Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 08-16-2009, 07:28 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 34
OS: Vista


nasty virus please help

Hi, I haven't been here in a while, but now I've got a different PC with another nasty virus. I can't run any scans, and Spybot cannot open; a window pops up saying I don't have proper permissions. I ran an internet scan and found out a bunch of temporary files are infected. This computer is running Windows XP and is a couple of years old. Thanks in advance!



DDS (Ver_09-07-30.01) - NTFSx86
Run by Rufus at 20:24:37.72 on 08/16/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.251 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Rufus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: ALOT Toolbar BHO: {14ceeaff-96dd-4101-ae37-d5ecdc23c3f6} - c:\program files\alot\bin\alot.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AIMPro] "c:\program files\aim\aim pro\aimpro.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} - hxxp://zone.msn.com/bingame/rock/default/popcaploader1.cab
DPF: {54FF454A-8F37-4406-8797-4C3607918A85} - hxxp://192.168.254.118/ami/install/amiviewer.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} - hxxp://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab72888.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
DPF: {C487F60B-59B9-47D9-BFDF-AB26786F8823} - hxxp://zone.msn.com/bingame/zpagames/zpa_stoo.cab62201.cab
DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} - hxxp://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} - hxxp://zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/cnma/default/cinematycoon.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://sympatico.zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn.agmc.org/dana-cached/setup/JuniperSetupSP1.cab
DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} - hxxp://zone.msn.com/bingame/swet/default/Sweetopia.1.0.0.46.cab
DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/CheckersZPA.cab55579.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-27 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-27 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-27 144704]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2007-3-23 200192]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-27 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-27 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-27 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-27 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-27 40552]
S2 0077961250434241mcinstcleanup;McAfee Application Installer Cleanup (0077961250434241);c:\windows\temp\007796~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\007796~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-12 24652]

=============== Created Last 30 ================

2009-08-16 19:49 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-08-16 19:49 <DIR> --d----- c:\program files\Panda Security
2009-08-16 19:25 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-16 19:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-16 11:30 <DIR> --dsh--- c:\windows\Installer
2009-08-16 01:09 24,576 a------- c:\windows\system32\tapi.nfo
2009-08-16 01:07 15,000 a------- c:\windows\system32\hs7f3uhduhfukde.dll
2009-08-16 01:07 10,752 a------- C:\yihw.exe
2009-08-16 01:07 121,344 a------- C:\djos.exe
2009-08-16 01:04 0 a--sh--- C:\942711389
2009-08-12 12:21 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 12:21 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 14:48 3,252 a------- c:\windows\system32\wbem\Outlook_01ca107d23ff5d58.mof
2009-07-21 11:08 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-21 11:08 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-21 11:07 21,504 a------- c:\windows\system32\drivers\hidserv.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll

============= FINISH: 20:25:50.63 ===============
Attached Files
File Type: zip attach.zip (4.9 KB, 8 views)
sr277 is offline  
Old 08-16-2009, 10:20 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,526
OS: 2000 Pro; XP Pro; XP Home


Re: nasty virus please help

Hello -

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from this location:

    Link 1

    * IMPORTANT !!! Place it on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here

    How to disable McAfee:
    • Please open McAfee Security Centre
    • Under Common Tasks click on Home
    • Click Computer Files
    • Click Configure
    • Make sure the following are disabled by ticking the "Off" button.
      Virus protection
      Spyware protection
      System Guards Protection
      Script Scanning Protection (you may have to scroll down to see it)
    • Next, select never for "When to re-enable real time scanning"
    • and click OK.
    Further info on disabling and re-enabling McAfee: http://help.aol.com/help/microsites/...ernalID=222820


    How to disable Spybot's Tea Timer

    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent our tools from fixing certain things.
    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.
    • See this link for a tutorial


  3. Double click on the file you downloaded & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 08-17-2009, 05:47 PM   #3 (permalink)

Re: nasty virus please help

Hi, and thanks for helping me out. First off, I got McAfee to disable, but I can't open Spybot S&D. There is a message saying I don't have "the appropriate permissions to access the item". Also, ComboFix isn't scanning. It shows the program making a registry backup, then it shows two messages saying access denied before trying to scan.
sr277 is offline  
Old 08-17-2009, 06:36 PM   #4 (permalink)

Re: nasty virus please help

Don't worry about Spybot for now.

Can you be more precise with the error messages from ComboFix, please?

Also...

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\ntelogon.dll C:\Windows\eventlog.dll>Log.txt
START Log.txt
DEL %0
Save this as peek.bat. Choose to "Save type as - All Files".
It should look like this:
Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.
tetonbob is offline  
Old 08-17-2009, 06:53 PM   #5 (permalink)

Re: nasty virus please help

I took a screen shot (attached to post) where the computer shows the access denied message. After this, ComboFix tries to run but doesn't do anything; I left it running for half an hour without anything happening. And here's the log you wanted.

Volume in drive C has no label.
Volume Serial Number is 3830-A25D

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 60,928 eventlog.dll
3 File(s) 649,216 bytes

Total Files Listed:
9 File(s) 1,936,896 bytes
0 Dir(s) 65,528,164,352 bytes free
sr277 is offline  
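The peek.bat in post #4 lists every copy of scecli.dll, netlogon.dll, ntelogon.dll and eventlog.dll, and the Log.txt in post #5 shows one copy per directory with its size. As an added example (not part of this thread or of the helper's tools), the Python below parses that DIR output and flags any file whose live copy in system32 differs in size from the known-good copy under ServicePackFiles\i386; the directory names, file names and sample text are taken from the log above, and the split into a parser, a comparison and a "not found" check is my own.

```python
"""Flag system DLL copies whose size disagrees with the Service Pack copy.

Added example. peek.bat (post #4) runs 'DIR /a/s' for four DLL names and
Log.txt (post #5) shows one "Directory of ..." header per hit followed by a
date, time, size and name line. Windows XP keeps a known-good copy of these
files under ServicePackFiles\\i386, so a system32 copy of a different size
is a lead worth confirming with a hash or scanner result, which is what the
helper asks for next. Size alone is not proof: a post-SP hotfix can
legitimately replace a system32 copy too.
"""
import re
from collections import defaultdict

LIVE_DIR = r"c:\windows\system32"
REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"
# The four names peek.bat searches for (post #4).
REQUESTED = ["scecli.dll", "netlogon.dll", "ntelogon.dll", "eventlog.dll"]

# "Directory of C:\WINDOWS\system32" header emitted by DIR /s.
DIR_RE = re.compile(r"^\s*Directory of\s+(.+?)\s*$")
# "04/13/2008 08:12 PM 181,248 scecli.dll"; \s+ also accepts DIR's column padding.
FILE_RE = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}(?:\s*[AP]M)?\s+([\d,]+)\s+(.+?)\s*$"
)

# Constructed sample: the Log.txt posted in post #5 with blank lines dropped.
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 3830-A25D
 Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 08:00 AM 180,224 scecli.dll
 Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 08:00 AM 407,040 netlogon.dll
 Directory of C:\WINDOWS\$NtServicePackUninstall$
08/04/2004 08:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes
 Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:12 PM 181,248 scecli.dll
 Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:12 PM 407,040 netlogon.dll
 Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes
 Directory of C:\WINDOWS\system32
04/13/2008 08:12 PM 181,248 scecli.dll
 Directory of C:\WINDOWS\system32
04/13/2008 08:12 PM 407,040 netlogon.dll
 Directory of C:\WINDOWS\system32
04/13/2008 08:11 PM 60,928 eventlog.dll
3 File(s) 649,216 bytes
Total Files Listed:
9 File(s) 1,936,896 bytes
0 Dir(s) 65,528,164,352 bytes free
"""


def parse_dir_listing(text):
    """Map each file name (lower-cased) to {directory (lower-cased): size in bytes}."""
    copies = defaultdict(dict)
    current_dir = None
    for line in text.splitlines():
        header = DIR_RE.match(line)
        if header:
            current_dir = header.group(1).lower()
            continue
        entry = FILE_RE.match(line)
        if entry and current_dir is not None:
            size = int(entry.group(1).replace(",", ""))
            copies[entry.group(2).lower()][current_dir] = size
    return dict(copies)


def find_size_mismatches(copies, live_dir=LIVE_DIR, reference_dir=REFERENCE_DIR):
    """Return (name, live_size, reference_size) for every file present in both
    directories whose two sizes differ; an empty list means nothing to chase."""
    findings = []
    for name in sorted(copies):
        live = copies[name].get(live_dir)
        ref = copies[name].get(reference_dir)
        if live is not None and ref is not None and live != ref:
            findings.append((name, live, ref))
    return findings


def missing_names(copies, requested=REQUESTED):
    """Requested names DIR found nowhere. For a look-alike name such as
    ntelogon.dll, absence is the expected (clean) result."""
    return [name for name in requested if name not in copies]


if __name__ == "__main__":
    found = parse_dir_listing(SAMPLE_DIR_OUTPUT)
    for name, live, ref in find_size_mismatches(found):
        print(f"{name}: system32 copy {live} bytes, Service Pack copy {ref} bytes")
    print("not found anywhere:", ", ".join(missing_names(found)))
```

On the posted log this reports only eventlog.dll (60,928 bytes in system32 against 56,320 in ServicePackFiles\i386), which matches the file the helper sends to VirusTotal next; the script does not decide whether that copy is malicious.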
Old 08-17-2009, 06:55 PM   #6 (permalink)

Re: nasty virus please help

Oh, sorry, I forgot to attach the screenshot. Here it is.
Attached Images
File Type: bmp untitled.bmp (659.6 KB, 16 views)
sr277 is offline  
Old 08-17-2009, 07:23 PM   #7 (permalink)

Re: nasty virus please help

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:

    • C:\WINDOWS\system32\eventlog.dll
tetonbob is offline  
Old 08-17-2009, 07:36 PM   #8 (permalink)

Re: nasty virus please help

OK, here is the result of the first file, but the second one keeps bringing up a message saying the site received zero bytes.

File eventlog.dll received on 2009.08.18 01:35:53 (UTC)
Current status: finished
Result: 0/41 (0%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.17 -
AhnLab-V3 5.0.0.2 2009.08.17 -
AntiVir 7.9.1.1 2009.08.17 -
Antiy-AVL 2.0.3.7 2009.08.17 -
Authentium 5.1.2.4 2009.08.17 -
Avast 4.8.1335.0 2009.08.17 -
AVG 8.5.0.406 2009.08.17 -
BitDefender 7.2 2009.08.18 -
CAT-QuickHeal 10.00 2009.08.17 -
ClamAV 0.94.1 2009.08.18 -
Comodo 2005 2009.08.18 -
DrWeb 5.0.0.12182 2009.08.18 -
eSafe 7.0.17.0 2009.08.17 -
eTrust-Vet 31.6.6683 2009.08.18 -
F-Prot 4.4.4.56 2009.08.16 -
F-Secure 8.0.14470.0 2009.08.18 -
Fortinet 3.120.0.0 2009.08.17 -
GData 19 2009.08.18 -
Ikarus T3.1.1.68.0 2009.08.18 -
Jiangmin 11.0.800 2009.08.17 -
K7AntiVirus 7.10.820 2009.08.17 -
Kaspersky 7.0.0.125 2009.08.18 -
McAfee 5712 2009.08.17 -
McAfee+Artemis 5712 2009.08.17 -
McAfee-GW-Edition 6.8.5 2009.08.17 -
Microsoft 1.4903 2009.08.17 -
NOD32 4343 2009.08.17 -
Norman 6.01.09 2009.08.17 -
nProtect 2009.1.8.0 2009.08.17 -
Panda 10.0.0.14 2009.08.17 -
PCTools 4.4.2.0 2009.08.17 -
Prevx 3.0 2009.08.18 -
Rising 21.43.04.00 2009.08.17 -
Sophos 4.44.0 2009.08.18 -
Sunbelt 3.2.1858.2 2009.08.17 -
Symantec 1.4.4.12 2009.08.18 -
TheHacker 6.3.4.3.383 2009.08.13 -
TrendMicro 8.950.0.1094 2009.08.17 -
VBA32 3.12.10.9 2009.08.18 -
ViRobot 2009.8.17.1887 2009.08.17 -
VirusBuster 4.6.5.0 2009.08.17 -
Additional information
File size: 56320 bytes
MD5...: 6d4feb43ee538fc5428cc7f0565aa656
SHA1..: 20df622631e9e0a3212ae79e6b2289316fd6c12e
SHA256: 4091d82537198562f0ca1d032b2d4bec75101342b7bca7778fda2d515300bc36
ssdeep: 1536:5HR5vjbM7s2sUtAcx9vZVoQ1BE7vzzxA:5rvjgA9a1rZVHMrzx
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2637
timedatestamp.....: 0x4802a0ba (Mon Apr 14 00:09:30 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc309 0xc400 6.49 30b4564463dc53fe690fef3f90909cfe
.data 0xe000 0x3a0 0x400 1.34 f51974f7b5fe926fc7833c337729e7ba
.rsrc 0xf000 0x558 0x600 3.08 0eebbcb11d856770bc6ea513edecf8bf
.reloc 0x10000 0x9d0 0xa00 6.66 93d41c53d5b8160080e1c77ff9af280b

( 8 imports )
> ADVAPI32.dll: SetServiceStatus, GetTokenInformation, OpenProcessToken, LookupAccountSidW, GetLengthSid, CopySid, IsValidSid, OpenThreadToken, CheckTokenMembership, IsWellKnownSid, RegisterServiceCtrlHandlerW, RegOpenKeyExW, RegCreateKeyExW, RegDeleteValueW, RegQueryValueExW, RegSetValueExW, RegFlushKey, RegCloseKey
> KERNEL32.dll: GetTimeFormatW, GetDateFormatW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, DisableThreadLibraryCalls, LoadLibraryA, InterlockedCompareExchange, DelayLoadFailureHook, GetCurrentProcess, SetFileAttributesW, WaitForSingleObject, AddAtomA, LocalFree, InterlockedExchange, OpenProcess, GetWindowsDirectoryW, lstrcatW, lstrcmpiW, InterlockedIncrement, InterlockedDecrement, CreateThread, GetCurrentThread, LoadLibraryW, Sleep, lstrcpyW, WaitForMultipleObjects, TerminateThread, CloseHandle, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetEvent, GetModuleHandleW, GetProcAddress, GetLastError, CreateEventW, InitAtomTable, DeleteAtom, LoadLibraryExW, FormatMessageW, FreeLibrary, GetComputerNameW, GetVersionExW, GetSystemTime, SystemTimeToTzSpecificLocalTime, FindAtomA
> msvcrt.dll: _wcsicmp, wcscpy, wcslen, _ltow, memmove, wcscmp, wcsncpy, wcsncat, _except_handler3, _wtoi, swprintf, _local_unwind2, _wcsnicmp, _vsnwprintf, mbstowcs, wcstombs, wcscat
> ntdll.dll: NtOpenProcess, NtDuplicateObject, RtlAcquireResourceExclusive, RtlAcquireResourceShared, RtlReleaseResource, RtlFreeUnicodeString, NtQueryInformationFile, NtCreateFile, NtReadFile, NtWriteFile, RtlEnterCriticalSection, RtlLeaveCriticalSection, NtCreateEvent, RtlQueueWorkItem, RtlExpandEnvironmentStrings_U, RtlDosPathNameToNtPathName_U, RtlAreAllAccessesGranted, NtNotifyChangeKey, RtlNtStatusToDosError, RtlAllocateAndInitializeSid, NtOpenKey, RtlCopyUnicodeString, RtlDeleteResource, NtQueryValueKey, RtlDeregisterWait, RtlRegisterWait, NtEnumerateKey, RtlInitUnicodeString, RtlUnicodeStringToAnsiString, RtlFreeAnsiString, NtSetValueKey, NtOpenThreadToken, NtClose, RtlLengthSid, RtlTimeToSecondsSince1970, NtQuerySystemTime, RtlAnsiStringToUnicodeString, RtlDeleteSecurityObject, NtCreatePort, RtlRaiseStatus, NtCompleteConnectPort, NtAcceptConnectPort, NtReplyWaitReceivePort, RtlCreateUserSecurityObject, NtSetInformationThread, NtAdjustPrivilegesToken, NtDuplicateToken, NtOpenProcessToken, NtPrivilegeObjectAuditAlarm, NtPrivilegeCheck, NtOpenObjectAuditAlarm, NtAccessCheck, NtCloseObjectAuditAlarm, RtlInitializeCriticalSection, RtlInitializeResource, RtlDeleteCriticalSection, NtOpenFile, NlsMbCodePageTag, RtlxUnicodeStringToAnsiSize, NtSetInformationFile, NtExtendSection, RtlAllocateHeap, RtlCreateHeap, NtQueryAttributesFile, NtCreateSection, NtMapViewOfSection, RtlCompareMemory, NtUnmapViewOfSection, NtFlushVirtualMemory, RtlFreeHeap, NtPulseEvent
> PSAPI.DLL: GetModuleFileNameExW
> RPCRT4.dll: I_RpcBindingIsClientLocal, I_RpcMapWin32Status, RpcRevertToSelf, RpcImpersonateClient, RpcStringFreeW, RpcStringBindingParseW, RpcBindingServerFromClient, RpcBindingFree, NdrServerCall2, I_RpcBindingInqLocalClientPID, RpcServerRegisterIfEx, RpcServerUseProtseqEpW, RpcBindingToStringBindingW
> USER32.dll: MessageBoxW
> WS2_32.dll: -, -, -, -

( 1 exports )
SvcEntry_Eventlog
PDFiD.: -
RDS...: NSRL Reference Data Set
-
Old 08-17-2009, 07:46 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,526
OS: 2000 Pro; XP Pro; XP Home


Re: nasty virus please help

That's fine on the second file, and not unexpected. Don't keep trying.

I'll have new instructions for you shortly.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 08-17-2009, 07:48 PM   #10 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 34
OS: Vista


Re: nasty virus please help

Alright, and thanks for the quick replies!
Old 08-17-2009, 08:04 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,526
OS: 2000 Pro; XP Pro; XP Home


Re: nasty virus please help

I'd like you to try something for me.

Delete the current version of the tool you downloaded. Download it once again from the same link in post #2.

Ensure McAfee is disabled as previously instructed.

Reboot the machine into Safe Mode with Networking.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (then choose Safe Mode with Networking from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account.

Run the file once again, according to the previous instructions.
Old 08-17-2009, 08:29 PM   #12 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 34
OS: Vista


Re: nasty virus please help

Sorry, ComboFix still didn't run.
Old 08-17-2009, 08:36 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,526
OS: 2000 Pro; XP Pro; XP Home


Re: nasty virus please help

Ok, from normal mode now...
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Code:
    Files to move:
    C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard, button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

Once the machine has rebooted, try running the version of ComboFix previously downloaded.
Old 08-18-2009, 02:05 PM   #14 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 34
OS: Vista


Re: nasty virus please help

Hi, I ran Avenger and got this log, but ComboFix still isn't running.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Aug 17 22:42:28 2009

22:42:28: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
Old 08-18-2009, 02:21 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,526
OS: 2000 Pro; XP Pro; XP Home


Re: nasty virus please help

Please run the batch file in post #4 once again, and post the results.

Also....if there's a folder, C:\ComboFix, please delete it.
Old 08-18-2009, 02:29 PM   #16 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 34
OS: Vista


Re: nasty virus please help

Alright, I did the scan; I also deleted the folder.

Volume in drive C has no label.
Volume Serial Number is 3830-A25D

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 08:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 08:12 PM 407,040 netlogon.dll
2 File(s) 588,288 bytes

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 08:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
8 File(s) 1,875,968 bytes
0 Dir(s) 65,405,538,304 bytes free
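The listing above compares the same DLLs across system32, the ServicePackFiles cache and the service-pack uninstall folder by eye. As an added example (not the thread's batch file or peek.bat), this Python script parses such a `dir` listing and flags any system32 file whose cache copy is missing or differs in size; the embedded listing is a constructed excerpt of the one posted, with the sizes shown there.

```python
import re
from collections import defaultdict

# Constructed excerpt of the `dir` listing posted above (sizes as shown there).
DIR_OUTPUT = """
 Directory of C:\\WINDOWS\\$NtServicePackUninstall$

08/04/2004 08:00 AM 180,224 scecli.dll
08/04/2004 08:00 AM 407,040 netlogon.dll
08/04/2004 08:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll

 Directory of C:\\WINDOWS\\system32

04/13/2008 08:12 PM 181,248 scecli.dll
04/13/2008 08:12 PM 407,040 netlogon.dll
04/13/2008 08:11 PM 56,320 eventlog.dll
"""

LIVE_DIR = r"C:\WINDOWS\system32"
CACHE_DIR = r"C:\WINDOWS\ServicePackFiles\i386"

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, comma-grouped size, file name (no spaces in names, as in the post);
# summary lines such as "3 File(s) 643,072 bytes" do not match and are skipped
FILE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)$")


def parse_dir_listing(text):
    """Return {filename: {directory: (size_bytes, 'date time')}} from `dir` output."""
    files = defaultdict(dict)
    current = None  # directory the following entries belong to
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line.strip())
        if m and current is not None:
            date, time, size, name = m.groups()
            files[name.lower()][current] = (int(size.replace(",", "")), f"{date} {time}")
    return dict(files)


def compare_system32(files, live=LIVE_DIR, cache=CACHE_DIR):
    """Flag each live DLL whose cache copy is missing or differs in size.
    A size match is only a first-pass filter; a hash comparison is the real test."""
    findings = {}
    for name in sorted(files):
        locations = files[name]
        if live not in locations:
            continue
        live_size = locations[live][0]
        if cache not in locations:
            findings[name] = "no cache copy to compare"
        elif locations[cache][0] != live_size:
            findings[name] = f"size mismatch: live {live_size} vs cache {locations[cache][0]}"
    return findings
```

On the posted listing this reports only eventlog.dll, because the Avenger script moved (rather than copied) the cache copy into system32, so there is no longer a cache copy to check it against.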
Old 08-18-2009, 02:45 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,526
OS: 2000 Pro; XP Pro; XP Home


Re: nasty virus please help

I've attached a file to this post. Download it, and unzip the contents to their own folder.

Inside the folder, you'll see peek.bat

Please double click on it to run it. This batch file may take a while to run. A log file should eventually open. Please attach that log file to your next reply.
Old 08-18-2009, 03:08 PM   #18 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 34
OS: Vista


Re: nasty virus please help

Um... there isn't a peek.bat file in the zip. Could you explain what I should be doing again?
Old 08-18-2009, 03:16 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,526
OS: 2000 Pro; XP Pro; XP Home


Re: nasty virus please help

Hmm, my archiving didn't seem to do what it should have.

Let's try this again with the zip file attached. Same as before, download it, unzip it to its own folder, and run the peek.bat file.
Attached Files
File Type: zip peek.zip (44.8 KB, 8 views)
Old 08-18-2009, 03:26 PM   #20 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 34
OS: Vista


Re: nasty virus please help

Alright, I got the log, and there's A LOT of things that say access denied, like on ComboFix.


Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\5ca59aa40ab458ce22b5377b516a0ceb_44201686-56bb-41be-89c0-484e9ccd687b: Access is denied.


Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Symantec\SRTSP\LightningSand.CFD: Access is denied.


Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\asferror.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\connectionmanager.xml: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\connectionmanager_stub.xml: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\contentdirectory.xml: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\contentdirectory_stub.xml: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\eula.txt: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\l3codecp.acm: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\legitlibm.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\mediareceiverregistrar.xml: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\mediareceiverregistrar_stub.xml: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\mpvis.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\setup_wm.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\spuninst.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\spupdsvc.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\unregmp2.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\update: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmccds.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmccfg.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmccpl.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmcsci.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_bw120.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_bw120.png: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_bw32.bmp: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_bw32.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_bw48.bmp: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_bw48.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_bw48.png: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_color120.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_color120.png: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_color32.bmp: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_color32.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_color48.bmp: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_color48.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmc_color48.png: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmdbexport.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmerror.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmlaunch.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmp.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmp11.chm: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmp11.inf: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpasf.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpband.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpdxm.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpeffects.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpenc.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpencen.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmplayer.adm: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmplayer.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmploc.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpmde.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnetwk.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnscfg.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnssci.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_bw120.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_bw120.png: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_bw32.bmp: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_bw32.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_bw48.bmp: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_bw48.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_bw48.png: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_color120.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_color120.png: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_color32.bmp: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_color32.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_color48.bmp: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_color48.jpg: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpnss_color48.png: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpps.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpshare.exe: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpshell.dll: Access is denied.



Failed to open \\?\c:\\fb0d230eabf2d491203d59ee\wmpsrcwp.dll: Access is denied.


Failed to open \\?\c:\\Program Files\McAfee\VirusScan\mcods.exe: Access is denied.


Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.



\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e



Failed to open \\?\c:\\WINDOWS\system32\attrib.exe: Access is denied.


Failed to open \\?\c:\\WINDOWS\system32\findstr.exe: Access is denied.


Failed to open \\?\c:\\WINDOWS\system32\wbem\Logs\NTEVT.log: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\wbem\Logs\WBEMSNMP.log: Access is denied.


 


Copyright 2001 - 2009, Tech Support Forum