Google Redirect infection, plus other malware suspected [Solved], and most diagnostics not producing output
freaksoupacciden...
post Nov 4 2009, 01:48 PM
Post #1
Member, Posts: 14, From: Watford, United Kingdom, OS: Windows XP

Hi folks - first time poster so please be gentle.

I'm getting fake virus messages which have the look of the usual malware stuff, but now I'm also noticing some google search results are redirecting to strange places. In short - I think I have a fairly common malware problem. However, additionally my CA anti virus can no longer update and I appear to be losing small parts of windows functionality every other day: eg, the ability to change my wallpaper, the volume icon in the tray etc.

A poster on another forum led me here and I've followed all the steps in your cleaning guide but with frustratingly little success...

TFC ran fine, as did the System restore, and ERUNT. Then things started going pear shaped.

Malwarebytes installed fine but when I run it the program gets to the 'choose which type of scan' screen fine, but once I make my selection and press 'scan' it terminates without executing. No message, no nothing. Then when I try to re-run it I get "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item". This is rubbish as the .exe is still there and I am running as Administrator. So... no log from MBAM.

I ran my Anti Virus and Spyware (now ten days out of date) and it found nothing. (It's CA in case that is relevant). Did the reboot - no improvement.

Then got to RootRepeal. Downloaded and installed it fine. But then when stepping through the instructions I got to Step 6 and the program hung. In fact it hung the whole PC and I had to do a warm reboot. I tried this twice but got the same result. So... no output from RootRepeal either.

Undeterred I proceeded to download OTL. It installed fine and I ran it, pasting in the relevant bits into the Custom Scan box as instructed. Clicked 'quick scan' and it whirred away for about 5 minutes with various encouraging messages/file lists, until it got to "Manual File Scan - Getting Folder Structure" whereupon it popped up an "Out of Memory" box and stopped. So, I have no output from OTL either.

I'm hoping that despite the absence of logs someone might be able to help me.

I'm using a Dell Dimension C521 running XP Home Edition SP3, with 2 x AMD Athlon 64 2.1 GHz, and 2 GB RAM.

Wifey thinks I should just get a new computer but I'm sure this is fixable by someone who knows what they are doing.

All help appreciated.

Thanks
Soupy
piano9playa5
post Nov 4 2009, 02:33 PM
Post #2
GeekU Senior, Posts: 1,241, OS: XP Home

Hello, freaksoupaccident! Welcome to GeekstoGo! I'm piano9playa5 and will be assisting you with your malware problems. If you have any questions, ask away! Just a few tips to make things go smoothly:
  • Please be patient. I am still in training and there may be delays between posts.
    I must check everything with a moderator before posting.
  • Don't run tools you see being used in another topic. Running tools unsupervised can be dangerous.
  • Copy\Paste logs in your replies, rather than attaching them, unless I instruct you to do otherwise.
    This makes things easier for me, and the moderator looking over this topic.
  • Ensure "WordWrap" is disabled in Notepad.
    • Click Start > All Programs > Accessories > Notepad.
    • Click Format > Word Wrap (if it is checked, click it to uncheck it; if not, leave it)
  • To everyone except freaksoupaccident: The instructions following were created specifically for freaksoupaccident, please do not perform these steps unless instructed by a Trusted Helper.


I'll post back some instructions shortly.

This post has been edited by piano9playa5: Nov 4 2009, 04:11 PM
piano9playa5
post Nov 4 2009, 04:11 PM
Post #3

Hello! I need to confirm the symptoms you are describing.



Win32kDiag
Download Win32kDiag from any of the following locations and save it to your Desktop.
Link 1
Link 2
Link 3
  • Double-click on Win32kDiag to start the program.
  • When finished (message will show), press any key to close it.
  • Open the Win32kDiag.txt now on your Desktop and Copy\Paste the contents back here.
freaksoupacciden...
post Nov 4 2009, 05:02 PM
Post #4

Ok here we go:

--- begin included text ---

Running from: C:\Documents and Settings\TheMortimers\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\TheMortimers\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB976749-IE8\KB976749-IE8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP21.tmp\ZAP21.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP647.tmp\ZAP647.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109810090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 04:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)



ERROR OCCURRED!

------------------------------

Windows Version: Windows XP SP3

Exception Code: 0xc0000005

Exception Address: 0x7c954329

Attempt to read from address: 0x00000010

[1] 2008-04-14 00:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-14 00:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe ()



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\rnapxs\CSDK\CSDK

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\8f999a6add48b449a8ea8c09fb44cb0c\update\update.exe

[1] 2004-10-14 18:21:58 654848 C:\WINDOWS\$hf_mig$\KB873339\update\update.exe ()

[1] 2004-11-30 22:29:47 654848 C:\WINDOWS\$hf_mig$\KB885250\update\update.exe ()

[1] 2004-10-14 18:34:52 654848 C:\WINDOWS\$hf_mig$\KB885835\update\update.exe ()

[1] 2004-10-14 10:34:54 654848 C:\WINDOWS\$hf_mig$\KB885836\update\update.exe ()

[1] 2004-10-14 18:34:52 654848 C:\WINDOWS\$hf_mig$\KB886185\update\update.exe ()

[1] 2004-10-14 18:34:52 654848 C:\WINDOWS\$hf_mig$\KB887472\update\update.exe ()

[1] 2004-11-30 13:46:40 654848 C:\WINDOWS\$hf_mig$\KB888302\update\update.exe ()

[1] 2005-02-24 18:35:06 718048 C:\WINDOWS\$hf_mig$\KB890859\update\update.exe ()

[1] 2004-10-14 18:21:58 654848 C:\WINDOWS\$hf_mig$\KB891781\update\update.exe ()

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB893756\update\update.exe ()

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB894391\update\update.exe ()

[1] 2005-02-25 03:35:05 718048 C:\WINDOWS\$hf_mig$\KB896358\update\update.exe ()

[1] 2005-02-25 03:35:05 718048 C:\WINDOWS\$hf_mig$\KB896423\update\update.exe ()

[1] 2005-02-25 03:35:05 718048 C:\WINDOWS\$hf_mig$\KB896424\update\update.exe ()

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB896428\update\update.exe ()

[1] 2005-02-25 03:35:05 718048 C:\WINDOWS\$hf_mig$\KB898461\update\update.exe ()

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB899587\update\update.exe ()

[1] 2005-02-25 03:35:05 718048 C:\WINDOWS\$hf_mig$\KB899588\update\update.exe ()

[1] 2005-02-25 03:35:05 718048 C:\WINDOWS\$hf_mig$\KB899591\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB900485\update\update.exe ()

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB900725\update\update.exe ()

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB901017\update\update.exe ()

[1] 2005-02-25 03:35:05 718048 C:\WINDOWS\$hf_mig$\KB901214\update\update.exe ()

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB902400\update\update.exe ()

[1] 2005-02-25 03:35:05 718048 C:\WINDOWS\$hf_mig$\KB904706\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB904942\update\update.exe ()

[1] 2005-02-25 03:35:05 718048 C:\WINDOWS\$hf_mig$\KB905414\update\update.exe ()

[1] 2005-02-24 19:35:06 718048 C:\WINDOWS\$hf_mig$\KB905749\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB908519\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB908531\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB910437\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB911280\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB911562\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB911927\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB912919\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB912945\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB913580\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB914388\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB914389\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB915865\update\update.exe ()

[1] 2005-10-12 23:16:51 716000 C:\WINDOWS\$hf_mig$\KB916595\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB917344\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB917422\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB917953\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB918118\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB918439\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB919007\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB920213\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB920214\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB920670\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB920683\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB920685\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB920872\update\update.exe ()

[1] 2006-01-19 19:29:21 716000 C:\WINDOWS\$hf_mig$\KB921398\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB921503\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB922582\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB922616\update\update.exe ()

[1] 2005-10-12 23:16:51 716000 C:\WINDOWS\$hf_mig$\KB922819\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB923414\update\update.exe ()

[1] 2008-11-15 17:18:04 755576 C:\WINDOWS\$hf_mig$\KB923561\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB923694\update\update.exe ()

[1] 2005-10-12 23:16:51 716000 C:\WINDOWS\$hf_mig$\KB923980\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB924191\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB924270\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB924496\update\update.exe ()

[1] 2006-01-19 19:29:19 716000 C:\WINDOWS\$hf_mig$\KB925902\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB926255\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB926436\update\update.exe ()

[1] 2006-01-19 19:29:19 716000 C:\WINDOWS\$hf_mig$\KB927779\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB927802\update\update.exe ()

[1] 2006-01-19 19:29:19 716000 C:\WINDOWS\$hf_mig$\KB927891\update\update.exe ()

[1] 2006-01-19 19:29:19 716000 C:\WINDOWS\$hf_mig$\KB928090\update\update.exe ()

[1] 2006-01-19 19:29:19 716000 C:\WINDOWS\$hf_mig$\KB928255\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB928843\update\update.exe ()

[1] 2006-01-19 19:29:19 716000 C:\WINDOWS\$hf_mig$\KB929123\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB929969\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB930178\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB930916\update\update.exe ()

[1] 2006-01-19 19:29:19 716000 C:\WINDOWS\$hf_mig$\KB931261\update\update.exe ()

[1] 2006-01-19 19:29:19 716000 C:\WINDOWS\$hf_mig$\KB931836\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB933360\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\$hf_mig$\KB933729\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB935839\update\update.exe ()

[1] 2006-01-19 19:29:19 716000 C:\WINDOWS\$hf_mig$\KB935840\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB936021\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB938127\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe ()

[1] 2007-11-30 11:20:44 755576 C:\WINDOWS\$hf_mig$\KB938464\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\$hf_mig$\KB938828\update\update.exe ()

[1] 2006-01-19 19:29:19 716000 C:\WINDOWS\$hf_mig$\KB938829\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB941202\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB941568\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB941644\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB941693\update\update.exe ()

[1] 2007-03-06 01:22:56 716000 C:\WINDOWS\$hf_mig$\KB942615-IE7\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB942763\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB943055\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB943485\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB944533-IE7\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB944653\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB945553\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB946026\update\update.exe ()

[1] 2007-11-30 11:20:44 755576 C:\WINDOWS\$hf_mig$\KB946648\update\update.exe ()

[1] 2007-03-06 01:22:56 716000 C:\WINDOWS\$hf_mig$\KB947864-IE7\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB948590\update\update.exe ()

[1] 2007-03-06 01:22:56 716000 C:\WINDOWS\$hf_mig$\KB948881\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB950749\update\update.exe ()

[1] 2007-03-06 01:22:56 716000 C:\WINDOWS\$hf_mig$\KB950759-IE7\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB950760\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB950762\update\update.exe ()

[1] 2007-11-30 12:39:18 755576 C:\WINDOWS\$hf_mig$\KB950974\update\update.exe ()

[1] 2007-12-03 15:25:31 755576 C:\WINDOWS\$hf_mig$\KB951066\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB951072-v2\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB951698\update\update.exe ()

[1] 2007-11-30 12:39:18 755576 C:\WINDOWS\$hf_mig$\KB951748\update\update.exe ()

[1] 2007-11-30 12:39:18 755576 C:\WINDOWS\$hf_mig$\KB951978\update\update.exe ()

[1] 2007-11-30 12:39:18 755576 C:\WINDOWS\$hf_mig$\KB952004\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB952287\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB952954\update\update.exe ()

[1] 2007-03-06 01:22:56 716000 C:\WINDOWS\$hf_mig$\KB953838-IE7\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB953839\update\update.exe ()

[1] 2008-07-09 07:38:29 755576 C:\WINDOWS\$hf_mig$\KB954211\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB954459\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB954600\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB955069\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB955839\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB956390-IE7\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB956391\update\update.exe ()

[1] 2008-07-09 07:38:29 755576 C:\WINDOWS\$hf_mig$\KB956572\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB956744\update\update.exe ()

[1] 2008-07-09 07:38:29 755576 C:\WINDOWS\$hf_mig$\KB956802\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB956803\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB956841\update\update.exe ()

[1] 2008-07-08 13:02:04 755576 C:\WINDOWS\$hf_mig$\KB956844\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB957095\update\update.exe ()

[1] 2008-07-08 13:02:04 755576 C:\WINDOWS\$hf_mig$\KB957097\update\update.exe ()

[1] 2007-03-06 01:22:56 716000 C:\WINDOWS\$hf_mig$\KB958215-IE7\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB958644\update\update.exe ()

[1] 2007-11-30 11:18:51 755576 C:\WINDOWS\$hf_mig$\KB958687\update\update.exe ()

[1] 2008-07-09 07:38:29 755576 C:\WINDOWS\$hf_mig$\KB958690\update\update.exe ()

[1] 2007-11-30 12:39:18 755576 C:\WINDOWS\$hf_mig$\KB959426\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB960225\update\update.exe ()

[1] 2007-03-06 01:22:56 716000 C:\WINDOWS\$hf_mig$\KB960714-IE7\update\update.exe ()

[1] 2008-11-15 17:18:04 755576 C:\WINDOWS\$hf_mig$\KB960715\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB960803\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB960859\update\update.exe ()

[1] 2007-03-06 01:22:59 716000 C:\WINDOWS\$hf_mig$\KB961260-IE7\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB961371\update\update.exe ()

[1] 2007-11-30 12:39:18 755576 C:\WINDOWS\$hf_mig$\KB961373\update\update.exe ()

[1] 2008-07-09 07:38:29 755576 C:\WINDOWS\$hf_mig$\KB961501\update\update.exe ()

[1] 2007-11-30 12:39:18 755576 C:\WINDOWS\$hf_mig$\KB961503\update\update.exe ()

[1] 2008-07-09 07:38:29 755576 C:\WINDOWS\$hf_mig$\KB963027-IE7\update\update.exe ()

[1] 2008-07-09 07:38:29 755576 C:\WINDOWS\$hf_mig$\KB967715\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB968389\update\update.exe ()

[1] 2008-07-09 07:38:29 755576 C:\WINDOWS\$hf_mig$\KB968537\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB969059\update\update.exe ()

[1] 2008-07-09 07:38:29 755576 C:\WINDOWS\$hf_mig$\KB969897-IE7\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB969897-IE8\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\$hf_mig$\KB969898\update\update.exe ()

[1] 2007-11-30 12:39:18 755576 C:\WINDOWS\$hf_mig$\KB970238\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB971486\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB971557\update\update.exe ()

[1] 2008-07-09 07:38:29 755576 C:\WINDOWS\$hf_mig$\KB971633\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB971657\update\update.exe ()

[1] 2008-07-08 13:02:04 755576 C:\WINDOWS\$hf_mig$\KB971930-IE8\update\update.exe ()

[1] 2008-07-08 13:02:04 755576 C:\WINDOWS\$hf_mig$\KB971961-IE8\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB972260-IE8\update\update.exe ()

[1] 2008-07-08 13:02:04 755576 C:\WINDOWS\$hf_mig$\KB973346\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB973354\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB973507\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB973525\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB973815\update\update.exe ()

[1] 2008-07-08 13:02:04 755576 C:\WINDOWS\$hf_mig$\KB973869\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB974112\update\update.exe ()

[1] 2008-07-08 13:02:04 755576 C:\WINDOWS\$hf_mig$\KB974455-IE8\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB974571\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB975025\update\update.exe ()

[1] 2009-05-26 11:40:52 755576 C:\WINDOWS\$hf_mig$\KB975467\update\update.exe ()

[1] 2005-10-12 23:12:28 716000 C:\WINDOWS\SoftwareDistribution\Download\0facce6115ab861022eae3087e064a2a\update\update.exe ()

[1] 2005-10-12 23:12:29 716000 C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\update\update.exe ()

[1] 2008-07-08 13:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\7b5e86592de99471f7da9382ca63ffe3\update\update.exe ()

[1] 2008-07-08 13:02:04 755576 C:\WINDOWS\SoftwareDistribution\Download\8f999a6add48b449a8ea8c09fb44cb0c\update\update.exe ()

[1] 2007-11-30 12:39:22 755576 C:\WINDOWS\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\update\update.exe ()

[1] 2007-03-06 01:22:56 716000 C:\WINDOWS\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\update\update.exe ()



Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 04:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll ()

[1] 2008-04-14 00:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ()

[1] 2008-04-14 00:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[1] 2004-08-04 04:00:00 55808 C:\i386\eventlog.dll ()



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!

--- end included text ---
freaksoupacciden...
post Nov 5 2009, 02:09 PM
Post #5

Further degradation in Windows today.
I'm now getting a not found error from arovekan.dll on boot up.

Thanks
Soupy
freaksoupacciden...
post Nov 6 2009, 01:41 PM
Post #6

Waiting patiently....
Please let me know if there is anything I can or should be doing.

Thanks
Soupy
piano9playa5
post Nov 6 2009, 02:06 PM
Post #7

Hello!

I'm really sorry for the wait. School, midterms, volleyball, jazz band... I'm really short on time.



Step One
  1. Please go to Start > Run
  2. Copy\Paste the following into the dialogue:

    CODE
    "%userprofile%\desktop\win32kdiag.exe" -f -r

  3. Click Ok
  4. Once done, there should be a file, Win32kDiag.txt on your Desktop.
  5. Open it, and post the contents here.






Step Two
  • Go to Start > All Programs > Accessories > Notepad
  • Please Copy\Paste the following to notepad:

    CODE
    copy "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll" "C:\eventlog.dll"

  • Go to File > Save As:
    • On the Save In: click on the drop-down menu and select Desktop
    • In File Name: type in Fixup.bat
    • In Save as Type: use the drop-down menu to change it to All Files
    • Click Save
  • Close Notepad
  • Double-Click on Fixup
  • A black window will briefly flash on the screen. This is normal.





Step Three
  1. Please download The Avenger by Swandog46 to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
    • Please include "Files to move:" as well!


    CODE
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.
  4. The Avenger will automatically do the following:
    • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.







Step Four

You must use Internet Explorer to download this!

Please download Combofix from any of the links below. You must rename it before saving.
Please rename it to svchost before saving it to your desktop.
Download Link #1
Download Link #2


==================================

  1. Temporarily disable Anti-Virus\Anti-Malware real-time protection.
  2. Double click on svchost and follow the prompts.
  3. Be patient. It could take a while to load\run.
  4. When finished, it will produce a report for you.
  5. Please post the C:\ComboFix.txt so we can continue cleaning the system.




Logs&Info
Remember to post back the following logs:
  1. Win32kDiag.txt
  2. C:\avenger.txt
  3. C:\ComboFix.txt


This post has been edited by piano9playa5: Nov 6 2009, 02:07 PM
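Steps Two and Three above replace a patched eventlog.dll with the service-pack copy, and a later reply in the thread asks OTS for /md5 hashes of that file and a list of others. As an added example, not code from this thread or from any of the tools it uses, this Python script automates the comparison behind those steps: it hashes every copy of each watched file under system32 and checks it against the copy in ServicePackFiles\i386. The directory layout it inspects is constructed in a temporary folder; the file names are the ones from the OTS scan list.

```python
r"""Compare the live copies of commonly patched Windows XP system files with
the pristine copies under ServicePackFiles\i386, which is what Steps Two and
Three do by hand for eventlog.dll and what the OTS '/md5' scans report.
Added example for this thread, not code from the thread or from its tools;
MD5 is used only because that is the hash OTS prints."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# File names taken from the OTS custom scan list later in the thread.
WATCHED = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys",
    "comres.dll", "appmgmts.dll",
]


def md5_of(path: Path) -> str:
    h = hashlib.md5(usedforsecurity=False)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_in_tree(root: Path, name: str) -> List[Path]:
    """Case-insensitive search for `name` under root, like OTS's '/s' switch."""
    target = name.lower()
    return [p for p in root.rglob("*") if p.is_file() and p.name.lower() == target]


def compare(windows_dir: Path, names=WATCHED) -> Dict[str, str]:
    r"""Map each watched name to 'ok', 'MODIFIED', 'no reference' or 'absent'.

    Every copy found under system32 (dllcache and drivers included) must hash
    the same as the ServicePackFiles\i386 copy; one that differs has been
    altered since the service pack was installed, which is how the in-place
    patching of eventlog.dll shows up."""
    reference = windows_dir / "ServicePackFiles" / "i386"
    system32 = windows_dir / "system32"
    verdicts: Dict[str, str] = {}
    for name in names:
        live = find_in_tree(system32, name)
        refs = find_in_tree(reference, name)
        if not live:
            verdicts[name] = "absent"
        elif not refs:
            verdicts[name] = "no reference"
        else:
            good = md5_of(refs[0])
            verdicts[name] = "ok" if all(md5_of(p) == good for p in live) else "MODIFIED"
    return verdicts


def build_demo_tree(root: Path) -> Path:
    r"""Constructed stand-in for C:\WINDOWS: eventlog.dll patched in system32,
    atapi.sys intact in drivers, scecli.dll present with no reference copy."""
    win = root / "WINDOWS"
    spf = win / "ServicePackFiles" / "i386"
    drivers = win / "system32" / "drivers"
    spf.mkdir(parents=True)
    drivers.mkdir(parents=True)
    (spf / "eventlog.dll").write_bytes(b"MZ clean eventlog")
    (win / "system32" / "eventlog.dll").write_bytes(b"MZ clean eventlog" + b"\x90" * 16)
    (spf / "atapi.sys").write_bytes(b"MZ clean atapi")
    (drivers / "atapi.sys").write_bytes(b"MZ clean atapi")
    (win / "system32" / "scecli.dll").write_bytes(b"MZ scecli")
    return win


def run_demo() -> Dict[str, str]:
    with tempfile.TemporaryDirectory() as tmp:
        return compare(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        if verdict != "absent":
            print(f"{name:14s} {verdict}")
```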
freaksoupacciden...
post Nov 6 2009, 07:20 PM
Post #8





Hi and thanks for getting back to me.

The win32kDiag.txt is in my earlier post so at least that's one thing that did work.
I wish I could say the same for Avenger and Combofix. Both ran, and whirred away for a long time. When the Avenger finished I got the following output:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


Combofix went through all the stages, rebooted the machine, then hung - leaving the message "do not run any programs until combofix is finished" or something like that. I waited and waited, but there was no disk or CPU activity going on so after 30 minutes I rebooted and here I am. So sadly, no output from combofix.

I appreciate my machine is not being very helpful to you, and the more diagnostic tools I run that don't produce output the more worried I get that my machine is seriously screwed.

Do you have any further ideas?

Late here, I'm off to bed.

Thanks
Soupy

This post has been edited by freaksoupaccident: Nov 6 2009, 07:24 PM
freaksoupacciden...
post Nov 6 2009, 07:46 PM
Post #9





I had another stab at getting combofix to run and produce output and was rewarded with:


ComboFix 09-11-05.05 - TheMortimers 07/11/2009 1:28.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1215 [GMT 0:00]
Running from: c:\documents and settings\TheMortimers\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\cleanup.exe
c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\windows\msacm32.drv
c:\windows\rasqervy.dll
c:\windows\run.log
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\net.net
c:\windows\Sysvxd.exe
c:\windows\wuasirvy.dll

Infected copy of c:\windows\system32\drivers\nvata.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 00:24 . 2009-11-07 00:24 574 ----a-w- C:\cleanup.bat
2009-11-07 00:24 . 2009-11-07 00:24 135168 ----a-w- C:\zip.exe
2009-11-04 18:50 . 2009-11-04 18:50 -------- d-----w- c:\program files\RM-Malwarebytes
2009-11-04 18:44 . 2009-11-04 18:44 -------- d-----w- c:\program files\ERUNT
2009-11-03 20:47 . 2009-11-03 20:47 152576 ----a-w- c:\documents and settings\TheMortimers\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 20:42 . 2009-11-05 17:53 16384 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\490c603819.exe
2009-11-03 15:29 . 2009-11-06 18:00 16384 ----a-w- c:\documents and settings\Josie\Application Data\Macromedia\Common\490c603819.exe
2009-11-03 12:15 . 2009-11-07 01:40 16384 ----a-w- c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe
2009-11-03 12:15 . 2009-11-03 13:10 101888 ----a-w- c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c60381.dll
2009-11-02 20:19 . 2009-11-04 18:46 -------- d-----w- c:\program files\Malwarebytes
2009-11-01 21:01 . 2009-11-01 21:01 17217008 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe
2009-10-31 19:58 . 2009-10-31 19:58 -------- d-----w- c:\documents and settings\TheMortimers\Local Settings\Application Data\Temp
2009-10-30 14:01 . 2009-10-30 14:02 -------- d-----w- c:\documents and settings\Saffron\Application Data\HpUpdate
2009-10-24 08:25 . 2009-10-24 08:25 -------- d-----w- c:\program files\Microsoft
2009-10-22 19:28 . 2009-11-06 06:53 0 ----a-w- c:\windows\win32k.sys
2009-10-22 06:10 . 2009-10-22 19:31 -------- d-----w- c:\documents and settings\Josie\Local Settings\Application Data\{DEE9FF73-E3CC-4DB3-AEAC-FD839BD9F8B0}
2009-10-21 19:21 . 2009-10-21 19:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-21 19:21 . 2009-10-22 18:13 120 ----a-w- c:\windows\Bdumalu.dat
2009-10-21 19:21 . 2009-10-22 06:11 0 ----a-w- c:\windows\Lxuxuxoxu.bin
2009-10-21 19:21 . 2009-10-22 19:31 -------- d-----w- c:\documents and settings\TheMortimers\Local Settings\Application Data\{449B131C-A0A7-4A24-9FDA-E1F6D4641860}
2009-10-19 18:51 . 2009-10-19 18:51 -------- d-----w- c:\program files\Dorling Kindersley

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 01:35 . 2008-10-18 17:47 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-07 00:23 . 2009-02-14 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-06 18:14 . 2007-12-25 10:07 -------- d-----w- c:\documents and settings\Josie\Application Data\Skype
2009-11-03 20:49 . 2007-05-11 17:04 -------- d-----w- c:\program files\Java
2009-11-02 20:18 . 2009-01-10 18:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 16:50 . 2008-06-15 11:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-01 11:54 . 2007-10-04 20:23 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-11-01 11:54 . 2007-10-04 20:23 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-11-01 11:54 . 2007-10-04 20:23 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-11-01 11:54 . 2007-10-04 20:23 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-11-01 11:54 . 2007-10-04 20:23 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-11-01 11:54 . 2007-10-04 20:23 133520 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-10-24 09:24 . 2007-10-11 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-24 08:23 . 2007-05-16 10:08 56792 ----a-w- c:\documents and settings\TheMortimers\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-22 19:27 . 2009-05-09 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-22 19:27 . 2007-10-11 19:16 -------- d-----w- c:\program files\Microsoft Works
2009-10-19 18:51 . 2007-05-16 15:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-13 14:41 . 2007-12-31 12:51 1541416 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
2009-10-11 04:17 . 2008-12-20 18:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 14:01 . 2009-09-12 09:33 -------- d-----w- c:\documents and settings\Josie\Application Data\Image Zone Express
2009-10-09 13:39 . 2007-06-30 17:47 -------- d-----w- c:\documents and settings\TheMortimers\Application Data\Image Zone Express
2009-10-08 09:00 . 2008-02-11 08:19 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-10-08 09:00 . 2009-03-29 08:55 -------- d-----w- c:\program files\DVDVideoSoft
2009-10-04 14:35 . 2009-10-04 14:35 8406648 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-10-04 14:34 . 2009-10-04 14:34 10309448 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-10-04 14:34 . 2009-10-04 14:34 64000 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-10-04 14:34 . 2009-10-04 14:34 52288 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-10-04 14:34 . 2009-10-04 14:34 50688 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-10-04 14:34 . 2009-10-04 14:34 114688 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-10-04 14:34 . 2009-10-04 14:34 488968 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\setup.exe
2009-10-03 11:10 . 2009-01-04 17:14 -------- d-----w- c:\program files\QuickTime
2009-10-03 11:04 . 2007-12-25 10:17 -------- d-----w- c:\program files\Common Files\Apple
2009-09-23 19:32 . 2009-09-23 19:32 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx19E.tmp
2009-09-20 08:26 . 2007-12-25 10:06 -------- d-----w- c:\documents and settings\Josie\Application Data\HP
2009-09-14 11:30 . 2009-09-07 10:36 -------- d-----w- c:\documents and settings\TheMortimers\Application Data\HpUpdate
2009-09-13 16:45 . 2009-05-09 13:04 -------- d-----w- c:\program files\NOS
2009-09-12 09:33 . 2009-09-12 09:33 -------- d-----w- c:\documents and settings\Josie\Application Data\Printer Info Cache
2009-09-11 14:18 . 2004-08-10 11:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 14:54 . 2009-01-10 18:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 . 2009-01-10 18:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 06:21 . 2009-01-26 15:15 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 06:12 . 2009-03-28 12:17 -------- d-----w- c:\documents and settings\TheMortimers\Application Data\Skype
2009-09-04 21:03 . 2004-08-10 11:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-10 11:51 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 18:42 . 2009-04-26 07:23 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 18:42 . 2007-12-25 10:17 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-08-10 11:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 09:28 . 2009-08-22 09:28 152576 ----a-w- c:\documents and settings\TheMortimers\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-18 13:20 . 2007-12-25 10:06 56792 ----a-w- c:\documents and settings\Josie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2007-05-16 15:45 . 2007-05-16 15:44 88 --sh--r- c:\windows\system32\32E57CEE10.sys
2007-12-06 16:25 . 2007-09-15 09:51 88 --sh--r- c:\windows\system32\39FE50E009.sys
2007-12-06 16:43 . 2007-12-06 16:43 88 --sh--r- c:\windows\system32\A3DB9FBCB6.sys
2007-12-06 17:38 . 2007-05-16 15:44 8300 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-07_01.00.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 01:36 . 2009-11-07 01:36 16384 c:\windows\Temp\Perflib_Perfdata_478.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 09:32 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E07ZXLRD_9512000"="c:\program files\Microsoft Encarta\Encarta Reference Library 2007 DVD\EDICT.EXE" [2006-06-13 351000]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-01-18 196608]
"PopRock"="c:\docume~1\THEMOR~1\LOCALS~1\Temp\j.exe" [BU]
"WAB"="c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe" [2009-11-07 16384]
"rundll32.exe"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-05-23 181488]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-07-31 230640]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-04-15 14088]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-09-07 434176]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 05:39 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"VetStart"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe" [2009-07-31 255216]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"lsdefrag"="c:\docume~1\THEMOR~1\LOCALS~1\Temp\nmoacxsewr.tmp" [BU]
"Gzofeju"="c:\windows\arovekan.dll" [BU]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"combofix"="c:\combofix\CF22553.exe" [2009-11-07 389120]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Josie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 101440]

c:\documents and settings\Saffron\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 101440]

c:\documents and settings\TheMortimers\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 101440]
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-5-10 333088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe oqrk.pso dkhsx"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"mixer1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"wave1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"aux1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"midi2"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"mixer2"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"wave2"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"aux2"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\explorer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 13:02 163840]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [04/10/2007 20:24 185584]
S2 gupdate1c98eeeb974af84;Google Update Service (gupdate1c98eeeb974af84);c:\program files\Google\Update\GoogleUpdate.exe [14/02/2009 21:53 133104]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [16/05/2007 10:16 20160]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [13/11/2008 20:44 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [13/11/2008 20:45 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [13/11/2008 20:45 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [13/11/2008 20:45 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [13/11/2008 20:45 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [13/11/2008 20:45 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [13/11/2008 20:45 97704]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]

2009-09-02 c:\windows\Tasks\CAAntiSpywareScan_Daily as TheMortimers at 21 25.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-10-04 06:46]

2009-11-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-16 11:17]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 21:53]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 21:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uSearch Page = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
uSearch Bar = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
uDefault_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0070511
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
mSearchAssistant = hxxp://www.google.co.uk/hws/sb/dell-usuk/en/side.html?channel=uk
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\TheMortimers\Application Data\Mozilla\Firefox\Profiles\97ivrjvi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {449B131C-A0A7-4A24-9FDA-E1F6D4641860} - c:\documents and settings\TheMortimers\Local Settings\Application Data\{449B131C-A0A7-4A24-9FDA-E1F6D4641860}
FF - HiddenExtension: XULRunner: {DEE9FF73-E3CC-4DB3-AEAC-FD839BD9F8B0} - c:\documents and settings\Josie\Local Settings\Application Data\{DEE9FF73-E3CC-4DB3-AEAC-FD839BD9F8B0}\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-<NO NAME> - (no file)
AddRemove-net - c:\windows\system32\net.net



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 01:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1044)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1296)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
c:\windows\system32\PSIService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
.
**************************************************************************
.
Completion time: 2009-11-07 1:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 01:43

Pre-Run: 25,743,609,856 bytes free
Post-Run: 25,703,366,656 bytes free

- - End Of File - - 8B261D7FEED2AC38D975E2F2C3D5A305


Hope this helps!

Thanks
RM
piano9playa5
post Nov 7 2009, 08:33 AM
Post #10


GeekU Senior
Posts: 1,241
OS: XP Home



Hello.

You did run it again, in the manner I instructed, yes? It is an important step in the removal of one of your infections.

If you did run it correctly, then the log, Win32kDiag.txt should have been changed.





Step One
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\cleanup.bat
C:\zip.exe
c:\windows\win32k.sys
c:\windows\Bdumalu.dat
c:\windows\Lxuxuxoxu.bin
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\d3d9caps.dat
c:\documents and settings\All Users\Application Data\ISx19E.tmp
c:\windows\system32\32E57CEE10.sys
c:\windows\system32\39FE50E009.sys
c:\windows\system32\A3DB9FBCB6.sys
c:\documents and settings\don\Application Data\Macromedia\Common\ae54a05c1.dll
c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopRock"=-
"WAB"=-
"rundll32.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lsdefrag"=-
"Gzofeju"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"wave1"="wdmaud.drv"
"aux1"="wdmaud.drv"
"midi2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"wave2"="wdmaud.drv"
"aux2"="wdmaud.drv"


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a new log for you at C:\ComboFix.txt which I will require in your next reply...





Step Two
To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Custom Scans paste in the following:
    %SYSTEMDRIVE%\*.exe
    %SYSTEMROOT%\*.* /s /r
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\comres.dll /s /md5
    %SYSTEMDRIVE%\appmgmts.dll /s /md5
  • Under Additional Scans check the following:

    • Reg - NetSvcs
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. It's usually located on the Desktop.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post





Logs&Info
Remember to post back the following logs:
  1. C:\ComboFix.txt
  2. OTS.txt (attached)
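The ComboFix log posted above and the CFScript in the reply that follows it show the reasoning behind the fix: a Winlogon Shell value that launches more than Explorer.exe, drivers32 aliases pointing at a DLL under Application Data, Run entries launched from Temp, and Security Center and firewall settings forced off. As an added example that is not part of the thread or of ComboFix itself, this Python script applies those same checks to the "Reg Loading Points" section of a ComboFix log; the sample log is a constructed abridgement of the one above.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.
Added example for this thread, not ComboFix's own code: it applies the
judgements behind the CFScript fix as a checklist (Shell not plain Explorer.exe,
drivers32 aliases hijacked, Run entries in Temp/profile data, security off)."""
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# Constructed sample, abridged from the log posted in the thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PopRock"="c:\docume~1\THEMOR~1\LOCALS~1\Temp\j.exe" [BU]
"WAB"="c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe" [2009-11-07 16384]
"rundll32.exe"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Gzofeju"="c:\windows\arovekan.dll" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe rundll32.exe oqrk.pso dkhsx"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"wave1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

Finding = namedtuple("Finding", "key name value reason")
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
# Directories a legitimate autostart rarely lives in (8.3 short names included).
USER_WRITABLE_RE = re.compile(
    r"\\(temp|local settings|locals~1|application data|applic~1)\\", re.I)


def split_value(rest: str) -> Tuple[str, str]:
    """Split '"path" [date size]', a bare path, 'dword:0001' or '0 (0x0)'
    into (value, trailer)."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end], rest[end + 1:].strip()
    parts = rest.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")


def judge(key: str, name: str, value: str) -> Optional[str]:
    """Return why (key, name, value) looks hijacked, or None if it looks normal."""
    k, n, v = key.lower(), name.lower(), value.lower()
    if k.endswith("\\run") or k.endswith("\\runonce"):
        if not v:
            return "autostart with an empty command"
        if USER_WRITABLE_RE.search(v):
            return "autostart launched from a Temp or profile data directory"
        if v.endswith(".dll"):
            return "autostart value is a DLL rather than a program"
    elif k.endswith("\\winlogon") and n == "shell" and v != "explorer.exe":
        return "Shell starts something in addition to Explorer.exe"
    elif k.endswith("\\drivers32") and ("\\" in v or not v.endswith(".drv")):
        # XP defaults are bare names such as wdmaud.drv, which the CFScript restores.
        return "multimedia alias redirected to a non-default file"
    elif "security center" in k:
        if n in ("firewalloverride", "disablemonitoring") and v.endswith("1"):
            return "Security Center monitoring overridden"
    elif k.endswith("\\standardprofile") and n == "enablefirewall" and v == "0":
        return "Windows Firewall disabled"
    return None


def analyze(log_text: str) -> List[Finding]:
    """Walk the log, remembering the current [key], and collect findings."""
    findings: List[Finding] = []
    key = ""
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            value, _trailer = split_value(m.group(2))
            reason = judge(key, m.group(1), value)
            if reason:
                findings.append(Finding(key, m.group(1), value, reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.key}]\n  {f.name} = {f.value!r}\n  -> {f.reason}")
```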
freaksoupacciden...
post Nov 7 2009, 11:37 AM
Post #11





Hi again - no, like a dumbo I didn't run win32kdiag.exe again. Sorry. I've just run it now and the output from Win32kDiag.txt is below:


Running from: C:\Documents and Settings\TheMortimers\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\TheMortimers\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!



I'm following the other steps now and will post the logs shortly.

Thanks
Soupy
freaksoupacciden...
post Nov 7 2009, 12:06 PM
Post #12


Member
Posts: 14
From: Watford, United Kingdom
OS: Windows XP



Hi again - Here's the ComboFix.txt log that is the output from Step One above:


ComboFix 09-11-06.03 - TheMortimers 07/11/2009 17:45.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1035 [GMT 0:00]
Running from: c:\documents and settings\TheMortimers\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TheMortimers\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

FILE ::
"C:\cleanup.bat"
"c:\documents and settings\All Users\Application Data\ISx19E.tmp"
"c:\documents and settings\don\Application Data\Macromedia\Common\ae54a05c1.dll"
"c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe"
"c:\windows\Bdumalu.dat"
"c:\windows\Lxuxuxoxu.bin"
"c:\windows\system32\32E57CEE10.sys"
"c:\windows\system32\39FE50E009.sys"
"c:\windows\system32\A3DB9FBCB6.sys"
"c:\windows\system32\d3d9caps.dat"
"c:\windows\system32\drivers\lvuvc.hs"
"c:\windows\win32k.sys"
"C:\zip.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.bat
c:\documents and settings\All Users\Application Data\ISx19E.tmp
c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe
c:\windows\Bdumalu.dat
c:\windows\Lxuxuxoxu.bin
c:\windows\system32\32E57CEE10.sys
c:\windows\system32\39FE50E009.sys
c:\windows\system32\A3DB9FBCB6.sys
c:\windows\system32\d3d9caps.dat
c:\windows\system32\drivers\lvuvc.hs
c:\windows\win32k.sys
C:\zip.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-04 18:50 . 2009-11-04 18:50 -------- d-----w- c:\program files\RM-Malwarebytes
2009-11-04 18:44 . 2009-11-04 18:44 -------- d-----w- c:\program files\ERUNT
2009-11-03 20:47 . 2009-11-03 20:47 152576 ----a-w- c:\documents and settings\TheMortimers\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 20:42 . 2009-11-05 17:53 16384 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\490c603819.exe
2009-11-03 15:29 . 2009-11-07 17:31 16384 ----a-w- c:\documents and settings\Josie\Application Data\Macromedia\Common\490c603819.exe
2009-11-03 12:15 . 2009-11-07 12:03 101888 ----a-w- c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c60381.dll
2009-11-02 20:19 . 2009-11-04 18:46 -------- d-----w- c:\program files\Malwarebytes
2009-11-01 21:01 . 2009-11-01 21:01 17217008 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\rp\RealPlayerSPGold.exe
2009-10-31 19:58 . 2009-10-31 19:58 -------- d-----w- c:\documents and settings\TheMortimers\Local Settings\Application Data\Temp
2009-10-30 14:01 . 2009-10-30 14:02 -------- d-----w- c:\documents and settings\Saffron\Application Data\HpUpdate
2009-10-24 08:25 . 2009-10-24 08:25 -------- d-----w- c:\program files\Microsoft
2009-10-22 06:10 . 2009-10-22 19:31 -------- d-----w- c:\documents and settings\Josie\Local Settings\Application Data\{DEE9FF73-E3CC-4DB3-AEAC-FD839BD9F8B0}
2009-10-21 19:21 . 2009-10-21 19:21 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-21 19:21 . 2009-10-22 19:31 -------- d-----w- c:\documents and settings\TheMortimers\Local Settings\Application Data\{449B131C-A0A7-4A24-9FDA-E1F6D4641860}
2009-10-19 18:51 . 2009-10-19 18:51 -------- d-----w- c:\program files\Dorling Kindersley

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 17:59 . 2009-11-07 17:54 16384 ----a-w- c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe
2009-11-07 16:53 . 2007-12-25 10:07 -------- d-----w- c:\documents and settings\Josie\Application Data\Skype
2009-11-07 00:23 . 2009-02-14 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-03 20:49 . 2007-05-11 17:04 -------- d-----w- c:\program files\Java
2009-11-02 20:18 . 2009-01-10 18:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-01 11:54 . 2007-10-04 20:23 739696 ----a-w- c:\windows\system32\drivers\vetefile.sys
2009-11-01 11:54 . 2007-10-04 20:23 26352 ----a-w- c:\windows\system32\drivers\vet-filt.sys
2009-11-01 11:54 . 2007-10-04 20:23 21488 ----a-w- c:\windows\system32\drivers\vetfddnt.sys
2009-11-01 11:54 . 2007-10-04 20:23 21104 ----a-w- c:\windows\system32\drivers\vet-rec.sys
2009-11-01 11:54 . 2007-10-04 20:23 161008 ----a-w- c:\windows\system32\drivers\vetmonnt.sys
2009-11-01 11:54 . 2007-10-04 20:23 133520 ----a-w- c:\windows\system32\drivers\veteboot.sys
2009-10-24 09:24 . 2007-10-11 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-24 08:23 . 2007-05-16 10:08 56792 ----a-w- c:\documents and settings\TheMortimers\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-22 19:27 . 2009-05-09 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-22 19:27 . 2007-10-11 19:16 -------- d-----w- c:\program files\Microsoft Works
2009-10-19 18:51 . 2007-05-16 15:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-13 14:41 . 2007-12-31 12:51 1541416 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
2009-10-11 04:17 . 2008-12-20 18:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 14:01 . 2009-09-12 09:33 -------- d-----w- c:\documents and settings\Josie\Application Data\Image Zone Express
2009-10-09 13:39 . 2007-06-30 17:47 -------- d-----w- c:\documents and settings\TheMortimers\Application Data\Image Zone Express
2009-10-08 09:00 . 2008-02-11 08:19 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-10-08 09:00 . 2009-03-29 08:55 -------- d-----w- c:\program files\DVDVideoSoft
2009-10-04 14:35 . 2009-10-04 14:35 8406648 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\gtb_us\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-10-04 14:34 . 2009-10-04 14:34 10309448 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\chr\ChromeInstaller.exe
2009-10-04 14:34 . 2009-10-04 14:34 64000 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\RUP\inst_config\gcapi_dll.dll
2009-10-04 14:34 . 2009-10-04 14:34 52288 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\RUP\inst_config\gtapi.dll
2009-10-04 14:34 . 2009-10-04 14:34 50688 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\RUP\inst_config\fftbapi.dll
2009-10-04 14:34 . 2009-10-04 14:34 114688 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\RUP\inst_config\compat.dll
2009-10-04 14:34 . 2009-10-04 14:34 488968 ----a-w- c:\documents and settings\Josie\Application Data\Real\Update\setup\setup.exe
2009-10-03 11:10 . 2009-01-04 17:14 -------- d-----w- c:\program files\QuickTime
2009-10-03 11:04 . 2007-12-25 10:17 -------- d-----w- c:\program files\Common Files\Apple
2009-09-20 08:26 . 2007-12-25 10:06 -------- d-----w- c:\documents and settings\Josie\Application Data\HP
2009-09-14 11:30 . 2009-09-07 10:36 -------- d-----w- c:\documents and settings\TheMortimers\Application Data\HpUpdate
2009-09-13 16:45 . 2009-05-09 13:04 -------- d-----w- c:\program files\NOS
2009-09-12 09:33 . 2009-09-12 09:33 -------- d-----w- c:\documents and settings\Josie\Application Data\Printer Info Cache
2009-09-11 14:18 . 2004-08-10 11:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 14:54 . 2009-01-10 18:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 . 2009-01-10 18:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 06:21 . 2009-01-26 15:15 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 06:12 . 2009-03-28 12:17 -------- d-----w- c:\documents and settings\TheMortimers\Application Data\Skype
2009-09-04 21:03 . 2004-08-10 11:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-10 11:51 916480 ------w- c:\windows\system32\wininet.dll
2009-08-28 18:42 . 2009-04-26 07:23 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 18:42 . 2007-12-25 10:17 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2004-08-10 11:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-22 09:28 . 2009-08-22 09:28 152576 ----a-w- c:\documents and settings\TheMortimers\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-18 13:20 . 2007-12-25 10:06 56792 ----a-w- c:\documents and settings\Josie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2007-12-06 17:38 . 2007-05-16 15:44 8300 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-07_01.00.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-07 17:54 . 2009-11-07 17:54 16384 c:\windows\Temp\Perflib_Perfdata_5e4.dat
+ 2007-10-11 19:19 . 2009-08-06 19:23 215920 c:\windows\system32\muweb.dll
+ 2007-10-11 19:19 . 2009-08-06 19:23 274288 c:\windows\system32\mucltui.dll
+ 2009-11-07 07:47 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-07 07:47 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2004-08-10 11:51 . 2009-10-22 09:19 5939712 c:\windows\system32\mshtml.dll
+ 2007-05-11 17:02 . 2009-10-22 09:19 5939712 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-07 07:47 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 09:32 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E07ZXLRD_9512000"="c:\program files\Microsoft Encarta\Encarta Reference Library 2007 DVD\EDICT.EXE" [2006-06-13 351000]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-01-18 196608]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WAB"="c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe" [2009-11-07 16384]
"rundll32.exe"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-05-23 181488]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-07-31 230640]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe" [2008-04-15 14088]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-09-07 434176]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 05:39 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 528384]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"VetStart"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe" [2009-07-31 255216]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"combofix"="c:\combofix\CF11333.exe" [2009-11-07 389120]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Josie\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 101440]

c:\documents and settings\Saffron\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 101440]

c:\documents and settings\TheMortimers\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 101440]
PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-5-10 333088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"mixer1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"wave1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"aux1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"midi2"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"mixer2"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"wave2"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"aux2"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [16/09/2008 13:02 163840]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [04/10/2007 20:24 185584]
S2 gupdate1c98eeeb974af84;Google Update Service (gupdate1c98eeeb974af84);c:\program files\Google\Update\GoogleUpdate.exe [14/02/2009 21:53 133104]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [16/05/2007 10:16 20160]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [13/11/2008 20:44 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [13/11/2008 20:45 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [13/11/2008 20:45 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [13/11/2008 20:45 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [13/11/2008 20:45 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [13/11/2008 20:45 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [13/11/2008 20:45 97704]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]

2009-09-02 c:\windows\Tasks\CAAntiSpywareScan_Daily as TheMortimers at 21 25.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-10-04 06:46]

2009-11-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-16 11:17]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 21:53]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 21:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = webcache.blueyonder.co.uk:8080
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
FF - ProfilePath - c:\documents and settings\TheMortimers\Application Data\Mozilla\Firefox\Profiles\97ivrjvi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {449B131C-A0A7-4A24-9FDA-E1F6D4641860} - c:\documents and settings\TheMortimers\Local Settings\Application Data\{449B131C-A0A7-4A24-9FDA-E1F6D4641860}
FF - HiddenExtension: XULRunner: {DEE9FF73-E3CC-4DB3-AEAC-FD839BD9F8B0} - c:\documents and settings\Josie\Local Settings\Application Data\{DEE9FF73-E3CC-4DB3-AEAC-FD839BD9F8B0}\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 17:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\windows\system32\wininet.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1244)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\CA\CA Internet Security Suite\ccupdate\CCUpdate.exe
.
**************************************************************************
.
Completion time: 2009-11-07 18:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-07 18:01
ComboFix2.txt 2009-11-07 01:43

Pre-Run: 25,647,263,744 bytes free
Post-Run: 25,629,409,280 bytes free

- - End Of File - - 710A052B7CD0077F5CC9DD714E8990E3



I'm now going to run Step Two

ta
Soupy
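As an added example (not code from this thread or from ComboFix), the following Python script reads the REGEDIT4-style "Reg Loading Points" section of a ComboFix log like the one above and flags the three things this log shows: drivers32 multimedia entries redirected to a DLL outside system32, Run entries launching from a user's Application Data folder, and the Security Center and firewall overrides. SAMPLE_LOG is a constructed excerpt modelled on the log above; the benign "wave"=wdmaud.drv line is constructed for contrast.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpt in the REGEDIT4-style format ComboFix prints. The
# suspicious lines mirror the thread's log; "wave"=wdmaud.drv is a constructed
# benign entry (bare file name, resolved from system32) for contrast.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WAB"="c:\documents and settings\TheMortimers\Application Data\Macromedia\Common\490c603819.exe" [2009-11-07 16384]
"rundll32.exe"="" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"wave1"=c:\docume~1\THEMOR~1\APPLIC~1\MACROM~1\Common\490c60381.dll
"wave"=wdmaud.drv
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# drivers32 names that select a multimedia driver DLL; legitimate defaults
# are bare file names that Windows resolves from system32.
MM_DRIVER_PREFIXES = ("midi", "wave", "mixer", "aux", "msacm.")


@dataclass(frozen=True)
class Finding:
    check: str
    key: str
    name: str
    value: str


def parse_loading_points(text):
    """Yield (key, name, value); quoted values keep the quoted part, unquoted
    values keep the first token (drops ComboFix's '[date size]' and '(0x0)')."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, rest = m.group(1), m.group(2)
        if rest.startswith('"'):
            end = rest.find('"', 1)
            value = rest[1:end] if end > 0 else rest[1:]
        else:
            parts = rest.split()
            value = parts[0] if parts else ""
        yield key, name, value


def triage(text):
    """Return Findings for the load points a defender would look at first."""
    findings = []
    for key, name, value in parse_loading_points(text):
        k, n, v = key.lower(), name.lower(), value.lower()
        if k.endswith("\\drivers32") and n.startswith(MM_DRIVER_PREFIXES):
            # An explicit path outside system32 means the audio-driver slot
            # has been redirected to a foreign DLL.
            if "\\" in v and "\\system32\\" not in v:
                findings.append(Finding("drivers32 hijack", key, name, value))
        elif re.search(r"\\currentversion\\run(once)?$", k):
            if "\\application data\\" in v or "\\applic~1\\" in v:
                findings.append(Finding("run key in user AppData", key, name, value))
        elif k.endswith("\\security center") and n == "firewalloverride":
            if v == "dword:00000001":
                findings.append(Finding("security center override", key, name, value))
        elif "\\security center\\monitoring\\" in k and n == "disablemonitoring":
            if v == "dword:00000001":
                findings.append(Finding("AV monitoring disabled", key, name, value))
        elif k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall":
            if v == "0":
                findings.append(Finding("firewall disabled", key, name, value))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.check}] {f.key}\n    {f.name} = {f.value}")
```

Run against a real ComboFix.txt, the same five checks pick out the entries the helper in this thread acted on; anything else in the section still has to be read by hand.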
freaksoupacciden...
post Nov 8 2009, 07:05 AM
Post #13


Member
Posts: 14
From: Watford, United Kingdom
OS: Windows XP



Hi again - the OTS scan has been running for 18 hours. Is this normal? There is still plenty of disk/CPU activity and filenames change in the status line, so it is clearly doing something.

Is there any way of telling how much longer it has to run?

Thanks
Soupy
piano9playa5
post Nov 8 2009, 04:14 PM
Post #14


GeekU Senior
Posts: 1,241
OS: XP Home



I'm sorry. One of the Custom Scans seems to be the problem.
Close OTS, then try this:


To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Please close ALL OTHER PROGRAMS and open OTS.
  • Check the box that says Scan All Users
  • Under Custom Scans paste in the following:
    %SYSTEMDRIVE%\*.exe
    %SYSTEMROOT%\*. /s /r
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\comres.dll /s /md5
    %SYSTEMDRIVE%\appmgmts.dll /s /md5
  • Under Additional Scans check the following:

    • Reg - NetSvcs
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post. It's usually located on the Desktop.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post
freaksoupacciden...
post Nov 9 2009, 01:45 PM
Post #15


Member
Posts: 14
From: Watford, United Kingdom
OS: Windows XP



Ah - that was much better. It didn't take long at all.

However the log is about 1Mb so I have uploaded it to Mediafire here:

http://www.mediafire.com/file/zagamiiyyyu/OTS.Txt

Thanks
Soupy




PS. Some Windows functionality seems to have returned - the volume icon is in the tray now and I can change the wallpaper again.

This post has been edited by freaksoupaccident: Nov 9 2009, 01:46 PM
