File permissions blocked

Hello all!!

Does anyone know which virus it is that blocks file permissions?

I just fought through two issues, thank god for Avast, and am wondering if it is known what caused the issues.

First, all .exe files were somehow disassociated in the registry, so when clicking on them or asking them to run I got the message “no program associated with this file type”. A registry fix for .exe fixed that.

Then, once I got access to the .exe files, any time I ran any software that touched the suspected virus, including Avast (though the Avast options were still available via the taskbar), the program would shut down and the program’s permissions would be changed, resulting in the message “you do not have permissions to run this file”. This activity even blocked HijackThis, Malwarebytes and IE (as I attempted an online scan). This activity carried over to safe mode as well.

Avast saved me via a boot scan!!! The only problem I encountered there was that the boot scan was blocked from view. The monitor turned black (where normally it’s the blue screen with white text, as with scandisk); I was not able to select options, and the scan terminated. I went back into the Avast Boot Scan advanced options and turned on the delete and don’t-prompt options, which allowed the scan to run without input, and Avast was able to remove it.

So, please, if you know which virus did this, I’d like to know to get a pre-emptive solution for the next system that comes my way.

Thanks to all who reply!!

Hi there, let’s have a look at the system first to determine what type of malware you have.

Please save this file to your desktop. Double-click on it to run a scan. When it’s finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

THEN

We need to check for rootkits with RootRepeal.

[*]Download RootRepeal from one of the following locations and save it to your desktop.
[list]
[*]Zip Mirrors (Recommended)
[list]
[*]Primary Mirror
[*]Secondary Mirror
[*]Secondary Mirror
[/list]
[*]Rar Mirrors - Only if you know what a RAR is and can extract it.
[list]
[*][url=http://ad13.geekstogo.com/RootRepeal.rar]Primary Mirror[/url]
[*][url=http://ad13.geekstogo.com/RootRepeal.rar]Secondary Mirror[/url]
[*][url=http://rootrepeal.psikotick.com/RootRepeal.rar]Secondary Mirror[/url]
[/list]
[/list]
[*]Extract RootRepeal.exe from the archive.
[*]Open RootRepeal.exe on your desktop (http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png).
[*]Click the Report tab (http://billy-oneal.com/forums/rootRepeal/reportTab.png).
[*]Click the Scan button (http://billy-oneal.com/forums/rootRepeal/btnScan.png).
[*]Check all seven boxes (http://billy-oneal.com/forums/rootRepeal/checkBoxes2.png).
[*]Push Ok.
[*]Check the box for your main system drive (usually C:), and press Ok.
[*]Allow RootRepeal to run a scan of your system. This may take some time.
[*]Once the scan completes, push the Save Report button (http://billy-oneal.com/forums/rootRepeal/saveReport.png). Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Thanks for the reply. While I hope to have eliminated all of my issues, I’ll bite and check with you on this.

Here are the results you requested.

Win32kDiag.txt (a)

Log file is located at: C:\Documents and Settings\Sid\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point       : C:\WINDOWS\A3W_DATA\A3W_DATA

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\biolsp patch\biolsp patch

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Dell Drivers MSI\Dell Drivers MSI

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Fingerprint Sensor Minimum Install\Fingerprint Sensor Minimum Install

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Gemalto\Gemalto

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\GemSafe Standard Edition\GemSafe Standard Edition

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\tsp patch\tsp patch

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\upekmsi\upekmsi

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Wave Infrastructure\Wave Infrastructure

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ERDNT\Hiv-backup\Hiv-backup

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1042\1042



Due to post limitations this will be in two parts.

Win32kDiag.txt (b)

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield\ISEngine12.0\ISEngine12.0

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1287053465-2906853489-2860694483-500\S-1-5-21-1287053465-2906853489-2860694483-500

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1287053465-2906853489-2860694483-500\S-1-5-21-1287053465-2906853489-2860694483-500

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Wave Systems Corp\Wave Systems Corp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\3a8e3c780f76\3a8e3c780f76

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1287053465-2906853489-2860694483-500\S-1-5-21-1287053465-2906853489-2860694483-500

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\PowerDVD DX\IEPG\IEPG

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\Test\Test

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!


RootRepeal.txt (a)


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/08/31 13:47
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9037000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5EA000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5989000	Size: 49152	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\A3W_DATA\A3W_DATA
Status: Locked to the Windows API!

Path: C:\WINDOWS\Prefetch\NOTEPAD.EXE-2F2D61E1.pf
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\ShellExt\ShellExt
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\dhcp\dhcp
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\FxsTmp\FxsTmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\Test\Test
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wins\wins
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\inetsrv\inetsrv
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1025\1025
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1028\1028
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1031\1031
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1037\1037
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1041\1041
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1042\1042
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1054\1054
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\2052\2052
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\3076\3076
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\3com_dmi\3com_dmi
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\export\export
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\xircom\xircom
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\_avast4_\_avast4_
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\security\logs\logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d1\d1
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d2\d2
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d3\d3
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d4\d4
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d5\d5
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d6\d6
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d7\d7
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d8\d8
Status: Locked to the Windows API!

Path: C:\WINDOWS\ERDNT\Hiv-backup\Hiv-backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\disdn\disdn
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\mui\dispspec\dispspec
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\sample\sample
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wbem\snmp\snmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!


Again, in two parts.

RootRepeal.txt (b)

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\biolsp patch\biolsp patch
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Dell Drivers MSI\Dell Drivers MSI
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Fingerprint Sensor Minimum Install\Fingerprint Sensor Minimum Install
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Gemalto\Gemalto
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\GemSafe Standard Edition\GemSafe Standard Edition
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\tsp patch\tsp patch
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\upekmsi\upekmsi
Status: Locked to the Windows API!

Path: C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Wave Infrastructure\Wave Infrastructure
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wbem\mof\bad\bad
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\News\News
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Wave Systems Corp\Wave Systems Corp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\ATI\ACE\ACE
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield\ISEngine12.0\ISEngine12.0
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1287053465-2906853489-2860694483-500\S-1-5-21-1287053465-2906853489-2860694483-500
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\PowerDVD DX\IEPG\IEPG
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1287053465-2906853489-2860694483-500\S-1-5-21-1287053465-2906853489-2860694483-500
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\3a8e3c780f76\3a8e3c780f76
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1287053465-2906853489-2860694483-500\S-1-5-21-1287053465-2906853489-2860694483-500
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500
Status: Locked to the Windows API!

SSDT
-------------------
#: 025	Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa907f6b8

#: 041	Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa907f574

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa907fa52

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa907f14c

#: 119	Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa907f64e

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa907f08c

#: 128	Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa907f0f0

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa907f76e

#: 204	Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa907f72e

#: 247	Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa907f8ae

Hidden Services
-------------------
Service Name: kbiwkmrdtvvrds
Image Path: C:\WINDOWS\system32\drivers\kbiwkmbcblamrm.sys

==EOF==

Looks like there is more work to do here!!!
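The two reports above have a regular shape that is easier to read programmatically than by scrolling: Win32kDiag prints each junction with its target on the following line, and RootRepeal prints named sections of "Key: value" entries. The following is an added example, not part of this thread or of either tool, that parses both formats and flags junctions whose target is a raw \Device\ object (like \Device\__max++>\^ above) rather than a \??\<drive>: volume path; that heuristic and the benign \??\D:\Data sample entry are assumptions, all other sample values are taken from the posted logs.

```python
"""Triage helper for the Win32kDiag and RootRepeal reports posted above (added example)."""
import re
from collections import defaultdict

# Constructed sample shaped like the Win32kDiag "-f -r" log above (its blank lines omitted).
# The \??\D:\Data entry is an assumed benign junction, showing what the heuristic does NOT flag.
WIN32KDIAG_SAMPLE = """\
Found mount point       : C:\\WINDOWS\\Config\\Config
Mount point destination : \\Device\\__max++>\\^
Removing mount point : C:\\WINDOWS\\Config\\Config
Found mount point       : C:\\WINDOWS\\PIF\\PIF
Mount point destination : \\Device\\__max++>\\^
Removing mount point : C:\\WINDOWS\\PIF\\PIF
Found mount point       : C:\\Data\\Link
Mount point destination : \\??\\D:\\Data
"""

# Constructed sample shaped like the RootRepeal report above (values taken from it).
ROOTREPEAL_SAMPLE = """\
Hidden/Locked Files
-------------------
Path: C:\\WINDOWS\\Config\\Config
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\PIF\\PIF
Status: Locked to the Windows API!

SSDT
-------------------
#: 025\tFunction Name: NtClose
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xa907f6b8

Hidden Services
-------------------
Service Name: kbiwkmrdtvvrds
Image Path: C:\\WINDOWS\\system32\\drivers\\kbiwkmbcblamrm.sys
==EOF==
"""

_MOUNT_RE = re.compile(r"^(Found mount point|Mount point destination|Removing mount point)\s*:\s*(.*?)\s*$", re.M)
_HOOK_RE = re.compile(r'Hooked by "([^"]+)"')

def parse_win32kdiag(text):
    """Return {'found': [(junction, target), ...], 'removed': [junction, ...]}; Win32kDiag
    prints each junction on one line and its target on the next, with blank lines between."""
    found, removed, pending = [], [], None
    for kind, value in _MOUNT_RE.findall(text):
        if kind == "Found mount point":
            pending = value
        elif kind == "Mount point destination" and pending is not None:
            found.append((pending, value))
            pending = None
        elif kind == "Removing mount point":
            removed.append(value)
    return {"found": found, "removed": removed}

def suspicious_junctions(found):
    """Heuristic (assumption): a legitimate NTFS junction targets \\??\\<drive>:\\...; a target that
    names a raw \\Device\\ object, like \\Device\\__max++>\\^ above, redirects into a rootkit device."""
    return [(src, dst) for src, dst in found if not dst.upper().startswith("\\??\\")]

def parse_rootrepeal(text):
    """Split a RootRepeal report into {section: [entry, ...]}; each entry is a dict of
    'Key: value' fields, several of which may share one tab-separated line."""
    sections, lines, current, entry = defaultdict(list), text.splitlines(), None, {}
    for i, line in enumerate(lines):
        s = line.strip()
        is_header = bool(s) and i + 1 < len(lines) and set(lines[i + 1].strip()) == {"-"}
        if is_header or not s or set(s) == {"-"} or s.startswith("=="):
            if entry:                      # blank line, dashed rule or new header ends the entry
                sections[current].append(entry)
                entry = {}
            if is_header:
                current = s                # the section name sits on the line above the rule
            continue
        if current and ":" in s:
            for field in s.split("\t"):
                key, _, value = field.partition(":")
                entry[key.strip()] = value.strip()
    if entry:
        sections[current].append(entry)
    return dict(sections)

def ssdt_hook_modules(report):
    """Drivers hooking the SSDT; aswSP.SYS above is avast's own driver, so compare against installed AV."""
    hits = (_HOOK_RE.search(e.get("Status", "")) for e in report.get("SSDT", []))
    return sorted({m.group(1) for m in hits if m})

def triage(win32kdiag_text, rootrepeal_text):
    diag, report = parse_win32kdiag(win32kdiag_text), parse_rootrepeal(rootrepeal_text)
    return {
        "junctions": len(diag["found"]),
        "junctions_removed": len(diag["removed"]),
        "suspicious_junctions": suspicious_junctions(diag["found"]),
        "locked_files": len(report.get("Hidden/Locked Files", [])),
        "ssdt_hook_modules": ssdt_hook_modules(report),
        "hidden_services": [(e.get("Service Name"), e.get("Image Path"))
                            for e in report.get("Hidden Services", [])],
    }
```

Calling triage(WIN32KDIAG_SAMPLE, ROOTREPEAL_SAMPLE) on the constructed samples reports two suspicious junctions (both removed), two locked paths, one SSDT hooker (avast) and the hidden kbiwkmrdtvvrds service; feeding it the full logs pasted above gives the same summary the helper reads off by eye.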

Yep, you are still infected.

OK, sUBs has been working on this infection and we believe Combofix can kill it now, so let’s try.

First, we will delete the junctions.

Click on Start->Run, copy-paste the following command into the “Open” box, and click OK.
"%userprofile%\desktop\win32kdiag.exe" -f -r
When it’s finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

THEN

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif


Double click on Combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.
[*]Please post the C:\ComboFix.txt along with a OTL log so we can continue cleaning the system.

Thanks again for helpin!!

Win32kDiag.txt -f -r (a)

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point       : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point       : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point       : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point       : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point       : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point       : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point       : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point       : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point       : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point       : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

The junctions are dead ;D

OK, let's see if the new Combofix works

DAMN!!! The beeps from ComboFix alerting me to turn off Avast about startled me outa my chair!!!
ComboFix.txt (a)

ComboFix 09-08-31.03 - Sid 08/31/2009 15:16.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1790.1136 [GMT -4:00]
Running from: c:\downloads\MalwareRemoval\Combo-Fix.exe
AV: avast! antivirus 4.8.1351 [VPS 090830-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\B2C143C8.x86.dll
c:\windows\Installer\5d197a8.msp
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\kbiwkmbnstbmpm.dat
c:\windows\system32\kbiwkmsciyqvpx.dat
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPPRO2009_100
-------\Legacy_KBIWKMRDTVVRDS
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_kbiwkmrdtvvrds

ComboFix.txt (b)

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 19:04 . 2008-03-03 19:29	--------	d-----w-	c:\windows\system32\config\systemprofile\Application Data\Wave Systems Corp
2009-08-31 17:47 . 2009-04-02 13:29	--------	d-----w-	c:\documents and settings\Sid\Application Data\HPAppData
2009-08-31 14:54 . 2008-02-26 16:21	78120	----a-w-	c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-31 14:46 . 2004-08-11 23:14	87643	----a-w-	c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-31 13:14 . 2004-08-11 23:12	24956	----a-w-	c:\windows\system32\emptyregdb.dat
2009-08-29 03:34 . 2008-02-26 16:02	--------	d-----w-	c:\program files\Java
2009-08-29 01:41 . 2008-02-26 16:03	--------	d--h--w-	c:\program files\InstallShield Installation Information
2009-08-29 01:32 . 2008-02-26 16:08	--------	d-----w-	c:\documents and settings\All Users\Application Data\Wave Systems Corp
2009-08-29 01:32 . 2008-02-26 16:08	--------	d-----w-	c:\program files\Wave Systems Corp
2009-08-29 01:26 . 2008-03-03 19:29	0	----a-w-	c:\documents and settings\Sid\Local Settings\Application Data\WavXMapDrive.bat
2009-08-05 09:01 . 2004-08-04 10:00	204800	----a-w-	c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 10:00	81920	----a-w-	c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 10:00	119808	----a-w-	c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 10:00	58880	----a-w-	c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-08-04 10:00	233472	----a-w-	c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-03-04 03:33	915456	----a-w-	c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-08-04 10:00	730112	----a-w-	c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 10:00	56832	----a-w-	c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 10:00	54272	----a-w-	c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 10:00	301568	----a-w-	c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 10:00	147456	----a-w-	c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 10:00	136192	----a-w-	c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 10:00	92928	----a-w-	c:\windows\system32\drivers\ksecdd.sys
2009-06-12 12:31 . 2004-08-04 10:00	80896	----a-w-	c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 10:00	76288	----a-w-	c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 10:00	84992	----a-w-	c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2004-08-11 23:11	2066432	----a-w-	c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 10:00	132096	----a-w-	c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-04 10:00	1291264	----a-w-	c:\windows\system32\quartz.dll
2002-07-26 21:02 . 2008-10-03 23:26	153088	----a-w-	c:\program files\UNWISE.EXE
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-29 148888]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2003-11-10 406016]
"PCLEUSBTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2005-12-21 73728]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-05 405504]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 21:20	73728	----a-w-	c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-01 13:17	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/28/2009 6:19 PM 114768]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 4:21 PM 79432]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/28/2009 6:19 PM 20560]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/4/2004 6:00 AM 5120]
S1 SASDIFSV;SASDIFSV;f:\computer-repair-utility-kit-v2\Virus Removal\SuperAntiSpyware\SASDIFSV.SYS [4/10/2009 9:23 PM 9968]
S1 SASKUTIL;SASKUTIL;\??\e:\computer-repair-utility-kit-v2\Virus Removal\SuperAntiSpyware\SASKUTIL.sys --> e:\computer-repair-utility-kit-v2\Virus Removal\SuperAntiSpyware\SASKUTIL.sys [?]
S3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 2:32 PM 97536]
S3 HNMSTPN;HNMSTPN;c:\docume~1\ADMINI~1\LOCALS~1\Temp\HNMSTPN.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\HNMSTPN.exe [?]
S3 SASENUM;SASENUM;\??\e:\computer-repair-utility-kit-v2\Virus Removal\SuperAntiSpyware\SASENUM.SYS --> e:\computer-repair-utility-kit-v2\Virus Removal\SuperAntiSpyware\SASENUM.SYS [?]
S3 UGFLRZNY;UGFLRZNY;c:\docume~1\ADMINI~1\LOCALS~1\Temp\UGFLRZNY.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\UGFLRZNY.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\User_Feed_Synchronization-{ECF067D2-CA6D-4E91-A108-1FA4FEFFF29B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - e:\computer-repair-utility-kit-v2\Virus Removal\SuperAntiSpyware\SUPERAntiSpyware.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=6080226
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=4YvZ6Dh7nPwH0LUfADg7Mf32sL4
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Sid\Application Data\Mozilla\Firefox\Profiles\mxh5aalm.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 15:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

ComboFix.txt (c)

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,8b,5c,21,d1,4d,
   1a,5a,37,e2,63,26,f1,3f,c8,ff,68,53,f7,fe,91,c0,9a,1b,5f,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,59,51,76,5e,2a,
   9f,90,0a,6a,9c,d6,61,af,45,84,18,83,88,30,6f,ab,d1,44,1e,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,f7,2f,77,24,c7,
   e5,de,c1,ff,7c,85,e0,43,d4,0e,fe,fc,fe,59,14,81,7e,a3,a4,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,e1,4a,74,65,24,
   70,6a,e6,86,8c,21,01,be,91,eb,e7,ed,cb,01,cd,72,28,38,af,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,2a,05,c1,d7,ae,
   99,1e,ff,f5,1d,4d,73,a8,13,5c,05,9f,d8,4d,be,91,b7,ff,0f,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,83,95,d1,b6,2c,
   43,ff,de,df,20,58,62,78,6b,cf,c8,c0,54,d2,91,d2,18,55,a2,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,0c,67,f6,c6,1c,
   9a,b3,f7,fb,a7,78,e6,12,2f,9a,ea,ab,74,29,da,e4,5d,62,f1,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,de,86,fb,eb,e7,
   9a,7d,c9,01,3a,48,fc,e8,04,4a,f1,75,2b,dc,7f,88,5d,f4,4c,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,5c,26,00,cf,54,
   19,5c,50,f6,0f,4e,58,98,5b,89,c9,c5,ce,b2,43,17,60,80,7f,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,f8,a9,61,cf,ad,
   ea,aa,da,3d,ce,ea,26,2d,45,aa,78,c8,e9,96,ef,f4,22,b0,ff,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,d5,0f,b4,4a,4b,
   88,ef,ce,2a,b7,cc,b5,b9,7f,41,e7,28,a8,08,58,bb,02,12,9c,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,1f,4c,5e,d7,fa,
   c9,2b,f7,6c,43,2d,1e,aa,22,2f,9c,af,52,ca,eb,a4,48,d1,0f,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(792)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\msdtc.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Apoint\ApMsgFwd.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2009-08-31 15:27 - machine was rebooted
ComboFix-quarantined-files.txt  2009-08-31 19:27

Pre-Run: 98,733,420,544 bytes free
Post-Run: 98,688,049,152 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
377	--- E O F ---	2009-08-31 12:31

I’m unable to locate the OTL log that you speak of. Any assistance on its location and actual file name?

Nevermind… figured that out after I posted!!!

Running OTL now.

Nearly done - err you won’t have OTL ooops

  1. Please open Notepad
    [*]Click Start, then Run
    [*]Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\UGFLRZNY.exe

Driver::
UGFLRZNY


  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt
    [*]A new OTListit log.

If you could then run MBAM to clear the orphans

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Skipping OTL and moving on to the instructions above.

ComboFix.txt (1)

ComboFix 09-08-31.03 - Sid 08/31/2009 15:53.2.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1790.1192 [GMT -4:00]
Running from: c:\downloads\MalwareRemoval\Combo-Fix.exe
Command switches used :: c:\downloads\MalwareRemoval\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090831-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\docume~1\ADMINI~1\LOCALS~1\Temp\UGFLRZNY.exe"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UGFLRZNY
-------\Service_UGFLRZNY


(((((((((((((((((((((((((   Files Created from 2009-07-28 to 2009-08-31  )))))))))))))))))))))))))))))))
.

2009-08-31 15:14 . 2009-08-07 08:48	100352	-c----w-	c:\windows\system32\dllcache\iecompat.dll
2009-08-31 15:13 . 2009-07-03 17:09	12800	-c----w-	c:\windows\system32\dllcache\xpshims.dll
2009-08-31 15:13 . 2009-07-03 17:09	594432	-c----w-	c:\windows\system32\dllcache\msfeeds.dll
2009-08-31 15:13 . 2009-07-03 17:09	55296	-c----w-	c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-31 15:13 . 2009-07-19 22:48	11067392	-c----w-	c:\windows\system32\dllcache\ieframe.dll
2009-08-31 15:13 . 2009-07-03 17:09	1985536	-c----w-	c:\windows\system32\dllcache\iertutil.dll
2009-08-31 15:13 . 2009-07-03 17:09	246272	-c----w-	c:\windows\system32\dllcache\ieproxy.dll
2009-08-31 15:12 . 2009-08-31 15:13	--------	dc-h--w-	c:\windows\ie8
2009-08-31 14:43 . 2009-08-31 14:43	--------	d-----w-	c:\windows\system32\scripting
2009-08-31 14:43 . 2009-08-31 14:43	--------	d-----w-	c:\windows\system32\en
2009-08-31 14:43 . 2009-08-31 14:43	--------	d-----w-	c:\windows\l2schemas
2009-08-31 14:43 . 2009-08-31 14:43	--------	d-----w-	c:\windows\system32\bits
2009-08-31 14:22 . 2008-04-14 00:12	150528	------w-	c:\windows\system32\qagent.dll
2009-08-31 14:21 . 2008-04-14 00:12	20992	------w-	c:\windows\system32\faxpatch.exe
2009-08-31 13:50 . 2009-06-10 06:14	132096	-c----w-	c:\windows\system32\dllcache\wkssvc.dll
2009-08-31 13:49 . 2009-06-25 08:25	56832	-c----w-	c:\windows\system32\dllcache\secur32.dll
2009-08-31 13:49 . 2009-03-21 14:06	989696	-c----w-	c:\windows\system32\dllcache\kernel32.dll
2009-08-31 13:49 . 2008-06-13 11:05	272128	-c----w-	c:\windows\system32\dllcache\bthport.sys
2009-08-31 13:49 . 2009-06-03 19:09	1291264	-c----w-	c:\windows\system32\dllcache\quartz.dll
2009-08-31 13:49 . 2008-08-14 10:04	138496	-c----w-	c:\windows\system32\dllcache\afd.sys
2009-08-31 13:49 . 2008-06-20 17:46	245248	-c----w-	c:\windows\system32\dllcache\mswsock.dll
2009-08-31 13:49 . 2008-06-20 17:46	147968	-c----w-	c:\windows\system32\dllcache\dnsapi.dll
2009-08-31 13:49 . 2008-06-20 11:51	361600	-c----w-	c:\windows\system32\dllcache\tcpip.sys
2009-08-31 13:49 . 2008-06-20 11:08	225856	-c----w-	c:\windows\system32\dllcache\tcpip6.sys
2009-08-31 13:49 . 2008-12-11 10:57	333952	-c----w-	c:\windows\system32\dllcache\srv.sys
2009-08-31 13:49 . 2008-05-01 14:33	331776	-c----w-	c:\windows\system32\dllcache\msadce.dll
2009-08-31 13:49 . 2009-07-10 13:27	1315328	-c----w-	c:\windows\system32\dllcache\msoe.dll
2009-08-31 13:48 . 2008-06-17 19:02	8461312	-c----w-	c:\windows\system32\dllcache\shell32.dll
2009-08-31 13:48 . 2008-04-11 19:04	691712	-c----w-	c:\windows\system32\dllcache\inetcomm.dll
2009-08-31 13:48 . 2009-04-15 14:51	585216	-c----w-	c:\windows\system32\dllcache\rpcrt4.dll
2009-08-31 13:47 . 2008-12-16 12:30	354304	-c----w-	c:\windows\system32\dllcache\winhttp.dll
2009-08-31 13:47 . 2009-08-05 09:01	204800	-c----w-	c:\windows\system32\dllcache\mswebdvd.dll
2009-08-31 13:47 . 2009-04-17 12:26	1847168	-c----w-	c:\windows\system32\dllcache\win32k.sys
2009-08-31 13:47 . 2008-10-15 16:34	337408	-c----w-	c:\windows\system32\dllcache\netapi32.dll
2009-08-31 13:47 . 2008-09-04 17:15	1106944	-c----w-	c:\windows\system32\dllcache\msxml3.dll
2009-08-31 13:47 . 2008-10-23 12:36	286720	-c----w-	c:\windows\system32\dllcache\gdi32.dll
2009-08-31 13:19 . 2004-08-04 10:00	10240	-c--a-w-	c:\windows\system32\dllcache\snmpstup.dll
2009-08-31 13:18 . 2008-04-14 00:09	13463552	-c--a-w-	c:\windows\system32\dllcache\hwxjpn.dll
2009-08-31 13:17 . 2004-08-04 10:00	19968	-c--a-w-	c:\windows\system32\dllcache\inetsloc.dll
2009-08-31 13:17 . 2004-08-04 10:00	7680	-c--a-w-	c:\windows\system32\dllcache\inetmgr.exe
2009-08-31 13:17 . 2004-08-04 10:00	169984	-c--a-w-	c:\windows\system32\dllcache\iisui.dll
2009-08-31 13:17 . 2004-08-04 10:00	6144	-c--a-w-	c:\windows\system32\dllcache\ftpsapi2.dll
2009-08-31 13:17 . 2004-08-04 10:00	5632	-c--a-w-	c:\windows\system32\dllcache\iisrstap.dll
2009-08-31 13:17 . 2004-08-04 10:00	14336	-c--a-w-	c:\windows\system32\dllcache\iisreset.exe
2009-08-31 13:01 . 2004-08-04 10:00	13312	-c--a-w-	c:\windows\system32\dllcache\irclass.dll
2009-08-31 13:01 . 2004-08-04 10:00	13312	----a-w-	c:\windows\system32\irclass.dll
2009-08-31 13:01 . 2004-08-04 10:00	24661	-c--a-w-	c:\windows\system32\dllcache\spxcoins.dll
2009-08-31 13:01 . 2004-08-04 10:00	24661	----a-w-	c:\windows\system32\spxcoins.dll
2009-08-31 12:27 . 2009-08-31 12:27	--------	d-----w-	c:\windows\system32\XPSViewer
2009-08-31 12:27 . 2009-08-31 12:27	--------	d-----w-	c:\program files\MSBuild
2009-08-31 12:27 . 2009-08-31 12:27	--------	d-----w-	c:\program files\Reference Assemblies
2009-08-31 12:27 . 2008-07-06 12:06	575488	----a-w-	c:\windows\system32\xpsshhdr.dll
2009-08-31 12:27 . 2008-07-06 12:06	1676288	----a-w-	c:\windows\system32\xpssvcs.dll
2009-08-31 12:27 . 2008-07-06 12:06	117760	----a-w-	c:\windows\system32\prntvpt.dll
2009-08-31 12:27 . 2009-08-31 12:27	--------	d-----w-	C:\1e9dffaece1b98136f8c0ff1c6e1c2
2009-08-31 08:47 . 2009-08-31 08:47	--------	d-----w-	c:\windows\dell
2009-08-29 07:03 . 2009-08-31 14:41	--------	d-----w-	c:\windows\ServicePackFiles
2009-08-29 05:10 . 2009-08-29 05:10	--------	d-sh--w-	c:\documents and settings\Sid\UserData
2009-08-29 04:44 . 2008-05-03 11:55	2560	------w-	c:\windows\system32\xpsp4res.dll
2009-08-29 04:44 . 2008-04-21 12:08	215552	-c----w-	c:\windows\system32\dllcache\wordpad.exe
2009-08-29 03:34 . 2009-08-29 03:34	410984	----a-w-	c:\windows\system32\deploytk.dll
2009-08-29 03:33 . 2009-08-29 03:33	152576	----a-w-	c:\documents and settings\Sid\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-08-29 03:23 . 2009-08-29 03:23	3942047	----a-w-	c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-29 03:23 . 2009-08-03 17:36	19096	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-08-29 03:23 . 2009-08-03 17:36	38160	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-29 03:23 . 2009-08-29 03:25	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-08-28 22:19 . 2009-08-17 16:04	23152	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2009-08-28 22:19 . 2009-08-17 16:04	51376	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2009-08-28 22:19 . 2009-08-17 16:03	26944	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2009-08-28 22:19 . 2009-08-17 16:02	97480	----a-w-	c:\windows\system32\AvastSS.scr
2009-08-28 22:19 . 2009-08-17 16:06	93392	----a-w-	c:\windows\system32\drivers\aswmon.sys
2009-08-28 22:19 . 2009-08-17 16:06	94160	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2009-08-28 22:19 . 2009-08-17 16:05	114768	----a-w-	c:\windows\system32\drivers\aswSP.sys
2009-08-28 22:19 . 2009-08-17 16:05	20560	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2009-08-28 22:19 . 2009-08-17 16:10	1279456	----a-w-	c:\windows\system32\aswBoot.exe

How is your system now whilst I wait for the MBAM log ?

Running well!! MB running now.

MB.log


Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/31/2009 4:15:43 PM
mbam-log-2009-08-31 (16-15-43).txt

Scan type: Quick Scan
Objects scanned: 97000
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Good

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel > Add/Remove along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 16.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u16-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u16-windows-i586-p.exe and select “Run as an Administrator.”)

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE

You now have a clean restore point, to get rid of the bad ones:

[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The System will do some calculation and then display a dialogue box with TABS
[*]Select the More Options Tab.
[*]At the bottom will be a system restore box with a CLEANUP button click this
[*]Accept the Warning and select OK again, the program will close and you are done

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job
[*]Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
[*]SuperAntispyware: run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: