A very robust virus

I have a virus of some sort that is evading all scanning by shutting down any scanning program that scans for files. I have tried every program that one of the forum members had, and only received limited information from it, because most of the features got it shut down.

This is the original thread.

This is all I was able to get from RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/19 12:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6F81000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADD0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP8686
Image Path: \Driver\PCI_PNP8686
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5E2E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spmh.sys
Image Path: spmh.sys
Address: 0xBA6A6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBABA8000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xBAA18000 Size: 61440 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 240 Status: -

Path: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PID: 536 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 572 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 620 Status: -

Path: C:\Program Files\AVG\AVG8\avgrsx.exe
PID: 624 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 644 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 688 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 712 Status: -

Path: C:\PROGRA~1\AVG\AVG8\avgnsx.exe
PID: 776 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 876 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 956 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1052 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1176 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1220 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1380 Status: -

Path: C:\WINDOWS\system32\wuauclt.exe
PID: 1464 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1624 Status: -

Path: C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
PID: 1660 Status: -

Path: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
PID: 1696 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 1776 Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 1780 Status: -

Path: C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
PID: 1872 Status: -

Path: C:\WINDOWS\system32\nvsvc32.exe
PID: 1920 Status: -

Path: C:\WINDOWS\system32\PnkBstrA.exe
PID: 1964 Status: -

Path: C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
PID: 2016 Status: -

Path: C:\WINDOWS\system32\wuauclt.exe
PID: 2104 Status: -

Path: C:\WINDOWS\system32\rundll32.exe
PID: 2248 Status: -

Path: C:\PROGRA~1\AVG\AVG8\avgtray.exe
PID: 2368 Status: -

Path: C:\Documents and Settings\\Desktop\RootRepeal.exe
PID: 2612 Status: -

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PID: 2876 Status: -

Path: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 2948 Status: -

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
PID: 3684 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 3976 Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba8f887e

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spmh.sys" at address 0xba6c5ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spmh.sys" at address 0xba6c6032

#: 119 Function Name: NtOpenKey
Status: Hooked by "spmh.sys" at address 0xba6a70c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spmh.sys" at address 0xba6c610a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spmh.sys" at address 0xba6c5f8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba8f8bfe

==EOF==

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:

• Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
• Notepad will open with the results.
• Follow the instructions that pop up for posting the results.
• Close the program window, and delete the program from your desktop.

Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

Unfortunately, DDS, as well as essentially all other scanning tools do nothing. I can get at most a few limited scans from RootRepeal, but none of the others I have tried at the request of the person helping me previously.

To go into more detail as to the problem, DDS starts, then a command prompt window appears but disappears almost instantly. Upon taking a screenshot, I verified that it was DDS and it was not reporting any errors. This is identical to what happens every other time I attempt to scan with anything else.

Hi VDOgamez,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please update me about the current condition of your computer and we will go on from there.

My computer can run most programs normally, from word processors to games, but every time I try to scan with anything, be it AVG, Malwarebytes, or DDS, the program immediately closes at the start of the scan and the program takes away my permissions to run it. Restoring permissions does nothing other than allowing me to run it and fail again. The computer is running very slow in general. Additionally, my desktop background changed to the "Active Desktop Recovery" error message, but it does nothing. I must note that I had no active desktop. The display menu does not let me change the background. Additionally, my internet browser is acting odd. When I start Firefox, I am directed to, instead of my home page, a Google search for that URL. The actual setting for the home page is normal, though. More annoyingly, whenever I try to click on one of the main links that results from a Google search, I am redirected to a random web page. These are mostly obscure sites, but I have wound up on some known legitimate sites, too. Another annoyance is that Flash programs often do not work at all. They show up as a blank white screen and the right-click menu states, "Movie has not loaded..." Any attempts to update Flash are fruitless; the installers just crash, much in the same way as the scanning programs. Sometimes images will refuse to load for me, no matter how many times I refresh the page. Java applets work normally for me, and indeed everything else does too, aside from the immense slowness. Another weird thing I have noticed while looking through the processes running in the task manager is that there are many suspect processes running. These include an instance of iexplore.exe that actually corresponds to the real Internet Explorer executable. When I close it, I sometimes get an IE error window. It always restarts. There are many other suspect processes that I could list for you if you need me to with a RootRepeal report of the running processes. RootRepeal is the only scan I can get any information from, and only on some of the scans. I also have access to a bootable USB that I could use to scan if it helps.

