# Super virus - help needed



## tigron (Jul 15, 2003)

Hey folks, It's been a long time since I've been in here but I really need some help. I've got a windows Vista machine that is was getting a BSOD 0x0000007. I used last known good configuration and was able to get back in to the desktop but the virus is still there. In safemode, every tool I have is useless as they open and seem to get shutdown almost immediatly and then it does something to the file ownership I think where you can't run it again without reinstalling. I've got a process 3203397148:3809022017.exe that I can't kill and I've taken the HD out of the system and used a USB adapter to scan the drive and malwarebytes found Win32.AutoRun.tmp on the first run I cleaned that, still no luck. While scanning Avira found APPL/KillApp.A found in E:\HP\BIN\EndProcess.exe which I left alone initially as a legit file. On a second attempt to scan via usb Malwarebytes found 10 infected but only 3 different culprits Trojan.BHO, Trojan.Vundo, Adware.MyWebSearch. If anyone can offer assistance, please do.


----------



## tigron (Jul 15, 2003)

No replies ? Well I'll give an update as I haven't been sitting on my hands waiting for help. I was finally able to get the internet working enough to run AVG live cd scan and it found 14 infected, one of which is windows/system32/drivers/tdx.sys - Trojan horse Backdoor.generic14.AGNE(critical system file), /appdata/local/temp/setup1114414592.exe - win32/cryptor, /appdata/local/temp/FBB5.tmp - win32/cryptor, /appdata/local/temp/DD5D.tmp - win32/cryptor, /appdata/locallow/sun/java/deployment/cache/6.0/63/5ad83dbf-18ff9749 - luhe.fiha.a, /appdata/locallow/sun/java/deployment/cache/6.0/63/5ad83dbf-1da3ea6e - luhe.fiha.a, windows/assembly/gac_msil/desktop.ini - Trojan horse agent_r.aks, windows/microsoft.net/framework/v4.0.30319/mscorsvw.exe - win32/katusha.a, windows/system32/drivers/xaudio.exe - win32/katusha.a, windows/system32/pmobserv.exe - win32/katusha.a, windows/system32/spool/drivers/w32x86/3/lxdxpswx.exe - win32/katusha.a, windows/system32/spool/drivers/w32x86/3/lxdxjswx.exe - win32/katusha.a, windows/system32/lxdxcoms.exe - win32/katusha.a, windows/winsxs/x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.0.6001.18000_none_ea3dc84bdc15a8b7/tdx.sy 

If anyone can help me get further that would be appreciated since I still have a redirect issue and can't run any virus programs in safemode or the regular desktop.


----------



## kevinf80 (Mar 21, 2006)

Do the following :-

Boot your PC into Safe Mode with Networking. Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

*Link 1*
*Link 2*


 Ensure that Combofix is saved directly to the Root of C:\ Drive * <--- Very important*

 Before saving rename to *tigron.com* so you end up with Combofix saved as *C:\tigron.com*

 Disable all security programs as they will have a negative effect on Combofix, instructions available *Here* if required. Be aware the list may not have all programs listed, if you need more help please ask.

 Close any open browsers and any other programs you might have running

 Navigate to *C:\tigron.com* and double click to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)

 If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.

 When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

*******Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze* ******

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read *Here* why disabling autoruns is recommended.

*EXTRA NOTES*

 If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
 If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
 If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin


----------



## tigron (Jul 15, 2003)

Thanks for the reply. I ran the first time without clicking on run as administrator as the option wasn't available for tigron.com. I ran it a second time using the admin cmd prompt, I hope that didn't skew the results. There was a comment in the beginning that it couldn't access and had to be run as admin but it said admin at the top of the cmd window.

Here's the log results.

ComboFix 11-09-05.05 - crellan 09/09/2011 18:59:44.1.2 - x86 NETWORK

Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.2494.1863 [GMT -4:00]

Running from: C:\tigron.com

AV: Norton Internet Security *Disabled/Outdated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}

FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}

SP: Norton Internet Security *Disabled/Outdated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2011-08-09 to 2011-09-09 )))))))))))))))))))))))))))))))

.

.

2011-09-09 23:06 . 2011-09-09 23:06	--------	d-----w-	c:\users\crellan\AppData\Local\temp

2011-09-09 23:06 . 2011-09-09 23:06	--------	d-----w-	c:\windows\system32\config\systemprofile\AppData\Local\temp

2011-09-09 23:06 . 2011-09-09 23:06	--------	d-----w-	c:\users\Default\AppData\Local\temp

2011-09-09 22:32 . 2011-09-09 22:55	--------	d-----w-	C:\tigron

2011-09-09 14:37 . 2011-09-09 13:58	71680	----a-w-	c:\windows\system32\drivers\tdx.sys

2011-09-09 12:44 . 2011-09-09 12:44	709968	----a-w-	c:\windows\is-GJSIA.exe

2011-09-09 02:13 . 2011-09-09 02:13	--------	d-----w-	c:\programdata\Kaspersky Lab

2011-09-09 01:45 . 2011-09-09 22:32	--------	d-----w-	C:\ComboFix

2011-09-09 00:22 . 2011-07-08 11:55	41272	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-09 00:22 . 2011-07-08 11:55	22712	----a-w-	c:\windows\system32\drivers\mbam.sys

2011-09-07 22:41 . 2011-09-07 22:41	--------	d-----w-	C:\found.000

2011-09-07 22:06 . 2011-09-07 22:06	--------	d--h--w-	c:\windows\PIF

2011-09-07 20:32 . 2011-09-07 20:47	--------	d-----w-	c:\users\Administrator

2011-09-07 17:00 . 2011-07-04 11:36	309848	----a-w-	c:\windows\system32\drivers\aswSP.sys

2011-09-07 17:00 . 2011-07-04 11:32	19544	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys

2011-09-07 17:00 . 2011-07-04 11:35	43608	----a-w-	c:\windows\system32\drivers\aswTdi.sys

2011-09-07 17:00 . 2011-07-04 11:32	25432	----a-w-	c:\windows\system32\drivers\aswRdr.sys

2011-09-07 17:00 . 2011-07-04 11:36	441176	----a-w-	c:\windows\system32\drivers\aswSnx.sys

2011-09-07 17:00 . 2011-07-04 11:32	54104	----a-w-	c:\windows\system32\drivers\aswMonFlt.sys

2011-09-07 16:58 . 2011-07-04 11:43	40112	----a-w-	c:\windows\avastSS.scr

2011-09-07 16:58 . 2011-07-04 11:43	199304	----a-w-	c:\windows\system32\aswBoot.exe

2011-09-07 16:58 . 2011-09-07 16:58	--------	d-----w-	c:\programdata\AVAST Software

2011-09-07 16:58 . 2011-09-07 16:58	--------	d-----w-	c:\program files\AVAST Software

2011-09-07 14:35 . 2011-09-09 14:32	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware

2011-09-07 05:55 . 2011-09-07 05:57	--------	d-----w-	c:\programdata\MFAData

2011-09-06 16:17 . 2011-08-12 02:44	7152464	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{866A9F8C-8827-4E70-B592-039220005779}\mpengine.dll

2011-09-04 19:17 . 2003-04-30 07:59	106496	----a-w-	c:\windows\_PMCMisc.dll

2011-09-04 19:16 . 2000-09-18 09:54	45056	----a-w-	c:\windows\system32\ricnmon.dll

2011-09-04 19:16 . 2000-09-18 09:51	45056	----a-w-	c:\windows\system32\ippmon.dll

2011-09-04 19:16 . 2000-09-18 09:47	45056	----a-w-	c:\windows\system32\rpnvmon.dll

2011-09-04 19:16 . 2011-09-04 19:16	--------	d-----w-	c:\windows\NAVITEMP

2011-09-04 18:51 . 2011-09-04 19:13	--------	d-----w-	C:\driverslloyd

2011-09-04 17:40 . 2011-09-04 17:40	--------	d-----w-	c:\programdata\Tenda Driver

2011-09-04 17:40 . 2009-12-10 15:16	776480	----a-w-	c:\windows\system32\RAIHV.dll

2011-09-04 17:40 . 2009-12-10 15:16	1590560	----a-w-	c:\windows\system32\RaCertMgr.dll

2011-09-04 17:40 . 2009-12-10 15:16	102688	----a-w-	c:\windows\system32\RAEXTUI.dll

2011-09-04 17:40 . 2011-09-04 17:40	--------	d-----w-	c:\program files\Tenda

2011-09-01 21:07 . 2011-09-01 21:07	--------	d-sh--w-	c:\windows\system32\%APPDATA%

2011-09-01 19:13 . 2011-09-01 19:13	--------	d-----w-	c:\users\crellan\AppData\Roaming\Malwarebytes

2011-09-01 19:13 . 2011-09-01 19:13	--------	d-----w-	c:\programdata\Malwarebytes

2011-09-01 18:01 . 2011-09-01 18:01	4194304	----a-w-	c:\windows\system32\qnbwvoto.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-07-28 11:01 . 2011-07-28 11:01	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-06 14:56 . 2011-08-10 00:39	213504	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys

2011-06-23 19:48 . 2011-06-23 19:48	45056	----a-r-	c:\users\crellan\AppData\Roaming\Microsoft\Installer\{0dff3440-a901-11dc-8314-0800200c9a66}\NewShortcut1_A80EDC6C85754FF6B838BB92A8E49DC5.exe

2011-06-12 22:34 . 2006-11-02 10:32	101888	----a-w-	c:\windows\system32\ifxcardm.dll

2011-06-12 22:34 . 2006-11-02 10:32	82432	----a-w-	c:\windows\system32\axaltocm.dll

2011-06-12 21:42 . 2011-06-12 22:09	47560	----a-w-	c:\windows\system32\SPReview.exe

2011-06-12 21:42 . 2011-06-12 22:09	152576	----a-w-	c:\windows\system32\SPWizUI.dll

2011-04-14 16:26 . 2011-06-15 21:09	142296	----a-w-	c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-07-04 11:43	122512	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]

"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 1773568]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]

"cdloader"="c:\users\crellan\AppData\Roaming\mjusbsp\cdloader2.exe" [2008-08-22 50520]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-19 39408]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]

"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"PSDiagnosticM"="c:\program files\Linksys Wireless-G Print Server\PSDiagnosticM.exe" [2007-02-27 315392]

"lxdxmon.exe"="c:\program files\Lexmark 3600-4600 Series\lxdxmon.exe" [2008-06-13 668328]

"lxdxamon"="c:\program files\Lexmark 3600-4600 Series\lxdxamon.exe" [2008-06-13 16040]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2008-06-13 320168]

"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]

"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8534560]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-08 1047656]

"JobHisInit"="c:\program files\RDS\RMClient\JobHisInit.exe" [2007-08-30 229481]

"MplSetUp"="c:\program files\RDS\RMClient\MplSetUp.exe" [2007-08-30 49254]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-08 449584]

"InnoSetupRegFile.0000000001"="c:\windows\is-GJSIA.exe" [2011-09-09 709968]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [x]

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]

R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe [x]

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [x]

R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R3 PMObserv;PMObserv;c:\windows\system32\PMObserv.exe [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

S3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\DRIVERS\lknuhst.sys [2006-12-15 13824]

S3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\DRIVERS\lknuhub.sys [2006-12-15 35840]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs	REG_MULTI_SZ BthServ

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601659496-17462574-2501975068-1000Core.job

- c:\users\crellan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-31 19:06]

.

2011-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-601659496-17462574-2501975068-1000UA.job

- c:\users\crellan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-05-31 19:06]

.

2011-09-09 c:\windows\Tasks\User_Feed_Synchronization-{505258AB-8A08-43D7-9597-7A32E19A548C}.job

- c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105

Trusted Zone: alipay.com

Trusted Zone: alisoft.com

Trusted Zone: taobao.com

FF - ProfilePath - c:\users\crellan\AppData\Roaming\Mozilla\Firefox\Profiles\tg1wjnqh.default\

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-09 19:06

Windows 6.0.6001 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(1524)

c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll

.

Completion time: 2011-09-09 19:08:06

ComboFix-quarantined-files.txt 2011-09-09 23:08

ComboFix2.txt 2011-09-09 22:55

.

Pre-Run: 96,413,814,784 bytes free

Post-Run: 96,378,011,648 bytes free

.

- - End Of File - - 9E5AF7032CC0888E3F1D1216119E711D


----------



## kevinf80 (Mar 21, 2006)

I need you to uplad a file for analysis...

Please visit *Virustotal*

 Click the *Browse...* button
 Navigate to the file *c:\windows\system32\qnbwvoto.dll*
 Click the *Open* button
 Click the *Send* button
 If you get a message saying File has already been analyzed: click Reanalyze file now
 Copy and paste the results back here please.

Kevin


----------



## tigron (Jul 15, 2003)

Antivirus Version Last Update Result 
AhnLab-V3 2011.09.10.00 2011.09.10 - 
AntiVir 7.11.14.161 2011.09.09 - 
Antiy-AVL 2.0.3.7 2011.09.10 - 
Avast 4.8.1351.0 2011.09.09 - 
Avast5 5.0.677.0 2011.09.09 - 
AVG 10.0.0.1190 2011.09.10 - 
BitDefender 7.2 2011.09.10 - 
ByteHero 1.0.0.1 2011.09.10 - 
CAT-QuickHeal 11.00 2011.09.10 - 
ClamAV 0.97.0.0 2011.09.10 - 
Commtouch 5.3.2.6 2011.09.10 - 
Comodo 10064 2011.09.10 - 
DrWeb 5.0.2.03300 2011.09.10 - 
Emsisoft 5.1.0.11 2011.09.10 - 
eSafe 7.0.17.0 2011.09.07 - 
eTrust-Vet 36.1.8550 2011.09.10 - 
F-Prot 4.6.2.117 2011.09.10 - 
F-Secure 9.0.16440.0 2011.09.10 - 
Fortinet 4.3.370.0 2011.09.10 - 
GData 22 2011.09.10 - 
Ikarus T3.1.1.107.0 2011.09.10 - 
Jiangmin 13.0.900 2011.09.10 - 
K7AntiVirus 9.112.5114 2011.09.09 - 
Kaspersky 9.0.0.837 2011.09.10 - 
McAfee 5.400.0.1158 2011.09.10 - 
McAfee-GW-Edition 2010.1D 2011.09.10 - 
Microsoft 1.7604 2011.09.10 - 
NOD32 6452 2011.09.10 - 
Norman 6.07.11 2011.09.09 - 
nProtect 2011-09-10.01 2011.09.10 - 
Panda 10.0.3.5 2011.09.10 - 
PCTools 8.0.0.5 2011.09.10 - 
Prevx 3.0 2011.09.10 - 
Rising 23.74.03.03 2011.09.09 - 
Sophos 4.69.0 2011.09.10 - 
SUPERAntiSpyware 4.40.0.1006 2011.09.10 - 
Symantec 20111.2.0.82 2011.09.10 - 
TheHacker 6.7.0.1.293 2011.09.10 - 
TrendMicro 9.500.0.1008 2011.09.09 - 
TrendMicro-HouseCall 9.500.0.1008 2011.09.10 - 
VBA32 3.12.16.4 2011.09.09 - 
VIPRE 10431 2011.09.10 - 
ViRobot 2011.9.10.4666 2011.09.10 - 
VirusBuster 14.0.206.1 2011.09.10 - 
Additional informationShow all 
MD5 : 7536eb07efeaf009beb3e241b18c0068 
SHA1 : 0b30f9863358ee7cf05fd45ae6d0e116d9dba435 
SHA256: 65b394b8f0314884182c692ce04cffd2368e416a873e32e1d37b0ea909cf337b 
ssdeep: 98304:huz0tiMI4fFH/OcGkDJk29fTFCA7HWnLa+ryyC:huz0tiMI4fFH/OcGkDJk29fTFCA7HW
nQ 
File size : 4194304 bytes 
First seen: 2011-09-10 16:21:15 
Last seen : 2011-09-10 16:21:15 
TrID: 
Unknown! 
sigcheck: 
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

ExifTool: 
file metadata
Error: File format error
FileSize: 4.0 MB


----------



## kevinf80 (Mar 21, 2006)

Dont see anything wrong with that log, boot into normal mode and RE-run DDS, post fresh DDS.txt. I`ll give instruction if required:

We need to see some additional information about what is happening in your machine.* 
Please perform the following scan in Normal Mode:

Download *DDS* by sUBs from one of the following links.* Save it to your desktop.
*DDS.com*
*DDS.scr*
*DDS.pif*

Double click on the *DDS* icon, allow it to run.
A small box will open, with an explanation about the tool.* *
When done, DDS will open two (2) logs
* * * * *1. DDS.txt
* * * * *2. Attach.txt
 Save both reports to your desktop.
 The instructions here ask you to attach the Attach.txt.








*
*Instead of attaching, please copy/past both logs into your next reply.*
Close the program window, and delete the program from your desktop.
Please note:* You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection. 
Run the scan, enable your A/V and reconnect to the internet.* 
Information on A/V control *HERE*


----------



## tigron (Jul 15, 2003)

I just wanted to let you know that I'm having issues restarting where it doesn't actually restart, I have to do a hard reboot. It also lags after login with the black screen before going to the desktop. I'm able to ctrl-alt-del and get to task manager during the black screen but that's all. Here are the requested logs.
.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.19088

Run by crellan at 18:45:35 on 2011-09-10

Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.2494.1266 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\PROGRA~1\AVG\AVG2012\avgrsx.exe

C:\Program Files\AVG\AVG2012\avgcsrvx.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Windows\system32\svchost.exe -k bthsvcs

C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE

C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\Program Files\AVG\AVG2012\avgemcx.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\8.0.1\ToolbarUpdater.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hp\QuickPlay\QPService.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe

C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe

C:\Windows\vsnp2uvc.exe

C:\Program Files\Hp\HP Software Update\hpwuschd2.exe

C:\HP\KBD\kbd.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\AVG\AVG2012\avgtray.exe

C:\Program Files\AVG Secure Search\vprot.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\RDS\RMClient\MplHDDisp.exe

C:\Program Files\RDS\RMClient\PMJobCliMsg.exe

C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\System32\rundll32.exe

C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\WUDFHost.exe

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn2\YTNavAssist.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.34\AVG Secure Search_toolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll

TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File

TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\8.0.0.34\AVG Secure Search_toolbar.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}

uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun

uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe

uRun: [cdloader] "c:\users\crellan\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"

mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [PSDiagnosticM] "c:\program files\linksys wireless-g print server\PSDiagnosticM.exe"

mRun: [lxdxmon.exe] "c:\program files\lexmark 3600-4600 series\lxdxmon.exe"

mRun: [lxdxamon] "c:\program files\lexmark 3600-4600 series\lxdxamon.exe"

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [snp2uvc] c:\windows\vsnp2uvc.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start

mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [JobHisInit] c:\program files\rds\rmclient\JobHisInit.exe

mRun: [MplSetUp] c:\program files\rds\rmclient\MplSetUp.exe

mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"

mRun: [vProt] "c:\program files\avg secure search\vprot.exe"

mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-GJSIA.exe" /REG /REGSVRMODE

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: alipay.com

Trusted Zone: alisoft.com

Trusted Zone: taobao.com

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1 8.8.8.8

TCP: Interfaces\{7C8380AB-CE91-49FF-8FAD-A6E933B3EDB8} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{F73215BF-58AF-49C4-8C77-B0667C5B5B35} : DhcpNameServer = 192.168.1.1 8.8.8.8

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\crellan\appdata\roaming\mozilla\firefox\profiles\tg1wjnqh.default\

FF - prefs.js: network.proxy.type - 0

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-7-11 32464]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-8-16 5264736]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\8.0.1\ToolbarUpdater.exe [2011-9-10 246600]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]

R3 lknuhst;Linksys Network USB Host Controller;c:\windows\system32\drivers\lknuhst.sys [2008-11-29 13824]

R3 LKNUHUB;Linksys Network USB Root Hub;c:\windows\system32\drivers\lknuhub.sys [2008-11-29 35840]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe --> c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

S2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 PMObserv;PMObserv;c:\windows\system32\pmobserv.exe --> c:\windows\system32\PMObserv.exe [?]

S3 Symantec Core LC;Symantec Core LC;c:\progra~1\common~1\symant~1\ccpd-lc\symlcsvc.exe [2008-5-15 1245064]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-09-10 17:44:00	--------	d--h--w-	C:\$AVG

2011-09-10 16:19:25	--------	d-----w-	c:\users\crellan\appdata\roaming\AVG2012

2011-09-10 16:17:26	--------	d-----w-	c:\program files\common files\AVG Secure Search

2011-09-10 16:17:25	--------	d-----w-	c:\program files\AVG Secure Search

2011-09-10 16:15:55	--------	d-----w-	c:\windows\system32\drivers\AVG

2011-09-10 16:15:55	--------	d-----w-	c:\programdata\AVG2012

2011-09-10 16:10:21	7152464	----a-w-	c:\programdata\microsoft\windows defender\definition updates\{77ffa1c6-4249-4cc4-8d95-fd19cfa96fe7}\mpengine.dll

2011-09-09 23:08:08	--------	d-----w-	c:\users\crellan\appdata\local\temp

2011-09-09 23:07:33	--------	d-sh--w-	C:\$RECYCLE.BIN

2011-09-09 22:32:55	--------	d-----w-	C:\tigron

2011-09-09 22:29:24	4195482	------r-	C:\tigron.com

2011-09-09 14:37:53	71680	----a-w-	c:\windows\system32\drivers\tdx.sys

2011-09-09 12:44:25	709968	----a-w-	c:\windows\is-GJSIA.exe

2011-09-09 02:13:42	--------	d-----w-	c:\programdata\Kaspersky Lab

2011-09-09 01:45:27	--------	d-----w-	C:\ComboFix

2011-09-09 00:22:08	41272	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys

2011-09-09 00:22:03	22712	----a-w-	c:\windows\system32\drivers\mbam.sys

2011-09-08 15:09:17	--------	d-----w-	C:\ComboFix(0)

2011-09-08 12:34:26	98816	----a-w-	c:\windows\sed.exe

2011-09-08 12:34:26	518144	----a-w-	c:\windows\SWREG.exe

2011-09-08 12:34:26	256000	----a-w-	c:\windows\PEV.exe

2011-09-08 12:34:26	208896	----a-w-	c:\windows\MBR.exe

2011-09-07 22:41:11	--------	d-----w-	C:\found.000

2011-09-07 22:06:01	--------	d--h--w-	c:\windows\PIF

2011-09-07 16:58:34	--------	d-----w-	c:\programdata\AVAST Software

2011-09-07 16:58:34	--------	d-----w-	c:\program files\AVAST Software

2011-09-07 14:35:03	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware

2011-09-07 05:55:53	--------	d-----w-	c:\programdata\MFAData

2011-09-04 19:17:16	106496	----a-w-	c:\windows\_PMCMisc.dll

2011-09-04 19:16:05	45056	----a-w-	c:\windows\system32\rpnvmon.dll

2011-09-04 19:16:05	45056	----a-w-	c:\windows\system32\ricnmon.dll

2011-09-04 19:16:05	45056	----a-w-	c:\windows\system32\ippmon.dll

2011-09-04 19:16:02	--------	d-----w-	c:\windows\NAVITEMP

2011-09-04 18:51:11	--------	d-----w-	C:\driverslloyd

2011-09-04 17:40:20	--------	d-----w-	c:\programdata\Tenda Driver

2011-09-04 17:40:19	776480	----a-w-	c:\windows\system32\RAIHV.dll

2011-09-04 17:40:19	1590560	----a-w-	c:\windows\system32\RaCertMgr.dll

2011-09-04 17:40:19	102688	----a-w-	c:\windows\system32\RAEXTUI.dll

2011-09-04 17:40:18	--------	d-----w-	c:\program files\Tenda

2011-09-01 21:07:07	--------	d-sh--w-	c:\windows\system32\%APPDATA%

2011-09-01 19:13:34	--------	d-----w-	c:\users\crellan\appdata\roaming\Malwarebytes

2011-09-01 19:13:29	--------	d-----w-	c:\programdata\Malwarebytes

2011-09-01 18:01:49	4194304	----a-w-	c:\windows\system32\qnbwvoto.dll

.

==================== Find3M ====================

.

2011-07-28 11:01:04	404640	----a-w-	c:\windows\system32\FlashPlayerCPLApp.cpl

2011-07-11 05:14:38	295248	----a-w-	c:\windows\system32\drivers\avgtdix.sys

2011-07-11 05:14:02	24272	----a-w-	c:\windows\system32\drivers\AVGIDSFilter.sys

2011-07-11 05:14:02	16720	----a-w-	c:\windows\system32\drivers\AVGIDSShim.sys

2011-07-11 05:14:00	23120	----a-w-	c:\windows\system32\drivers\AVGIDSEH.sys

2011-07-11 05:13:58	134736	----a-w-	c:\windows\system32\drivers\AVGIDSDriver.sys

2011-07-11 05:13:46	229840	----a-w-	c:\windows\system32\drivers\avgldx86.sys

2011-07-11 05:13:42	32464	----a-w-	c:\windows\system32\drivers\avgrkx86.sys

2011-07-06 14:56:47	213504	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys

.

============= FINISH: 18:47:34.11 ===============

Attach.txt
.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 6/28/2007 11:21:13 PM

System Uptime: 9/10/2011 6:04:12 PM (0 hours ago)

.

Motherboard: Wistron | | 30B5

Processor: AMD Turion(tm) 64 X2 | U1 | 1800/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 141 GiB total, 81.707 GiB free.

D: is FIXED (NTFS) - 8 GiB total, 1.743 GiB free.

