oaktree777
Hi, sorry about that. My internet connection was lost in the middle of typing a reply and it apparently never made it. I ran all of the programs as you recommended. The following log files are copied below: A2, Combofix, win32diag. I attached the Iseeyou.txt because it was really long and I figured it may take up too much space on the email.

To make a long story short: after following your instructions, it looks like the gen.trojan.!IK is gone! The other ones appear to be gone as well. The last A2 scan did not pick up any viruses or malware. Additionally, I ran Malwarebytes just to see what would happen. Before, whatever virus I picked up would interrupt the scan and disable Malwarebytes so it couldn't be run. Malwarebytes is now running too. It seems to pick up some things that A2 doesn't. But I deleted the identified files there too. In case it would be helpful, I added the Malwarebytes text. Please let me know if I should follow any additional procedures other than putting a giant condom over my laptop in the future. Thanks again. Your assistance has been great!

A2 LOG COPIED BELOW:

a-squared Free - Version 4.5
Last update: 10/3/2009 6:02:19 PM

Scan settings:
Scan type: Quick Scan
Objects: Memory, Traces, Cookies
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 10/3/2009 7:59:53 PM

Scanned
Files: 1708
Traces: 645170
Cookies: 132
Processes: 38

Found
Files: 0
Traces: 0
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 10/3/2009 8:02:15 PM
Scan time: 0:02:22

COMBOFIX LOG COPIED BELOW:

ComboFix 09-10-01.05 - Bill O'Brien 10/03/2009 16:59.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.584 [GMT -4:00]
Running from: c:\documents and settings\Bill O'Brien\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\kobosoheh.bin
c:\documents and settings\All Users\Application Data\mahodoqus.com
c:\documents and settings\All Users\Documents\ecurojin._dl
c:\documents and settings\All Users\track.sys
c:\documents and settings\Bill O'Brien\Application Data\obehuhirud.scr
c:\documents and settings\Bill O'Brien\Local Settings\Application Data\ygyzelonag.bat
C:\p2hhr.bat
c:\program files\awywon
c:\program files\awywon\hcipsysguard.exe
c:\program files\Common Files\laheradif.dll
c:\program files\Common Files\moji.pif
c:\windows\biguxehos.sys
c:\windows\Downloaded Program Files\Downloaded Program Files
c:\windows\Installer\2cabcf9.msp
c:\windows\Installer\2cabd01.msp
c:\windows\Installer\4d0f32b.msp
c:\windows\run.log
c:\windows\syssvc.exe
c:\windows\system32\_000013_.tmp.dll
c:\windows\system32\41.exe
c:\windows\system32\bLlnmnnn.ini
c:\windows\system32\detebutu.dll
c:\windows\system32\dim
c:\windows\system32\dPI19
c:\windows\system32\dutujahi.exe
c:\windows\system32\fuhaleke.dll
c:\windows\system32\gp2
c:\windows\system32\guhehodi.exe
c:\windows\system32\hilivoze.dll
c:\windows\system32\hisekeke.exe
c:\windows\system32\ID2
c:\windows\system32\iehelper.dll
c:\windows\system32\juriyuyi.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\maligoha.exe
c:\windows\system32\nijopido.exe
c:\windows\system32\nsprs.dll
c:\windows\system32\onaxefegyq.pif
c:\windows\system32\pegeseyi.exe
c:\windows\system32\ssprs.dll
c:\windows\system32\tizovawe.dll
c:\windows\system32\tuwejipe.dll
c:\windows\system32\wefihipe.exe
c:\windows\system32\yosutihe.dll
c:\windows\system32\zibuyubo.dll
c:\windows\twain_30.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_tdssserv.sys
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.
2009-10-03 19:07 . 2009-10-03 19:07 -------- d-----w- C:\!KillBox
2009-10-03 18:48 . 2005-01-14 06:41 11254 ----a-w- c:\windows\system32\locate.com
2009-10-03 16:49 . 2009-10-03 16:49 -------- d-----w- C:\ISeeYouXP
2009-10-03 16:49 . 2009-10-03 20:48 -------- d-----w- c:\program files\ExplorerXP
2009-10-03 16:48 . 2009-10-03 16:48 -------- d-----w- c:\program files\a-squared HiJackFree
2009-10-03 13:33 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 13:32 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-02 12:59 . 2009-10-03 18:02 -------- d-----w- c:\program files\a-squared Free
2009-10-02 11:17 . 2009-10-02 11:17 0 ----a-w- c:\windows\nsreg.dat
2009-10-02 11:17 . 2009-10-02 11:17 -------- d-----w- c:\documents and settings\Bill O'Brien\Local Settings\Application Data\Mozilla
2009-10-01 10:10 . 2009-10-01 10:10 -------- d-----w- c:\documents and settings\Bill O'Brien\Application Data\8540052764
2009-09-30 11:18 . 2009-10-02 12:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-29 23:06 . 2009-10-02 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\12473754
2009-09-29 23:01 . 2009-10-03 21:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-29 15:37 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-29 15:36 . 2009-09-29 15:36 -------- d-----w- c:\program files\Avira
2009-09-28 12:08 . 2009-10-03 13:20 0 ----a-w- c:\windows\win32k.sys
2009-09-23 18:04 . 2009-09-23 18:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-09-16 20:51 . 2009-09-16 20:51 13696 ----a-w- c:\windows\system32\drivers\wpsnuio.sys
2009-09-16 20:51 . 2009-09-16 20:51 -------- d-----w- c:\documents and settings\Bill O'Brien\Local Settings\Application Data\Skyhook Wireless
2009-09-13 13:53 . 2009-09-13 14:00 -------- d-----w- C:\budget
2009-09-13 13:45 . 2009-09-13 13:45 -------- d-----w- c:\documents and settings\Bill O'Brien\Application Data\Webroot
2009-09-13 13:45 . 2009-09-13 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-09-13 13:21 . 2009-09-13 13:45 164 ----a-w- c:\windows\install.dat
2009-09-13 12:21 . 2009-09-13 21:39 -------- d-----w- c:\program files\Webroot
2009-09-13 12:21 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-09-12 12:01 . 2009-09-29 17:43 -------- d-----w- C:\belgium
2009-09-11 22:36 . 2009-09-23 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\gwr
2009-09-11 21:19 . 2009-09-11 21:19 12724 ----a-w- c:\windows\adyhaha.com
2009-09-11 20:50 . 2009-09-11 21:56 -------- d-----w- C:\sh4ldr
2009-09-09 11:21 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 11:24 . 2009-07-03 11:24 52736 --sha-w- c:\windows\system32\degipeme.dll
2009-10-03 11:24 . 2009-07-03 11:24 89088 --sha-w- c:\windows\system32\fujegifu.dll
2009-10-02 21:32 . 2009-01-17 22:30 -------- d-----w- c:\program files\RealArcade
2009-10-02 21:30 . 2007-10-06 01:01 -------- d-----w- c:\program files\Common Files\AOL
2009-10-02 21:30 . 2007-10-06 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-02 13:26 . 2008-11-22 14:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-02 12:46 . 2009-02-05 17:07 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-01 23:11 . 2009-07-01 23:11 50688 --sha-w- c:\windows\system32\mivalivo.dll
2009-10-01 23:11 . 2009-07-01 23:11 91136 --sha-w- c:\windows\system32\lilofati.dll
2009-10-01 17:23 . 2007-09-26 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-10-01 10:11 . 2009-07-01 10:10 50176 --sha-w- c:\windows\system32\bidiyije.dll
2009-09-30 11:10 . 2009-06-30 11:10 39424 --sha-w- c:\windows\system32\dezifamu.dll
2009-09-29 11:06 . 2009-06-29 11:06 53248 --sha-w- c:\windows\system32\deporare.dll
2009-09-29 11:06 . 2009-06-29 11:06 36864 --sha-w- c:\windows\system32\hopawiki.dll
2009-09-24 11:28 . 2007-09-26 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-24 11:28 . 2007-09-26 16:03 -------- d-----w- c:\program files\McAfee
2009-09-13 13:22 . 2009-09-13 13:22 775168 ----a-w- c:\windows\isRS-000.tmp
2009-08-25 17:54 . 2009-07-01 22:55 -------- d-----w- c:\documents and settings\Bill O'Brien\Application Data\dvdcss
2009-08-23 13:22 . 2007-10-02 13:20 70672 ----a-w- c:\documents and settings\Bill O'Brien\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 12:47 . 2009-08-23 12:47 -------- d-----w- c:\program files\MSBuild
2009-08-23 12:46 . 2009-08-23 12:46 -------- d-----w- c:\program files\Reference Assemblies
2009-08-17 16:12 . 2007-11-15 17:05 -------- d-----w- c:\program files\Picasa2
2009-08-15 20:10 . 2009-08-15 20:10 -------- d-----w- c:\program files\Microsoft Picture It! 7
2009-08-05 09:01 . 2004-08-04 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-01 23:11 . 2009-07-01 23:11 50688 --sha-w- c:\windows\system32\tazofehu.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74e98632-f013-423c-a5c3-c520163d1f28}]
2009-07-01 23:11 50688 --sha-w- c:\windows\system32\tazofehu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"VM30xSnap"="c:\windows\VM30xSnap.exe" [2007-02-05 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Qualcomm\Eudora\EuShlExt.dll" [2006-08-17 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\WINDOWS\\VM30xSnap.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HPZIPM12.EXE"=

S1 2093de44;2093de44;c:\windows\system32\drivers\2093de44.sys [1/29/2009 11:42 AM 0]
S1 orerthdy;orerthdy;\??\c:\windows\system32\drivers\orerthdy.sys --> c:\windows\system32\drivers\orerthdy.sys [?]
S2 cpnwr;cpnwr;c:\windows\system32\drivers\jjve.sys --> c:\windows\system32\drivers\jjve.sys [?]
S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]
S3 VM30xx86;Vimicro USB PC Camera (ZC030x);c:\windows\system32\drivers\vm30xx86.sys [3/22/2008 8:01 PM 1294336]
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-26 c:\windows\Tasks\ParetoLogic Privacy Controls_{3CEEF1D2-AA8F-11DE-AE79-0012F0AB7742}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-09-26 c:\windows\Tasks\ParetoLogic Privacy Controls_{5FAAE77E-AAA0-11DE-AE7A-0012F0AB7742}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-09-24 c:\windows\Tasks\ParetoLogic Privacy Controls_{7D54321D-A92F-11DE-AE75-0012F0AB7742}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-09-07 c:\windows\Tasks\ParetoLogic Privacy Controls_{D801D5B4-C20E-11DD-AD82-0012F0AB7742}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-03-01 c:\windows\Tasks\ParetoLogic Privacy Controls_{EC89D382-069D-11DE-ADD3-8AEF67650B1F}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-10-02 c:\windows\Tasks\ParetoLogic Privacy Controls_{F34EE94C-AEFD-11DE-AE93-0012F0AB7742}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-09-19 c:\windows\Tasks\ParetoLogic Privacy Controls_{FC2C06F0-A564-11DE-AE6D-0012F0AB7742}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2008-11-25 16:30]

2009-09-29 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2009-09-10 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
mLocal Page = \blank.htm
mStart Page = hxxp://www.google.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: advancedmd.com
FF - ProfilePath - c:\documents and settings\Bill O'Brien\Application Data\Mozilla\Firefox\Profiles\z60eckcq.default\
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{385F2EEB-EF59-4400-9156-CEF1C3B303BD} - c:\windows\system32\iehelper.dll
HKLM-Run-Acrobat Assistant 8.0 - c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
HKLM-Run-jakiduwab - c:\windows\system32\tizovawe.dll
HKLM-Run-julafinire - zibuyubo.dll
SharedTaskScheduler-{eb847b3d-b9c8-4e93-bc88-ddd3807a0ab4} - (no file)
SharedTaskScheduler-{3d5bdeda-38b8-489d-b16f-21d245c24ff6} - (no file)
SharedTaskScheduler-{6138dd23-ff27-4634-812f-c7dc2291c1b0} - (no file)
SharedTaskScheduler-{057c2cce-49f2-4b21-bcd0-a8a0b79dccf4} - c:\windows\system32\tizovawe.dll
SSODL-beyopazod-{eb847b3d-b9c8-4e93-bc88-ddd3807a0ab4} - (no file)
SSODL-bojuluteg-{3d5bdeda-38b8-489d-b16f-21d245c24ff6} - (no file)
SSODL-ketinikel-{6138dd23-ff27-4634-812f-c7dc2291c1b0} - (no file)
SSODL-dukibapaf-{057c2cce-49f2-4b21-bcd0-a8a0b79dccf4} - c:\windows\system32\tizovawe.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 17:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3836)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\a-squared Free\a2service.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-10-03 17:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-03 21:10

Pre-Run: 64,104,075,264 bytes free
Post-Run: 64,021,123,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

284 --- E O F --- 2009-09-10 07:04

WIN32DIAG LOG COPIED BELOW:

Running from: C:\Documents and Settings\Bill O'Brien\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Bill O'Brien\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\addins\addins Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP12D.tmp\ZAP12D.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E1.tmp\ZAP1E1.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\temp\temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\tmp\tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Config\Config Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d1\d1 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d2\d2 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d3\d3 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d4\d4 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d5\d5 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d6\d6 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d7\d7 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d8\d8 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\chsime\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : 
C:\WINDOWS\ime\CHTIME\Applets\Applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imejp\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imejp98\imejp98 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\shared\res\res Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000030\8.0.0\8.0.0 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\java\classes\classes Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\java\trustlib\trustlib Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\msapps\msinfo\msinfo Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps Mount point destination : \Device\__max++>\^ Found mount point : 
C:\WINDOWS\pchealth\helpctr\batch\batch Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\PIF\PIF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1025\1025 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1028\1028 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1031\1031 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1037\1037 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1041\1041 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1042\1042 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1054\1054 Mount point destination : \Device\__max++>\^ 
Found mount point : C:\WINDOWS\system32\2052\2052 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\3076\3076 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1592454029-839522115-1003\S-1-5-21-515967899-1592454029-839522115-1003 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Proof\Proof Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Templates\Templates Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop Mount point destination : \Device\__max++>\^ Found mount point : 
C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.MSO\Content.MSO Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.Word\Content.Word Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\dhcp\dhcp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\export\export Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : 
C:\WINDOWS\system32\LogFiles\WUDF\WUDF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 10\Shockwave 10 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\sample\sample Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\DriverFiles Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\mof\good\good Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wins\wins Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\xircom\xircom Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Mount point destination : \Device\__max++>\^ Found mount point : 
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2 Mount point destination : \Device\__max++>\^ Finished! MALWAREBYTES LOG COPIED BELOW: Malwarebytes' Anti-Malware 1.41 Database version: 2902 Windows 5.1.2600 Service Pack 3 10/3/2009 8:25:35 PM mbam-log-2009-10-03 (20-25-35).txt Scan type: Quick Scan Objects scanned: 100622 Time elapsed: 4 minute(s), 2 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 1 Registry Values Infected: 5 Registry Data Items Infected: 3 Folders Infected: 4 Files Infected: 14 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\piyudijo.dll (Trojan.Vundo.H) -> Delete on reboot. Registry Keys Infected: HKEY_CLASSES_ROOT\CLSID\{172e7c1f-6113-4cd3-b1a9-57c8abb8d268} (Trojan.Vundo.H) -> Delete on reboot. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jakiduwab (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{172e7c1f-6113-4cd3-b1a9-57c8abb8d268} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\jalaforef (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0369133145 (Rogue.SecurityTool) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\julafinire (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\piyudijo.dll -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\piyudijo.dll -> Delete on reboot. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\12473754 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill O'Brien\Application Data\0369133145 (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill O'Brien\Application Data\8540052764 (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\gwr (Rogue.GreenAV) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\piyudijo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Bill O'Brien\Application Data\0369133145\0369133145.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yepogofa.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12473754\12473754 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12473754\pc12473754ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill O'Brien\Application Data\0369133145\0369133145.bat (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill O'Brien\Application Data\0369133145\0369133145.cfg (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill O'Brien\Application Data\8540052764\8540052764.bat (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bill O'Brien\Application Data\8540052764\8540052764.cfg (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\gwr\Viruses.dat (Rogue.GreenAV) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\deporare.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dezifamu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mivalivo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
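The Malwarebytes log in this post reports the same Vundo DLL three ways: as a loaded module, as the AppInit_DLLs value that injects it, and as a file, all marked "Delete on reboot" rather than "Quarantined". The parser below is an example added here, not Malwarebytes code and not something the poster ran: it separates what was already removed from what is still pending until the next reboot (the items worth confirming with a fresh scan afterwards, as the poster did), and labels each registry item by the autostart mechanism it abuses. The sample log is a subset of the one above, and the mechanism descriptions in PERSISTENCE are this example's own mapping.

```python
"""Split a Malwarebytes log into 'already removed' and 'pending until reboot',
and label registry items by the autostart mechanism they abuse.

Added example for this thread; it is not Malwarebytes code and the
mechanism descriptions in PERSISTENCE are this example's own mapping.
"""
import re
from collections import Counter

# Constructed sample: a subset of the Malwarebytes log above, one entry per line.
MBAM_SAMPLE = """\
Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\jakiduwab (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler\\{172e7c1f-6113-4cd3-b1a9-57c8abb8d268} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\jalaforef (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\0369133145 (Rogue.SecurityTool) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\\windows\\system32\\piyudijo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\\WINDOWS\\system32\\piyudijo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\\WINDOWS\\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# Registry path fragment (lower-case) -> what loads the entry.  Author's mapping.
PERSISTENCE = [
    ("\\currentversion\\run\\", "Run key: started at user logon"),
    ("\\shellserviceobjectdelayload\\", "ShellServiceObjectDelayLoad: CLSID loaded by explorer.exe"),
    ("\\explorer\\sharedtaskscheduler\\", "SharedTaskScheduler: CLSID loaded by explorer.exe"),
    ("\\appinit_dlls", "AppInit_DLLs: DLL mapped into every process that loads user32.dll"),
    ("\\security center\\", "Security Center setting: suppresses alerts, loads nothing"),
]

# '<item> (<signature>) -> <action text>'
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<sig>[^()]+)\) -> (?P<rest>.+)$")


def classify(item):
    """Return the PERSISTENCE label matching a registry path, else None."""
    low = item.lower()
    for needle, label in PERSISTENCE:
        if needle in low:
            return label
    return None


def parse_mbam(text):
    """Parse every '<item> (<signature>) -> <action>' line; section headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        data = re.search(r"Data: (.+?) -> ", rest)   # only Registry Data Items carry this
        entries.append({
            "item": m.group("item"),
            "signature": m.group("sig"),
            "data": data.group(1) if data else None,
            "pending": rest.endswith("Delete on reboot."),
            "mechanism": classify(m.group("item")),
        })
    return entries


def pending_items(entries):
    """Items Malwarebytes could not remove while the system was running."""
    return [e["item"] for e in entries if e["pending"]]


def loader_to_payload(entries):
    """Autostart entries that name the file they load (AppInit_DLLs carries it in Data:)."""
    return {e["item"]: e["data"] for e in entries if e["mechanism"] and e["data"]}


def mechanism_counts(entries):
    """How many flagged registry items per autostart mechanism."""
    return Counter(e["mechanism"] for e in entries if e["mechanism"])


if __name__ == "__main__":
    entries = parse_mbam(MBAM_SAMPLE)
    for label, n in mechanism_counts(entries).items():
        print(f"{n}  {label}")
    print("pending until reboot:")
    for item in pending_items(entries):
        print("  ", item)
    for loader, payload in loader_to_payload(entries).items():
        print(f"{loader}\n    -> {payload}")
```

The "pending" list is the one to re-check: a "Delete on reboot" item is only gone if the scheduled deletion actually ran, which is why a second scan after restarting (as in this post) is the confirmation that matters.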
  2. Hi and thanks for your speedy reply. I followed the instructions and I think everything went okay. The logs from the a2 scan and hijack this are copied below. Interestingly, when I reran the a2 scan (after running atf, explorerxp), the gen.trojan!ik didn't show up on the a2 scan.

A2 scan results:

a-squared Free - Version 4.5
Last update: 10/2/2009 9:06:49 AM

Scan settings:

Scan type: Deep Scan
Objects: Memory, Traces, Cookies, C:\

Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 10/3/2009 12:57:06 PM

[1780] C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK
C:\Avenger\eventlog.dll detected: Trojan.Win32.Sirefef!IK
C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK

Scanned

Files: 105534
Traces: 645170
Cookies: 89
Processes: 37

Found

Files: 2
Traces: 0
Cookies: 0
Processes: 1
Registry keys: 0

Scan end: 10/3/2009 2:02:16 PM
Scan time: 1:05:10

Hijack this Log

Name  ProcessID  Priority  Location
a2hijackfree.exe  2648  Normal  C:\Program Files\a-squared HiJackFree\a2hijackfree.exe
a2service.exe  1296  Normal  C:\Program Files\a-squared Free\a2service.exe
alg.exe  3124  Normal  C:\WINDOWS\System32\alg.exe
ati2evxx.exe  1048  Normal  C:\WINDOWS\system32\Ati2evxx.exe
ati2evxx.exe  1572  Normal  C:\WINDOWS\system32\Ati2evxx.exe
atiptaxx.exe  1216  Normal  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
csrss.exe  796  Normal  C:\WINDOWS\system32\csrss.exe
ctfmon.exe  1568  Normal  C:\WINDOWS\system32\ctfmon.exe
Dot1XCfg.exe  2520  Normal  C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
EvtEng.exe  1360  Normal  C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
explorer.exe  1668  Normal  C:\WINDOWS\Explorer.EXE
HPZIPM12.EXE  2124  Normal  C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
iexplore.exe  1780  Normal  C:\Program Files\Internet Explorer\iexplore.exe
iFrmewrk.exe  1272  Normal  C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
iPodService.exe  2560  Normal  C:\Program Files\iPod\bin\iPodService.exe
iTunesHelper.exe  1368  Normal  C:\Program Files\iTunes\iTunesHelper.exe
lsass.exe  880  Normal  C:\WINDOWS\system32\lsass.exe
Mctray.exe  916  Normal  C:\Program Files\McAfee\Common Framework\McTray.exe
MDM.EXE  2088  Normal  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
RegSrvc.exe  2248  Normal  C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
S24EvMon.exe  1772  Normal  C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
services.exe  868  Normal  C:\WINDOWS\system32\services.exe
smss.exe  748  Normal  C:\WINDOWS\System32\smss.exe
spoolsv.exe  544  Normal  C:\WINDOWS\system32\spoolsv.exe
svchost.exe  1060  Normal  C:\WINDOWS\system32\svchost.exe
svchost.exe  1164  Normal  C:\WINDOWS\system32\svchost.exe
svchost.exe  1308  Normal  C:\WINDOWS\System32\svchost.exe
svchost.exe  1932  Normal  C:\WINDOWS\system32\svchost.exe
svchost.exe  236  Normal  C:\WINDOWS\system32\svchost.exe
svchost.exe  1136  Normal  C:\WINDOWS\system32\svchost.exe
svchost.exe  2336  Normal  C:\WINDOWS\system32\svchost.exe
System  4  Normal  N/A
System Idle Processes  0  Idle  N/A
UdaterUI.exe  1280  Normal  C:\Program Files\McAfee\Common Framework\UdaterUI.exe
VM30xSnap.exe  1288  Normal  C:\WINDOWS\VM30xSnap.exe
winlogon.exe  820  High  C:\WINDOWS\system32\winlogon.exe
WINWORD.EXE  436  Normal  C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
WkUFind.exe  1524  Normal  C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
WLKEEPER.exe  1860  Normal  C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
ZCfgSvc.exe  1260  Normal  C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

Thanks.
  3. Hi, I am new here and have been reading other remedies for the gen.trojan!IK virus that is found on my a2 scan. When I attempt to delete it, a Windows shutdown message comes up and turns off my computer with a countdown of 60 sec. I have not been able to run any other malware removal programs either. They disappear and disable when attempting to scan. The a2 scan also cannot remove a file called system32\iehelper.dll. The a2 scan report is copied below. After that I copied the win32kdiag report. Thanks for any help you can provide. This has been very frustrating!

a-squared Free - Version 4.5
Last update: 10/2/2009 9:06:49 AM

Scan settings:

Scan type: Smart Scan
Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files

Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 10/3/2009 9:56:01 AM

[1168] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[1312] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[1676] C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK
[1988] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[236] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[512] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[2156] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[2516] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[2620] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[1344] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[1344] C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK
[3044] \\?\globalroot\Device\__max++>\54C61D40.x86.dll detected: Gen.Trojan!IK
[3044] C:\WINDOWS\system32\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK
C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][1].txt detected: Trace.TrackingCookie.247realmedia!A2
C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][1].txt detected: Trace.TrackingCookie.atdmt!A2
C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][2].txt detected: Trace.TrackingCookie.casalemedia!A2
C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][2].txt detected: Trace.TrackingCookie.cms!A2
C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][1].txt detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][2].txt detected: Trace.TrackingCookie.doubleclick!A2
C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][2].txt detected: Trace.TrackingCookie.fastclick!A2
C:\Documents and Settings\Bill O'Brien\Cookies\bill_o'[email protected][2].txt detected: Trace.TrackingCookie.tribalfusion!A2

Scanned

Files: 2354
Traces: 645170
Cookies: 341
Processes: 41

Found

The win32kdiag report is provided below (I saw that most helpers request this).

Running from: C:\Documents and Settings\Bill O'Brien\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Bill O'Brien\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP12D.tmp\ZAP12D.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E1.tmp\ZAP1E1.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Downloaded Program Files\Downloaded Program Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA3301004F7706000000000030\8.0.0\8.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-1592454029-839522115-1003\S-1-5-21-515967899-1592454029-839522115-1003
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Proof\Proof
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Templates\Templates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.MSO\Content.MSO
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.Word\Content.Word
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dim\dim
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\dPI19\dPI19
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 06:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
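The two logs in this post point at the same object from different directions: a-squared reports 54C61D40.x86.dll loaded in many processes from \\?\globalroot\Device\__max++>\, and Win32kDiag reports dozens of directories under C:\WINDOWS whose mount point destination is \Device\__max++>\^. A junction created through the normal Windows API targets a \??\ path (a drive letter or a Volume{GUID}), so a reparse point aimed at a raw \Device\ object is worth a second look on its own. The script below is an example added here, not part of Win32kDiag, a-squared or the poster's steps: it parses the "Found mount point : ... Mount point destination : ..." pairs (robustly, even when a forum has run them together on one line as above), keeps only destinations outside \??\, and joins them to the scanner's globalroot detections by device name. The Win32kDiag excerpt is taken from this post with one hypothetical benign Volume{GUID} junction added as a negative case; the two a-squared lines are copied from above.

```python
"""Triage helper for Win32kDiag 'Found mount point' output.

Added example for this thread; it is not part of Win32kDiag, a-squared or
anything the poster ran.  It parses the 'Found mount point :' /
'Mount point destination :' pairs even when they have been run together on
one line, keeps the destinations that are not ordinary \\??\\ junction
targets, and joins them to scanner detections reported under the same
\\\\?\\globalroot\\Device\\... object.
"""
import re

# Constructed sample: an excerpt of the Win32kDiag output in this thread,
# flattened onto one line as it appears above, plus one hypothetical benign
# junction (C:\WINDOWS\Temp\Junk, not in the real log) as a negative case.
WIN32KDIAG_SAMPLE = (
    "Searching 'C:\\WINDOWS'... "
    "Found mount point : C:\\WINDOWS\\Config\\Config "
    "Mount point destination : \\Device\\__max++>\\^ "
    "Found mount point : C:\\WINDOWS\\CSC\\d1\\d1 "
    "Mount point destination : \\Device\\__max++>\\^ "
    "Found mount point : C:\\WINDOWS\\system32\\wbem\\mof\\bad\\bad "
    "Mount point destination : \\Device\\__max++>\\^ "
    "Found mount point : C:\\WINDOWS\\Temp\\Junk "   # hypothetical, not in the log
    "Mount point destination : \\??\\Volume{12345678-0000-0000-0000-000000000000}\\ "
    "Cannot access: C:\\WINDOWS\\system32\\dumprep.exe"
)

# Constructed sample: two detection lines copied from the a-squared log above.
A2_SAMPLE = [
    "[1168] \\\\?\\globalroot\\Device\\__max++>\\54C61D40.x86.dll detected: Gen.Trojan!IK",
    "[1676] C:\\WINDOWS\\system32\\iehelper.dll detected: Trojan.Win32.FakeSpypro!IK",
]

PAIR_RE = re.compile(
    r"Found mount point : (?P<src>.+?) Mount point destination : (?P<dst>\S+)"
)
A2_DETECTION_RE = re.compile(r"^(?:\[\d+\] )?(?P<path>.+?) detected: (?P<sig>\S+)$")


def parse_mount_points(text):
    """Return [(mount_point, destination), ...] in log order."""
    return [(m.group("src"), m.group("dst")) for m in PAIR_RE.finditer(text)]


def is_suspicious_destination(dst):
    """Ordinary junctions target '\\??\\<drive>:' or '\\??\\Volume{GUID}';
    anything else (a raw '\\Device\\...' object) was not made the usual way."""
    return not dst.startswith("\\??\\")


def device_prefix(nt_path):
    """'\\Device\\<name>\\...' -> '\\Device\\<name>'; None for non-device paths.
    Also accepts the '\\\\?\\globalroot' spelling scanners print for the same object."""
    p = nt_path
    if p.lower().startswith("\\\\?\\globalroot"):
        p = p[len("\\\\?\\globalroot"):]
    parts = p.split("\\")            # ['', 'Device', '__max++>', ...]
    if len(parts) >= 3 and parts[1].lower() == "device":
        return "\\".join(parts[:3])
    return None


def correlate(win32kdiag_text, a2_lines):
    """For every device object that is the target of a suspicious mount point,
    collect the mount points and any scanner detections living under it."""
    hits = {}
    for src, dst in parse_mount_points(win32kdiag_text):
        if not is_suspicious_destination(dst):
            continue
        dev = device_prefix(dst) or dst
        hits.setdefault(dev, {"mount_points": [], "detections": []})
        hits[dev]["mount_points"].append(src)
    for line in a2_lines:
        m = A2_DETECTION_RE.match(line)
        if not m:
            continue
        dev = device_prefix(m.group("path"))
        if dev in hits:
            hits[dev]["detections"].append((m.group("path"), m.group("sig")))
    return hits


if __name__ == "__main__":
    for dev, info in correlate(WIN32KDIAG_SAMPLE, A2_SAMPLE).items():
        print(f"{dev}: {len(info['mount_points'])} mount point(s), "
              f"{len(info['detections'])} detection(s)")
        for src in info["mount_points"]:
            print("  junction ", src)
        for path, sig in info["detections"]:
            print("  detected ", path, sig)
```

A device object that both hides a DLL the scanner can see loaded in every process and backs a mass of reparse points under C:\WINDOWS is the component to deal with first; removing iehelper.dll or the Run-key entries while it is still active only treats the symptoms, which matches the poster's experience of scanners being shut down mid-scan.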