Thanks for the detailed feedback. The computer is infected with a new kind of rootkit and more. It needs special treatment and we have to take them out step by step. Meanwhile please don't run any scans any more.

• Download and run Win32kDiag:
  • Download Win32kDiag from any of the following locations and save it to your Desktop.
    • Download Win32kDiag (Win32kDiag.exe) - #1
    • Download Win32kDiag (Win32kDiag.exe) - #2
    • Download Win32kDiag (Win32kDiag.exe) - #3
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
• Click on Start->Run, and copy-paste the following command (the bold text) into the "Open" box, and click OK:
  
  cmd /c dir /a/s %systemdrive%\eventlog.dll %systemdrive%\scecli.dll %systemdrive%\netlogon.dll >log.txt&log.txt
  
  A command window will opens wait until it finished. A log.txt file opens, copy and paste the content the log to your reply.

When I attempt to run that program I get an error:
16 bit MS-DOS Subsystem
C\DOCUME~1\Sean\Desktop\WIN32K~1.EXE
The NTVDM CPU has encountered an illegal instruction.
CS:0e1c IP:0111 OP:63 72 69 70 74 Chose 'Close' to terminate the application.
[Close] [Ignore]

Pressing ignore terminates it as well.

Okay, please perform the second step.

That crashes immediately, too.

First set Windows to be able to see all hidden, system files and extensions.

How to see Hidden files in Windows

Then using windows explorer or Windows search find the file in bold:

C:\Windows\system32\logevent.dll

Right-click it and select Properties. Please note down and report the exact size of it in bytes.

Oh, I see what you're doing. It's 56,320 bytes.

• Go to start > Run copy/paste the following line in the run box and click OK.
  
  sc config eventlog start= disabled
  
  A window flashes, it is normal.
  
  
• Important: Reboot.
  
  
• Don't use your copy on the desktop. It is corrupted by the malware. Download Win32kDiag from any of the following locations and save it On the C drive.
  • Download Win32kDiag (Win32kDiag.exe) - #1
  • Download Win32kDiag (Win32kDiag.exe) - #2
  • Download Win32kDiag (Win32kDiag.exe) - #3
  We need to run the tool with the following command to fix some malware related changes.
  
  Click on Start->Run, and copy-paste the following command (the bold text) into the "Open" box, and click OK:
  
  "C:\win32kdiag.exe" -f -r
  
  When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
  
  
  
• This time we want to run ComboFix. This is a major step. Please be precise and make sure rename and save it on your desktop and let it download install the Recovery Console.
  
  
  Download Combofix from any of the links below. You must rename it to iexplore.exe before saving it. Save it to your desktop.
  
  Link 1
  Link 2
  Link 3
  
  
  
  --------------------------------------------------------------------
  Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  
  Right-click the renamed Combofix. Select Properties. Press Unblock, then Apply and OK. Double click it & follow the prompts. If ComboFix needed to reboot please allow it and let it reboot to normal mode to run (by itself) again.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.
  Note:
  Do not mouseclick combofix's window while it's running. That may cause it to stall

Sorry this took so long to post; I just got a job (Ironically as tech support). After running combofix, I noticed noted improvement all about my computer. It seems that at least the worst of the virus problems are fixed. Is there anything else I need to do to suppliment this? Here are my reports:

---Win32kDiag---
Running from: C:\win32kdiag.exe

Log file at : C:\Documents and Settings\Sean\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB956744\KB956744

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB956744\KB956744

Found mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB956844\KB956844

Found mount point : C:\WINDOWS\$hf_mig$\KB960859\KB960859

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB960859\KB960859

Found mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB968389\KB968389

Found mount point : C:\WINDOWS\$hf_mig$\KB971557\KB971557

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971557\KB971557

Found mount point : C:\WINDOWS\$hf_mig$\KB971657\KB971657

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971657\KB971657

Found mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB971961-IE8\KB971961-IE8

Found mount point : C:\WINDOWS\$hf_mig$\KB972260-IE8\KB972260-IE8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB972260-IE8\KB972260-IE8

Found mount point : C:\WINDOWS\$hf_mig$\KB973354\KB973354

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB973354\KB973354

Found mount point : C:\WINDOWS\$hf_mig$\KB973507\KB973507

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB973507\KB973507

Found mount point : C:\WINDOWS\$hf_mig$\KB973869\KB973869

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB973869\KB973869

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\AppPatch\Custom\Custom

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11D.tmp\ZAP11D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP11D.tmp\ZAP11D.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13.tmp\ZAP13.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13.tmp\ZAP13.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP159.tmp\ZAP159.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP159.tmp\ZAP159.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP192.tmp\ZAP192.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP192.tmp\ZAP192.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP273.tmp\ZAP273.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP273.tmp\ZAP273.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP46.tmp\ZAP46.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP46.tmp\ZAP46.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDF.tmp\ZAPDF.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPDF.tmp\ZAPDF.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Cache\Cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cache\Cache

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\2c95b28351986132d7f36dd28eece9b0\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\678162639e69c808c1768ab6340eae25\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\678162639e69c808c1768ab6340eae25\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\6b4e49f1a78b9558feeb103a07b06a32\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\6b4e49f1a78b9558feeb103a07b06a32\update\update.exe

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\9cf59263a134ab3fbbee78365a2fa5fc\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\c263092dccc247f68a43cfee93ecc72d\update\update.exe

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\c6bdb40c9241b85d304fd5cdfbebec2f\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\c6bdb40c9241b85d304fd5cdfbebec2f\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\fbadf956b1f29cd6cc8927434ddbc900\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\121973\121973

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\121973\121973

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\Adobe\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Adobe\update\update

Cannot access: C:\WINDOWS\system32\CF26882.exe

Attempting to restore permissions of : C:\WINDOWS\system32\CF26882.exe

Found mount point : C:\WINDOWS\system32\config\RCCBakup\RCCBakup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\RCCBakup\RCCBakup

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Collab\Collab

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\Preferences\Preferences

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\0\0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\0\0

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\1\1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\1\1

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\10\10

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\11\11

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\11\11

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\12\12

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\12\12

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\13\13

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\13\13

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\14\14

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\14\14

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\15

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\15

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\16\16

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\16\16

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\17\17

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\17\17

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\18\18

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\18\18

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\19

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\19

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\2\2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\2\2

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\20\20

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\20\20

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\21\21

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\21\21

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\22

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\22

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\23\23

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\23\23

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\24\24

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\24\24

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\25\25

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\25\25

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\26\26

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\26\26

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\27\27

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\27\27

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\28

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\28

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\29\29

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\29\29

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\3\3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\3\3

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\30\30

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\30\30

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\31\31

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\31\31

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32\32

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32\32

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\33

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\33

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\34\34

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\34\34

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\35\35

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\35\35

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\36\36

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\36\36

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\37\37

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\37\37

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\38\38

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\38\38

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\39\39

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\39\39

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\4\4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\4\4

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\40\40

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\40\40

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\41\41

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\41\41

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\42\42

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\42\42

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\43\43

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\43\43

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\44\44

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\44\44

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\45

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\45

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\46\46

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\46\46

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\47\47

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\47\47

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\48\48

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\48\48

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\49

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\49

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\5\5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\5\5

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\50

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\50

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\51\51

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\51\51

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\52\52

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\52\52

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\53

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\53

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\54\54

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\54\54

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\55\55

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\55\55

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\56\56

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\56\56

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\57\57

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\57\57

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\58\58

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\58\58

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\59\59

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\59\59

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\6\6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\6\6

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\60\60

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\60\60

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\61\61

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\61\61

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\62

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\62

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\63\63

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\63\63

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\7\7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\7\7

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\8

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\9

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\9

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\host\host

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\host\host

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\muffin\muffin

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\muffin\muffin

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\tmp\tmp

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\log\log

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\log\log

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\DirectX\websetup\websetup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\DirectX\websetup\websetup

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Discrete Storage\Discrete Storage

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Discrete Storage\Discrete Storage

Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Temp\Temp

Found mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Test Storage\Test Storage

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\E177E04D548C4006A465EEB92D3DE021\Test Storage\Test Storage

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\lowsec\lowsec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\lowsec\lowsec

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Cookies\Cookies

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Found mount point : C:\WINDOWS\Temp\GUM12.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUM12.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\Temp\GUM17F.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUM17F.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\Temp\GUM1EEC.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\GUM1EEC.tmp\CrashReports\CrashReports

Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Found mount point : C:\WINDOWS\Temp\_ISTMP0.DIR\_ISTMP0.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP0.DIR\_ISTMP0.DIR

Found mount point : C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP1.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP1.DIR\_ISTMP1.DIR