E: is CDROM ()

F: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description:

Device ID: ROOT\LEGACY_RASMAN\0000

Manufacturer:

Name:

PNP Device ID: ROOT\LEGACY_RASMAN\0000

Service:

.

==== System Restore Points ===================

.

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

ABBYY FineReader 6.0 Sprint

Activation Assistant for the 2007 Microsoft Office suites

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 8.1.2

Apple Application Support

Apple Mobile Device Support

Apple Software Update

AVG 2012

Bonjour

Canon MP190 series MP Drivers

CheckIt Diagnostics

Conexant HD Audio

Definition update for Microsoft Office 2010 (KB982726)

Dell AIO Printer A940

DeskTopBinder - SmartDeviceMonitor for Client

EasyBits GO

Enhanced Multimedia Keyboard Solution

Epson Easy Photo Print 2

EPSON NX300 Series Printer Uninstall

EPSON Scan

ESU for Microsoft Vista

FileZilla Client 3.5.0

GeoVision ADPCM

GeoVision H264

GeoVision JPEG

GeoVision MPEG2

GeoVision MPEG4

GeoVision MPEG4 ASP

GeoVision MPEG4 AVC

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

GoToMeeting 4.1.0.366

HDAUDIO Soft Data Fax Modem with SmartCP

Hewlett-Packard Active Check for Health Check

Hewlett-Packard Asset Agent for Health Check

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Active Support Library

HP Active Support Library 32 bit components

HP Customer Experience Enhancements

HP Doc Viewer

HP Easy Setup - Frontend

HP Help and Support

HP Integrated Module with Bluetooth wireless technology

HP Pavilion Webcam Driver for Vista v061.001.00006

HP Photosmart Essential 2.0

HP Photosmart Essential2.5

HP Product Detection

HP Quick Launch Buttons 6.40 F1

HP QuickPlay 3.2

HP Total Care Advisor

HP Update

HP User Guides 0083

HP Wireless Assistant

HPNetworkAssistant

Inter-Tel Collaboration Client 2.0

Java(TM) 6 Update 17

Java(TM) 6 Update 3

Java(TM) SE Runtime Environment 6

Junk Mail filter update

Lexmark 3600-4600 Series

Lexmark Fax Solutions

Lexmark Tools for Office

LightScribe 1.4.136.1

Linksys Wireless-G Print Server

LiveUpdate (Symantec Corporation)

LiveUpdate Notice (Symantec Corporation)

Malwarebytes' Anti-Malware version 1.51.1.1800

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Application Error Reporting

Microsoft Choice Guard

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2007

Microsoft Office Excel MUI (English) 2010

Microsoft Office Home and Student 2007

Microsoft Office Home and Student 2010

Microsoft Office Live Add-in 1.3

Microsoft Office OneNote MUI (English) 2007

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Proof (English) 2007

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2007

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing (English) 2010

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Single Image 2010

Microsoft Office Word MUI (English) 2007

Microsoft Office Word MUI (English) 2010

Microsoft Office XP Professional

Microsoft Search Enhancement Pack

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Web Platform Installer 3.0

Microsoft Works

Move Media Player

Mozilla Firefox 4.0.1 (x86 en-US)

MSCU for Microsoft Vista

MSVCRT

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

muvee autoProducer 6.0

My HP Games

My Webcam Broadcaster

NetWaiting

NVIDIA Drivers

Octoshape add-in for Adobe Flash Player

OGA Notifier 2.0.0048.0

OpenOffice.org Installer 1.0

PSSWCORE

QuickTime

Remote Viewlog

Rhapsody

Rhapsody Player Engine

Roxio Activation Module

Roxio Creator Audio

Roxio Creator Basic v9

Roxio Creator Copy

Roxio Creator Data

Roxio Creator EasyArchive

Roxio Creator Tools

Roxio Express Labeler 3

Roxio MyDVD Basic v9

Sandlot Games Client Services

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2509488)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft Excel 2010 (KB2523021)

Security Update for Microsoft Office 2007 System (KB2541012)

Security Update for Microsoft Office 2010 (KB2289078)

Security Update for Microsoft Office 2010 (KB2289161)

Security Update for Microsoft Office Excel 2007 (KB2541007)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2535818)

Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Security Update for Microsoft PowerPoint 2010 (KB2519975)

Security Update for Microsoft Publisher 2010 (KB2409055)

Security Update for Microsoft Word 2010 (KB2345000)

Serif PagePlus Essentials

Skype Toolbars

Skype 5.3

Sony Picture Utility

Sony USB Driver

SymNet

Synaptics Pointing Device Driver

The Logo Creator v5

The Print Shop® Labels & Logos 4.0.0.0

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 System (KB2539530)

Update for Microsoft Office 2010 (KB2202188)

Update for Microsoft Office 2010 (KB2413186)

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2523113)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

Update for Microsoft OneNote 2010 (KB2493983)

Update for Microsoft Outlook Social Connector (KB2441641)

VNC Free Edition 4.1.2

Windows Live Communications Platform

Windows Live Essentials

Windows Live ID Sign-in Assistant

Windows Live Mail

Windows Live Movie Maker

Windows Live Photo Gallery

Windows Live Sync

Windows Live Upload Tool

Windows Live Writer

WinRAR archiver

Yahoo! Software Update

Yahoo! Toolbar

.

==== Event Viewer Messages From Past Week ========

.

9/7/2011 10:37:24 AM, Error: EventLog [6008] - The previous system shutdown at 10:35:47 AM on 9/7/2011 was unexpected.

9/7/2011 1:24:33 AM, Error: Microsoft-Windows-PrintSpooler [6161] - The document Test Page, owned by crellan, failed to print on printer Lexmark 3600-4600 Series. Try to print the document again, or restart the print spooler. Data type: LEMF. Size of the spool file in bytes: 159068. Number of bytes printed: 159068. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\CRELLAN-PC. Win32 error code returned by the print processor: 0. The operation completed successfully.

9/7/2011 1:01:39 AM, Error: Microsoft-Windows-PrintSpooler [6161] - The document https://www.fedex.com/shipping/html/en//PrintIFrame.html, owned by crellan, failed to print on printer Lexmark 3600-4600 Series. Try to print the document again, or restart the print spooler. Data type: LEMF. Size of the spool file in bytes: 124831. Number of bytes printed: 124831. Total number of pages in the document: 1. Number of pages printed: 0. Client computer: \\CRELLAN-PC. Win32 error code returned by the print processor: 0. The operation completed successfully.

