2.exe
2009-08-11 23:55 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-08 12:02 . 2009-08-08 12:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-08 08:14 . 2009-08-08 08:14 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-08 08:13 . 2009-08-08 08:13 -------- d-----w- c:\program files\MSBuild
2009-08-08 08:13 . 2009-08-08 08:13 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 08:11 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-08 08:11 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-08 08:11 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-08 08:11 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-08 08:11 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-08 08:11 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-08 08:11 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-08 08:11 . 2009-08-08 08:12 -------- d-----w- C:\a6934de93bf88e0a3bce6630233dd5
2009-08-08 08:02 . 2009-08-08 08:02 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 08:01 . 2009-08-05 08:01 56972 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 22:41 . 2009-06-24 01:05 -------- d-----w- c:\program files\McAfee
2009-09-01 22:36 . 2009-06-01 22:35 88576 --sha-w- c:\windows\system32\huverego.dll
2009-09-01 12:56 . 2009-06-01 12:56 49152 --sha-w- c:\windows\system32\ziperame.dll
2009-09-01 06:16 . 2007-12-01 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-31 06:55 . 2009-05-31 06:55 209408 --sha-w- c:\windows\system32\luliwedo.dll
2009-08-31 06:55 . 2009-05-31 06:55 209408 --sha-w- c:\windows\system32\wimavapa.dll
2009-08-31 03:31 . 2009-06-28 02:44 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-31 02:23 . 2009-08-31 02:23 16669 ----a-w- c:\documents and settings\All Users\Application Data\icyw.dat
2009-08-29 22:13 . 2009-06-24 01:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-15 01:23 . 2009-07-12 13:20 737280 ----a-w- c:\windows\iun6002.exe
2009-08-14 12:33 . 2008-12-27 03:14 -------- d-----w- c:\documents and settings\Rachel\Application Data\uTorrent
2009-08-09 09:20 . 2005-11-18 06:46 74424 ----a-w- c:\documents and settings\Rachel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2003-03-31 19:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-28 03:09 . 2006-02-24 20:09 -------- d-----w- c:\documents and settings\Rachel\Application Data\Apple Computer
2009-07-27 23:35 . 2009-07-27 23:34 -------- d-----w- c:\program files\iTunes
2009-07-27 23:34 . 2006-10-04 16:16 -------- d-----w- c:\program files\iPod
2009-07-27 23:33 . 2007-10-22 19:48 -------- d-----w- c:\program files\Common Files\Apple
2009-07-27 23:13 . 2009-07-27 23:13 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-21 00:31 . 2008-12-13 19:37 -------- d-----w- c:\program files\Veetle
2009-07-20 09:04 . 2009-07-20 09:00 -------- d-----w- c:\program files\Image-Line
2009-07-20 09:04 . 2009-07-20 09:04 -------- d-----w- c:\program files\ASIO4ALL v2
2009-07-17 18:55 . 2003-03-31 19:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 10:00 . 2009-01-31 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-14 04:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 07:46 . 2007-12-01 06:27 -------- d-----w- c:\program files\Google
2009-07-13 07:45 . 2006-06-02 20:06 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-12 13:19 . 2009-07-12 13:19 -------- d-----w- c:\program files\Replay Converter
2009-07-03 17:09 . 2005-06-18 05:49 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-30 00:14 . 2009-06-30 00:14 0 ----a-w- c:\windows\nsreg.dat
2009-06-25 08:44 . 2005-06-15 17:50 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2003-03-31 19:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2003-03-31 19:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2003-03-31 19:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2003-03-31 19:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2003-03-31 19:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 00:01 . 2009-06-25 00:01 127872 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\uninstall.exe
2009-06-25 00:01 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-06-25 00:00 . 2009-06-25 00:00 1686272 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-06-22 11:34 . 2003-03-31 19:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2003-03-31 19:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2003-03-31 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-12 15:06 . 2009-06-12 15:06 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\BindBins.exe
2009-06-12 15:06 . 2009-06-12 15:06 30720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\netfw.exe
2009-06-12 15:05 . 2009-06-12 15:05 23510720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\dotnetfx.exe
2009-06-12 15:05 . 2009-06-12 15:05 1179648 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_adafe\EasyShrx.Dll
2009-06-12 15:05 . 2009-06-12 15:05 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.8.20.2.dll
2009-06-12 11:50 . 2003-03-31 19:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2003-03-31 19:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2003-03-31 19:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2005-11-16 18:40 655872 ----a-w- c:\windows\system32\mstscax.dll
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2009-06-01 12:56 . 2009-06-01 12:56 49152 --sha-w- c:\windows\system32\guderasa.dll
2009-06-01 12:56 . 2009-06-01 12:56 49152 --sha-w- c:\windows\system32\ririzaki.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SweetIM"="c:\program files\Macrogaming\SweetIM\SweetIM.exe" [2006-01-02 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"Display Settings"="c:\program files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]
"QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-10-03 106496]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 868352]
"SweetIM"="c:\program files\Macrogaming\SweetIM\SweetIM.exe" [2006-01-02 40960]
"OxigenClientAdmin"="c:\program files\Oxigen\bin\Oxigen.exe" [2007-06-23 887264]
"OxigenTrayIcon"="c:\program files\Oxigen\bin\OxiTray.exe" [2007-06-23 557536]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-04-09 1176808]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"vamanipetu"="c:\windows\system32\ririzaki.dll" [2009-06-01 49152]
"midalolis"="c:\windows\system32\huverego.dll" [2009-09-01 88576]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-11-17 782412]
D-Link REG Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2005-11-17 24576]
FirePod Control Panel.lnk - c:\program files\PreSonus\1394AudioDriver_FirePod\FirePod.exe [2008-12-2 1126400]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-5-10 282624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{c3ee902a-027d-4d77-829b-1697267ddd6c}"= "c:\windows\system32\huverego.dll" [2009-09-01 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"metotozon"= {c3ee902a-027d-4d77-829b-1697267ddd6c} - c:\windows\system32\huverego.dll [2009-09-01 88576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HPQ\\Notebook Utilities\\HPWirelessCfg.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Oxigen\\bin\\OxiProc.exe"=
"c:\\Program Files\\uusee\\UUSeePlayer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\explorer.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/23/2009 8:11 PM 203280]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [11/16/2005 1:53 PM 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [11/16/2005 1:53 PM 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [7/16/2003 9:01 PM 28280]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 W35UND;IS89C35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\drivers\W35UND.SYS [9/12/2006 5:18 PM 117632]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-01 23:47]

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 13:57]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 13:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{19c97a07-5c6d-464d-8765-8d59d54aa792} - c:\windows\system32\nepusenu.dll
HKLM-Run-CPM5b294dbd - c:\windows\system32\lolapeva.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Rachel\Application Data\Mozilla\Firefox\Profiles\0bpq0kpp.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Rachel\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 20:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?7?7?0??????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbiwkmbqvmttap]
"imagepath"="\systemroot\system32\drivers\kbiwkmmetjimqx.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbiwkmbqvmttap]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmmetjimqx.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
c:\program files\Macrogaming\SweetIM\mgAdaptersProxy.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ririzaki.dll
c:\windows\system32\huverego.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\HPConfig.exe
c:\program files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\MsPMSPSv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-02 20:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 01:29

Pre-Run: 14,684,491,776 bytes free
Post-Run: 14,734,770,176 bytes free

346 --- E O F --- 2009-08-27 08:01

Sisaly
Newbie Poster
23 posts since Aug 2009
Reputation Points: 10
Solved Threads: 0
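The Reg Loading Points section of the ComboFix log above shows the persistence that MBA-M later names Trojan.Vundo.H: two HKLM\...\Run values (vamanipetu, midalolis) whose target is a DLL rather than a program, and the same huverego.dll registered under SharedTaskScheduler and ShellServiceObjectDelayLoad, both of which explorer.exe loads in-process (ririzaki.dll and huverego.dll duly appear in the explorer.exe(1348) module list further down). The same log records Security Center monitoring switched off and EnableFirewall=0. The script below is an added example, not part of the thread and not ComboFix's own code: it parses the REGEDIT4-style block into (key, name, data) triples, applies those checks, and cross-references the flagged DLLs against the explorer.exe module list to show which files are held open. The sample input is a constructed excerpt of the log above; the Synaptics and ATI entries are kept so the checks have something benign to ignore.

```python
from __future__ import annotations

import re

# Constructed excerpt of the "Reg Loading Points" section of the ComboFix log
# above; the Synaptics and ATI entries are benign and kept for contrast.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"vamanipetu"="c:\windows\system32\ririzaki.dll" [2009-06-01 49152]
"midalolis"="c:\windows\system32\huverego.dll" [2009-09-01 88576]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{c3ee902a-027d-4d77-829b-1697267ddd6c}"= "c:\windows\system32\huverego.dll" [2009-09-01 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"metotozon"= {c3ee902a-027d-4d77-829b-1697267ddd6c} - c:\windows\system32\huverego.dll [2009-09-01 88576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Module list for explorer.exe (1348) from the "DLLs Loaded Under Running
# Processes" section of the same log (constructed excerpt).
EXPLORER_MODULES = [
    r"c:\windows\system32\WININET.dll",
    r"c:\windows\system32\ririzaki.dll",
    r"c:\windows\system32\huverego.dll",
    r"c:\windows\system32\ieframe.dll",
]

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+?\.(?:dll|exe|sys)\b', re.IGNORECASE)
SECURITY_CENTER_FLAGS = {"disablemonitoring", "updatesdisablenotify",
                         "antivirusdisablenotify", "firewalldisablenotify"}


def parse_reg_block(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, raw data) triples from a ComboFix REGEDIT4 block."""
    triples: list[tuple[str, str, str]] = []
    key = ""
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            triples.append((key, m.group(1), m.group(2)))
    return triples


def triage(triples: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Checks a reviewer runs on the log; returns (value name, path or data, reason)."""
    findings: list[tuple[str, str, str]] = []
    for key, name, data in triples:
        k = key.lower()
        dlls = [p for p in PATH_RE.findall(data) if p.lower().endswith(".dll")]
        if k.endswith(r"\currentversion\run") and dlls:
            findings.append((name, dlls[0], "Run value points at a DLL, not a program"))
        elif k.endswith("shellserviceobjectdelayload") or k.endswith("sharedtaskscheduler"):
            # ComboFix omits the default entries, so anything listed here is a
            # non-default DLL that explorer.exe loads in-process at logon.
            findings.append((name, dlls[0] if dlls else data,
                             "non-default DLL loaded by explorer.exe"))
        elif ("security center" in k and name.lower() in SECURITY_CENTER_FLAGS
              and data.startswith("dword:00000001")):
            findings.append((name, data, "Security Center alerting/monitoring switched off"))
        elif "firewallpolicy" in k and name.lower() == "enablefirewall" and data.startswith("0"):
            findings.append((name, data, "Windows Firewall disabled for this profile"))
    return findings


def still_loaded(findings: list[tuple[str, str, str]], modules: list[str]) -> list[str]:
    """Flagged DLLs that are also mapped into explorer.exe: the file stays
    locked until that process exits, which is why the fix ends in a reboot."""
    loaded = {m.lower() for m in modules}
    return sorted({p.lower() for _, p, _ in findings if p.lower() in loaded})


if __name__ == "__main__":
    found = triage(parse_reg_block(SAMPLE_REG))
    for name, target, reason in found:
        print(f"{name:24} {reason}: {target}")
    print("held open by explorer.exe:", still_loaded(found, EXPLORER_MODULES))
```

The SharedTaskScheduler and ShellServiceObjectDelayLoad entries are flagged without an allowlist because ComboFix already filters the defaults ("legit default entries are not shown"); on a raw registry export you would first drop the stock Windows CLSIDs before applying the same rule.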
 

PHIL....MBAM IS SCANNING!

In the first 10 seconds it found 6 infected objects, now it's at 13.

That combofix did the trick.

I uninstalled mbam, ran ccleaner, and reinstalled and updated. It's running great.
Go baby GO!!!

Sisaly
Newbie Poster
23 posts since Aug 2009
Reputation Points: 10
Solved Threads: 0
 

Here's the MalwareBytes log.


Malwarebytes' Anti-Malware 1.40
Database version: 2728
Windows 5.1.2600 Service Pack 2

9/1/2009 9:51:47 PM
mbam-log-2009-09-01 (21-51-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 171018
Time elapsed: 1 hour(s), 13 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\huverego.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ririzaki.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{19c97a07-5c6d-464d-8765-8d59d54aa792} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{19c97a07-5c6d-464d-8765-8d59d54aa792} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c3ee902a-027d-4d77-829b-1697267ddd6c} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{3cf1638a-499b-4985-b05b-940e200c870b} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cf1638a-499b-4985-b05b-940e200c870b} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmbqvmttap (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vamanipetu (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\midalolis (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c3ee902a-027d-4d77-829b-1697267ddd6c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\metotozon (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\huverego.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\huverego.dll -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ririzaki.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\huverego.dll (Trojan.Vundo.H) -> No action taken.
C:\C3\UNWISE.EXE (Malware.Packer.Morphine) -> No action taken.
C:\C3\NIA\UNWISE.EXE (Malware.Packer.Morphine) -> No action taken.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\15977394\15977394.exe.vir (Rogue.SystemSecurity) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmbvsmrril.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbiwkmjklypdur.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nepusenu.dll.vir (Trojan.Vundo.H) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuviloko.exe.vir (Rogue.SystemSecurity) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir (Trojan.KillAV) -> No action taken.
C:\WINDOWS\system32\guderasa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wimavapa.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ziperame.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\luliwedo.dll (Trojan.Vundo) -> No action taken.

Sisaly
Newbie Poster
23 posts since Aug 2009
Reputation Points: 10
Solved Threads: 0
 

Sisaly, you didn't have MBA-M remove the items found. You HAVE to do this. Run it again, when it shows you what is found then click the Remove Selected button.

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
Here's the MalwareBytes log.


LOL! You let that thing run for over an hour and then you didn't have it remove the baddies? ;) After all they put you through . . . .

Run it again and when the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected.

I will check back Wednesday evening EST - there are still a bunch of fixes we need to do manually with combofix. I'll post them for you tomorrow.

-- Hey. . . . Don't rip any more hair out over that "Remove Selected" fail........:cool:

PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Oh ho ho....I removed them after I just posted the first log, and it's rescanning. ;)

So far all system operations functioning normally.

BTW: To anyone reading this, I was able to do all this because my infected laptop is networked to my desktop. And my hubby is the one that infected the sucker and his wifey is fixing the problem.

Sisaly
Newbie Poster
23 posts since Aug 2009
Reputation Points: 10
Solved Threads: 0
 


LOL...nothing like a sense of humor to keep things under control. That's hilarious Sisaly! :icon_cheesygrin:

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
Well, I noticed all these guys on here saying their gf/wife infected the thing and they are trying to fix it. Just tellin it like it is.

After the second scan of mbam I had one infection. I would say this is case closed, thank goodness. Hubby can watch his precious soccer again....which is how he got Police Pro to begin with.
Phil, let me know if I need to remove or change anything. Thank you very much, repped you.
Here's that log.....

Malwarebytes' Anti-Malware 1.40
Database version: 2728
Windows 5.1.2600 Service Pack 2

9/1/2009 11:29:30 PM
mbam-log-2009-09-01 (23-29-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170739
Time elapsed: 1 hour(s), 25 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmbqvmttap (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Sisaly
Newbie Poster
23 posts since Aug 2009
Reputation Points: 10
Solved Threads: 0
 

No, not closed yet. PP for sure has to look at these logs. Especially the combofix log as there may be additional fixes which need to be done with that before the computer can be assured to be clean. This is an especially nasty bug which does have ways of hiding itself all over the computer.
Why not run a full scan with HiJackThis and post that log so the logs will all be here when he gets back tomorrow.
Judy

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 

I ran mbam again and am still getting the same log as last time.

Malwarebytes' Anti-Malware 1.40
Database version: 2728
Windows 5.1.2600 Service Pack 2

9/2/2009 3:06:46 AM
mbam-log-2009-09-02 (03-06-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170910
Time elapsed: 1 hour(s), 8 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmbqvmttap (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I ran HijackThis and am unfamiliar with it. I didn't check any boxes nor fix anything. Here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:03 AM, on 9/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Oxigen\bin\Oxigen.exe
C:\Program Files\Oxigen\bin\OxiTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\PreSonus\1394AudioDriver_FirePod\FirePod.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [OxigenClientAdmin] "C:\Program Files\Oxigen\bin\Oxigen.exe"
O4 - HKLM\..\Run: [OxigenTrayIcon] C:\Program Files\Oxigen\bin\OxiTray.exe
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FirePod\FirePod.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132211267802
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132211256235
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

--
End of file - 8921 bytes

Sisaly
Newbie Poster
23 posts since Aug 2009
Reputation Points: 10
Solved Threads: 0
 
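Two things the volunteers point out in this thread can be checked mechanically rather than by eye: the first MBAM log shows every item as "No action taken" (nothing was removed), and the kbiwkmbqvmttap service key (Rootkit.TDSS) is reported as "Quarantined and deleted successfully" in both the 9/1 and 9/2 scans, i.e. it came back between scans. The Python below is an added example written for this page; it is not part of the original thread and not Malwarebytes' own tooling. It parses the MBAM log layout as it appears in the logs above (the line shape is inferred from those logs, not from any published format specification), and the embedded log text consists of trimmed excerpts of the logs posted in this thread.

```python
import re
from dataclasses import dataclass

# Trimmed excerpts of the MBAM logs posted in this thread (not complete logs).
LOG_FIRST = r"""
Malwarebytes' Anti-Malware 1.40
Registry Keys Infected: 2
Registry Values Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{3cf1638a-499b-4985-b05b-940e200c870b} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmbqvmttap (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vamanipetu (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\huverego.dll -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ririzaki.dll (Trojan.Vundo.H) -> No action taken.
"""

LOG_DAY1 = r"""
9/1/2009 11:29:30 PM
Registry Keys Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmbqvmttap (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

LOG_DAY2 = r"""
9/2/2009 3:06:46 AM
Registry Keys Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmbqvmttap (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 1" is a summary count; "Registry Keys Infected:" opens a detail section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
# item (Family) -> [optional detail ->] status.   Assumed from the logs above.
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
NOTHING = "(No malicious items detected)"
REMOVED = "Quarantined and deleted successfully"
NOT_REMOVED = "No action taken"


@dataclass(frozen=True)
class Finding:
    section: str
    item: str
    family: str
    status: str
    detail: str = ""


def parse_mbam_log(text):
    """Return one Finding per detection line; header and summary lines are skipped."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = None if m.group("count") is not None else m.group("section")
            continue
        if section is None or line == NOTHING:
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group("rest").split("->")]
        status = parts[-1].rstrip(".")          # last segment is what MBAM did
        detail = " -> ".join(parts[:-1])        # e.g. "Data: ..." or "Bad: (1) Good: (0)"
        findings.append(Finding(section, m.group("item"), m.group("family"), status, detail))
    return findings


def not_removed(findings):
    """Detections the user never told MBAM to remove."""
    return [f for f in findings if f.status == NOT_REMOVED]


def recurring(earlier, later):
    """Items reported in both scans. Something 'deleted successfully' that is
    reported again next scan was recreated in between, which is consistent with
    a still-active loader (e.g. a rootkit driver) rather than a finished cleanup."""
    seen = {(f.section, f.item.lower()) for f in earlier}
    return [f for f in later if (f.section, f.item.lower()) in seen]


if __name__ == "__main__":
    for f in not_removed(parse_mbam_log(LOG_FIRST)):
        print(f"NOT REMOVED [{f.section}] {f.item} ({f.family})")
    for f in recurring(parse_mbam_log(LOG_DAY1), parse_mbam_log(LOG_DAY2)):
        print(f"RECURRED    [{f.section}] {f.item} ({f.family}) -> {f.status}")
```

Run it against full logs by pasting them into the string constants. The first pass prints every line the user should have clicked "Remove Selected" for; the second pass prints only what survived a removal and reappeared, which is the signal Judy is reacting to when she says the case is not closed yet.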

Download the Panda Antirootkit programme.

Unzip it and run the PAVARK.exe file.

Tick the box that says In depth scan and follow the on screen instructions.

DO NOT remove any UNKNOWN ROOTKITS at this stage. Instead, let me know your results in your reply.

Rik from RCE
Nearly a Posting Maven
2,335 posts since May 2009
Reputation Points: 127
Solved Threads: 199
 

I think that there are already enough cooks in this pie :).

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