Found mount point : C:\WINDOWS\Temp\_ISTMP11.DIR\_ISTMP11.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP11.DIR\_ISTMP11.DIR

Found mount point : C:\WINDOWS\Temp\_ISTMP2.DIR\_ISTMP2.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP2.DIR\_ISTMP2.DIR

Found mount point : C:\WINDOWS\Temp\_ISTMP3.DIR\_ISTMP3.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP3.DIR\_ISTMP3.DIR

Found mount point : C:\WINDOWS\Temp\_ISTMP4.DIR\_ISTMP4.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP4.DIR\_ISTMP4.DIR

Found mount point : C:\WINDOWS\Temp\_ISTMP5.DIR\_ISTMP5.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP5.DIR\_ISTMP5.DIR

Found mount point : C:\WINDOWS\Temp\_ISTMP6.DIR\_ISTMP6.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP6.DIR\_ISTMP6.DIR

Found mount point : C:\WINDOWS\Temp\_ISTMP7.DIR\_ISTMP7.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP7.DIR\_ISTMP7.DIR

Found mount point : C:\WINDOWS\Temp\_ISTMP8.DIR\_ISTMP8.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP8.DIR\_ISTMP8.DIR

Found mount point : C:\WINDOWS\Temp\_ISTMP9.DIR\_ISTMP9.DIR

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_ISTMP9.DIR\_ISTMP9.DIR

Found mount point : C:\WINDOWS\Temp\_isTmp_{8675309}\_isTmp_{8675309}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_isTmp_{8675309}\_isTmp_{8675309}

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!

------

---ComboFix---
ComboFix 09-10-19.01 - Sean 10/19/2009 16:56.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2038 [GMT -5:00]
Running from: c:\documents and settings\Sean\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Sean\LOCALS~1\Temp\csrss.exe
c:\docume~1\Sean\LOCALS~1\Temp\lsass.exe
c:\docume~1\Sean\LOCALS~1\Temp\services.exe
c:\docume~1\Sean\LOCALS~1\Temp\svchost.exe
c:\docume~1\Sean\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Sean\LOCALS~1\Temp\winlogon.exe
C:\emxtqjit.exe
C:\fyblb.exe
C:\osps.exe
C:\p2hhr.bat
C:\pvewnn.exe
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Installer\25cf1394.msi
c:\windows\Installer\304b8cff.msi
c:\windows\Installer\52d5c2f.msi
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\sonce122730.dat
c:\windows\st_1243189306.exe
c:\windows\st_1243207739.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\bennuar.old
c:\windows\system32\braviax.exe
c:\windows\system32\charset.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\cru629.dat
c:\windows\system32\lowsec
c:\windows\system32\onhelp.htm
c:\windows\system32\skynet.dat
c:\windows\system32\SKYNETetymrslk.dll
c:\windows\system32\SKYNETiavlalqj.dat
c:\windows\system32\SKYNETlog.dat
c:\windows\system32\SKYNETrkvkllov.dll
c:\windows\system32\SKYNETwsp.dll
c:\windows\system32\SKYNETwxtqfwxi.dat
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\tmp71.tmp
c:\windows\system32\tmp72.tmp
c:\windows\system32\web.dat
c:\windows\system32\winhelper.dll
c:\windows\system32\wisdstr.exe
c:\windows\uxajopev.dll