9/6/2011 12:19:21 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070005: Definition Update for Windows Defender - KB915597 (Definition 1.111.1554.0).

9/6/2011 12:05:15 PM, Error: netbt [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 10.50.4.143. The computer with the IP address 10.50.4.173 did not allow the name to be claimed by this computer.

9/6/2011 12:02:04 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.106 for the Network Card with network address 001A736F237E has been denied by the DHCP server 10.50.4.1 (The DHCP Server sent a DHCPNACK message).

9/6/2011 11:55:10 AM, Error: EventLog [6008] - The previous system shutdown at 11:52:46 AM on 9/6/2011 was unexpected.

9/4/2011 3:24:54 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the MBAMService service to connect.

9/4/2011 3:24:54 PM, Error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/4/2011 3:24:46 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.

9/4/2011 3:24:46 PM, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/4/2011 3:22:14 PM, Error: Service Control Manager [7022] - The CyberLink Background Capture Service (CBCS) service hung on starting.

9/4/2011 3:22:14 PM, Error: Service Control Manager [7001] - The CyberLink Task Scheduler (CTS) service depends on the CyberLink Background Capture Service (CBCS) service which failed to start because of the following error: After starting, the service hung in a start-pending state.

9/4/2011 3:21:46 PM, Error: Service Control Manager [7024] - The Windows Firewall service terminated with service-specific error 5 (0x5).

9/4/2011 3:21:46 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Live ID Sign-in Assistant service to connect.

9/4/2011 3:21:46 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.

9/4/2011 3:21:46 PM, Error: Service Control Manager [7000] - The Windows Live ID Sign-in Assistant service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/4/2011 3:21:46 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

9/4/2011 3:21:46 PM, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

9/4/2011 3:20:30 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Send To OneNote 2007 with shared resource name Send To OneNote 2007. Error 2114. The printer cannot be used by others on the network.

9/4/2011 3:20:01 PM, Error: Ntfs [137] - The default transaction resource manager on volume \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 encountered a non-retryable error and could not start. The data contains the error code.

9/4/2011 2:20:23 PM, Error: RemoteAccess [20013] - The communication device attached to port VPN16-1 is not functioning.

9/4/2011 2:20:23 PM, Error: RemoteAccess [20013] - The communication device attached to port VPN16-0 is not functioning.

9/4/2011 1:24:37 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer BDL-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7C8380AB-CE91-49FF-8FAD-A6E933B3EDB. The master browser is stopping or an election is being forced.

9/4/2011 1:17:20 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.106 for the Network Card with network address 001A736F237E has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

.

==== End Of File ===========================


----------



## kevinf80 (Mar 21, 2006)

Please download the *AVP removal tool* and save directly to your Desktop.

Double-click the executable







to install it.










Select your language preference, accept the agreement and click the Start button. You should see something like this:










Click the settings button...it's the small "Gear" icon just to the right of the large yellow button.










Make sure the following boxes are checked:










*System memory
Hidden startup objects
Disk boot sectors
Computer*

...Next, click the Actions link and click the bullet item labeled "Select action". Disinfect and Delete if disinfection fails should already be checked by default...then return to the Automatic Scan tab and click the Start scanning button.










Select "Automatic Scan" then "Start Scan"










If you happen to receive a pop up during the scan which reads "File C:\(FILE NAME.extension)" is password protected, ignore these reports. The program will find any password protected files and report them during the scan. Malicious files that are password protected will be dealt with later as required.

The scan will begin and you will see a progress bar and scanned objects counter.










When the scan completes, the progress bar will disappear.

Click the "Reports" tab icon to the far right, just under the large yellow button. Click on the "Automatic scan report" link, then click the save button.










Save the report to your desktop as Scan 1. The report will be saved as a text file. Please post the contents of that report in your next reply.


----------



## tigron (Jul 15, 2003)

I wasn't able to copy this to the post as it's 84mb. What do you suggest ? I've lost almost a day not thinking and trying to copy and paste it.


----------



## kevinf80 (Mar 21, 2006)

I`m unsure why AVP is returning such large logs, I`m not at home at present so am unable to run a scan on my test PC to check it out.

OK, did the AVP scan actually find/kill anything?

Start Task manager is 3203397148:3809022017.exe still running?

Close all windows, Select > start icon > all programs > accessories > Right click on "command prompt" > select > Run as administrator > ok any alerts > at the command prompt type or copy and paste sfc /scannow > then enter. Type exit when its finished and re-boot your PC. See if that helps with problem start up.

Next,

Please download *Junction.zip* and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive. So it appears as C:\junction.exe

Next, 
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.


```
@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0
```
Save it to your desktop as File name: junc.bat
Save as type: All Files

Next, 
Double click junc.bat to run it. (accept any alerts) A log will be presented. Copy and paste or attach the content of the log in your next reply.

Kevin


----------



## tigron (Jul 15, 2003)

No it didn't kill anything. The process 3203397148:3809022017.exe is gone now. I'm not able to turn on windows firewall. I was able to run Malwarebytes and it found a Trojan.Downloader - c:\\windows\system32\spool\drivers\w32x86\3\DLBAJSWX.exe. sfc /scannow completed with no violations, was > a switch that I was supposed to include ?

Junction v1.06 - Windows junction creator and reparse point viewer

Copyright (C) 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION

Print Name : C:\Users

Substitute Name: C:\Users

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\ComboFix\PV.3XE: Access is denied.

Failed to open \\?\c:\\ComboFix(0)\PV.3XE: Access is denied.

...

...

...

...

...

.
Failed to open \\?\c:\\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe: Access is denied.

...

...
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\winlogon.exe: Access is denied.

...

...

.\\?\c:\\ProgramData\Application Data: JUNCTION

Print Name : C:\ProgramData

Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION

Print Name : C:\Users\Public\Desktop

Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION

Print Name : C:\Users\Public\Documents

Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Favorites: JUNCTION

Print Name : C:\Users\Public\Favorites

Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Start Menu

Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Templates

Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

..
Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5ee26b9889bc1ddaa6816df03c9dadad_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a727abac84c80c4d1d192c473772cf6_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\977b3a91dcd81be1a7d676679ece8b24_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9fc0f03a3ada1a7e16220788332b55d5_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\af5823c5e41329ae07882468403e48ac_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\e22e2bbdf72e7870c8828b76cb7da5fe_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ee4f2cefd80c145b4cf490f4cb729c64_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

...

...

Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\LightningSand.CFD: Access is denied.

Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\Quarantine: Access is denied.

Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\SrtETmp\0D34C7CF.TMP: Access is denied.

Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\SrtETmp\6D95FCBA.TMP: Access is denied.

Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\SrtETmp\75B62D4E.TMP: Access is denied.

Failed to open \\?\c:\\ProgramData\Symantec\SRTSP\SrtETmp\EC945FE7.TMP: Access is denied.

...

...

Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

...

...

...
Failed to open \\?\c:\\System Volume Information\{1ef21d87-da19-11e0-a872-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{6923ed96-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{6923edae-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{6923edc6-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{6923edcc-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{6923edd5-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{6e1a3f56-db05-11e0-b694-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{affb19fb-dce1-11e0-a0bb-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{affb1a0e-dce1-11e0-a0bb-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{b489af11-da11-11e0-8a7f-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{dc5523c3-dc23-11e0-a6f9-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

Failed to open \\?\c:\\System Volume Information\{e1c638d0-da80-11e0-803b-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}: Access is denied.

\\?\c:\\Users\All Users: SYMBOLIC LINK

Print Name : C:\ProgramData

Substitute Name: \??\C:\ProgramData

\\?\c:\\Users\Default User: JUNCTION

Print Name : C:\Users\Default

Substitute Name: C:\Users\Default

\\?\c:\\Users\Administrator\Application Data: JUNCTION

Print Name : C:\Users\Administrator\AppData\Roaming

Substitute Name: C:\Users\Administrator\AppData\Roaming

\\?\c:\\Users\Administrator\Cookies: JUNCTION

Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Administrator\Local Settings: JUNCTION

Print Name : C:\Users\Administrator\AppData\Local

Substitute Name: C:\Users\Administrator\AppData\Local

\\?\c:\\Users\Administrator\My Documents: JUNCTION

Print Name : C:\Users\Administrator\Documents

Substitute Name: C:\Users\Administrator\Documents

\\?\c:\\Users\Administrator\NetHood: JUNCTION

Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Administrator\PrintHood: JUNCTION

Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Administrator\Recent: JUNCTION

Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Administrator\SendTo: JUNCTION

Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Administrator\Start Menu: JUNCTION

Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Administrator\Templates: JUNCTION

Print Name : C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Administrator\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\Administrator\AppData\Local

Substitute Name: C:\Users\Administrator\AppData\Local

\\?\c:\\Users\Administrator\AppData\Local\History: JUNCTION

Print Name : C:\Users\Administrator\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\Administrator\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Administrator\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Administrator\Documents\My Music: JUNCTION

Print Name : C:\Users\Administrator\Music

Substitute Name: C:\Users\Administrator\Music

\\?\c:\\Users\Administrator\Documents\My Pictures: JUNCTION

Print Name : C:\Users\Administrator\Pictures

Substitute Name: C:\Users\Administrator\Pictures

\\?\c:\\Users\Administrator\Documents\My Videos: JUNCTION

Print Name : C:\Users\Administrator\Videos

Substitute Name: C:\Users\Administrator\Videos

\\?\c:\\Users\Administrator.crellan-PC\Application Data: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming

\\?\c:\\Users\Administrator.crellan-PC\Cookies: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Administrator.crellan-PC\Local Settings: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Local

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Local

\\?\c:\\Users\Administrator.crellan-PC\My Documents: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\Documents

Substitute Name: C:\Users\Administrator.crellan-PC\Documents

\\?\c:\\Users\Administrator.crellan-PC\NetHood: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Administrator.crellan-PC\PrintHood: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Administrator.crellan-PC\Recent: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Administrator.crellan-PC\SendTo: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Administrator.crellan-PC\Start Menu: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Administrator.crellan-PC\Templates: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Administrator.crellan-PC\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Local

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Local

\\?\c:\\Users\Administrator.crellan-PC\AppData\Local\History: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Administrator.crellan-PC\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\Administrator.crellan-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files

Failed to open \\?\c:\\Users\Administrator.crellan-PC\Desktop\HijackThis.exe: Access is denied.

\\?\c:\\Users\Administrator.crellan-PC\Documents\My Music: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\Music

Substitute Name: C:\Users\Administrator.crellan-PC\Music

\\?\c:\\Users\Administrator.crellan-PC\Documents\My Pictures: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\Pictures

Substitute Name: C:\Users\Administrator.crellan-PC\Pictures

\\?\c:\\Users\Administrator.crellan-PC\Documents\My Videos: JUNCTION

Print Name : C:\Users\Administrator.crellan-PC\Videos

Substitute Name: C:\Users\Administrator.crellan-PC\Videos

.\\?\c:\\Users\All Users\Application Data: JUNCTION

Print Name : C:\ProgramData

Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Desktop: JUNCTION

Print Name : C:\Users\Public\Desktop

Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Users\All Users\Documents: JUNCTION

Print Name : C:\Users\Public\Documents

Substitute Name: C:\Users\Public\Documents

\\?\c:\\Users\All Users\Favorites: JUNCTION

Print Name : C:\Users\Public\Favorites

Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Start Menu: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Start Menu

Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Templates: JUNCTION

Print Name : C:\ProgramData\Microsoft\Windows\Templates

Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

..
Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\5ee26b9889bc1ddaa6816df03c9dadad_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\8a727abac84c80c4d1d192c473772cf6_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\977b3a91dcd81be1a7d676679ece8b24_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\9fc0f03a3ada1a7e16220788332b55d5_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\af5823c5e41329ae07882468403e48ac_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\e22e2bbdf72e7870c8828b76cb7da5fe_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\ee4f2cefd80c145b4cf490f4cb729c64_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b: Access is denied.

...

...

Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\LightningSand.CFD: Access is denied.

Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\Quarantine: Access is denied.

Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\SrtETmp\0D34C7CF.TMP: Access is denied.

Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\SrtETmp\6D95FCBA.TMP: Access is denied.

Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\SrtETmp\75B62D4E.TMP: Access is denied.

Failed to open \\?\c:\\Users\All Users\Symantec\SRTSP\SrtETmp\EC945FE7.TMP: Access is denied.

...

...

\\?\c:\\Users\crellan\Application Data: JUNCTION

Print Name : C:\Users\crellan\AppData\Roaming

Substitute Name: C:\Users\crellan\AppData\Roaming

\\?\c:\\Users\crellan\Cookies: JUNCTION

Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Cookies

Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\crellan\Local Settings: JUNCTION

Print Name : C:\Users\crellan\AppData\Local

Substitute Name: C:\Users\crellan\AppData\Local

\\?\c:\\Users\crellan\My Documents: JUNCTION

Print Name : C:\Users\crellan\Documents

Substitute Name: C:\Users\crellan\Documents

\\?\c:\\Users\crellan\NetHood: JUNCTION

Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\crellan\PrintHood: JUNCTION

Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\crellan\Recent: JUNCTION

Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\crellan\SendTo: JUNCTION

Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\crellan\Start Menu: JUNCTION

Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\crellan\Templates: JUNCTION

Print Name : C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\crellan\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\crellan\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\crellan\AppData\Local

Substitute Name: C:\Users\crellan\AppData\Local

\\?\c:\\Users\crellan\AppData\Local\History: JUNCTION

Print Name : C:\Users\crellan\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\crellan\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\crellan\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\crellan\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\crellan\AppData\Local\Microsoft\Windows\Temporary Internet Files

...

