Malwarebytes' Anti-Malware software, Malwarebytes' Anti-Malware Not working

This topic is locked
44 replies to this topic

#1 smartjock99

Posted 30 August 2009 - 03:14 PM

[topic=253487.html]Malwarebytes' Anti-Malware software, Malwarebytes' Anti-Malware Not working[/topic]

My Google requests are being redirected to other sites. As a first step to correcting this, I started to run Malwarebytes' Anti-Malware software. After I updated it, I started the scan, when all of a sudden it stopped working. When I tried to reconnect, I got a message

"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item"

I re-installed the software, updated it, and tried to run it again, and got the same message.

Since then, SuperAntispyware, RootRepeal and now DDS will not work. They download okay, but then terminate during the scan, hence I don't have logs I can insert.

I've backed up all my data onto an external hard drive.

I'm at my wits' end, but I'm happy with any assistance I can give you. Hopefully the topic link works.

Here is my Win32kDiag.exe log. The next post will be my RootRepeal drivers log.

Log file is located at: C:\Documents and Settings\Phil\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...


Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP247.tmp\ZAP247.tmp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP453.tmp\ZAP453.tmp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6BF.tmp\ZAP6BF.tmp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP775.tmp\ZAP775.tmp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP874.tmp\ZAP874.tmp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Cursors\Cursors

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\90A2CC5A3D9ECE9429D33078B4DBC4C2\1.20.0\1.20.0

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2004-08-04 01:56:52 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)


Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\2FQWLYSA\2FQWLYSA

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\EEYUSZ42\EEYUSZ42

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\IdentityCRL\production\production

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Enterprise\Enterprise

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\exceptions\exceptions

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Toolbar Cache\6.1.1715.1442\en\en

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\F-Secure\Anti-Virus\Anti-Virus

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)


Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0203\__SKIP_0203

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\Temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>^


Finished!



Here's the RootRepeal driver log

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/30 08:50
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xBA779000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: DriverACPI_HAL
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:WINDOWSSystem32driversafd.sys
Address: 0xA13EF000 Size: 138496 File Visible: - Signed: -
Status: -

Name: ALCXSENS.SYS
Image Path: C:WINDOWSsystem32driversALCXSENS.SYS
Address: 0xB968D000 Size: 391424 File Visible: - Signed: -
Status: -

Name: ALCXWDM.SYS
Image Path: C:WINDOWSsystem32driversALCXWDM.SYS
Address: 0xB9711000 Size: 591552 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xBA731000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ati2cqag.dll
Image Path: C:WINDOWSSystem32ati2cqag.dll
Address: 0xBFA0D000 Size: 233472 File Visible: - Signed: -
Status: -

Name: ati2dvag.dll
Image Path: C:WINDOWSSystem32ati2dvag.dll
Address: 0xBF9D5000 Size: 229376 File Visible: - Signed: -
Status: -

Name: ati2mtag.sys
Image Path: C:WINDOWSsystem32DRIVERSati2mtag.sys
Address: 0xB97FD000 Size: 880640 File Visible: - Signed: -
Status: -

Name: ati3duag.dll
Image Path: C:WINDOWSSystem32ati3duag.dll
Address: 0xBFA46000 Size: 2179072 File Visible: - Signed: -
Status: -

Name: ativvaxx.dll
Image Path: C:WINDOWSSystem32ativvaxx.dll
Address: 0xBFC5A000 Size: 487424 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:WINDOWSSystem32ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: ATMhelpr.SYS
Image Path: C:WINDOWSSystem32DriversATMhelpr.SYS
Address: 0xBAF01000 Size: 4064 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:WINDOWSSystem32DRIVERSaudstub.sys
Address: 0xBAF7C000 Size: 3072 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:WINDOWSSystem32DriversBeep.SYS
Address: 0xBAE0E000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:WINDOWSsystem32BOOTVID.dll
Address: 0xBACB8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: CDAC15BA.SYS
Image Path: C:WINDOWSsystem32driversCDAC15BA.SYS
Address: 0xA0D60000 Size: 11200 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:WINDOWSSystem32DriversCdfs.SYS
Address: 0xBAA28000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:WINDOWSSystem32DRIVERScdrom.sys
Address: 0xB9914000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:WINDOWSSystem32DRIVERSCLASSPNP.SYS
Address: 0xBA8E8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA8D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:WINDOWSsystem32driversdrmk.sys
Address: 0xB98E4000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:WINDOWSSystem32Driversdump_atapi.sys
Address: 0xA1090000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:WINDOWSSystem32Driversdump_WMILIB.SYS
Address: 0xBAE18000 Size: 8192 File Visible: No Signed: -
Status: -

Name: dvd43llh.sys
Image Path: C:WINDOWSSystem32DRIVERSdvd43llh.sys
Address: 0xBAB58000 Size: 18816 File Visible: - Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:WINDOWSSystem32driversDxapi.sys
Address: 0xA11BB000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:WINDOWSSystem32driversdxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:WINDOWSSystem32driversdxgthk.sys
Address: 0xBAEBF000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:WINDOWSSystem32DriversFastfat.SYS
Address: 0xA0E8C000 Size: 143744 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:WINDOWSSystem32DRIVERSfdc.sys
Address: 0xBAB70000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:WINDOWSSystem32DriversFips.SYS
Address: 0xBAA08000 Size: 44544 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:WINDOWSSystem32DRIVERSflpydisk.sys
Address: 0xBABA8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xBA711000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:WINDOWSSystem32DriversFs_Rec.SYS
Address: 0xBAE0C000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xBA749000 Size: 125056 File Visible: - Signed: -
Status: -

Name: gameenum.sys
Image Path: C:WINDOWSSystem32DRIVERSgameenum.sys
Address: 0xBA5C3000 Size: 10624 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:WINDOWSSystem32DriversGEARAspiWDM.sys
Address: 0xBA5CF000 Size: 9984 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:WINDOWSsystem32hal.dll
Address: 0x806D0000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:WINDOWSsystem32DRIVERSHIDPARSE.SYS
Address: 0xBABB8000 Size: 28672 File Visible: - Signed: -
Status: -

Name: HPZid412.sys
Image Path: C:WINDOWSsystem32DRIVERSHPZid412.sys
Address: 0xBAA48000 Size: 50848 File Visible: - Signed: -
Status: -

Name: HPZipr12.sys
Image Path: C:WINDOWSsystem32DRIVERSHPZipr12.sys
Address: 0xA11F6000 Size: 16224 File Visible: - Signed: -
Status: -

Name: HPZius12.sys
Image Path: C:WINDOWSsystem32DRIVERSHPZius12.sys
Address: 0xBAC08000 Size: 21472 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:WINDOWSSystem32DriversHTTP.sys
Address: 0xA00F6000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:WINDOWSSystem32DRIVERSi8042prt.sys
Address: 0xBAA98000 Size: 52480 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:WINDOWSSystem32DRIVERSimapi.sys
Address: 0xB9924000 Size: 42112 File Visible: - Signed: -
Status: -

Name: ipfltdrv.sys
Image Path: C:WINDOWSSystem32DRIVERSipfltdrv.sys
Address: 0xBA9C8000 Size: 32896 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:WINDOWSSystem32DRIVERSipsec.sys
Address: 0xA14B9000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA8A8000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:WINDOWSSystem32DRIVERSkbdclass.sys
Address: 0xBAB80000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:WINDOWSsystem32KDCOM.DLL
Address: 0xBADA8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:WINDOWSsystem32driverskmixer.sys
Address: 0x9FAE8000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:WINDOWSSystem32DRIVERSks.sys
Address: 0xB97C6000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xBA6E8000 Size: 92928 File Visible: - Signed: -
Status: -

Name: LVPrcMon.sys
Image Path: C:WINDOWSsystem32driversLVPrcMon.sys
Address: 0xBAC78000 Size: 16768 File Visible: - Signed: -
Status: -

Name: mfeavfk.sys
Image Path: C:WINDOWSsystem32driversmfeavfk.sys
Address: 0xA033F000 Size: 73152 File Visible: - Signed: -
Status: -

Name: mfebopk.sys
Image Path: C:WINDOWSsystem32driversmfebopk.sys
Address: 0xBAC68000 Size: 28544 File Visible: - Signed: -
Status: -

Name: mfehidk.sys
Image Path: C:WINDOWSsystem32driversmfehidk.sys
Address: 0xA10F8000 Size: 207296 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:WINDOWSSystem32Driversmnmdd.SYS
Address: 0xBAE10000 Size: 4224 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:WINDOWSSystem32DRIVERSmouclass.sys
Address: 0xBAB78000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA8B8000 Size: 42368 File Visible: - Signed: -
Status: -

Name: Mpfp.sys
Image Path: C:WINDOWSSystem32DriversMpfp.sys
Address: 0xA1439000 Size: 159744 File Visible: - Signed: -
Status: -

Name: MrFilter.sys
Image Path: MrFilter.sys
Address: 0xBACBC000 Size: 11776 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:WINDOWSSystem32DRIVERSmrxdav.sys
Address: 0xA0A4B000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:WINDOWSSystem32DRIVERSmrxsmb.sys
Address: 0xA112B000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:WINDOWSSystem32DriversMsfs.SYS
Address: 0xBABC8000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:WINDOWSSystem32DRIVERSmsgpc.sys
Address: 0xBA938000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:WINDOWSSystem32DRIVERSmssmbios.sys
Address: 0xBAD3C000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xBA5FF000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xBA619000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:WINDOWSSystem32DRIVERSndistapi.sys
Address: 0xBA5BF000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:WINDOWSSystem32DRIVERSndisuio.sys
Address: 0xA132B000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:WINDOWSSystem32DRIVERSndiswan.sys
Address: 0xB960C000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:WINDOWSSystem32DriversNDProxy.SYS
Address: 0xBA998000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:WINDOWSSystem32DRIVERSnetbios.sys
Address: 0xBA9D8000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:WINDOWSSystem32DRIVERSnetbt.sys
Address: 0xA1411000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:WINDOWSSystem32DriversNpfs.SYS
Address: 0xBABD0000 Size: 30848 File Visible: - Signed: -
Status: -

Name: npptNT2.sys
Image Path: C:WINDOWSsystem32npptNT2.sys
Address: 0xBABE0000 Size: 24576 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xBA646000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:WINDOWSsystem32ntkrnlpa.exe
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:WINDOWSSystem32DriversNull.SYS
Address: 0xBAF00000 Size: 2944 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:WINDOWSSystem32DRIVERSparport.sys
Address: 0xB9679000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBAB30000 Size: 19712 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:WINDOWSSystem32DriversParVdm.SYS
Address: 0xBADFA000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xBA768000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:WINDOWSSystem32DRIVERSPCIIDEX.SYS
Address: 0xBAB28000 Size: 28672 File Visible: - Signed: -
Status: -

Name: Pcouffin.sys
Image Path: C:WINDOWSSystem32DriversPcouffin.sys
Address: 0xBA958000 Size: 39488 File Visible: - Signed: -
Status: -

Name: pfc.sys
Image Path: C:WINDOWSsystem32driverspfc.sys
Address: 0xBA5D3000 Size: 10368 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: DriverPnpManager
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:WINDOWSsystem32driversportcls.sys
Address: 0xB96ED000 Size: 147456 File Visible: - Signed: -
Status: -

Name: processr.sys
Image Path: C:WINDOWSSystem32DRIVERSprocessr.sys
Address: 0xB9934000 Size: 35840 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:WINDOWSSystem32DRIVERSpsched.sys
Address: 0xB95FB000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:WINDOWSSystem32DRIVERSptilink.sys
Address: 0xBAB90000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA8F8000 Size: 35712 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:WINDOWSSystem32DRIVERSrasacd.sys
Address: 0xBAD78000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:WINDOWSSystem32DRIVERSrasl2tp.sys
Address: 0xBAB08000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:WINDOWSSystem32DRIVERSraspppoe.sys
Address: 0xBAB18000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:WINDOWSSystem32DRIVERSraspptp.sys
Address: 0xBA928000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:WINDOWSSystem32DRIVERSraspti.sys
Address: 0xBAB98000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: FileSystemRAW
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:WINDOWSSystem32DRIVERSrdbss.sys
Address: 0xA11C3000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:WINDOWSSystem32DRIVERSRDPCDD.sys
Address: 0xBAE12000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:WINDOWSSystem32DRIVERSredbook.sys
Address: 0xB9904000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal3.sys
Image Path: C:WINDOWSsystem32driversrootrepeal3.sys
Address: 0xA0729000 Size: 49152 File Visible: No Signed: -
Status: -

Name: Rtlnic51.sys
Image Path: C:WINDOWSSystem32DRIVERSRtlnic51.sys
Address: 0xB98D4000 Size: 65280 File Visible: - Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:Program FilesSUPERAntiSpywareSASDIFSV.SYS
Address: 0xBABD8000 Size: 28672 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:Program FilesSUPERAntiSpywareSASKUTIL.sys
Address: 0xA1306000 Size: 135168 File Visible: - Signed: -
Status: -

Name: SCDEmu.SYS
Image Path: C:WINDOWSSystem32DriversSCDEmu.SYS
Address: 0xBA9E8000 Size: 52768 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:WINDOWSSystem32DRIVERSserenum.sys
Address: 0xBA5C7000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:WINDOWSSystem32DRIVERSserial.sys
Address: 0xBAA88000 Size: 64512 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xBA6FF000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:WINDOWSSystem32DRIVERSsrv.sys
Address: 0xA07F1000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:WINDOWSSystem32DRIVERSswenum.sys
Address: 0xBADFE000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:WINDOWSsystem32driverssysaudio.sys
Address: 0xA0ED0000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tap0901.sys
Image Path: C:WINDOWSsystem32DRIVERStap0901.sys
Address: 0xBABA0000 Size: 25472 File Visible: - Signed: -
Status: -

Name: tapvpn.sys
Image Path: C:WINDOWSsystem32DRIVERStapvpn.sys
Address: 0xBA948000 Size: 45056 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:WINDOWSSystem32DRIVERStcpip.sys
Address: 0xA1460000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:WINDOWSSystem32DRIVERSTDI.SYS
Address: 0xBAB88000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:WINDOWSSystem32DRIVERStermdd.sys
Address: 0xBA968000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:WINDOWSsystem32driverstmcomm.sys
Address: 0xA0491000 Size: 97280 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:WINDOWSSystem32DRIVERSupdate.sys
Address: 0xB9575000 Size: 384768 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:WINDOWSsystem32DRIVERSusbccgp.sys
Address: 0xBABF0000 Size: 32128 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:WINDOWSSystem32DRIVERSUSBD.SYS
Address: 0xBAE06000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:WINDOWSSystem32DRIVERSusbehci.sys
Address: 0xBAB68000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:WINDOWSSystem32DRIVERSusbhub.sys
Address: 0xBA9A8000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:WINDOWSSystem32DRIVERSUSBPORT.SYS
Address: 0xB97A2000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbprint.sys
Image Path: C:WINDOWSsystem32DRIVERSusbprint.sys
Address: 0xBAC00000 Size: 25856 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:WINDOWSsystem32DRIVERSUSBSTOR.SYS
Address: 0xBABF8000 Size: 26368 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:WINDOWSSystem32DRIVERSusbuhci.sys
Address: 0xBAB60000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBABC0000 Size: 20992 File Visible: - Signed: -
Status: -

Name: viaagp1.sys
Image Path: viaagp1.sys
Address: 0xBAB38000 Size: 27904 File Visible: - Signed: -
Status: -

Name: viaide.sys
Image Path: viaide.sys
Address: 0xBADAC000 Size: 5376 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB97E9000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA8C8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xBA9F8000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBAC18000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA0C6F000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBAC28000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xA138F000 Size: 61440 File Visible: No Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xBADAA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xBA6D3000 Size: 82944 File Visible: - Signed: -
Status: -

Merged posts. ~ OB

Edited by Orange Blossom, 31 August 2009 - 11:31 PM.



#2 SifuMike

    malware expert

Posted 03 September 2009 - 10:13 PM

Hello smartjock99,

You got a Rootkit on this computer.

We will need to take this cleanup in phases. You are not clean until I tell you so - even if it appears that everything is running fine!

Let's begin....

==========

Step 1

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

==========

Step 2

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========

Step 3

Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 smartjock99
  • Topic Starter

Posted 07 September 2009 - 07:52 PM

Hi SifuMike:

I've been out of town, so that's why I haven't responded until now. I've run all three steps, but upon my reboot, I've gotten a rogue fake antispyware program (total protection 4.52) logged into my startup which I can't shut down. I tried rebooting twice and the stupid "Total protection" program came up again. I'm posting the two text files you asked me for by running the computer in safe mode.

Here's Win32kDiag.txt
-----------------------------

Log file is located at: C:\Documents and Settings\Phil\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP247.tmp\ZAP247.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP247.tmp\ZAP247.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP453.tmp\ZAP453.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP453.tmp\ZAP453.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6BF.tmp\ZAP6BF.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6BF.tmp\ZAP6BF.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP775.tmp\ZAP775.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP775.tmp\ZAP775.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP874.tmp\ZAP874.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP874.tmp\ZAP874.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Cursors\Cursors

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cursors\Cursors

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\90A2CC5A3D9ECE9429D33078B4DBC4C2\1.20.0\1.20.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\90A2CC5A3D9ECE9429D33078B4DBC4C2\1.20.0\1.20.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2004-08-04 01:56:52 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:21 744448 C:\WINDOWS\system32\dllcache\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\4f47c78d92d1e7d8afd6488622d909fd\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\2FQWLYSA\2FQWLYSA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\2FQWLYSA\2FQWLYSA

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\EEYUSZ42\EEYUSZ42

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\EEYUSZ42\EEYUSZ42

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\IdentityCRL\production\production

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\IdentityCRL\production\production

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Enterprise\Enterprise

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Enterprise\Enterprise

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\exceptions\exceptions

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\exceptions\exceptions

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Toolbar Cache\6.1.1715.1442\en\en

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Toolbar Cache\6.1.1715.1442\en\en

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\F-Secure\Anti-Virus\Anti-Virus

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\F-Secure\Anti-Virus\Anti-Virus

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-04 01:56:50 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:18 10752 C:\WINDOWS\system32\dllcache\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 18:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)



Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 18:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0203\__SKIP_0203

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0203\__SKIP_0203

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Found mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Found mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Found mount point : C:\WINDOWS\Temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00004\MCE00004

Found mount point : C:\WINDOWS\Temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00005\MCE00005

Found mount point : C:\WINDOWS\Temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00006\MCE00006

Found mount point : C:\WINDOWS\Temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00007\MCE00007

Found mount point : C:\WINDOWS\Temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00008\MCE00008

Found mount point : C:\WINDOWS\Temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE00009\MCE00009

Found mount point : C:\WINDOWS\Temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0000a\MCE0000a

Found mount point : C:\WINDOWS\Temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0000b\MCE0000b

Found mount point : C:\WINDOWS\Temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0000c\MCE0000c

Found mount point : C:\WINDOWS\Temp\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MCE0000d\MCE0000d

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!

Here's the Avenger text (I forgot to put the line "file to move" at first, which gave the error message at the top)

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Sep 07 17:54:31 2009

17:54:31: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Mon Sep 07 17:55:25 2009

17:55:25: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Awaiting the next steps (as well as how to deal with that "Total Protection" program).
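The checks a helper performs by eye on a Win32kDiag log, as an added example (not code from this thread, from Win32kDiag or from Malwarebytes): parse the mount-point and file-permission blocks, flag mount points whose destination is not a normal volume GUID target, and flag a locked system file whose live copy differs from the dllcache and ServicePackFiles copies. The input is a constructed excerpt of the log posted above; the reference-store rule and the volume-GUID heuristic are assumptions of this example, not rules stated in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the Win32kDiag.txt posted above (one rogue
# mount point plus the eventlog.dll and dumprep.exe permission blocks).
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 01:56:44 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 18:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 18:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\dumprep.exe
Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe
[1] 2008-04-13 18:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 18:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
ACCESS_RE = re.compile(r"^Cannot access: (.+)$")
# "[n] YYYY-MM-DD HH:MM:SS <size> <path> (<company>)"; the company string may be empty.
COPY_RE = re.compile(r"^\[\d\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")
# Assumed known-good stores on Windows XP. $NtServicePackUninstall$ is left out on
# purpose: it holds the pre-Service-Pack build, whose size legitimately differs.
REFERENCE_STORES = (r"\system32\dllcache", r"\servicepackfiles\i386")

@dataclass
class MountPoint:
    path: str
    destination: str

@dataclass
class FileCopy:
    timestamp: str
    size: int
    path: str
    company: str

@dataclass
class Finding:
    path: str
    size: int
    reference_size: int
    company: str
    reason: str

def parse_log(text):
    """Return (mount points, {locked file -> the copies Win32kDiag listed for it})."""
    mounts, blocks = [], {}
    pending_mount, current_target = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the real log separates records with blank lines
        if (m := MOUNT_RE.match(line)):
            pending_mount = m.group(1)
        elif (m := DEST_RE.match(line)) and pending_mount:
            mounts.append(MountPoint(pending_mount, m.group(1)))
            pending_mount = None
        elif (m := ACCESS_RE.match(line)):
            current_target = m.group(1)
            blocks[current_target] = []
        elif (m := COPY_RE.match(line)) and current_target:
            ts, size, path, company = m.groups()
            blocks[current_target].append(FileCopy(ts, int(size), path, company))
    return mounts, blocks

def suspicious_mount_points(mounts):
    # Legitimate volume mount points resolve to a \??\Volume{GUID} target; a reparse
    # point aimed at a bare device object (as in the posted log) is suspect.
    return [mp for mp in mounts if not mp.destination.startswith(r"\??\Volume{")]

def patched_files(blocks):
    """Flag a locked file whose live copy differs in size from the known-good stores
    or carries no company string (the eventlog.dll case in the posted log)."""
    findings = []
    for target, copies in blocks.items():
        name = target.rsplit("\\", 1)[-1].lower()
        # Only compare copies of the same file; Win32kDiag also lists similar names.
        same_name = [c for c in copies if c.path.rsplit("\\", 1)[-1].lower() == name]
        live = next((c for c in same_name if c.path.lower() == target.lower()), None)
        refs = [c for c in same_name if any(s in c.path.lower() for s in REFERENCE_STORES)]
        if live is None or not refs:
            continue  # nothing to compare against; leave it for a human
        ref_sizes = sorted({c.size for c in refs})
        reasons = []
        if live.size not in ref_sizes:
            reasons.append(f"size {live.size} differs from known-good {ref_sizes}")
        if not live.company:
            reasons.append("no company/version string")
        if reasons:
            findings.append(Finding(live.path, live.size, ref_sizes[0], live.company, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    mounts, blocks = parse_log(SAMPLE_LOG)
    for mp in suspicious_mount_points(mounts):
        print(f"rogue mount point {mp.path} -> {mp.destination}")
    for f in patched_files(blocks):
        print(f"patched system file {f.path}: {f.reason}")
```

On the excerpt this reports the addins mount point and eventlog.dll (61952 bytes, no company string) while dumprep.exe, which matches its ServicePackFiles copy, is left alone.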

#4 SifuMike

    malware expert

Posted 07 September 2009 - 09:13 PM

Hi smartjock99,

Please tell me which antivirus you are running.

Also, are you running any registry protectors (like Spybot Teatimer, Windows Defender, etc.)?

#5 smartjock99
  • Topic Starter

Posted 07 September 2009 - 09:13 PM

Thanks to the Avenger and Win32kDiag programs (whatever they did), my Malwarebytes' Anti-Malware program was able to run with a quick scan and eradicate that "Total Protection" nonsense. For your info, here's the log file from that. I haven't done anything else (but this enabled me to rescue the computer from safe mode, so I hope that's okay).

Here's the Malwarebyte log

Malwarebytes' Anti-Malware 1.40
Database version: 2754
Windows 5.1.2600 Service Pack 3 (Safe Mode)

07/09/2009 8:00:24 PM
mbam-log-2009-09-07 (20-00-24).txt

Scan type: Quick Scan
Objects scanned: 135322
Time elapsed: 11 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetjmeovdtm (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10636874 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\10636874 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\10636874\10636874 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\10636874\10636874.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\10636874\pc10636874ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Philip\Local Settings\temp\b.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Philip\Local Settings\temp\rasvsnet.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACfftvekuqvgnwymsdw.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

#6 SifuMike
    malware expert

Posted 07 September 2009 - 09:16 PM

duplicate post removed


#7 SifuMike
    malware expert

Posted 07 September 2009 - 09:17 PM

Please Do NOT run any programs without my say so. It just makes it more difficult for me. :(

You forgot to answer my previous post.


#8 smartjock99

Posted 07 September 2009 - 09:23 PM

I'm not running any more programs without your say-so.

I do not have any registry protectors installed or running. I used to have Spybot teatimer, but that's been deleted from my computer for at least 6 months.

My anti-virus program is McAfee.

#9 SifuMike
    malware expert

Posted 07 September 2009 - 09:25 PM

Hi,


Is it McAfee antivirus or McAfee Security Center?


#10 smartjock99

Posted 07 September 2009 - 09:27 PM

McAfee Security Center.

#11 SifuMike
    malware expert

Posted 07 September 2009 - 09:30 PM

Hi,

Be back in about 5 minutes with a fix.

#12 SifuMike
    malware expert

Posted 07 September 2009 - 09:40 PM

Hi smartjock99,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee Security Center before running ComboFix, as it will prevent it from running.

To Disable McAfee Security Center
Posted Image

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#13 smartjock99

Posted 07 September 2009 - 10:31 PM

SifuMike:

ComboFix ran successfully. Can I restore my McAfee Security Centre and my Windows XP Firewall?

Here's my ComboFix log:

ComboFix 09-09-07.03 - Phil 07/09/2009 21:05.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1060 [GMT -6:00]
Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\recycler\S-1-5-21-1606980848-299502267-725345543-1004
c:\windows\AUTOLNCH.REG
c:\windows\Installer\13193c.msp
c:\windows\Installer\131952.msp
c:\windows\Installer\1319a7.msp
c:\windows\Installer\1319bc.msp
c:\windows\Installer\1319d2.msp
c:\windows\Installer\1319ee.msp
c:\windows\Installer\131a09.msp
c:\windows\Installer\131a26.msp
c:\windows\Installer\131a3f.msp
c:\windows\Installer\131a55.msp
c:\windows\Installer\131a6c.msp
c:\windows\Installer\38491b0.msp
c:\windows\Installer\38491b8.msp
c:\windows\Installer\96093ba.msi
c:\windows\Installer\9d577.msp
c:\windows\Installer\c61c2f.msp
c:\windows\Installer\WMEncoder.msi
c:\windows\qmtdla3.dll
c:\windows\run.log
c:\windows\system32\drivers\kbiwkmnsjwlgdk.sys
c:\windows\system32\drivers\UACxcrgqvatmpaetyean.sys
c:\windows\system32\hjgruinmjiybrr.dat
c:\windows\system32\hjgruiyycbxyvv.dat
c:\windows\system32\kbiwkmhucnrvsh.dll
c:\windows\system32\kbiwkmlkhbfdyj.dat
c:\windows\system32\kbiwkmnqdddgco.dat
c:\windows\system32\kbiwkmrdgpilxw.dll
c:\windows\system32\UAChsrjplulpfkvpfkaj.db
c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_TDSSSERV.SYS
-------\Service_NPF
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_kbiwkmktmrwait


((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-08-30 16:24 . 2009-08-30 16:25 -------- d-----w- c:\program files\Cobian Backup 9
2009-08-15 18:31 . 2009-08-15 18:31 -------- d-----w- c:\program files\gs
2009-08-15 18:28 . 2009-08-15 18:28 -------- d-----w- c:\program files\PlotSoft
2009-08-15 18:28 . 2009-08-15 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PlotSoft
2009-08-14 00:22 . 2009-08-14 00:22 -------- d-----w- c:\documents and settings\Phil\Application Data\Quask Response Data Viewer
2009-08-14 00:22 . 2009-08-14 00:22 -------- d-----w- c:\program files\Quask
2009-08-14 00:22 . 2002-01-05 07:16 536576 ----a-w- c:\windows\system32\msvcr70d.dll
2009-08-12 20:05 . 2009-08-12 20:05 -------- d-----w- c:\documents and settings\Hal\Application Data\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 02:34 . 2006-12-01 06:36 -------- d-----w- c:\program files\McAfee
2009-09-08 01:47 . 2009-07-06 17:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-07 16:09 . 2005-09-14 00:36 -------- d-----w- c:\documents and settings\Philip\Application Data\BitTorrent
2009-09-04 21:10 . 2004-12-24 00:17 65440 ----a-w- c:\documents and settings\Phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 04:32 . 2009-05-08 23:35 -------- d-----w- c:\program files\Warcraft III
2009-09-01 13:45 . 2007-03-23 05:52 -------- d-----w- c:\documents and settings\Phil\Application Data\uTorrent
2009-08-30 22:49 . 2008-02-22 18:20 -------- d-----w- c:\program files\Unlocker
2009-08-30 22:48 . 2004-12-25 02:39 65440 ----a-w- c:\documents and settings\Philip\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 22:47 . 2008-10-20 01:36 -------- d-----w- c:\program files\DNA
2009-08-30 22:47 . 2008-10-20 01:36 -------- d-----w- c:\documents and settings\Philip\Application Data\DNA
2009-08-29 10:07 . 2008-10-01 00:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-25 20:45 . 2007-07-01 07:42 99216 ----a-w- c:\windows\War3Unin.dat
2009-08-25 00:13 . 2006-01-02 01:49 -------- d-----w- c:\documents and settings\Phil\Application Data\BitTorrent
2009-08-24 05:59 . 2006-10-29 07:50 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-21 16:00 . 2006-02-15 01:57 80476 ----a-w- c:\windows\HPHins08.dat
2009-08-20 20:31 . 2005-08-06 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-15 19:11 . 2005-02-27 02:10 -------- d-----w- c:\program files\COSMI
2009-08-15 19:11 . 2004-12-23 23:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-13 22:05 . 2006-03-13 01:06 -------- d-----w- c:\documents and settings\Hal\Application Data\BitTorrent
2009-08-12 20:06 . 2009-05-23 04:33 -------- d-----w- c:\program files\Hotspot Shield
2009-08-10 07:40 . 2004-12-25 01:30 65832 ----a-w- c:\documents and settings\Hal\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-09 18:43 . 2009-08-09 18:43 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx72.tmp
2009-08-09 18:36 . 2009-08-09 18:36 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx71.tmp
2009-08-08 13:38 . 2005-12-19 23:26 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-08-07 09:10 . 2009-08-07 09:10 -------- d-----w- c:\program files\MSBuild
2009-08-07 09:09 . 2009-08-07 09:09 -------- d-----w- c:\program files\Reference Assemblies
2009-08-06 20:35 . 2006-12-04 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-08-06 05:59 . 2006-12-01 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 17:14 . 2008-06-21 21:41 -------- d-----w- c:\documents and settings\Phil\Application Data\Winamp
2009-08-04 14:22 . 2006-12-01 06:36 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-04 05:55 . 2009-08-04 05:55 -------- d-----w- c:\program files\McAfee.com
2009-08-04 05:47 . 2009-07-06 17:20 -------- d-----w- c:\program files\Shaw Secure
2009-08-04 05:45 . 2009-03-02 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\f-secure
2009-08-04 05:30 . 2009-07-06 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\fssg
2009-08-04 02:56 . 2009-07-06 17:43 -------- d-----w- c:\documents and settings\Phil\Application Data\F-Secure
2009-08-03 19:36 . 2009-07-06 17:06 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 19:36 . 2009-07-06 17:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-03 05:07 . 2009-08-03 05:07 -------- d-----w- c:\program files\4U Computing
2009-07-31 10:40 . 2009-07-31 10:40 -------- d-----w- c:\documents and settings\Hal\Application Data\F-Secure
2009-07-31 01:44 . 2008-08-25 16:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-30 23:16 . 2008-01-22 03:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-29 01:11 . 2005-07-12 01:17 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-07-29 01:11 . 2005-07-12 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-07-27 13:51 . 2009-07-27 13:51 -------- d-----w- c:\documents and settings\Philip\Application Data\Malwarebytes
2009-07-27 02:24 . 2005-01-14 19:00 -------- d-----w- c:\program files\SPSS
2009-07-23 17:10 . 2007-02-07 00:05 -------- d-----w- c:\program files\Freecorder
2009-07-22 19:13 . 2009-07-22 19:13 28592 ----a-w- c:\windows\system32\drivers\tap0901.sys
2009-07-22 15:36 . 2009-07-22 15:36 -------- d-----w- c:\documents and settings\Phil\Application Data\Malwarebytes
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 15:49 . 2007-05-12 17:25 -------- d-----w- c:\program files\Webshots
2009-07-10 08:15 . 2009-07-07 16:30 -------- d-----w- c:\documents and settings\Philip\Application Data\F-Secure
2009-07-06 07:49 . 2009-07-06 07:49 0 ----a-w- c:\windows\system32\cd.dat
2009-07-02 02:34 . 2009-05-20 19:54 33840 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-06-26 16:50 . 2003-03-31 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-12-24 00:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2003-03-31 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-03-31 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-03-31 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-03-31 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2003-03-31 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2003-03-31 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-17 00:34 . 2009-06-17 00:34 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx26F.tmp
2009-06-17 00:31 . 2009-06-17 00:31 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx26E.tmp
2009-06-17 00:29 . 2009-06-17 00:29 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx26D.tmp
2009-06-17 00:28 . 2009-06-17 00:28 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx26C.tmp
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 15:19 . 2004-12-23 23:33 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 11:53 . 2009-06-10 11:53 341376 ----a-w- c:\windows\system32\drivers\RTL8187B.sys
2009-06-10 06:14 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2007-11-25 16:57 . 2007-11-25 16:57 604 ---ha-w- c:\program files\STLL Notifier
2004-03-11 20:27 . 2004-12-24 01:04 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2002-07-27 00:02 . 2005-01-03 16:58 153088 ----a-w- c:\program files\UNWISE.EXE
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2003-03-31 12:00 . 2003-03-31 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2003-03-31 12:00 50688 --sh--w- c:\windows\twain_32.dll
2005-04-08 03:19 . 2005-04-08 03:19 56 --sh--r- c:\windows\system32\634B638EB3.sys
2008-04-14 00:11 . 2003-03-31 12:00 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2003-03-31 12:00 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2003-03-31 12:00 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2003-03-31 12:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2003-03-31 12:00 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2003-03-31 12:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-23 04:33 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-19 67128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-26 149040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-09 32768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NBKeyScan"="c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2007-03-26 1185328]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 13:39 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-02 262144]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-09-07 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-04 339968]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-02 582992]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-01-08 65536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Hal\Start Menu\Programs\Startup\
BitTorrent.lnk - c:\program files\BitTorrent\bittorrent.exe [2008-9-26 637232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-10-5 49254]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-7-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 19:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PageKeeper Jobs.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
backup=c:\windows\pss\PageKeeper Jobs.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\zzzsheepyzzz\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\zzzsheepyzzz\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"d:\\3dsmax6\\3dsmax.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"d:\\Rakion\\Bin\\Rakion.bin"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"d:\\monitor.exe"=
"d:\\manager.exe"=
"d:\\server.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\SPSS Viewer\\SPSSNAV.EXE"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:3\\Ares\\Ares.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:5\\Ares\\Ares.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RecordingManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\8.1.1.50-8876480SL\\Program\\Restart.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\dvd43\\DVD43_Tray.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=

R0 MrFilter;EasyWrite Driver;c:\windows\system32\drivers\MRFilter.sys [30/05/2005 10:50 PM 11776]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [31/01/2005 10:08 AM 4064]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/05/2008 10:33 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/05/2008 10:33 AM 55024]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [06/08/2009 12:58 PM 331824]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [05/08/2009 11:59 PM 210216]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [22/07/2009 1:13 PM 28592]
S0 viasraid;viasraid;c:\windows\system32\DRIVERS\viasraid.sys --> c:\windows\system32\DRIVERS\viasraid.sys [?]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [19/09/2006 3:30 PM 17432]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [31/01/2005 10:04 AM 16512]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Phil\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Phil\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [10/08/2009 5:19 PM 57640]
S3 Ql1ipo;Ql1ipo; [x]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
S3 rootrepeal3;rootrepeal3;\??\c:\windows\system32\drivers\rootrepeal3.sys --> c:\windows\system32\drivers\rootrepeal3.sys [?]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [10/06/2009 5:53 AM 341376]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/05/2008 10:33 AM 7408]
S3 Usdmpmk;Usdmpmk; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-09-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-08-04 19:32]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-08-04 19:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{013b462b-5ee3-4c46-830f-310178bcc424} - (no file)
BHO-{32566f20-b13b-4230-90b0-e70f09e6aff3} - (no file)
BHO-{A429ECAE-A5B5-44A3-BBC8-A5D063470D59} - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.defaulthomepage.info
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\6i82zj2e.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF - plugin: c:\program files\Java\jre1.5.0_11\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 21:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruiuehfwqkk]
"imagepath"="\systemroot\system32\drivers\hjgruiqmjgvxsr.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmktmrwait]
"imagepath"="\systemroot\system32\drivers\kbiwkmnsjwlgdk.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIVXserv.sys]
"imagepath"="\systemroot\system32\drivers\MSIVXfuafmqfooobhxpdhqbxmsisqvblnqyhu.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETjmeovdtm]
"imagepath"="\systemroot\system32\drivers\SKYNETpbigbmve.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{99CB6748-304E-42E9-B30B-14EA2E6E250D}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\yaywXPIx.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruiuehfwqkk]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\hjgruiqmjgvxsr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmktmrwait]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmnsjwlgdk.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIVXserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\systemroot\\system32\\drivers\\MSIVXfuafmqfooobhxpdhqbxmsisqvblnqyhu.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETjmeovdtm]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETpbigbmve.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1736)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\windows\system32\IoctlSvc.exe
c:\progra~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Hotspot Shield\bin\openvpntray.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\Java\jre1.5.0_11\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-09-08 21:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 03:27

Pre-Run: 3,441,614,848 bytes free
Post-Run: 4,378,558,464 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
418 --- E O F --- 2009-09-02 09:00

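The four service entries under LOCKED REGISTRY KEYS above share a pattern worth checking mechanically rather than by eye: each is a kernel driver (type 1) loaded at system start (start 1), the key carries a DACL the scanner reports as locked, and the service name and the driver file name share a short prefix followed by different random-looking suffixes. The script below is an added example (not part of the forum post, and not ComboFix's own code) that parses a ComboFix-style registry dump and scores each Services key on those signals. The sample dump is constructed from two of the entries in the log plus a benign afd entry added for contrast; the prefix list, the scoring thresholds and the reading of the @DACL line as "locked" are this example's own assumptions.

```python
"""Score ComboFix-style Services keys for rootkit-driver traits.

Added example, not from the forum post or ComboFix. Sample input is
constructed from the log above; thresholds and prefix list are assumptions.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field
from os.path import commonprefix

# Constructed sample: two entries as printed in the log, the CLSID key that
# precedes them, and a benign kernel driver (afd) added here for contrast.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{99CB6748-304E-42E9-B30B-14EA2E6E250D}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\yaywXPIx.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruiuehfwqkk]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\hjgruiqmjgvxsr.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SKYNETjmeovdtm]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETpbigbmve.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\afd]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=expand:"\\SystemRoot\\system32\\drivers\\afd.sys"
"""

# Prefixes taken from the locked drivers in this log (assumption: treating
# them as indicators; the log itself does not name a malware family).
KNOWN_PREFIXES = ("hjgrui", "kbiwkm", "MSIVX", "SKYNET")

SERVICE_KERNEL_DRIVER = 0x1   # SCM "type" value for a kernel-mode driver
SERVICE_SYSTEM_START = 0x1    # SCM "start" value: loaded early by the I/O manager
SUSPICIOUS_SCORE = 3          # assumption: number of signals needed to flag

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]\\]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(\w+)"=(?:dword:([0-9a-f]{8})|(?:expand:)?"(.*)")$', re.I)


@dataclass
class Service:
    name: str
    locked: bool = False                      # scanner printed an @DACL line
    values: dict = field(default_factory=dict)


def parse_services(dump: str) -> list[Service]:
    """Collect Services keys; values under other keys (e.g. CLSID) are ignored."""
    services: list[Service] = []
    current: Service | None = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = Service(m.group(1)) if m else None
            if current:
                services.append(current)
            continue
        if current is None:
            continue
        if line.startswith("@DACL="):
            current.locked = True
        elif (v := VALUE_RE.match(line)):
            name, dword, text = v.group(1).lower(), v.group(2), v.group(3)
            # dword values are hex; string values have doubled backslashes
            current.values[name] = int(dword, 16) if dword is not None else text.replace("\\\\", "\\")
    return services


def assess(svc: Service) -> list[str]:
    """Return the independent signals that make this service look like a rootkit driver."""
    reasons = []
    if svc.values.get("type") == SERVICE_KERNEL_DRIVER and svc.values.get("start") == SERVICE_SYSTEM_START:
        reasons.append("kernel driver loaded at system start")
    stem = ntpath.basename(svc.values.get("imagepath", "")).lower().rsplit(".", 1)[0]
    lname = svc.name.lower()
    if stem and stem != lname:
        shared = commonprefix([stem, lname])
        # same short prefix, different random tails: service name != file name
        if 4 <= len(shared) < min(len(stem), len(lname)):
            reasons.append(f"service and driver file share prefix '{shared}' with differing suffixes")
    if any(lname.startswith(p.lower()) for p in KNOWN_PREFIXES):
        reasons.append("name starts with a prefix seen on the other locked drivers")
    if svc.locked:
        reasons.append("key reported locked (DACL) by the scanner")
    return reasons


def analyze(dump: str) -> dict[str, list[str]]:
    """Map each flagged service name to the signals that flagged it."""
    return {s.name: r for s in parse_services(dump) if len(r := assess(s)) >= SUSPICIOUS_SCORE}


if __name__ == "__main__":
    for name, reasons in analyze(SAMPLE_DUMP).items():
        print(name, "->", "; ".join(reasons))
```

The benign afd entry scores only one signal (it is also a system-start kernel driver), so the threshold keeps it out; the two rootkit-style entries score four. On a live system the same checks would be run against the registry directly, but note that on this machine the keys were locked and the files hidden, which is why the forum expert relies on ComboFix's offline view rather than on tools run from within the infected session.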
#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:02:26 PM

Posted 07 September 2009 - 11:01 PM

Hi,

It is going to take me quite a while to go through this log.

Can I restore my McAfee Security Centre and my windows XP Firewall?

Yes

Edited by SifuMike, 07 September 2009 - 11:03 PM.
edit for clarity

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 smartjock99

smartjock99
  • Topic Starter

  • Members
  • 113 posts
  • Local time:03:26 PM

Posted 07 September 2009 - 11:03 PM

Thanks SifuMike.

I'll periodically check back for updates. Thanks for all your help so far!