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100


((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-20 00:26 . 2009-10-20 00:26 -------- d-----w- c:\windows\LastGood
2009-10-19 21:46 . 2009-10-19 21:46 47104 ----a-w- C:\Win32kDiag.exe
2009-10-14 20:07 . 2009-10-14 20:07 120 ----a-w- c:\documents and settings\Neal\Local Settings\Application Data\Mkelijoyigere.dat
2009-10-09 22:55 . 2009-10-10 01:19 -------- d-----w- c:\program files\Darkwind
2009-09-30 21:27 . 2009-09-30 21:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-22 20:09 . 2009-09-22 20:09 -------- d-----w- c:\documents and settings\Neal\Local Settings\Application Data\{6EE04210-12F5-4ECA-A015-6EC946D0D234}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-19 22:09 . 2007-10-11 23:19 -------- d-----w- c:\documents and settings\Sean\Application Data\U3
2009-10-19 20:42 . 2009-08-28 11:53 120 ----a-w- c:\windows\Mkelijoyigere.dat
2009-10-16 00:31 . 2006-04-10 20:06 716 ----a-w- c:\windows\eReg.dat
2009-10-14 20:11 . 2005-07-13 15:24 -------- d-----w- c:\program files\DL_cats
2009-09-30 21:59 . 2005-08-12 20:48 59552 ----a-w- c:\documents and settings\Sean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 21:27 . 2009-09-01 21:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 21:34 . 2005-07-13 13:39 -------- d-----w- c:\program files\Java
2009-09-18 21:52 . 2009-09-18 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-18 21:51 . 2009-09-18 21:51 -------- d-----w- c:\program files\NOS
2009-09-10 11:33 . 2008-03-18 02:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-09 22:07 . 2005-07-09 22:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-07 00:23 . 2009-09-07 00:23 -------- d-----w- c:\program files\trend micro
2009-09-04 21:38 . 2005-10-05 20:15 -------- d-----w- c:\program files\Google
2009-09-03 22:39 . 2009-09-03 02:49 -------- d-----w- c:\documents and settings\Sean\Application Data\.minecraft
2009-08-31 20:57 . 2009-08-31 20:57 -------- d-----w- c:\documents and settings\Sean\Application Data\Malwarebytes
2009-08-31 20:57 . 2009-08-31 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-28 20:41 . 2009-08-28 10:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-28 11:45 . 2009-08-28 11:45 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-08-28 10:23 . 2009-05-24 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-28 08:26 . 2007-07-28 21:34 -------- d-----w- c:\program files\Steam
2009-08-26 20:22 . 2009-08-26 20:22 -------- d-----w- c:\documents and settings\Sean\Application Data\orange
2009-08-26 20:22 . 2009-08-26 20:22 -------- d-----w- c:\program files\PyQwt5
2009-08-20 14:59 . 2009-05-24 18:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 14:59 . 2009-05-24 18:36 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 14:59 . 2006-12-16 20:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-09-01 21:17 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-09-01 21:17 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 10:23 . 2009-01-01 23:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-05-10 22:25 . 2009-05-10 22:25 771 ----a-w- c:\program files\Shortcut to userdata.lnk
2005-07-18 18:19 . 2005-07-18 18:19 774144 ----a-w- c:\program files\RngInterstitial.dll
2004-03-01 19:25 . 2006-12-05 21:23 114688 ----a-w- c:\program files\internet explorer\plugins\ChimeShim.dll
2006-04-23 15:03 . 2006-04-21 21:21 80 --sh--r- c:\windows\system32\795427029E.dll
.

------- Sigcheck -------

[-] 2009-08-28 20:23 . 968573F9EE445E154ECF4EE93D9ED13C . 29184 . . [------] . . c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-24 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-05 520024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 14:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dlbxcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlbxPSWX.EXE"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\PuzzleOnline\\QuestOnline.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\LEGO Media\\Constructive\\LEGO LOCO\\Exe\\Loco.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\java.exe"=
"c:\\Program Files\\GeoWarfare\\GeoWarfare.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"c:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\vdogamez\\garrysmod\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ramjets\\ramjets.exe"=
"c:\\Documents and Settings\\Sean\\My Documents\\Download\\Sand\\BurningSand2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Documents and Settings\\Sean\\My Documents\\Download\\dtd\\dtd\\data\\pd\\bin\\pd.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\WINDOWS\\system32\\ElectricSheep.scr"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Telurica\\Telurica.exe"=
"c:\\Documents and Settings\\Sean\\My Documents\\Downloads\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\gish\\gish.exe"=
"c:\\Program Files\\Steam\\steamapps\\vdogamez\\team fortress 2\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/5/2009 11:17 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2009 1:36 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2009 1:36 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/24/2009 1:35 PM 297752]
S2 gupdate1c9235dac2d5eb8;Google Update Service (gupdate1c9235dac2d5eb8);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2008 7:35 PM 133104]
S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\drivers\dsreader.sys [1/2/2001 11:53 PM 19677]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/12/2004 9:06 AM 14336]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6b8e864-8e95-11de-a270-00123f70952c}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-01 00:35]

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-01 00:35]

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-583907252-725345543-1005Core.job
- c:\documents and settings\Sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-18 00:35]

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-583907252-725345543-1005UA.job
- c:\documents and settings\Sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-18 00:35]

2009-10-21 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-02-15 14:53]

2009-10-21 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-03-18 20:31]

2009-10-21 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-18 20:31]