...

...

...

...\\?\c:\\Users\crellan\Documents\My Music: JUNCTION

Print Name : C:\Users\crellan\Music

Substitute Name: C:\Users\crellan\Music

\\?\c:\\Users\crellan\Documents\My Pictures: JUNCTION

Print Name : C:\Users\crellan\Pictures

Substitute Name: C:\Users\crellan\Pictures

\\?\c:\\Users\crellan\Documents\My Videos: JUNCTION

Print Name : C:\Users\crellan\Videos

Substitute Name: C:\Users\crellan\Videos

.\\?\c:\\Users\Default\Application Data: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming

Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Local Settings: JUNCTION

Print Name : C:\Users\Default\AppData\Local

Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION

Print Name : C:\Users\Default\Documents

Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION

Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION

Print Name : C:\Users\Default\AppData\Local

Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION

Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History

Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION

Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\Documents\My Music: JUNCTION

Print Name : C:\Users\Default\Music

Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION

Print Name : C:\Users\Default\Pictures

Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION

Print Name : C:\Users\Default\Videos

Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\Public\Documents\My Music: JUNCTION

Print Name : C:\Users\Public\Music

Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION

Print Name : C:\Users\Public\Pictures

Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION

Print Name : C:\Users\Public\Videos

Substitute Name: C:\Users\Public\Videos

Failed to open \\?\c:\\Windows\bthservsdp.dat: Access is denied.

...

...

...

...

Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp6296.tmp: Access is denied.

Failed to open \\?\c:\\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspC599.tmp: Access is denied.

...

..
Failed to open \\?\c:\\Windows\System32\mrt.exe: Access is denied.

...

...

...
Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.

...

..


----------



## kevinf80 (Mar 21, 2006)

Run the following:

*Step 1*


 please download *GrantPerms.zip* and save it to your desktop.
 Unzip the file and run GrantPerms.exe
 Copy and paste the following in the edit box:


```
c:\ComboFix\PV.3XE
c:\ComboFix(0)\PV.3XE
c:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Program Files\Malwarebytes' Anti-Malware\winlogon.exe
c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\5ee26b9889bc1ddaa6816d f03c9dadad_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a727abac84c80c4d1d192 c473772cf6_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\977b3a91dcd81be1a7d676 679ece8b24_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\9fc0f03a3ada1a7e162207 88332b55d5_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\af5823c5e41329ae078824 68403e48ac_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\e22e2bbdf72e7870c8828b 76cb7da5fe_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ee4f2cefd80c145b4cf490 f4cb729c64_9b6ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\ProgramData\Symantec\SRTSP\LightningSand.CFD
c:\ProgramData\Symantec\SRTSP\Quarantine
c:\ProgramData\Symantec\SRTSP\SrtETmp\0D34C7CF.TMP
c:\ProgramData\Symantec\SRTSP\SrtETmp\6D95FCBA.TMP
c:\ProgramData\Symantec\SRTSP\SrtETmp\75B62D4E.TMP
c:\ProgramData\Symantec\SRTSP\SrtETmp\EC945FE7.TMP
c:\Qoobox\BackEnv
c:\System Volume Information\{1ef21d87-da19-11e0-a872-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{6923ed96-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{6923edae-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{6923edc6-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{6923edcc-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{6923edd5-db44-11e0-9085-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{6e1a3f56-db05-11e0-b694-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{affb19fb-dce1-11e0-a0bb-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{affb1a0e-dce1-11e0-a0bb-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{b489af11-da11-11e0-8a7f-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{dc5523c3-dc23-11e0-a6f9-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\System Volume Information\{e1c638d0-da80-11e0-803b-0016d3a3dc0e}{3808876b-c176-4e48-b7ae-04046e6cc752}
c:\Users\Administrator.crellan-PC\Desktop\HijackThis.exe
c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\5ee26b9889bc1ddaa6816df03c9dadad_9b6 ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\8a727abac84c80c4d1d192c473772cf6_9b6 ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\977b3a91dcd81be1a7d676679ece8b24_9b6 ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\9fc0f03a3ada1a7e16220788332b55d5_9b6 ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\af5823c5e41329ae07882468403e48ac_9b6 ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\e22e2bbdf72e7870c8828b76cb7da5fe_9b6 ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\ee4f2cefd80c145b4cf490f4cb729c64_9b6 ceae2-5c81-4ef4-879d-d1c2c29f392b
c:\Users\All Users\Symantec\SRTSP\LightningSand.CFD
c:\Users\All Users\Symantec\SRTSP\Quarantine
c:\Users\All Users\Symantec\SRTSP\SrtETmp\0D34C7CF.TMP
c:\Users\All Users\Symantec\SRTSP\SrtETmp\6D95FCBA.TMP
c:\Users\All Users\Symantec\SRTSP\SrtETmp\75B62D4E.TMP
c:\Users\All Users\Symantec\SRTSP\SrtETmp\EC945FE7.TMP
c:\Windows\bthservsdp.dat
c:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp6296.tmp
c:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspC599.tmp..
c:\Windows\System32\mrt.exe
c:\Windows\System32\LogFiles\WMI\RtBackup
```

 Now Click Unlock.
 When it is done click "OK".
 Now click List Permissions and post the result (Perms.txt) that pops up.
 A copy of Perms.txt will be saved in the same directory the tool is run.

*Step 2*

Delete any versions of Combofix that you may have on your Computer, download a fresh copy from either of the following links :-

*Link 1*
*Link 2*


 Ensure that Combofix is saved directly to the Desktop * <--- Very important*

 Disable all security programs as they will have a negative effect on Combofix, instructions available *Here* if required. Be aware the list may not have all programs listed, if you need more help please ask.

 Close any open browsers and any other programs you might have running

 Double click the







icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator)

 Instructions for running Combofix available *Here* if required.

 If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.

 When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

*******Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze* ******

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read *Here* why disabling autoruns is recommended.

*EXTRA NOTES*

 If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
 If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
 If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the two logs in next reply please...

Kevin


----------

