
Hello All,

I'm new here and was wondering if someone could help me with an issue I'm having with my computer.

First off, I'm infected with a virus that has taken away my desktop icons and start menu. I've tried to run explorer.exe via the task manager and I get a message saying, "Windows cannot access the specified path, device, or file." I'm not sure what else to do.

Also, every time I try to run superantispyware, or spybot it stops in the middle and disappears.

If someone knows of any possible solutions, I would greatly appreciate it if you let me know.

Thanks!

2 Contributors | 50 Replies | 53 Views | 7 Years Discussion Span | Last Post by PhilliePhan

If someone knows of any possible solutions, I would greatly appreciate it if you let me know.

Hi Kenney,

If you are able, please follow step 8 in the linky below to run MBA-M and have it Remove what it finds. If it runs, post the log.
http://www.daniweb.com/forums/thread134865.html

Should that fail:
Please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

Best Luck :)
PP


Hello PhilliePhan,

Thanks so much for your help on this. It's been driving me batty for a couple of days now. My log is posted below. Please let me know if there's anything else needed. I was unable to run MBA-M....it just shuts down in the middle of the scan.
Thanks,
Kenney

Edited by crunchie: Removed wrong 'log'


Thanks so much for your help on this. It's been driving me batty for a couple of days now. My log is posted below. Please let me know if there's anything else needed. I was unable to run MBA-M....it just shuts down in the middle of the scan.

Well . . . That's odd. You posted the contents of the batch file rather than the log. How did you manage that? All you need to do is DoubleClick on RunThis.bat.....

Try running it again. If using Vista, try RightClicking and Run as Administrator....

PP:)


Hi PP,

Every time I click on runthat.bat I get that batch sequence. I open the file via WinRAR and there are other applications in the folder, i.e. fixit.reg, pv.exe, and swxcacls.exe. But as I said, when I click on runthat.bat I get the aforementioned batch sequence. When I click on the other apps, a black screen pops up and then quickly disappears.
Thanks in advance for your help...


But as I said, when I click on runthat.bat I get the aforementioned batch sequence. When I click on the other apps, a black screen pops up and then quickly disappears.
Thanks in advance for your help...

Happy to try to help :)

-- That is odd.
Can you get a command prompt?
Start > Run > cmd Enter
or
Start > Run > command.com Enter?

If you can get a command prompt and the FindWPP folder is on your Desktop as it should be, do this:
At the command prompt, copy&paste or type "%userprofile%\desktop\FindWPP\RunThis.bat" and hit enter.
See if it runs that way.

PP :)


Ok, I was able to get a cmd prompt via the task manager. I copied the text and it says it scanned my computer. Hopefully this is a useful log. Please see below. Thanks!

Microsoft Windows XP [Version 5.1.2600]
Tue 09/29/2009 
09:01 PM

FindWPP is running from C:\Documents and Settings\Administrator                                     

        RUNNING PROCESSES                           


        EXE KEY MODIFIED?                           


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


        CHECKING SELECT POLICIES KEYS                       


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoBandCustomize"=dword:00000000
"NoMovingBands"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001


        LOOKING FOR REPLACED FILES                      

Looking for cngaudit.dll                                    

Looking for eventlog.dll                                    

Looking for imm32.dll                                   

Looking for logevent.dll                                    

Looking for netlogon.dll                                    

Looking for ntelogon.dll                                    

Looking for qmgr.dll                                    

Looking for rasauto.dll                                 

Looking for scecli.dll                                  

Looking for sceclt.dll                                  

Looking for sfcfiles.dll                                    

        LOOKING FOR SUSPICIOUS FILES                        


        SEARCH AND DESTROY KNOWN FILES                      

Looking for windows Police Pro.exe                              

No matches found.
Looking for dddesot.dll                                 

No matches found.
Looking for wisdstr.exe                                     

No matches found.
Looking for desote.exe                                  

No matches found.
Looking for svchasts.exe                                    

No matches found.
Looking for ppp4.dat                                    

No matches found.
Looking for sysnet.dat                                  

No matches found.
Looking for bincd32.dat                                 

No matches found.
Looking for ppp3.dat                                    

No matches found.
Looking for desot.exe                                   

No matches found.
Looking for wispex.html                                 

No matches found.
Looking for qcfbc.wbg                                   

No matches found.
Looking for svchast.exe                                 

No matches found.
Looking for dbsinit.exe                                 

No matches found.
Looking for braviax.exe                                 

No matches found.
Looking for bennuar.old                                 

No matches found.
Looking for ~.exe                                       

No matches found.



        EXE KEY STILL MODIFIED?                                         


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


        SUSPECT REG KEYS                                            

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000]
"Service"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
"DeviceDesc"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_{79007602-0CDB-4405-9DBF-1257BB3226ED}\0000\Control]
"ActiveService"="{79007602-0CDB-4405-9DBF-1257BB3226ED}"

        CHECKING MBAM                                               

C:\PROGRA~1\MALWAR~1\
   mbam.exe       Thu Sep 10 2009   2:53:56p  A....      1,312,080     1.25 M

1 item found:  1 file, 0 directories.
   Total of file sizes:  1,312,080 bytes      1.25 M
*******************************************************************************
File: C:\Program Files\malwarebytes' anti-malware\mbam.exe

                    Permissions:
*******************************************************************************
                  Username
Type     Permissions               Inheritance
*******************************************************************************
                  \Everyone
Allowed  Full Control              

No Auditing set

Owner: Administrator (GPC1121-134CA48\Administrator)


Ok, I was able to get a cmd prompt via the task manager. I copied the text and it says it scanned my computer. Hopefully this is a useful log. Please see below. Thanks!

Well . . . I don't think everything was extracted properly to the FindWPP folder. Either that, or it ran from the zip. Either way, it didn't run properly . . . But, no worries. I still see enough.


Let's try this:

Please Download Win32kDiag from a linky below and save it to your Desktop.
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

It should run - let me know if it doesn't.
Be sure to let it run until it says "Finished" before posting the log!

PP :)


Hi PP,

It finished running. It should be attached to this message. Please let me know what you think...

Thanks.

Attachments
Running from: C:\Documents and Settings\Administrator\My Documents\Downloads\Win32kDiag(2).exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point       : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB960859\KB960859

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB971032\KB971032

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB971557\KB971557

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB971657\KB971657

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB973507\KB973507

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB973815\KB973815

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16B.tmp\ZAP16B.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP265.tmp\ZAP265.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B1.tmp\ZAP2B1.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B3.tmp\ZAP2B3.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D.tmp\ZAP2D.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Drivers\Intel\Intel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\explorer.exe

[1] 2007-06-13 07:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)

[1] 2004-08-04 08:00:00 1032192 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe (Microsoft Corporation)

[1] 2007-06-13 06:23:07 1033216 C:\WINDOWS\explorer.exe ()

[1] 2008-04-13 20:12:19 1033728 C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe (Microsoft Corporation)

[1] 2007-06-13 06:23:07 1033216 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)



Found mount point       : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\update\update.exe

[1] 2004-10-14 11:34:54 654848 C:\WINDOWS\$hf_mig$\KB873339\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB885835\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB885836\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 14:34:52 654848 C:\WINDOWS\$hf_mig$\KB886185\update\update.exe (Microsoft Corporation)

[1] 2004-10-14 12:34:54 654848 C:\WINDOWS\$hf_mig$\KB887472\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB888302\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB890046\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 20:35:06 718048 C:\WINDOWS\$hf_mig$\KB890859\update\update.exe (Microsoft Corporation)

[1] 2004-11-30 15:46:40 654848 C:\WINDOWS\$hf_mig$\KB891781\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB893756\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB894391\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896358\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896423\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB896428\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 23:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB899587\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB899591\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB900485\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB900725\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB901017\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB901214\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 21:35:06 718048 C:\WINDOWS\$hf_mig$\KB902400\update\update.exe (Microsoft Corporation)

[1] 2005-10-12 19:12:29 716000 C:\WINDOWS\$hf_mig$\KB904942\update\update.exe (Microsoft Corporation)

[1] 2005-02-24 23:35:05 718048 C:\WINDOWS\$hf_mig$\KB905414\update\update.exe (Microsoft Corporatio

It finished running. It should be attached to this message. Please let me know what you think...

OK - Now we are getting somewhere.

First, please move Win32kDiag.exe to the Desktop.


Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in Red below and copy it using Ctrl+C or RightClick > Copy:


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox, using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


THEN:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know how that works and we'll go to the next step.

PP :)


Hi PP,

I get an error message when trying to post the above statement in Avenger. It says invalid script. Script must begin with a command directive.


Hi PP,

I get an error message when trying to post the above statement in Avenger. It says invalid script. Script must begin with a command directive.

You have to copy ALL the text in red . . . including the part that says "Files to move" or you'll get that error.

Be sure to do everything carefully and exactly as I have spelled it out. That includes putting the downloaded files where I specify, etc... Otherwise, we'll just get bogged down.
Feel free to ask any questions or let me know if I need to clarify anything - A forum setting is not the easiest for malware removal....


Try again and let me know. I'll be back on in an hour or so - need to head out for a bit.

PP :)


Hi PP,

Yeah, I'm sorry about that. I can be an idiot sometimes.
A log didn't pop up for Avenger after the computer rebooted though. My desktop just appeared as usual...nothing else happened.

Anyway, can we get back on this tomorrow? I've got a long day tomorrow. Once again, thanks for your help. You're doing an excellent job helping a not so technical guy. Let me know of any other suggestions and I'll get on them first chance I get tomorrow.


Anyway, can we get back on this tomorrow? I've got a long day tomorrow. Once again, thanks for your help. You're doing an excellent job helping a not so technical guy. Let me know of any other suggestions and I'll get on them first chance I get tomorrow.

I am generally around in the evening (EST). We can pick this up then.
You should probably keep this computer offline as much as possible until we finish. This baddie comes in varying degrees of difficulty and I'd hate to see it call for reinforcements.

-- I do want to see the Avenger log. Try looking at C:\avenger.txt and see if it is there.

-- Also, run that second step with win32kdiag.exe
exactly as I wrote it and post that log.

What we are attempting to do is to get your machine to a point where we can run some tools and have them complete their runs.....

Be back Wednesday evening.
PP :)


Hi PP,

I hope you're having a wonderful Wednesday.

Ok, first off, I can't find the avenger log anywhere. I ran it yesterday and it rebooted my computer but a log didn't pop up and currently I don't see it.
Secondly, I tried running your second instruction. Each time I attempt it I get a message saying it is not recognized as an internal or external command, operable program or batch file.
FYI, because I don't have a start menu, I'm running it from the task manager feature, and just inputting what you have in the designated area.
Thanks.


I hope you're having a wonderful Wednesday.

It's a dank and dreary Wednesday in my neck of the woods...

We really need to get this step done before we can try any removal tools, so let's do this:

Please Download a fresh copy of Win32kDiag from a linky below and save it to your C:\Drive. (C:\Win32kDiag.exe)
http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

Then, try the following command and post me the log:
"C:\win32kdiag.exe" -f -r

And we'll go from there.

PP :)


Hi PP,

Please see the attached log. Please let me know what you think.

Thanks.

Attachments
Running from: C:\win32kdiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point       : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point       : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point       : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point       : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Found mount point       : C:\WINDOWS\$hf_mig$\KB960859\KB960859

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB960859\KB960859

Found mount point       : C:\WINDOWS\$hf_mig$\KB971032\KB971032

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971032\KB971032

Found mount point       : C:\WINDOWS\$hf_mig$\KB971557\KB971557

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971557\KB971557

Found mount point       : C:\WINDOWS\$hf_mig$\KB971657\KB971657

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971657\KB971657

Found mount point       : C:\WINDOWS\$hf_mig$\KB973507\KB973507

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB973507\KB973507

Found mount point       : C:\WINDOWS\$hf_mig$\KB973815\KB973815

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB973815\KB973815

Found mount point       : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16B.tmp\ZAP16B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16B.tmp\ZAP16B.tmp

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP265.tmp\ZAP265.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP265.tmp\ZAP265.tmp

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B1.tmp\ZAP2B1.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B1.tmp\ZAP2B1.tmp

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B3.tmp\ZAP2B3.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B3.tmp\ZAP2B3.tmp

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D.tmp\ZAP2D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2D.tmp\ZAP2D.tmp

Found mount point       : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point       : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point       : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point       : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point       : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point       : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point       : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point       : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point       : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point       : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point       : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point       : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point       : C:\WINDOWS\Drivers\Intel\Intel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Drivers\Intel\Intel

Cannot access: C:\WINDOWS\explorer.exe

[1] 2007-06-13 07:26:03 1033216 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe (Microsoft Corporation)

[1] 2004-08-04 08:00:00 1032192 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe (Microsoft Corporation)

[1] 2007-06-13 06:23:07 1033216 C:\WINDOWS\explorer.exe ()

[1] 2008-04-13 20:12:19 1033728 C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe (Microsoft Corporation)

[1] 2007-06-13 06:23:07 1033216 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)



Found mount point       : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point       : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point       : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point       : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point       : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point       : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point       : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point       : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point       : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point       : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point       : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point       : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point       : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point       : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Found mount point       : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point       : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point       : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\I

Please see the attached log. Please let me know what you think.

Well. . . . Part of what we were trying to do got done. Let's go ahead and try this next step:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me. Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

If it runs, post me the log.

Cheers :)
PP


Ok, I let Combofix run and everything was ok until I came back to my computer to find it idle and the screen saver on. Well, it completed all 50 stages and deleted some files, etc., but then it said something failed and it logged me off. So, basically I have no log to report right now. It seemed like it was real close to being finished.
Should I run it again?

It took a long time...so I'll just try to run it again tomorrow if you say it's ok. Let me know! Thanks!


It took a long time...so I'll just try to run it again tomorrow if you say it's ok. Let me know! Thanks!

Look for the log at C:\Combofix.txt and post it if it exists.
-- Try doing a search of the machine for Combofix / Combo-fix / Qoobox and let me know if anything shows up.

If you can't find any of those, go ahead and try to run Combofix again. Do it in Safe Mode this time and see if it saves a log...
To boot to Safe Mode, tap F8 on reboot to get the Safe Boot options. Do not use MSConfig to boot to safe mode!

Best Luck :)
PP


Happy Thursday PP,

Ok, I was able to run combo-fix in safe mode, and it actually produced a log...so thankful!

Anyway please see the attached log and let me know what you think...

K

Attachments
ComboFix 09-09-30.05 - Administrator 10/01/2009 20:29.2.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.510.308 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-fix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\Drivers\gibaq.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\wiwow64.exe
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\12533434
c:\documents and settings\All Users\Application Data\12533434\12533434
c:\documents and settings\All Users\Application Data\12533434\12533434.exe
c:\documents and settings\All Users\Application Data\12533434\pc12533434ins
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\windows\Fonts\mlog
c:\windows\Install.txt
c:\windows\run.log
c:\windows\system32\browsew.dll
c:\windows\system32\drivers\ytasfwxexrxjge.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\netcard.sys
c:\windows\system32\wiwow64.exe
c:\windows\system32\ytasfwbeexmyby.dll
c:\windows\system32\ytasfwcbfwysiw.dll
c:\windows\system32\ytasfwjkyurwts.dat
c:\windows\system32\ytasfwlexteoaw.dll
c:\windows\system32\ytasfwviudwxdu.dat
c:\windows\TEMP\mta56547.dll

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected 
Restored copy from - c:\windows\system32\dllcache\eventlog.dll 

--------

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_NETCARD
-------\Legacy_ytasfwwyksrubl
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_Ias
-------\Service_netcard
-------\Service_ytasfwwyksrubl


(((((((((((((((((((((((((   Files Created from 2009-09-02 to 2009-10-02  )))))))))))))))))))))))))))))))
.

2009-10-01 00:48 . 2009-10-01 00:48	47616	----a-w-	C:\Win32kDiag.exe
2009-09-30 01:00 . 2009-09-30 01:01	--------	d-----w-	C:\PKBTEMP
2009-09-28 01:59 . 2009-09-28 01:59	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-09-28 01:34 . 2004-08-04 12:00	55808	----a-w-	C:\logevent.dll
2009-09-27 16:48 . 2009-09-27 16:48	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-27 16:48 . 2009-09-10 18:54	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 16:48 . 2009-09-29 22:36	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-09-27 16:48 . 2009-09-27 16:48	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-27 16:48 . 2009-09-10 18:53	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-09-27 15:37 . 2009-09-27 15:37	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-27 15:37 . 2009-10-02 00:36	--------	d-----w-	c:\program files\SUPERAntiSpyware
2009-09-27 15:37 . 2009-09-27 15:37	--------	d-----w-	c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-09-27 03:16 . 2009-10-02 00:23	718880	--sha-w-	c:\windows\system32\drivers\fidbox.dat
2009-09-27 03:16 . 2009-10-02 00:23	38944	--sha-w-	c:\windows\system32\drivers\fidbox2.dat
2009-09-27 02:50 . 2009-09-27 02:50	--------	d-----w-	c:\program files\Common Files\ParetoLogic
2009-09-27 02:50 . 2009-09-27 02:50	--------	d-----w-	c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-09-27 02:50 . 2009-09-27 02:50	--------	d-----w-	c:\program files\ParetoLogic
2009-09-27 02:50 . 2009-09-27 02:50	--------	d-----w-	c:\documents and settings\All Users\Application Data\ParetoLogic
2009-09-27 02:44 . 2009-09-27 02:44	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-09-25 00:02 . 2009-09-25 00:02	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-21 23:35 . 2009-09-30 23:03	0	----a-r-	c:\windows\win32k.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 00:25 . 2009-08-08 17:43	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2009-10-02 00:23 . 2009-09-27 03:16	9500	--sha-w-	c:\windows\system32\drivers\fidbox.idx
2009-10-02 00:23 . 2009-09-27 03:16	4724	--sha-w-	c:\windows\system32\drivers\fidbox2.idx
2009-09-30 23:18 . 2009-08-08 17:43	--------	d-----w-	c:\program files\Spyware Doctor
2009-09-30 02:55 . 2009-09-30 02:55	166	----a-w-	c:\program files\zvudg.txt
2009-09-27 16:20 . 2009-03-15 17:04	--------	d-----w-	c:\program files\Lavasoft
2009-09-27 16:01 . 2009-08-09 15:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-27 16:01 . 2009-08-09 15:12	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2009-09-27 15:40 . 2009-08-08 17:43	206256	----a-w-	c:\windows\system32\drivers\PCTCore.sys
2009-09-27 15:40 . 2009-09-27 15:40	7396	----a-w-	c:\windows\system32\drivers\pctcore.cat
2009-09-27 02:51 . 2008-03-18 20:46	46056	----a-w-	c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-08 19:50 . 2009-08-08 19:50	--------	d-----w-	c:\documents and settings\All Users\Application Data\Winferno
2009-08-08 19:49 . 2009-08-08 19:49	--------	d-----w-	c:\documents and settings\Administrator\Application Data\vlc
2009-08-08 19:45 . 2009-08-08 19:45	--------	d-----w-	c:\program files\VideoLAN
2009-08-08 19:45 . 2009-08-08 19:45	--------	d-----w-	c:\program files\Winferno
2009-08-08 17:45 . 2009-08-08 17:43	--------	d-----w-	c:\program files\Common Files\PC Tools
2009-08-08 17:43 . 2009-08-08 17:43	--------	d-----w-	c:\documents and settings\All Users\Application Data\PC Tools
2009-08-08 17:43 . 2009-08-08 17:43	--------	d-----w-	c:\documents and settings\Administrator\Application Data\PC Tools
2009-08-08 07:26 . 2009-08-08 07:26	--------	d-----w-	c:\program files\MSXML 4.0
2009-08-08 07:20 . 2009-08-08 07:20	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-08-08 03:42 . 2009-08-08 03:42	--------	d-----w-	c:\documents and settings\LocalService\Application Data\Apple Computer
2009-08-06 04:50 . 2009-08-06 01:58	--------	d-----w-	c:\documents and settings\All Users\Application Data\17624374
2009-08-06 03:29 . 2009-08-06 03:29	--------	d-----w-	c:\program files\MSSOAP
2009-08-06 03:29 . 2009-08-06 03:29	--------	d-----w-	c:\program files\Webroot
2009-08-06 03:26 . 2009-08-06 03:26	164	----a-w-	c:\windows\install.dat
2009-08-06 02:24 . 2009-01-03 20:44	--------	d-----w-	c:\program files\FlashGet
2009-07-14 03:43 . 2004-08-04 12:00	286208	----a-w-	c:\windows\system32\wmpdxm.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 . !HASH: COULD NOT OPEN FILE !!!!! . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 68856]
"MP4 Player"="c:\program files\MP4 Player\mp4Player.exe" [2007-09-19 639488]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-09-11 2836440]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Flashget"="c:\program files\FlashGet\FlashGet.exe" [2007-09-25 2007088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" [2009-09-27 1974]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[hkey_local_machine

Happy Thursday.....
Anyway please see the attached log and let me know what you think...

Agreed! So Happy It's Thursday! ;) That's my favorite . . . Right up there with TGIF!

Anyhoo, that log looks great! A ton of nasty crap was removed.
We still have a bunch to do, though.....

Let's do this next:
Update your MBAM and run the Quick Scan in Normal Windows boot and have it remove what it finds and then post the log for me.

PP :)


Hi PP,

Ooops, I'm sorry, I did the full system scan. And as you can tell, it took a long time. Anyway, the logs are attached. Two logs popped up and I didn't know which would be the most useful. Please let me know what you think.

Thanks.

K.


Attachments
Malwarebytes' Anti-Malware 1.41
Database version: 2890
Windows 5.1.2600 Service Pack 2

10/1/2009 11:42:21 PM
mbam-log-2009-10-01 (23-42-05).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 138779
Time elapsed: 1 hour(s), 45 minute(s), 59 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 12
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\btwsrv (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\btwsrv (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sofatnet (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sofatnet (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sofatnet (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Police Pro (Rogue.WindowsPolicePro) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\applnit_dlls (Spyware.Agent.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\17624374 (Rogue.Multiple) -> No action taken.

Files Infected:
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe.vir (Antivirus2009) -> No action taken.
C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\windows Police Pro.exe.vir (Antivirus2009) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\netcard.sys.vir (Trojan.Proxy) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir (Backdoor.Bot) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwbeexmyby.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwcbfwysiw.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwlexteoaw.dll.vir (Rootkit.TDSS) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ytasfwxexrxjge.sys.vir (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\EvdoServer.dllx (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\sofatnet.exex (Backdoor.Bot) -> No action taken.
C:\WINDOWS\temp\t4m0_594943644569.bk.old (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\All Users\Application Data\17624374\17624374 (Rogue.Multiple) -> No action taken.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.
Malwarebytes' Anti-Malware 1.41
Database version: 2890
Windows 5.1.2600 Service Pack 2

10/1/2009 11:42:37 PM
mbam-log-2009-10-01 (23-42-37).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 138779
Time elapsed: 1 hour(s), 45 minute(s), 59 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 12
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 21

Memory Processes Infected:
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\applnit_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\17624374 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe.vir (Antivirus2009) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\windows Police Pro.exe.vir (Antivirus2009) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\netcard.sys.vir (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwbeexmyby.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwcbfwysiw.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ytasfwlexteoaw.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ytasfwxexrxjge.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoServer.dllx (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\sofatnet.exex (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\t4m0_594943644569.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\17624374\17624374 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
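The two MBAM logs above list the same detections; they differ only in the action column (the first records what the scan found with no action taken, the second the outcome after removal). As an added example, not part of this thread and not Malwarebytes' own tooling, here is a small Python parser for logs in this format that counts detections by category, lists items still pending (no action taken, or deferred to a reboot), and diffs two runs so the before/after pair can be read at a glance. The embedded sample logs are constructed from a few lines in the format shown above.

```python
"""Parse and compare Malwarebytes' Anti-Malware (MBAM) text logs.

Added example; assumes the line format seen in the thread:
    <item> (<category>) -> <action>.
under section headers such as "Files Infected:".
"""
import re
from collections import Counter

# One detection line: "<item> (<category>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?$")
# A section header line, e.g. "Registry Keys Infected:" (the summary
# lines "Registry Keys Infected: 15" do not match because of the count).
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# Actions that mean the item has not actually been removed yet.
PENDING_ACTIONS = {"No action taken", "Delete on reboot"}

# Constructed sample logs (abbreviated, same format as the thread's logs).
LOG_BEFORE = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2890

Scan type: Full Scan (A:\|C:\|D:\|)
Memory Processes Infected: 2
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.
"""

LOG_AFTER = r"""
Memory Processes Infected:
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> Unloaded process successfully.

Files Infected:
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return a list of findings: dicts with section, item, category, action."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        if section is None:  # still in the header block
            continue
        det = DETECTION_RE.match(line)
        if det:
            findings.append({"section": section, "item": det.group("item"),
                             "category": det.group("category"),
                             "action": det.group("action")})
    return findings


def summarize(findings):
    """Count detections per category and collect items not yet removed."""
    by_category = Counter(f["category"] for f in findings)
    pending = [f for f in findings if f["action"] in PENDING_ACTIONS]
    return {"total": len(findings), "by_category": dict(by_category),
            "pending": pending}


def compare_runs(before, after):
    """Map (section, item) -> (old_action, new_action) for items whose action changed."""
    old = {(f["section"], f["item"]): f["action"] for f in before}
    changed = {}
    for f in after:
        key = (f["section"], f["item"])
        if key in old and old[key] != f["action"]:
            changed[key] = (old[key], f["action"])
    return changed


if __name__ == "__main__":
    before = parse_mbam_log(LOG_BEFORE)
    after = parse_mbam_log(LOG_AFTER)
    print("Before:", summarize(before)["by_category"])
    for f in summarize(after)["pending"]:
        print("Still pending after removal run:", f["item"], "->", f["action"])
    for (section, item), (old, new) in compare_runs(before, after).items():
        print(f"{section}: {item}: {old} -> {new}")
```

Items left in the pending list after the second run (here the DLL marked "Delete on reboot") are the ones to re-check with a fresh scan after restarting, which is why the thread's next step is a reboot followed by another quick scan.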

Ooops, I'm sorry, I did the full system scan. And as you can tell, it took a long time. Anyway, the logs are attached. Two logs popped up and I didn't know which would be the most useful. Please let me know what you think.

Hi Kenney,

Looking better.... Let's do this and see if we can get all the logs to show clean:

First:
REBOOT and Update MBAM and run one more Quick Scan and have it remove what it finds.

Then:
DELETE your current copy of Combofix and Download a fresh one to the Desktop. You don't need to rename it this time.
Run it in Normal Windows Boot and post me that log along with the MBAM log and we'll see if we can't wrap this up.....

Be sure to do the MBAM first and then follow up with Combofix.

I'll be able to check in briefly Friday evening EST.

Cheers :)
PP


Happy Friday PP,

I was able to run a scan in malwarebytes.

I also was able to run a scan in combofix too.

Please let me know what you think.

Kenney

Attachments
ComboFix 09-10-01.05 - Administrator 10/02/2009 19:56.3.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.510.126 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\irc.txt
c:\windows\system32\Install.txt

.
(((((((((((((((((((((((((   Files Created from 2009-09-02 to 2009-10-02  )))))))))))))))))))))))))))))))
.

2009-10-01 00:48 . 2009-10-01 00:48	47616	----a-w-	C:\Win32kDiag.exe
2009-09-30 01:00 . 2009-09-30 01:01	--------	d-----w-	C:\PKBTEMP
2009-09-28 01:59 . 2009-09-28 01:59	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-09-28 01:34 . 2004-08-04 12:00	55808	----a-w-	C:\logevent.dll
2009-09-27 16:48 . 2009-09-27 16:48	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-27 16:48 . 2009-09-10 18:54	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-27 16:48 . 2009-10-02 01:52	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-09-27 16:48 . 2009-09-27 16:48	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-27 16:48 . 2009-09-10 18:53	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-09-27 15:37 . 2009-09-27 15:37	--------	d-----w-	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-27 15:37 . 2009-10-03 00:04	--------	d-----w-	c:\program files\SUPERAntiSpyware
2009-09-27 15:37 . 2009-09-27 15:37	--------	d-----w-	c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-09-27 03:16 . 2009-10-03 00:09	259872	--sha-w-	c:\windows\system32\drivers\fidbox2.dat
2009-09-27 03:16 . 2009-10-03 00:07	1949728	--sha-w-	c:\windows\system32\drivers\fidbox.dat
2009-09-27 02:50 . 2009-09-27 02:50	--------	d-----w-	c:\program files\Common Files\ParetoLogic
2009-09-27 02:50 . 2009-09-27 02:50	--------	d-----w-	c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-09-27 02:50 . 2009-09-27 02:50	--------	d-----w-	c:\program files\ParetoLogic
2009-09-27 02:50 . 2009-09-27 02:50	--------	d-----w-	c:\documents and settings\All Users\Application Data\ParetoLogic
2009-09-27 02:44 . 2009-09-27 02:44	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Downloaded Installations
2009-09-25 00:02 . 2009-09-25 00:02	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 23:44 . 2009-08-08 17:43	--------	d---a-w-	c:\documents and settings\All Users\Application Data\TEMP
2009-10-02 23:42 . 2009-09-27 03:16	24116	--sha-w-	c:\windows\system32\drivers\fidbox2.idx
2009-10-02 23:42 . 2009-09-27 03:16	22388	--sha-w-	c:\windows\system32\drivers\fidbox.idx
2009-10-02 01:07 . 2009-08-08 17:43	--------	d-----w-	c:\program files\Spyware Doctor
2009-09-30 02:55 . 2009-09-30 02:55	166	----a-w-	c:\program files\zvudg.txt
2009-09-27 16:20 . 2009-03-15 17:04	--------	d-----w-	c:\program files\Lavasoft
2009-09-27 16:01 . 2009-08-09 15:12	--------	d-----w-	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-27 16:01 . 2009-08-09 15:12	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2009-09-27 15:40 . 2009-08-08 17:43	206256	----a-w-	c:\windows\system32\drivers\PCTCore.sys
2009-09-27 15:40 . 2009-09-27 15:40	7396	----a-w-	c:\windows\system32\drivers\pctcore.cat
2009-09-27 02:51 . 2008-03-18 20:46	46056	----a-w-	c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-08 19:50 . 2009-08-08 19:50	--------	d-----w-	c:\documents and settings\All Users\Application Data\Winferno
2009-08-08 19:49 . 2009-08-08 19:49	--------	d-----w-	c:\documents and settings\Administrator\Application Data\vlc
2009-08-08 19:45 . 2009-08-08 19:45	--------	d-----w-	c:\program files\VideoLAN
2009-08-08 19:45 . 2009-08-08 19:45	--------	d-----w-	c:\program files\Winferno
2009-08-08 17:45 . 2009-08-08 17:43	--------	d-----w-	c:\program files\Common Files\PC Tools
2009-08-08 17:43 . 2009-08-08 17:43	--------	d-----w-	c:\documents and settings\All Users\Application Data\PC Tools
2009-08-08 17:43 . 2009-08-08 17:43	--------	d-----w-	c:\documents and settings\Administrator\Application Data\PC Tools
2009-08-08 07:26 . 2009-08-08 07:26	--------	d-----w-	c:\program files\MSXML 4.0
2009-08-08 07:20 . 2009-08-08 07:20	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-08-08 03:42 . 2009-08-08 03:42	--------	d-----w-	c:\documents and settings\LocalService\Application Data\Apple Computer
2009-08-06 23:24 . 2008-03-18 13:33	327896	----a-w-	c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2008-03-18 13:33	209632	----a-w-	c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2008-03-18 15:09	44768	----a-w-	c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2008-03-18 13:33	35552	----a-w-	c:\windows\system32\wups.dll
2009-08-06 23:24 . 2008-03-18 13:33	53472	----a-w-	c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2004-08-04 12:00	96480	----a-w-	c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2008-03-18 13:33	575704	----a-w-	c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-03-18 13:33	1929952	----a-w-	c:\windows\system32\wuaueng.dll
2009-08-06 03:29 . 2009-08-06 03:29	--------	d-----w-	c:\program files\MSSOAP
2009-08-06 03:29 . 2009-08-06 03:29	--------	d-----w-	c:\program files\Webroot
2009-08-06 03:26 . 2009-08-06 03:26	164	----a-w-	c:\windows\install.dat
2009-08-06 02:24 . 2009-01-03 20:44	--------	d-----w-	c:\program files\FlashGet
2009-07-14 03:43 . 2004-08-04 12:00	286208	----a-w-	c:\windows\system32\wmpdxm.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 . !HASH: COULD NOT OPEN FILE !!!!! . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
(((((((((((((((((((((((((((((   SnapShot@2009-10-02_00.39.08   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-02 23:22 . 2009-08-06 23:24	44768              c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-10-02 23:22 . 2009-08-06 23:24	35552              c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2008-03-18 13:33 . 2009-08-06 23:24	35552              c:\windows\system32\dllcache\wups.dll
+ 2008-03-18 13:33 . 2009-08-06 23:24	53472              c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 12:00 . 2009-08-06 23:24	96480              c:\windows\system32\dllcache\cdm.dll
+ 2008-03-18 13:33 . 2009-08-06 23:24	209632              c:\windows\system32\dllcache\wuweb.dll
+ 2008-03-18 13:33 . 2009-08-06 23:24	327896              c:\windows\system32\dllcache\wucltui.dll
+ 2008-03-18 13:33 . 2009-08-06 23:23	575704              c:\windows\system32\dllcache\wuapi.dll
+ 2008-03-18 13:33 . 2009-08-06 23:23	1929952              c:\windows\system32\dllcache\wuaueng.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-22 68856]
"MP4 Player"="c:\program files\MP4 Player\mp4Player.exe" [2007-09-19 639488]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-09-11 2836440]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Flashget"="c:\program files\FlashGet\FlashGet.exe" [2007-09-25 2007088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" [2009-09-27 1974]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-0
Malwarebytes' Anti-Malware 1.41
Database version: 2890
Windows 5.1.2600 Service Pack 2

10/2/2009 7:41:14 PM
mbam-log-2009-10-02 (19-41-06).txt

Scan type: Quick Scan
Objects scanned: 92799
Time elapsed: 14 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\I26PYOD2\w[1].bin (Backdoor.Bot) -> No action taken.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\R9DNZ2Y5\w[1].bin (Backdoor.Bot) -> No action taken.
0

Please let me know what you think.

Hi Kenney,

TGIF :)

That looks good, although you didn't have MBAM remove the baddies it found.
-- Run the Quick Scan again and REMOVE all that it finds and post the log for me. There is a backdoor trojan detected that I want to make sure gets removed.

Everything else looks OK - How are things running now?

I will say that you have altogether too many anti-malware apps on the machine now. We can thin those down a bit.

After you run MBAM and remove those last remnants, please do this:
• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.


Then, please run HijackThis in Normal windows boot and post the scanlog for me along with that last MBAM Log.

Also, you can DELETE these:
C:\Win32kDiag.exe
C:\PKBTEMP


Also - I would like to check these:

C:\windows\install.dat
C:\logevent.dll

Go here ---> and use the Browse Button at the top of the page to navigate to each of those items and Submit them for analysis. Let me know what you find. If even one scanner reports malware, let me know.

Post those results along with the two logs I requested and we'll see what remains to be done.

Cheers :)
PP

0

Hello PP,

I hope your Saturday is going well.

Ok, my computer seems to be running a lot better now. However, I still don't have any desktop icons present. Currently when I log on my background is the only thing present. I'm still having to navigate via the task manager. I tried typing in explorer.exe in the Run field; however, I continue to get the same error message, can't find specified path, etc.

I ran the quick scan in malwarebytes and nothing was found (please see attached log). I also scanned the items below via the website you posted and they found nothing.

I can't find hijackthis on my computer, so I wasn't able to run a scan from there.

Overall it seems as though the computer is mostly clean. I just hope we can get the desktop icons and start menu back so I can stop using the task manager for everything. But overall everything you have done has worked. You've saved me a great deal of heartache and trouble.

If you have any other things you would like for me to check, please let me know.

Thanks.
K

Attachments
Malwarebytes' Anti-Malware 1.41
Database version: 2890
Windows 5.1.2600 Service Pack 2

10/3/2009 11:26:20 AM
mbam-log-2009-10-03 (11-26-20).txt

Scan type: Quick Scan
Objects scanned: 92463
Time elapsed: 14 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
0

Overall it seems as though the computer is mostly clean. I just hope we can get the desktop icons and start menu back so I can stop using the task manager for everything. But overall everything you have done has worked. You've saved me a great deal of heart ache and trouble.

If you have any other things you would like for me to check, please let me know.

Hi Kenney,

I am going to be here infrequently over the weekend - so don't worry that I deserted you or anything like that..... :)

I think we can fix the Desktop & explorer issue with a little registry hacking, but I'd like you to do a few things first, just to be thorough and make sure all the proper files are present and intact after your malware battle:

1) Please run System File Checker and let me know the results. Here is an excellent linky on how to do that:
http://www.updatexp.com/scannow-sfc.html

2) Navigate to C:\Windows\explorer.exe and RENAME it to explorer.old
Now try to run that via task manager and see if it works.

3) Download Kenney.bat
-- DoubleClick on it to run it and post me the log (peek.txt) that pops up.


Let me know the results of the above and I'll try to check back as time permits.

Cheers :)
PP


0

Hi PP,

It's Sunday, which for me means football day.

Nevertheless, I had time to follow your instructions this morning.

I've attached the log, peek.txt. Please let me know what you think.

I also tried to rename the explorer.exe but was unsuccessful. I get a message saying, "Cannot rename explorer: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." Please let me know if you have any further suggestions.

I also ran the system file checker, and it progressed right through with no problem. So I'm guessing nothing was found during the scan.

Anyway, I'll be checking back periodically as time permits today.

Please let me know what you think.

Thanks.
Kenney

Attachments
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE]
"DisableHeapLookAside"="1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe]
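As an added example (not code from the thread, and not what Kenney.bat does), here is a parser for the "Windows Registry Editor Version 5.00" export format of the peek.txt attachment above, listing each Image File Execution Options subkey and flagging any that carries a Debugger value, the IFEO setting that makes Windows start a different program in place of the named image. The thread never establishes whether that is behind Kenney's explorer.exe error, so the explorer.exe entry in the constructed sample is hypothetical; the other two entries are copied from the posted export.

```python
import re
IFEO_ROOT = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Constructed sample in "Windows Registry Editor Version 5.00" format: apitrap.dll
# and cqw32.exe mirror legitimate entries from peek.txt; explorer.exe is HYPOTHETICAL.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll]
"CheckAppHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe]
"ApplicationGoo"=hex:14,02,00,00,10,02,00,00,00,02,00,00,90,04,34,00,00,00,56,\
  00,53,00,5f,00,56,00,45,00,52,00,53,00,49,00,4f,00,4e,00,5f,00,49,00,4e,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\hypothetical\\redirect.exe"
'''

def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')

def _hex_bytes(csv):
    return bytes(int(tok, 16) for tok in csv.split(",") if tok)

def parse_reg_export(text):
    """Return {key_path: {value_name: (kind, value)}} for a .reg export; handles
    "string", dword:XXXXXXXX and hex:aa,bb,... with backslash continuation lines."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                    # continuation of a hex value
            name, buf = pending[0], pending[1] + line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, buf)
            else:
                keys[current][name], pending = ("hex", _hex_bytes(buf)), None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif (m := re.match(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$', line)) and current:
            name, rhs = _unescape(m.group(1).strip('"')), m.group(2)
            if rhs.startswith('"') and rhs.endswith('"'):
                keys[current][name] = ("string", _unescape(rhs[1:-1]))
            elif rhs.startswith("dword:"):
                keys[current][name] = ("dword", int(rhs[6:], 16))
            elif rhs.startswith("hex"):
                data = rhs.partition(":")[2]
                if data.endswith("\\"):
                    pending = (name, data.rstrip("\\"))
                else:
                    keys[current][name] = ("hex", _hex_bytes(data))
            else:
                keys[current][name] = ("other", rhs)
    return keys

def ifeo_findings(keys):
    """Per direct IFEO subkey: (image, value names, Debugger target or None); a
    Debugger value makes Windows start that target in place of the image."""
    prefix = IFEO_ROOT.lower() + "\\"
    out = []
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "\\" not in path[len(prefix):]:
            dbg = values.get("Debugger")
            out.append((path[len(prefix):], sorted(values), dbg[1] if dbg else None))
    return out
```

Run against a real export, an AppCompat-style entry (CheckAppHelp, ApplicationGoo) on an unfamiliar name is the normal case; a Debugger value on a system binary is what to investigate.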