2009-10-12 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-21 14:46]

2008-03-21 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-21 14:46]

2008-06-13 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-03-22 13:52]

2009-10-21 c:\windows\Tasks\User_Feed_Synchronization-{03FCD736-6B80-4673-B954-B1229A9CB848}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2009-10-21 c:\windows\Tasks\User_Feed_Synchronization-{47AE6577-2AC1-49D1-9B52-76A342F93700}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2009-10-21 c:\windows\Tasks\{474B40BF-B798-457D-82D7-7859E379130D}_DELL-DIMENSION_Sean.job
- c:\windows\system32\mobsync.exe [2004-08-12 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\hvmn395j.default\
FF - prefs.js: browser.startup.homepage - hxxp://jayisgames.com/
FF - component: c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\hvmn395j.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - plugin: c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\hvmn395j.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Sean\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: XUL Cache: {27BAB56D-850F-43FE-A626-A257AE99FA37} - c:\documents and settings\Sean\Local Settings\Application Data\{27BAB56D-850F-43FE-A626-A257AE99FA37}
FF - HiddenExtension: XUL Cache: {9684CF39-3009-4425-BFFF-14EA0D7C9DA1} - c:\documents and settings\Teresa\Local Settings\Application Data\{9684CF39-3009-4425-BFFF-14EA0D7C9DA1}\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Xbewe - c:\windows\uxajopev.dll
SafeBoot-dwshd.sys3857ae4d
SafeBoot-Lavasoft Ad-Aware Service
AddRemove-Cave Story Deluxe - k:\cave story\Uninstal.exe
AddRemove-Win Antivirus Pro - c:\program files\Windows Antivirus Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 15:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-583907252-725345543-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:18,72,7b,66,75,0d,cb,b6,21,fb,4d,1c,3f,8c,ea,3f,44,bc,45,f6,85,56,43,
fc,cd,54,e1,be,55,44,84,11,58,bb,91,ca,4e,d9,8a,70,05,f3,de,51,7d,13,e7,db,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1085031214-583907252-725345543-1005\Software\SecuROM\License information*]
"datasecu"=hex:23,36,da,49,65,54,59,60,dd,06,27,1f,88,e3,1b,30,1c,3b,83,98,db,
a2,e0,f3,9d,6e,d5,3e,da,d7,a1,0b,1d,21,56,a8,02,e5,63,17,34,59,9b,60,76,83,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}*]
"AKNWOCNXOU3KGNJZJIHVXU2P2H1"=hex:01,00,01,00,00,00,00,00,64,78,88,76,df,05,3c,
db,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(172)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF1376.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-10-21 15:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-21 20:33

Pre-Run: 12,345,458,688 bytes free
Post-Run: 13,385,019,392 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=2,3,4,5
- - End Of File - - 152277C9161615B91FB99167584ACABD
------

Well done.

Congratulation for the new job.

• Go to start > Run copy/paste the following lines one by one in the run box and click OK after each line.
  
  sc config eventlog start= auto
  
  A window flashes, it is normal.
  
  
• Close any open browsers.
  
  Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:
  
  

  File::
  c:\windows\Mkelijoyigere.dat
  c:\documents and settings\Neal\Local Settings\Application Data\Mkelijoyigere.dat
  c:\windows\system32\795427029E.dll
  c:\windows\system32\dllcache\beep.sys
  MIA::
  c:\windows\system32\drivers\beep.sys
  DDS::
  uInternet Settings,ProxyServer = http=localhost:7171
  RegNull::
  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}*]
  RegLockDel::
  [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{17DE1F14-B3E4-1035-F057BA15C83B1D27}\{8EADAA70-8C9A-100D-77D42F75FD081297}\{52159879-7142-2CA4-73B8A923B4C8F27A}*]
  Registry::
  [-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] 
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
  "5000:TCP"=-
  "5001:TCP"=-
  "5002:TCP"=-
  "5003:TCP"=-
  "5004:TCP"=-
  "5005:TCP"=-
  "5006:TCP"=-
  "5007:TCP"=-
  "5008:TCP"=-
  "5009:TCP"=-
  "5010:TCP"=-
  "5011:TCP"=-
  "5012:TCP"=-
  "5013:TCP"=-
  "5014:TCP"=-
  "5015:TCP"=-
  "5016:TCP"=-
  "5017:TCP"=-
  "5018:TCP"=-
  "5019:TCP"=-
  "5020:TCP"=
  FixCSet::

  
  Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
  Referring to the picture above, drag CFScript into ComboFix.exe
  
  When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.
  
  
• Click on Start->Run, and copy-paste the following command (the bold text) into the "Open" box, and click OK:
  
  "C:\win32kdiag.exe" -f -r
  
  When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Combofix log:
ComboFix 09-10-20.03 - Sean 10/22/2009 6:37.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2028 [GMT -5:00]
Running from: c:\documents and settings\Sean\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sean\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\Neal\Local Settings\Application Data\Mkelijoyigere.dat"
"c:\windows\Mkelijoyigere.dat"
"c:\windows\system32\795427029E.dll"
"c:\windows\system32\dllcache\beep.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Neal\Local Settings\Application Data\Mkelijoyigere.dat
c:\windows\Mkelijoyigere.dat
c:\windows\system32\795427029E.dll

c:\windows\system32\drivers\beep.sys . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.

2009-10-19 21:46 . 2009-10-19 21:46 47104 ----a-w- C:\Win32kDiag.exe
2009-10-09 22:55 . 2009-10-10 01:19 -------- d-----w- c:\program files\Darkwind
2009-09-30 21:27 . 2009-09-30 21:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 20:49 . 2009-09-01 21:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 22:09 . 2007-10-11 23:19 -------- d-----w- c:\documents and settings\Sean\Application Data\U3
2009-10-16 00:31 . 2006-04-10 20:06 716 ----a-w- c:\windows\eReg.dat
2009-10-14 20:11 . 2005-07-13 15:24 -------- d-----w- c:\program files\DL_cats
2009-09-30 21:59 . 2005-08-12 20:48 59552 ----a-w- c:\documents and settings\Sean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 21:34 . 2005-07-13 13:39 -------- d-----w- c:\program files\Java
2009-09-18 21:52 . 2009-09-18 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-18 21:51 . 2009-09-18 21:51 -------- d-----w- c:\program files\NOS
2009-09-10 19:54 . 2009-09-01 21:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-01 21:17 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 11:33 . 2008-03-18 02:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-09 22:07 . 2005-07-09 22:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-07 00:23 . 2009-09-07 00:23 -------- d-----w- c:\program files\trend micro
2009-09-04 21:38 . 2005-10-05 20:15 -------- d-----w- c:\program files\Google
2009-09-03 22:39 . 2009-09-03 02:49 -------- d-----w- c:\documents and settings\Sean\Application Data\.minecraft
2009-08-31 20:57 . 2009-08-31 20:57 -------- d-----w- c:\documents and settings\Sean\Application Data\Malwarebytes
2009-08-31 20:57 . 2009-08-31 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-28 20:41 . 2009-08-28 10:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-28 11:45 . 2009-08-28 11:45 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-08-28 10:23 . 2009-05-24 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-28 08:26 . 2007-07-28 21:34 -------- d-----w- c:\program files\Steam
2009-08-26 20:22 . 2009-08-26 20:22 -------- d-----w- c:\documents and settings\Sean\Application Data\orange
2009-08-26 20:22 . 2009-08-26 20:22 -------- d-----w- c:\program files\PyQwt5
2009-08-20 14:59 . 2009-05-24 18:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 14:59 . 2009-05-24 18:36 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 14:59 . 2006-12-16 20:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:01 . 2004-08-12 14:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-01-01 23:21 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-05-10 22:25 . 2009-05-10 22:25 771 ----a-w- c:\program files\Shortcut to userdata.lnk
2005-07-18 18:19 . 2005-07-18 18:19 774144 ----a-w- c:\program files\RngInterstitial.dll
2004-03-01 19:25 . 2006-12-05 21:23 114688 ----a-w- c:\program files\internet explorer\plugins\ChimeShim.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-21_20.06.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-22 12:04 . 2009-10-22 12:04 16384 c:\windows\temp\Perflib_Perfdata_6d4.dat
+ 2008-10-18 17:39 . 2009-10-21 20:45 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-10-18 17:39 . 2009-09-18 21:52 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\IGN\Download Manager\DLM.exe" [2007-03-05 1103480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-09-03 3342336]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-24 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-05 520024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"DLBXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll" [2004-12-07 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 68856]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 14:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dlbxcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dlbxPSWX.EXE"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\PuzzleOnline\\QuestOnline.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\LEGO Media\\Constructive\\LEGO LOCO\\Exe\\Loco.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\java.exe"=
"c:\\Program Files\\GeoWarfare\\GeoWarfare.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"c:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\vdogamez\\garrysmod\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ramjets\\ramjets.exe"=
"c:\\Documents and Settings\\Sean\\My Documents\\Download\\Sand\\BurningSand2.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Documents and Settings\\Sean\\My Documents\\Download\\dtd\\dtd\\data\\pd\\bin\\pd.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\WINDOWS\\system32\\ElectricSheep.scr"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Telurica\\Telurica.exe"=
"c:\\Documents and Settings\\Sean\\My Documents\\Downloads\\Worms 4 Mayhem\\WORMS 4 MAYHEM.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\gish\\gish.exe"=
"c:\\Program Files\\Steam\\steamapps\\vdogamez\\team fortress 2\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5020:TCP"= 5020:TCP:TCP Port 5020
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/5/2009 11:17 AM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/24/2009 1:36 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/24/2009 1:36 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/24/2009 1:35 PM 297752]
S2 gupdate1c9235dac2d5eb8;Google Update Service (gupdate1c9235dac2d5eb8);c:\program files\Google\Update\GoogleUpdate.exe [9/30/2008 7:35 PM 133104]
S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\drivers\dsreader.sys [1/2/2001 11:53 PM 19677]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [8/12/2004 9:06 AM 14336]
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-01 00:35]

2009-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-01 00:35]

2009-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-583907252-725345543-1005Core.job
- c:\documents and settings\Sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-18 00:35]

2009-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-583907252-725345543-1005UA.job
- c:\documents and settings\Sean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-18 00:35]

2009-10-22 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-02-15 14:53]

2009-10-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-03-18 20:31]

2009-10-22 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-03-18 20:31]

2009-10-12 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-21 14:46]

2008-03-21 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-03-21 14:46]

2008-06-13 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-03-22 13:52]

2009-10-22 c:\windows\Tasks\User_Feed_Synchronization-{03FCD736-6B80-4673-B954-B1229A9CB848}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2009-10-22 c:\windows\Tasks\User_Feed_Synchronization-{47AE6577-2AC1-49D1-9B52-76A342F93700}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]

2009-10-22 c:\windows\Tasks\{474B40BF-B798-457D-82D7-7859E379130D}_DELL-DIMENSION_Sean.job
- c:\windows\system32\mobsync.exe [2004-08-12 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\hvmn395j.default\
FF - prefs.js: browser.startup.homepage - hxxp://jayisgames.com/
FF - component: c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\hvmn395j.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - plugin: c:\documents and settings\Sean\Application Data\Mozilla\Firefox\Profiles\hvmn395j.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Sean\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - HiddenExtension: XUL Cache: {27BAB56D-850F-43FE-A626-A257AE99FA37} - c:\documents and settings\Sean\Local Settings\Application Data\{27BAB56D-850F-43FE-A626-A257AE99FA37}
FF - HiddenExtension: XUL Cache: {9684CF39-3009-4425-BFFF-14EA0D7C9DA1} - c:\documents and settings\Teresa\Local Settings\Application Data\{9684CF39-3009-4425-BFFF-14EA0D7C9DA1}\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 15:12
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLBXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-583907252-725345543-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:18,72,7b,66,75,0d,cb,b6,21,fb,4d,1c,3f,8c,ea,3f,44,bc,45,f6,85,56,43,
fc,cd,54,e1,be,55,44,84,11,58,bb,91,ca,4e,d9,8a,70,05,f3,de,51,7d,13,e7,db,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1085031214-583907252-725345543-1005\Software\SecuROM\License information*]
"datasecu"=hex:23,36,da,49,65,54,59,60,dd,06,27,1f,88,e3,1b,30,1c,3b,83,98,db,
a2,e0,f3,9d,6e,d5,3e,da,d7,a1,0b,1d,21,56,a8,02,e5,63,17,34,59,9b,60,76,83,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(1764)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF27441.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-22 15:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-22 20:39
ComboFix2.txt 2009-10-21 20:33

Pre-Run: 13,365,051,392 bytes free
Post-Run: 13,319,016,448 bytes free

- - End Of File - - 9980EF019AEC6DD0365B381A1A58ED34

Win32kDiag log:
Running from: C:\win32kdiag.exe

Log file at : C:\Documents and Settings\Sean\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!