XP-Rootkit Infection


This topic is locked. 26 replies to this topic.

#1 tweist99 (Members, 18 posts)

Posted 01 September 2009 - 12:13 PM

I have been sent here from "Security > Am I infected? What do I do?"
http://www.bleepingcomputer.com/forums/ind...p;#entry1407577

"You have an active rootkit on your machine. With the information you have provided I believe you will need help from the malware removal team."

As I am unable to run full scans with RootRepeal (or any other virus / malware scanner), I have included the partial scan (Driver) below as well as a Win32kDiag report...

Any assistance that could be provided would be greatly appreciated.

x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 14:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA138000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9F79000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB7902000 Size: 138496 File Visible: - Signed: -
Status: -

Name: APPDRV.SYS
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
Address: 0xB8FFC000 Size: 16128 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xBA278000 Size: 60800 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F0B000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBA6FC000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgio.sys
Image Path: C:\Program Files\Avira\AntiVir Desktop\avgio.sys
Address: 0xBA5B0000 Size: 6144 File Visible: - Signed: -
Status: -

Name: avgntflt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avgntflt.sys
Address: 0xB504F000 Size: 81920 File Visible: - Signed: -
Status: -

Name: avipbb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xB77AB000 Size: 114688 File Visible: - Signed: -
Status: -

Name: b57xp32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\b57xp32.sys
Address: 0xB91B8000 Size: 176128 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xBA4C0000 Size: 16384 File Visible: - Signed: -
Status: -

Name: bcmwl5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xB91E3000 Size: 1123328 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB99EB000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xB9A3B000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA0E8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xBA58C000 Size: 13952 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xBA4BC000 Size: 10240 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA0D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xB9F23000 Size: 153344 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA208000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB776B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5BC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB7C0D000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBA6A9000 Size: 4096 File Visible: - Signed: -
Status: -

Name: eeCtrl.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Address: 0xB77E4000 Size: 385024 File Visible: - Signed: -
Status: -

Name: EraserUtilDrvI7.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys
Address: 0xB2B4D000 Size: 114688 File Visible: - Signed: -
Status: -

Name: EraserUtilRebootDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Address: 0xB77C7000 Size: 118784 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB28D9000 Size: 143744 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBA2B8000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xB9EEB000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBA5FC000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB9F49000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xB9A1B000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB92F6000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xBA2D8000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBA360000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xB9000000 Size: 10368 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xB7C29000 Size: 731136 File Visible: - Signed: -
Status: -

Name: HSF_DPV.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
Address: 0xB7CDC000 Size: 989952 File Visible: - Signed: -
Status: -

Name: HSFHWAZL.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
Address: 0xB7DCE000 Size: 211200 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB3B49000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xBA584000 Size: 8576 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xB9A6B000 Size: 52480 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xB9A4B000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xBA2F8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xB79AF000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB7A2E000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA0A8000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBA420000 Size: 24576 File Visible: - Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xB7C25000 Size: 14592 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB28FD000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB90C2000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB9EC2000 Size: 92928 File Visible: - Signed: -
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xBA0F8000 Size: 57472 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xB4CAE000 Size: 12672 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBA618000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xBA458000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBA418000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xB8FF0000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA0B8000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xB4DA2000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB7842000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBA3A0000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBA1B8000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xB9DBE000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB9DEE000 Size: 105344 File Visible: - Signed: -
Status: -

Name: naveng.sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090105.009\naveng.sys
Address: 0xB7A61000 Size: 82400 File Visible: - Signed: -
Status: -

Name: navex15.sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090105.009\navex15.sys
Address: 0xB7A76000 Size: 869408 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB9E08000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA594000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB504B000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB90AB000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA1E8000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA288000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB7924000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xBA188000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBA3A8000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9E35000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBA7EC000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF012000 Size: 5730304 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB9356000 Size: 6835744 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xBA128000 Size: 61696 File Visible: - Signed: -
Status: -

Name: oz776.sys
Image Path: C:\WINDOWS\System32\Drivers\oz776.sys
Address: 0xBA298000 Size: 62208 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB90E5000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBA330000 Size: 19712 File Visible: - Signed: -
Status: -

Name: PBADRV.sys
Image Path: PBADRV.sys
Address: 0xBA118000 Size: 45056 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB9F68000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBA670000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBA328000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB7EA2000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB909A000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBA440000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA108000 Size: 37376 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB7BFD000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xB99FB000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA158000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBA198000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBA448000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB78B2000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBA620000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB906A000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xB9A2B000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rimmptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
Address: 0xBA308000 Size: 61440 File Visible: - Signed: -
Status: -

Name: rimsptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
Address: 0xBA318000 Size: 56832 File Visible: - Signed: -
Status: -

Name: rixdptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
Address: 0xB9153000 Size: 331776 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB3847000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xBA3F8000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xB78DD000 Size: 151552 File Visible: - Signed: -
Status: -

Name: savrt.sys
Image Path: C:\Program Files\Symantec AntiVirus\savrt.sys
Address: 0xB7B81000 Size: 360448 File Visible: - Signed: -
Status: -

Name: Savrtpel.sys
Image Path: C:\Program Files\Symantec AntiVirus\Savrtpel.sys
Address: 0xB7B4B000 Size: 81920 File Visible: - Signed: -
Status: -

Name: sdbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Address: 0xB91A4000 Size: 79232 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBA580000 Size: 15744 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xB9A5B000 Size: 64512 File Visible: - Signed: -
Status: -

Name: SMCLIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\SMCLIB.SYS
Address: 0xB7BDD000 Size: 16384 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xB9ED9000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB4A58000 Size: 333952 File Visible: - Signed: -
Status: -

Name: ssmdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xBA3F0000 Size: 23040 File Visible: - Signed: -
Status: -

Name: sthda.sys
Image Path: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xB7EC6000 Size: 1169728 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBA5DA000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Address: 0xB7B5F000 Size: 139264 File Visible: - Signed: -
Status: -

Name: SYMTDI.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYS
Address: 0xB7974000 Size: 241664 File Visible: - Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xB9121000 Size: 202912 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB46FA000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB79D5000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBA428000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA1C8000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xB4841000 Size: 97280 File Visible: - Signed: -
Status: -

Name: tosporte.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tosporte.sys
Address: 0xBA1D8000 Size: 41600 File Visible: - Signed: -
Status: -

Name: tosrfcom.sys
Image Path: C:\WINDOWS\System32\Drivers\tosrfcom.sys
Address: 0xB9A0B000 Size: 64896 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB900C000 Size: 384768 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xBA470000 Size: 32128 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBA5C8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBA410000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA1F8000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB931E000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBA408000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBA368000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB9342000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0C8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBA268000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBA490000 Size: 20480 File Visible: - Signed: -
Status: -

Name: WaveFDE.sys
Image Path: C:\WINDOWS\system32\DRIVERS\WaveFDE.sys
Address: 0xBA450000 Size: 18176 File Visible: - Signed: -
Status: -

Name: WavxDMgr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys
Address: 0xB5063000 Size: 161280 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB40CD000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA3B0000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xB99DB000 Size: 61440 File Visible: No Signed: -
Status: -

Name: wmiacpi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Address: 0xBA590000 Size: 8832 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x
x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x

Log file is located at: C:\Documents and Settings\TWeist\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP14B.tmp\ZAP14B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A6.tmp\ZAP1A6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B2.tmp\ZAP1B2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CA.tmp\ZAP1CA.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP253.tmp\ZAP253.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B2.tmp\ZAP2B2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP33B.tmp\ZAP33B.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9.tmp\ZAP9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\biolsp patch\biolsp patch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Dell Drivers MSI\Dell Drivers MSI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Fingerprint Sensor Minimum Install\Fingerprint Sensor Minimum Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Gemalto\Gemalto

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\GemSafe Standard Edition\GemSafe Standard Edition

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Preboot Manager\Preboot Manager

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Trusted Drive Manager\Trusted Drive Manager

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\tsp patch\tsp patch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\upekmsi\upekmsi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Wave Infrastructure\Wave Infrastructure

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109450090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 03:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-295802438-2662319749-4171588680-1192\S-1-5-21-295802438-2662319749-4171588680-1192

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Adobe PDF\Settings\Settings

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield\ISEngine12.0\ISEngine12.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Shockwave Player\DswMedia\DswMedia

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Shockwave Player\Prefs\T3SZR7PP\T3SZR7PP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v2.0.50727.190\v2.0.50727.190

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-3533993494-1024158106-1915868708-500\S-1-5-21-3533993494-1024158106-1915868708-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3533993494-1024158106-1915868708-500\S-1-5-21-3533993494-1024158106-1915868708-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Wave Systems Corp\Wave Systems Corp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\35347d2c6df0\35347d2c6df0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-3533993494-1024158106-1915868708-500\S-1-5-21-3533993494-1024158106-1915868708-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\12.0\12.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft Help\Microsoft Help

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\PowerDVD DX\IEPG\IEPG

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Toshiba\BluetoothStack\V1.0\tosOBEX\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth\Image Inbox\Image Inbox

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth\Inbox\Inbox

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth\SharedFolder\SharedFolder

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 03:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 16:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 03:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\IEAK

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log

[1] 2009-09-01 08:43:09 8192 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log ()

[1] 2008-04-22 09:32:44 8192 C:\i386\dtctrace.log ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-24-17-26-51-0379-00

[1] 2009-08-24 15:57:38 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-24-17-26-51-0379-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-08-24-56-0531-00

[1] 2009-08-24 17:32:41 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-08-24-56-0531-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-09-38-08-0156-00

[1] 2009-08-25 09:32:40 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-09-38-08-0156-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-09-56-25-0498-00

[1] 2009-08-25 09:51:45 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-09-56-25-0498-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-10-41-46-0437-00

[1] 2009-08-25 10:39:25 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-10-41-46-0437-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-13-20-43-0375-00

[1] 2009-08-25 12:56:22 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-13-20-43-0375-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-13-32-49-0156-00

[1] 2009-08-25 13:20:44 8192 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-13-32-49-0156-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-07-04-0796-00

[1] 2009-08-25 14:04:55 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-07-04-0796-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-44-30-0484-00

[1] 2009-08-25 14:42:24 24576 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-44-30-0484-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-50-53-0162-00

[1] 2009-08-25 14:48:46 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-50-53-0162-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-15-56-31-0687-00

[1] 2009-08-25 14:59:17 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-15-56-31-0687-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-10-27-46-0437-00

[1] 2009-08-25 16:36:45 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-10-27-46-0437-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-12-06-54-0890-00

[1] 2009-08-26 11:55:31 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-12-06-54-0890-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-12-49-01-0140-00

[1] 2009-08-26 12:47:04 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-12-49-01-0140-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-14-37-03-0312-00

[1] 2009-08-26 12:49:55 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-14-37-03-0312-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-31-13-15-15-0296-00

[1] 2009-08-26 14:37:03 8192 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-31-13-15-15-0296-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-09-01-08-43-09-0015-00

[1] 2009-08-31 20:15:48 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-09-01-08-43-09-0015-00 ()



Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Test\Test

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-09-01 08:43:35 41913 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

[1] 2008-04-22 09:35:20 29344 C:\i386\FrameWork.log ()



Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^



Finished!


#2 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 September 2009 - 11:49 AM

Hello tweist99,

Let's begin....

==========

Step 1

Please save this file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text)
"%userprofile%\desktop\win32kdiag.exe" -f -r
into the "Open" box, and click OK.
When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents here.

==========

Step 2

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y
  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
==========

Step 3

Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused.
Certain misuses of this program can prevent your system from ever starting again.
For this reason, it is strongly recommended to use The Avenger only as directed and under qualified supervision.
We can accept no responsibility for damage caused by misuse of the program.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
==========

With your next post please provide:

* Win32kDiag.txt
* Avenger.txt

Edited by SifuMike, 04 September 2009 - 12:03 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
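The reasoning behind Step 2 above (the system32 copy of eventlog.dll is listed without a company name and at a different size from the ServicePackFiles copy, while helpsvc.exe and the dtctrace.log files are merely unreadable) can be checked mechanically. The following parser for the Win32kDiag report format is an added example, not code from Win32kDiag, The Avenger or anyone in this thread; the sample report is constructed from lines posted in the thread.

```python
"""Parse a Win32kDiag report and flag the findings a helper acts on.

Added example; not Win32kDiag's own code. Two record types from the posted
logs are read:
  "Found mount point : <dir>" followed by "Mount point destination : <dev>"
  "Cannot access: <file>" followed by "[n] DATE TIME SIZE PATH (COMPANY)" lines
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the thread's report, condensed.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 03:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 16:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 16:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log

[1] 2009-09-01 08:43:09 8192 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log ()
[1] 2008-04-22 09:32:44 8192 C:\i386\dtctrace.log ()

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()
[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Finished!
"""

# "[n] DATE TIME SIZE PATH (COMPANY)"; PATH may contain spaces, COMPANY may be empty.
COPY_RE = re.compile(r"^\[\d+\] (\S+ \S+) (\d+) (.+) \((.*)\)$")
# Directories holding pristine copies of system files on an XP SP3 machine.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\$ntservicepackuninstall$\\", "\\i386\\")


@dataclass
class FileCopy:
    timestamp: str
    size: int
    path: str
    company: str  # empty when Win32kDiag could not read version info


@dataclass
class Finding:
    target: str
    live_size: int
    reference: str
    reference_size: int


def parse_report(text: str) -> Tuple[Counter, Dict[str, List[FileCopy]]]:
    """Return (mount-point destinations with counts, inaccessible files -> copies)."""
    destinations: Counter = Counter()
    inaccessible: Dict[str, List[FileCopy]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Mount point destination : "):
            destinations[line.split(" : ", 1)[1]] += 1
            current = None
        elif line.startswith("Cannot access: "):
            current = line[len("Cannot access: "):]
            inaccessible[current] = []
        elif current is not None:
            m = COPY_RE.match(line)
            if m:
                inaccessible[current].append(
                    FileCopy(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
            else:
                current = None  # block ended
    return destinations, inaccessible


def flag_replaced_system_files(inaccessible: Dict[str, List[FileCopy]]) -> List[Finding]:
    """Flag a file whose live copy has no company name but a same-named reference
    copy does, AND whose size differs from that reference. An unreadable copy of
    the same size (helpsvc.exe) or a log with no version info (dtctrace.log) is
    not flagged."""
    findings: List[Finding] = []
    for target, copies in inaccessible.items():
        name = target.rsplit("\\", 1)[-1].lower()
        live = next((c for c in copies if c.path.lower() == target.lower()), None)
        if live is None or live.company:
            continue
        refs = [c for c in copies
                if c.path.lower() != target.lower()
                and c.path.rsplit("\\", 1)[-1].lower() == name
                and c.company
                and any(d in c.path.lower() for d in REFERENCE_DIRS)]
        # Prefer the ServicePackFiles copy: it matches the installed SP level.
        refs.sort(key=lambda c: "servicepackfiles" not in c.path.lower())
        if refs and refs[0].size != live.size:
            findings.append(Finding(target, live.size, refs[0].path, refs[0].size))
    return findings


if __name__ == "__main__":
    dests, files = parse_report(SAMPLE_LOG)
    for dest, n in dests.items():
        print(f"{n} mount point(s) redirected to {dest}")
    for f in flag_replaced_system_files(files):
        print(f"{f.target}: {f.live_size} bytes, no version info; "
              f"reference {f.reference} is {f.reference_size} bytes")
```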

#3 tweist99
  • Topic Starter

  • Members
  • 18 posts

Posted 04 September 2009 - 04:13 PM

Thank you for your assistance... sorry for my delay...

STEP 1:

Log file is located at: C:\Documents and Settings\TWeist\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP14B.tmp\ZAP14B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP14B.tmp\ZAP14B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A6.tmp\ZAP1A6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A6.tmp\ZAP1A6.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B2.tmp\ZAP1B2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B2.tmp\ZAP1B2.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CA.tmp\ZAP1CA.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1CA.tmp\ZAP1CA.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP253.tmp\ZAP253.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP253.tmp\ZAP253.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B2.tmp\ZAP2B2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B2.tmp\ZAP2B2.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP33B.tmp\ZAP33B.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP33B.tmp\ZAP33B.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9.tmp\ZAP9.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9.tmp\ZAP9.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\biolsp patch\biolsp patch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\biolsp patch\biolsp patch

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Dell Drivers MSI\Dell Drivers MSI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Dell Drivers MSI\Dell Drivers MSI

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Fingerprint Sensor Minimum Install\Fingerprint Sensor Minimum Install

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Fingerprint Sensor Minimum Install\Fingerprint Sensor Minimum Install

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Gemalto\Gemalto

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Gemalto\Gemalto

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\GemSafe Standard Edition\GemSafe Standard Edition

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\GemSafe Standard Edition\GemSafe Standard Edition

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Preboot Manager\Preboot Manager

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Preboot Manager\Preboot Manager

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Trusted Drive Manager\Trusted Drive Manager

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Trusted Drive Manager\Trusted Drive Manager

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\tsp patch\tsp patch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\tsp patch\tsp patch

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\upekmsi\upekmsi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\upekmsi\upekmsi

Found mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Wave Infrastructure\Wave Infrastructure

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Downloaded Installations\{ABBA2EA4-740E-4052-902B-9CA70B081E3F}\Wave Infrastructure\Wave Infrastructure

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109450090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109450090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 03:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 16:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-295802438-2662319749-4171588680-1192\S-1-5-21-295802438-2662319749-4171588680-1192

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-295802438-2662319749-4171588680-1192\S-1-5-21-295802438-2662319749-4171588680-1192

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Adobe PDF\Settings\Settings

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Adobe PDF\Settings\Settings

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield\ISEngine12.0\ISEngine12.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\InstallShield\ISEngine12.0\ISEngine12.0

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Shockwave Player\DswMedia\DswMedia

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Shockwave Player\DswMedia\DswMedia

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Shockwave Player\Prefs\T3SZR7PP\T3SZR7PP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Shockwave Player\Prefs\T3SZR7PP\T3SZR7PP

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v2.0.50727.190\v2.0.50727.190

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v2.0.50727.190\v2.0.50727.190

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-3533993494-1024158106-1915868708-500\S-1-5-21-3533993494-1024158106-1915868708-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-3533993494-1024158106-1915868708-500\S-1-5-21-3533993494-1024158106-1915868708-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3533993494-1024158106-1915868708-500\S-1-5-21-3533993494-1024158106-1915868708-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-3533993494-1024158106-1915868708-500\S-1-5-21-3533993494-1024158106-1915868708-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Wave Systems Corp\Wave Systems Corp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Wave Systems Corp\Wave Systems Corp

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\35347d2c6df0\35347d2c6df0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\35347d2c6df0\35347d2c6df0

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-3533993494-1024158106-1915868708-500\S-1-5-21-3533993494-1024158106-1915868708-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-3533993494-1024158106-1915868708-500\S-1-5-21-3533993494-1024158106-1915868708-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\12.0\12.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\12.0\12.0

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft Help\Microsoft Help

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft Help\Microsoft Help

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\PowerDVD DX\IEPG\IEPG

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\PowerDVD DX\IEPG\IEPG

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Toshiba\BluetoothStack\V1.0\tosOBEX\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Toshiba\BluetoothStack\V1.0\tosOBEX\Temp\Temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth\Image Inbox\Image Inbox

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth\Image Inbox\Image Inbox

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth\Inbox\Inbox

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth\Inbox\Inbox

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth\SharedFolder\SharedFolder

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Bluetooth\SharedFolder\SharedFolder

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 03:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 16:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 16:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-04 03:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\IEAK

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\IEAK

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log

[1] 2009-09-04 12:40:33 8192 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log ()

[1] 2008-04-22 09:32:44 8192 C:\i386\dtctrace.log ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-24-17-26-51-0379-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-24-17-26-51-0379-00

[1] 2009-08-24 15:57:38 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-24-17-26-51-0379-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-08-24-56-0531-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-08-24-56-0531-00

[1] 2009-08-24 17:32:41 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-08-24-56-0531-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-09-38-08-0156-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-09-38-08-0156-00

[1] 2009-08-25 09:32:40 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-09-38-08-0156-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-09-56-25-0498-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-09-56-25-0498-00

[1] 2009-08-25 09:51:45 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-09-56-25-0498-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-10-41-46-0437-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-10-41-46-0437-00

[1] 2009-08-25 10:39:25 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-10-41-46-0437-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-13-20-43-0375-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-13-20-43-0375-00

[1] 2009-08-25 12:56:22 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-13-20-43-0375-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-13-32-49-0156-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-13-32-49-0156-00

[1] 2009-08-25 13:20:44 8192 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-13-32-49-0156-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-07-04-0796-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-07-04-0796-00

[1] 2009-08-25 14:04:55 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-07-04-0796-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-44-30-0484-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-44-30-0484-00

[1] 2009-08-25 14:42:24 24576 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-44-30-0484-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-50-53-0162-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-50-53-0162-00

[1] 2009-08-25 14:48:46 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-14-50-53-0162-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-15-56-31-0687-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-15-56-31-0687-00

[1] 2009-08-25 14:59:17 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-25-15-56-31-0687-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-10-27-46-0437-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-10-27-46-0437-00

[1] 2009-08-25 16:36:45 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-10-27-46-0437-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-12-06-54-0890-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-12-06-54-0890-00

[1] 2009-08-26 11:55:31 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-12-06-54-0890-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-12-49-01-0140-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-12-49-01-0140-00

[1] 2009-08-26 12:47:04 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-12-49-01-0140-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-14-37-03-0312-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-14-37-03-0312-00

[1] 2009-08-26 12:49:55 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-26-14-37-03-0312-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-31-13-15-15-0296-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-31-13-15-15-0296-00

[1] 2009-08-26 14:37:03 8192 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-08-31-13-15-15-0296-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-09-01-08-43-09-0015-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-09-01-08-43-09-0015-00

[1] 2009-08-31 20:15:48 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-09-01-08-43-09-0015-00 ()



Cannot access: C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-09-04-12-40-33-0234-00

Attempting to restore permissions of : C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-09-04-12-40-33-0234-00

[1] 2009-09-03 14:17:19 32768 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log.2009-09-04-12-40-33-0234-00 ()



Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\Test\Test

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Test\Test

Cannot access: C:\WINDOWS\system32\wbem\Logs\FrameWork.log

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\Logs\FrameWork.log

[1] 2009-09-04 12:59:32 42683 C:\WINDOWS\system32\wbem\Logs\FrameWork.log ()

[1] 2008-04-22 09:35:20 29344 C:\i386\FrameWork.log ()



Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2



Finished!








STEP 3

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

Edited by tweist99, 04 September 2009 - 04:26 PM.


#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:39 PM

Posted 04 September 2009 - 04:38 PM

Hi tweist99,

Please do the following:

Tell me the antivirus program you are running.
Are you running any registry protector (like Windows Defender or Spybot Teatimer)?

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind 
    eventlog.dll
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 tweist99

tweist99
  • Topic Starter

  • Members
  • 18 posts
  • Local time:06:39 PM

Posted 04 September 2009 - 05:07 PM

Tell me the antivirus program you are running.

Symantec Antivirus and Avira (Avira AntiVir Personal) are both installed (Symantec had not been running, and could not be deleted... Avira is active and updated).

Are you running any registry protector (like Windows Defender or Spybot Teatimer)?
Spybot had been installed previously; however, I believe Teatimer was not. Teatimer is not active in my Task Manager processes tab.




SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:02 on 04/09/2009 by tweist (Administrator - Elevation successful)

========== filefind ==========

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--- 55808 bytes [17:40 22/04/2008] [11:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [17:17 05/02/2009] [11:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [20:41 27/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 56320 bytes [23:00 11/08/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

-=End Of File=-

Edited by tweist99, 04 September 2009 - 05:08 PM.
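Reading the Win32kDiag and SystemLook output in this thread by hand is tedious, so here is a small triage script, added as an example and not part of the thread or of Win32kDiag, SystemLook or The Avenger. It pairs each Win32kDiag mount point with its destination and flags targets that are not ordinary volume paths, flags file copies that disagree with a vendor-stamped backup (no company name, or same timestamp but a different size, as with the 61952-byte eventlog.dll above), and checks the :filefind MD5 of the live system32 copy against its backups. Sample lines come from the posted logs except where a comment marks them as constructed (the benign junction and the "before cleanup" filefind line, whose MD5 is a placeholder).

```python
"""Triage helpers for Win32kDiag and SystemLook logs (added example, not the tools' code)."""
import re
from collections import defaultdict

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
# Win32kDiag copy lines: "[n] YYYY-MM-DD HH:MM:SS <size> <path> (<company>)"
COPY_RE = re.compile(
    r"^\[\d\] (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<size>\d+) "
    r"(?P<path>.+?) \((?P<company>[^)]*)\)$")
# SystemLook :filefind lines: "<path> <attrs> <size> bytes [mtime] [ctime] <MD5>"
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")


def _name(path):
    """Last component of a Windows path, lower-cased (os.path would not split on '\\' on Linux)."""
    return path.rsplit("\\", 1)[-1].lower()


def device_junctions(lines):
    """Pair each 'Found mount point' with the destination line that follows it and return
    the pairs whose target is not a volume path.  Junctions Windows creates itself point
    at '\\??\\<drive or Volume GUID>'; a bare object-manager device name stands out."""
    hits, pending = [], None
    for line in lines:
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            if not m.group(1).startswith("\\??\\"):
                hits.append((pending, m.group(1)))
            pending = None
    return hits


def divergent_copies(lines):
    """Group Win32kDiag copy lines by file name and flag copies that disagree with a
    vendor-stamped copy: no company string, or the same timestamp but a different size
    (timestamp preserved, contents changed).  Files with no vendor-stamped copy at all
    (plain log files) are skipped."""
    groups = defaultdict(list)
    for line in lines:
        m = COPY_RE.match(line)
        if m:
            groups[_name(m.group("path"))].append(m.groupdict())
    flagged = {}
    for name, copies in groups.items():
        refs = [c for c in copies if c["company"]]
        if not refs:
            continue
        bad = [c["path"] for c in copies if not c["company"] or any(
            r["ts"] == c["ts"] and r["size"] != c["size"] for r in refs)]
        if bad:
            flagged[name] = bad
    return flagged


def filefind_mismatch(lines, live_dir="c:\\windows\\system32\\"):
    """Return {name: (live_md5, backup_md5s)} for every :filefind result whose live copy
    under system32 matches none of the backup copies found elsewhere on the disk."""
    groups = defaultdict(list)
    for line in lines:
        m = FILEFIND_RE.match(line)
        if m:
            groups[_name(m.group("path"))].append((m.group("path").lower(), m.group("md5").upper()))
    out = {}
    for name, entries in groups.items():
        backups = {md5 for p, md5 in entries if not p.startswith(live_dir)}
        for p, md5 in entries:
            if p.startswith(live_dir) and backups and md5 not in backups:
                out[name] = (md5, backups)
    return out


# Lines from the posted Win32kDiag log, plus one constructed benign junction
# (made-up Volume GUID) to show what a normal destination looks like.
WIN32KDIAG_SAMPLE = r"""
Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\Constructed\MountedVolume

Mount point destination : \??\Volume{00000000-0000-0000-0000-000000000000}

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 03:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 16:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 16:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 16:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
[1] 2009-09-04 12:40:33 8192 C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log ()
[1] 2008-04-22 09:32:44 8192 C:\i386\dtctrace.log ()
""".splitlines()

# The four :filefind hits posted after The Avenger replaced eventlog.dll.
SYSTEMLOOK_AFTER = r"""
C:\i386\eventlog.dll --a--- 55808 bytes [17:40 22/04/2008] [11:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [17:17 05/02/2009] [11:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [20:41 27/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 56320 bytes [23:00 11/08/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
""".splitlines()

# Constructed "before cleanup" view: same backups, but the live copy is the 61952-byte
# file Win32kDiag reported.  Its MD5 is a placeholder, not a real hash.
SYSTEMLOOK_BEFORE = [l for l in SYSTEMLOOK_AFTER if "system32" not in l] + [
    r"C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [23:00 11/08/2004] "
    r"[00:11 14/04/2008] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"]

if __name__ == "__main__":
    for path, dest in device_junctions(WIN32KDIAG_SAMPLE):
        print(f"junction {path} -> {dest}")
    for name, paths in divergent_copies(WIN32KDIAG_SAMPLE).items():
        print(f"{name}: copies disagreeing with a vendor-stamped backup: {paths}")
    print("mismatch before cleanup:", filefind_mismatch(SYSTEMLOOK_BEFORE))
    print("mismatch after cleanup: ", filefind_mismatch(SYSTEMLOOK_AFTER))
```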


#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:39 PM

Posted 04 September 2009 - 05:39 PM

Hi tweist99,

Symantec Antivirus and Avira (Avira AntiVir Personal) are both installed (Symantec had not been running, and could not be deleted... Avira is active and updated)


They make getting rid of Symantec very difficult.

To fully remove Norton AntiVirus or other Symantec related products, select the product you want to uninstall from this list in order to download the removal tool.
Please read the instructions first before you use it.

For older versions of Norton (2000, 2001, 2002), choose this link.

Also read the next article in case you're having problems with uninstalling Norton if above instructions didn't work, or noticed problems after uninstalling Norton: http://basconotw.mvps.org/SymRem.htm

*********************

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

To disable Avira Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on a red background.
  • Right click it -> untick the option AntiVir Guard enable.
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 tweist99
  • Topic Starter
  • Members
  • 18 posts

Posted 04 September 2009 - 06:17 PM

ComboFix 09-09-03.02 - tweist 2009-09-04 14:55.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1321 [GMT -8:00]
Running from: c:\documents and settings\TWeist\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\enoni.inf
c:\documents and settings\All Users\Application Data\ihukodu.ban
c:\documents and settings\All Users\Application Data\kewyf.pif
c:\documents and settings\All Users\Application Data\upagocabiv.sys
c:\documents and settings\All Users\Application Data\usyryt.com
c:\documents and settings\All Users\Documents\cuzafy.ban
c:\documents and settings\All Users\Documents\okeqemogiz.pif
c:\documents and settings\TWeist\Application Data\avaba.sys
c:\documents and settings\TWeist\Local Settings\Application Data\bytej.vbs
c:\documents and settings\TWeist\nah_log.dat
c:\program files\Common Files\omireqivy.inf
c:\program files\Common Files\ukixak.inf
c:\program files\pdfforge Toolbar\SeARchsettings.dll
c:\windows\Install.txt
c:\windows\run.log
c:\windows\system32\gagahan.scr
c:\windows\system32\nfr.assembly
c:\windows\system32\nfr.gpref
c:\windows\system32\UACfvanrlerbt.dll.XXX
c:\windows\system32\UACllkxyphqps.dll.XXX
c:\windows\system32\UACukryjgeflo.db
c:\windows\system32\wygeha.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-08-26 22:48 . 2009-03-17 21:26 65320 ----a-w- c:\windows\system32\sbbd.exe
2009-08-26 22:48 . 2008-10-23 01:08 92464 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-08-26 22:48 . 2009-08-27 13:25 -------- d-----w- C:\VIPRERESCUE
2009-08-26 20:28 . 2007-05-09 09:10 237552 ----a-w- c:\windows\system32\tpuninst.exe
2009-08-26 20:28 . 2009-08-26 20:28 -------- d-----w- c:\program files\Windows Update Remover
2009-08-26 19:35 . 2009-08-26 18:54 359932 ----a-w- C:\dds.scr
2009-08-26 00:16 . 2009-08-26 18:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-26 00:10 . 2009-08-26 00:10 -------- d-----w- C:\VundoFix Backups
2009-08-25 22:40 . 2009-08-25 22:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-25 18:09 . 2009-08-25 18:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-24 23:46 . 2009-03-30 18:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-24 23:46 . 2009-02-13 20:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-24 23:46 . 2009-02-13 20:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-24 23:46 . 2009-08-24 23:46 -------- d-----w- c:\program files\Avira
2009-08-24 23:46 . 2009-08-24 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-24 21:04 . 2009-08-24 21:04 -------- d--h--w- c:\windows\PIF
2009-08-24 20:34 . 2009-08-03 21:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-24 20:34 . 2009-08-03 21:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-24 20:34 . 2009-08-25 21:55 -------- d-----w- c:\program files\MWS
2009-08-23 10:47 . 2009-08-23 18:20 -------- d-----w- c:\program files\tessst4
2009-08-23 04:35 . 2009-08-23 04:35 -------- d-----w- C:\e198da8aac3b377d4bc1
2009-08-23 03:56 . 2009-08-23 03:56 -------- d-----w- c:\program files\AVG
2009-08-23 03:45 . 2009-08-23 03:46 -------- d-----w- c:\program files\tessst3
2009-08-22 18:44 . 2009-08-22 18:44 -------- d-----w- c:\program files\Alwil Software
2009-08-22 06:37 . 2009-08-22 07:38 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-21 06:08 . 2009-08-21 06:08 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-21 05:54 . 2009-08-23 03:40 -------- d-----w- c:\program files\tessst2
2009-08-21 05:29 . 2009-08-21 05:29 19851 ----a-w- c:\windows\system32\gede.com
2009-08-21 02:39 . 2009-08-21 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-08-21 02:39 . 2009-08-21 04:05 -------- d-----w- c:\documents and settings\TWeist\Application Data\Azureus
2009-08-19 19:46 . 2009-08-23 18:19 -------- d-----w- c:\program files\Winamp
2009-08-18 21:55 . 2009-08-19 19:51 -------- d-----w- c:\documents and settings\TWeist\Application Data\mp3Extractor
2009-08-18 21:54 . 2009-08-18 21:54 -------- d-----w- c:\program files\mp3Extractor
2009-08-17 16:07 . 2009-08-18 22:04 1049504 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-12 16:31 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-07 16:16 . 2009-08-07 16:16 -------- d-----w- c:\documents and settings\TWeist\Application Data\Search Settings
2009-08-07 16:16 . 2009-08-07 16:16 -------- d-----w- c:\documents and settings\TWeist\Application Data\pdfforge
2009-08-07 00:11 . 2009-08-07 16:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-06 22:24 . 2009-09-04 22:58 -------- d-----w- c:\program files\pdfforge Toolbar
2009-08-06 22:22 . 2001-10-29 01:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2009-08-06 22:22 . 2009-08-06 22:25 -------- d-----w- c:\program files\PDFCreator
2009-08-06 22:22 . 1998-07-06 09:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 22:59 . 2009-04-11 02:53 -------- d-----w- c:\documents and settings\TWeist\Application Data\DNA
2009-09-04 21:56 . 2008-05-10 21:10 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2009-09-04 21:18 . 2009-04-11 02:53 -------- d-----w- c:\program files\DNA
2009-09-04 21:18 . 2008-04-03 19:40 0 ----a-w- c:\documents and settings\TWeist\Local Settings\Application Data\WavXMapDrive.bat
2009-08-26 22:34 . 2009-01-06 20:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-26 00:27 . 2009-01-06 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-25 22:47 . 2009-03-07 20:09 -------- d-----w- c:\program files\Lavasoft
2009-08-25 22:47 . 2009-03-07 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-25 16:27 . 2009-01-06 20:49 -------- d-----w- c:\documents and settings\TWeist\Application Data\SUPERAntiSpyware.com
2009-08-24 20:00 . 2009-03-05 03:53 -------- d-----w- c:\program files\DivX
2009-08-23 18:38 . 2009-04-11 02:05 -------- d-----w- c:\program files\Free FLV Converter
2009-08-23 18:26 . 2009-07-07 18:19 -------- d-----w- c:\documents and settings\TWeist\Application Data\vlc
2009-08-23 18:20 . 2008-11-27 22:37 -------- d-----w- c:\program files\PartyGaming
2009-08-23 05:20 . 2009-01-06 23:05 -------- d-----w- c:\program files\Glary Utilities
2009-08-21 05:29 . 2009-08-21 05:29 13248 ----a-w- c:\documents and settings\All Users\Application Data\jinuf.dat
2009-08-21 02:53 . 2009-04-19 19:16 -------- d-----w- c:\documents and settings\TWeist\Application Data\FrostWire
2009-08-19 17:03 . 2008-03-27 19:17 129330 ----a-w- c:\windows\system32\nvModes.dat
2009-08-12 20:03 . 2008-03-27 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 16:08 . 2009-05-22 16:56 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 16:32 . 2008-03-27 19:32 -------- d-----w- c:\program files\Java
2009-07-29 16:31 . 2009-07-29 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-29 00:33 . 2009-03-20 17:27 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-28 17:01 . 2009-07-28 17:01 -------- d-----w- c:\program files\Alex Feinman
2009-07-17 19:01 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 22:21 . 2008-05-16 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-07-12 20:21 . 2004-08-11 23:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 04:09 . 2009-06-20 07:45 -------- d-----w- c:\documents and settings\TWeist\Application Data\dvdcss
2009-07-09 03:53 . 2009-07-09 03:53 -------- d-----w- c:\program files\Rename It 3.0
2009-07-07 01:22 . 2008-08-14 23:22 -------- d-----w- c:\documents and settings\TWeist\Application Data\Apple Computer
2009-07-03 17:09 . 2004-08-11 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-03 14:49 . 2009-03-07 20:19 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-25 08:25 . 2004-08-11 23:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 23:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 23:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-11 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-11 23:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-11 23:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-11 23:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-11 23:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 17:19 . 2004-08-11 23:11 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-11 23:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-11 23:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-09 22:10 . 2008-04-03 19:40 129344 ----a-w- c:\documents and settings\TWeist\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 22:04 . 2008-03-27 19:48 129344 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-08 21:18 . 2009-06-08 21:18 89944 ---ha-w- c:\windows\system32\mlfcache.dat
1997-06-23 20:06 . 1997-06-23 20:06 287504 --sha-w- c:\windows\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B922D405-6D13-4A2B-AE89-08A030DA4402}"= "c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll" [2009-06-25 688640]

[HKEY_CLASSES_ROOT\clsid\{b922d405-6d13-4a2b-ae89-08a030da4402}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-29 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\WECPUpdate.exe" [2009-03-31 221184]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-11 321344]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-24 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-06 405504]
"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2009-06-13 998400]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-06 8466432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-03 29744]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-03 520024]
"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 738968]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-08-06 1626112]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-08-06 81920]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-08-06 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-27 50688]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 20:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-295802438-2662319749-4171588680-1150\Scripts\Logon\0\0]
"Script"=drives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-295802438-2662319749-4171588680-1183\Scripts\Logon\0\0]
"Script"=drives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-295802438-2662319749-4171588680-1188\Scripts\Logon\0\0]
"Script"=drives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-295802438-2662319749-4171588680-1192\Scripts\Logon\0\0]
"Script"=drives.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sopidkc"=2 (0x2)
"msncache"=2 (0x2)
"6to4"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"NCLaunch"=c:\windows\NCLAUNCH.EXe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SecureUpgrade"=c:\program files\Wave Systems Corp\SecureUpgrade.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-07 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-08-05 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-08-05 4:06 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-08-24 3:46 PM 108289]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 6:50 PM 30312]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-14 7:48 PM 116416]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-08-11 3:00 PM 5120]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 8:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2009-03-08 9:53 PM 101936]
S2 gupdate1c9c52666997399;Google Update Service (gupdate1c9c52666997399);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 1:48 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 6:49 AM 1029456]
S2 ucaitjau;ucaitjau;c:\windows\System32\svchost.exe -k netsvcs [2004-08-11 3:00 PM 14336]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-03-27 29744]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 7:07 AM 28933976]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PD;PD;c:\docume~1\TWeist\LOCALS~1\Temp\PD.exe --> c:\docume~1\TWeist\LOCALS~1\Temp\PD.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 4:06 PM 7408]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-08-26 2:48 PM 92464]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\documents and settings\TWeist\desktop\New Folder (2)\WinRing0.sys [2009-06-26 9:14 AM 14416]
S3 WTHU;WTHU;c:\docume~1\TWeist\LOCALS~1\Temp\WTHU.exe --> c:\docume~1\TWeist\LOCALS~1\Temp\WTHU.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ucaitjau

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-21 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-01-06 00:55]

2009-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 21:48]

2009-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 21:48]

2009-09-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 04:20]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\TWeist\Application Data\Mozilla\Firefox\Profiles\sbamjr4j.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\Mozilla Firefox 3 Beta 5\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox 3 Beta 5\extensions\{B922D405-6D13-4A2B-AE89-08A030DA4402}\components\pdfforgeToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox 3 Beta 5\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 15:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,42,a9,92,53,95,b4,4e,b6,30,15,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,42,a9,92,53,95,b4,4e,b6,30,15,\

[HKEY_USERS\S-1-5-21-295802438-2662319749-4171588680-1192\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Q%^%7*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-295802438-2662319749-4171588680-1192\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Q%^%7*\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1040)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1096)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-09-04 15:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-04 23:08
ComboFix2.txt 2009-03-18 19:05
ComboFix3.txt 2009-03-09 01:48

Pre-Run: 43,666,284,544 bytes free
Post-Run: 43,699,171,328 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

370 --- E O F --- 2009-09-04 20:54
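The ComboFix log above contains several entries a responder would flag before deciding whether a machine can be cleaned or should be reimaged: Windows Firewall disabled ("EnableFirewall"= 0), Security Center monitoring turned off for the AV, an Internet Explorer proxy pointed at a local port (localhost:7171), a service with a meaningless name hosted by svchost.exe -k netsvcs, a service image under a Temp folder that ComboFix marks with [?] (file no longer present), and a firewall exception for an svchost.exe that is not the one in system32. The following Python script is an editor's example, not part of the original thread and not ComboFix's own code; it runs those checks over a constructed sample modelled on the entries above. The rule names, severities and the "display name equals service name" heuristic are my own assumptions, not ComboFix conventions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the kinds of ComboFix entries seen in the
# log above; this is not a real log and the values are illustrative.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 8:19 PM 13592]
S2 ucaitjau;ucaitjau;c:\windows\System32\svchost.exe -k netsvcs [2004-08-11 3:00 PM 14336]
S3 PD;PD;c:\docume~1\TWeist\LOCALS~1\Temp\PD.exe --> c:\docume~1\TWeist\LOCALS~1\Temp\PD.exe [?]
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
"""

Finding = Tuple[str, str, str]  # (severity, rule, offending line)

# Service lines look like: "<R|S><n> <name>;<display name>;<image path> [date size]"
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+)$")
# Proxy pointed at the local host, e.g. "ProxyServer = http=localhost:7171"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(localhost|127\.0\.0\.1)(?::\d+)?", re.I)
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
MONITOR_OFF_RE = re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1$', re.I)
# Firewall authorized-application entries are quoted paths followed by "="
AUTH_APP_RE = re.compile(r'^"([^"]+)"=$')
TEMP_PATH_RE = re.compile(r"\\temp\\", re.I)


def triage_combofix(log: str) -> List[Finding]:
    """Scan ComboFix-style log lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Host-level security settings that malware commonly turns off.
        if FIREWALL_OFF_RE.search(line):
            findings.append(("high", "windows-firewall-disabled", line))
        elif MONITOR_OFF_RE.search(line):
            # Third-party AV products also set this, so it is informational only.
            findings.append(("info", "security-center-monitoring-disabled", line))
        elif PROXY_RE.search(line):
            # Browser traffic routed through a local port is a classic
            # traffic-interception / ad-injection indicator.
            findings.append(("high", "proxy-redirected-to-local-port", line))

        # Firewall exceptions: the real svchost.exe lives in %windir%\system32.
        m = AUTH_APP_RE.match(line)
        if m:
            path = m.group(1).replace("\\\\", "\\").lower()
            if path.endswith("\\svchost.exe") and not path.endswith("\\system32\\svchost.exe"):
                findings.append(("high", "firewall-exception-for-misplaced-svchost", line))

        # Services and drivers.
        m = SERVICE_RE.match(line)
        if m:
            name, display, image = m.group(1), m.group(2), m.group(3)
            if TEMP_PATH_RE.search(image):
                findings.append(("high", "service-image-in-temp", line))
            if image.rstrip().endswith("[?]"):
                # ComboFix marks entries whose file is no longer on disk with [?].
                findings.append(("medium", "service-image-file-missing", line))
            if "svchost.exe -k" in image.lower() and name == display:
                # Heuristic (my assumption): legitimate svchost-hosted services carry a
                # descriptive display name; "ucaitjau;ucaitjau" style entries do not.
                findings.append(("medium", "svchost-hosted-service-without-display-name", line))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a responder can see the shape at a glance."""
    counts: Dict[str, int] = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_combofix(SAMPLE_LOG)
    for severity, rule, line in results:
        print(f"[{severity:6}] {rule}: {line}")
    print(severity_counts(results))
```

The checks are deliberately narrow: they do not decide whether a host is clean, they only surface the lines a reviewer on this forum would look at first. The display-name heuristic will miss a hosted service that was given a plausible display name, and it will flag nothing for the hidden-file and hidden-process sections that catchme reports separately, so treat the output as a reading aid for the log rather than a verdict.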

#8 SifuMike
    malware expert

Posted 04 September 2009 - 06:34 PM

Hi,

Looks like Symantec AntiVirus Corporate Edition is still there. :( Please use the Norton removal tool, then we will continue with the removal process.

Is this a business, corporate or work computer?

#9 tweist99
  • Topic Starter

Posted 04 September 2009 - 06:39 PM

My mistake, thought that removal was for future use... removing now... this is a business computer and for personal use, I am an admin... very small company.

#10 SifuMike
    malware expert

Posted 04 September 2009 - 06:56 PM

Hi tweist99,

Since this is a business computer you should notify your IT dept ASAP.

I can not give guarantees that I have removed all malware. Do you want to risk that on a business computer?
The standard operating procedure for business and corporate computers is a reformat and reinstall of the operating system or reimaging.

In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources.

In fact, many companies will require you to read those policies and sign a statement of understanding.

Further, they usually have procedures in place to deal with infections on the network and may not approve of employees seeking help at an online forum or outside the business office.

If the IT dept's typical solution is to re-image, then have your supervisor speak to them about taking another approach.

Further, the malware you are dealing with may have already infected the network. The IT Department needs to be advised right away so they can take the appropriate measures.

#11 tweist99
  • Topic Starter

Posted 04 September 2009 - 06:59 PM

I am unable to download the removal tool; while using Firefox I get "550 /public/english_us_canada/removal_tools/Norton_Removal_Tool.exe: Not a directory"... while using Core FTP via Internet Explorer nothing downloads.

I understand the concern, please note that this is a very small company in which I have admin privileges for full access to all computers, I am part owner in this company and basically the in-house IT person... we use a third party to manage our server for basic tasks such as updating the fileserver and setting up the basic networking.

Edited by tweist99, 04 September 2009 - 07:06 PM.


#12 SifuMike
    malware expert

Posted 04 September 2009 - 07:20 PM

Hi tweist99,


I don't think there is a removal tool, but there is this:

How to manually uninstall Symantec AntiVirus Corporate Edition 8.x Client on Windows NT/2000/XP

Looks like you have to have some registry experience to remove it. They sure do not make it easy. :(


Uninstalling Symantec AntiVirus 10.x or Symantec Client Security 3.x silently

This one is easier to do, but it looks like it is not for the corp edition.

Let me know how you make out. If it is too hard for you then let's bypass it.

Ask your IT dept to do the manual uninstall, if you have one.

Edited by SifuMike, 04 September 2009 - 07:23 PM.


#13 tweist99 (Topic Starter)

Posted 04 September 2009 - 08:19 PM

Attempted to remove via regedit... obviously not completely successful: "AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled*". Below is a re-scanned ComboFix log...

I am sure it's after 6 pm where you are, and it is the holiday weekend... I appreciate your assistance. If it is acceptable to you, can we continue this after the holiday? I will attempt to work on Symantec some more as necessary.



ComboFix 09-09-03.02 - tweist 2009-09-04 17:00.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1381 [GMT -8:00]
Running from: c:\documents and settings\TWeist\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2009-08-26 22:48 . 2009-03-17 21:26 65320 ----a-w- c:\windows\system32\sbbd.exe
2009-08-26 22:48 . 2008-10-23 01:08 92464 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-08-26 22:48 . 2009-08-27 13:25 -------- d-----w- C:\VIPRERESCUE
2009-08-26 20:28 . 2007-05-09 09:10 237552 ----a-w- c:\windows\system32\tpuninst.exe
2009-08-26 20:28 . 2009-08-26 20:28 -------- d-----w- c:\program files\Windows Update Remover
2009-08-26 19:35 . 2009-08-26 18:54 359932 ----a-w- C:\dds.scr
2009-08-26 00:16 . 2009-08-26 18:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-26 00:10 . 2009-08-26 00:10 -------- d-----w- C:\VundoFix Backups
2009-08-25 22:40 . 2009-08-25 22:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-25 18:09 . 2009-08-25 18:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-24 23:46 . 2009-03-30 18:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-24 23:46 . 2009-02-13 20:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-24 23:46 . 2009-02-13 20:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-24 23:46 . 2009-08-24 23:46 -------- d-----w- c:\program files\Avira
2009-08-24 23:46 . 2009-08-24 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-24 21:04 . 2009-08-24 21:04 -------- d--h--w- c:\windows\PIF
2009-08-23 10:47 . 2009-08-23 18:20 -------- d-----w- c:\program files\tessst4
2009-08-23 04:35 . 2009-08-23 04:35 -------- d-----w- C:\e198da8aac3b377d4bc1
2009-08-23 03:56 . 2009-08-23 03:56 -------- d-----w- c:\program files\AVG
2009-08-23 03:45 . 2009-08-23 03:46 -------- d-----w- c:\program files\tessst3
2009-08-22 18:44 . 2009-08-22 18:44 -------- d-----w- c:\program files\Alwil Software
2009-08-22 06:37 . 2009-08-22 07:38 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-21 06:08 . 2009-08-21 06:08 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-21 05:29 . 2009-08-21 05:29 19851 ----a-w- c:\windows\system32\gede.com
2009-08-21 02:39 . 2009-08-21 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-08-21 02:39 . 2009-08-21 04:05 -------- d-----w- c:\documents and settings\TWeist\Application Data\Azureus
2009-08-19 19:46 . 2009-08-23 18:19 -------- d-----w- c:\program files\Winamp
2009-08-18 21:55 . 2009-08-19 19:51 -------- d-----w- c:\documents and settings\TWeist\Application Data\mp3Extractor
2009-08-18 21:54 . 2009-08-18 21:54 -------- d-----w- c:\program files\mp3Extractor
2009-08-17 16:07 . 2009-08-18 22:04 1049504 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-12 16:31 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-07 16:16 . 2009-08-07 16:16 -------- d-----w- c:\documents and settings\TWeist\Application Data\Search Settings
2009-08-07 16:16 . 2009-08-07 16:16 -------- d-----w- c:\documents and settings\TWeist\Application Data\pdfforge
2009-08-07 00:11 . 2009-08-07 16:08 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-06 22:24 . 2009-09-04 22:58 -------- d-----w- c:\program files\pdfforge Toolbar
2009-08-06 22:22 . 2001-10-29 01:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2009-08-06 22:22 . 2009-08-06 22:25 -------- d-----w- c:\program files\PDFCreator
2009-08-06 22:22 . 1998-07-06 09:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-05 01:04 . 2009-04-11 02:53 -------- d-----w- c:\documents and settings\TWeist\Application Data\DNA
2009-09-05 00:56 . 2008-05-10 21:10 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5
2009-09-05 00:54 . 2009-04-11 02:53 -------- d-----w- c:\program files\DNA
2009-09-05 00:54 . 2008-04-03 19:40 0 ----a-w- c:\documents and settings\TWeist\Local Settings\Application Data\WavXMapDrive.bat
2009-09-04 23:45 . 2008-07-21 18:21 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-04 23:43 . 2009-06-03 17:49 -------- d-----w- c:\documents and settings\TWeist\Application Data\CoreFTP
2009-08-26 22:34 . 2009-01-06 20:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-26 00:27 . 2009-01-06 17:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-25 22:47 . 2009-03-07 20:09 -------- d-----w- c:\program files\Lavasoft
2009-08-25 22:47 . 2009-03-07 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-25 16:27 . 2009-01-06 20:49 -------- d-----w- c:\documents and settings\TWeist\Application Data\SUPERAntiSpyware.com
2009-08-24 20:00 . 2009-03-05 03:53 -------- d-----w- c:\program files\DivX
2009-08-23 18:38 . 2009-04-11 02:05 -------- d-----w- c:\program files\Free FLV Converter
2009-08-23 18:26 . 2009-07-07 18:19 -------- d-----w- c:\documents and settings\TWeist\Application Data\vlc
2009-08-23 18:20 . 2008-11-27 22:37 -------- d-----w- c:\program files\PartyGaming
2009-08-23 05:20 . 2009-01-06 23:05 -------- d-----w- c:\program files\Glary Utilities
2009-08-21 05:29 . 2009-08-21 05:29 13248 ----a-w- c:\documents and settings\All Users\Application Data\jinuf.dat
2009-08-21 02:53 . 2009-04-19 19:16 -------- d-----w- c:\documents and settings\TWeist\Application Data\FrostWire
2009-08-19 17:03 . 2008-03-27 19:17 129330 ----a-w- c:\windows\system32\nvModes.dat
2009-08-12 20:03 . 2008-03-27 19:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 16:08 . 2009-05-22 16:56 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-29 16:32 . 2008-03-27 19:32 -------- d-----w- c:\program files\Java
2009-07-29 16:31 . 2009-07-29 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-29 00:33 . 2009-03-20 17:27 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-28 17:01 . 2009-07-28 17:01 -------- d-----w- c:\program files\Alex Feinman
2009-07-17 19:01 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 22:21 . 2008-05-16 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-07-12 20:21 . 2004-08-11 23:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 04:09 . 2009-06-20 07:45 -------- d-----w- c:\documents and settings\TWeist\Application Data\dvdcss
2009-07-09 03:53 . 2009-07-09 03:53 -------- d-----w- c:\program files\Rename It 3.0
2009-07-07 01:22 . 2008-08-14 23:22 -------- d-----w- c:\documents and settings\TWeist\Application Data\Apple Computer
2009-07-03 17:09 . 2004-08-11 23:00 915456 ------w- c:\windows\system32\wininet.dll
2009-07-03 14:49 . 2009-03-07 20:19 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-25 08:25 . 2004-08-11 23:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 23:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 23:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 23:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-11 23:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 23:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-11 23:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-11 23:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-11 23:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-11 23:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 17:19 . 2004-08-11 23:11 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-11 23:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-11 23:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-09 22:10 . 2008-04-03 19:40 129344 ----a-w- c:\documents and settings\TWeist\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 22:04 . 2008-03-27 19:48 129344 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-08 21:18 . 2009-06-08 21:18 89944 ---ha-w- c:\windows\system32\mlfcache.dat
1997-06-23 20:06 . 1997-06-23 20:06 287504 --sha-w- c:\windows\system32\Msxbse35.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-04_23.02.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-05 00:42 . 2009-09-05 00:42 817152 c:\windows\Installer\5dacfa.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B922D405-6D13-4A2B-AE89-08A030DA4402}"= "c:\program files\pdfforge Toolbar\pdfforgeToolbarIE.dll" [2009-06-25 688640]

[HKEY_CLASSES_ROOT\clsid\{b922d405-6d13-4a2b-ae89-08a030da4402}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-29 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"Media Codec Update Service"="c:\program files\Essentials Codec Pack\WECPUpdate.exe" [2009-03-31 221184]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-04-11 321344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-24 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-12-06 405504]
"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2009-06-13 998400]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-06 8466432]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-03 29744]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-03 520024]
"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2007-05-11 738968]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2006-10-23 46200]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-08-06 1626112]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2007-08-06 81920]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-08-06 67584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-27 50688]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 20:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-295802438-2662319749-4171588680-1150\Scripts\Logon\0\0]
"Script"=drives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-295802438-2662319749-4171588680-1183\Scripts\Logon\0\0]
"Script"=drives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-295802438-2662319749-4171588680-1188\Scripts\Logon\0\0]
"Script"=drives.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-295802438-2662319749-4171588680-1192\Scripts\Logon\0\0]
"Script"=drives.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sopidkc"=2 (0x2)
"msncache"=2 (0x2)
"6to4"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"NCLaunch"=c:\windows\NCLAUNCH.EXe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SecureUpgrade"=c:\program files\Wave Systems Corp\SecureUpgrade.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-07 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-08-05 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-08-05 4:06 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-08-24 3:46 PM 108289]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 6:50 PM 30312]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-14 7:48 PM 116416]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-08-11 3:00 PM 5120]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 8:19 PM 13592]
S2 gupdate1c9c52666997399;Google Update Service (gupdate1c9c52666997399);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 1:48 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 6:49 AM 1029456]
S2 ucaitjau;ucaitjau;c:\windows\System32\svchost.exe -k netsvcs [2004-08-11 3:00 PM 14336]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-03-27 29744]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 7:07 AM 28933976]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 PD;PD;c:\docume~1\TWeist\LOCALS~1\Temp\PD.exe --> c:\docume~1\TWeist\LOCALS~1\Temp\PD.exe [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 4:06 PM 7408]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-08-26 2:48 PM 92464]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\documents and settings\TWeist\desktop\New Folder (2)\WinRing0.sys [2009-06-26 9:14 AM 14416]
S3 WTHU;WTHU;c:\docume~1\TWeist\LOCALS~1\Temp\WTHU.exe --> c:\docume~1\TWeist\LOCALS~1\Temp\WTHU.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI7

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ucaitjau

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-21 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-01-06 00:55]

2009-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 21:48]

2009-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-24 21:48]

2009-09-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 04:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\TWeist\Application Data\Mozilla\Firefox\Profiles\sbamjr4j.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\Mozilla Firefox 3 Beta 5\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox 3 Beta 5\extensions\{B922D405-6D13-4A2B-AE89-08A030DA4402}\components\pdfforgeToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox 3 Beta 5\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox 3 Beta 5\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 17:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,42,a9,92,53,95,b4,4e,b6,30,15,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,42,a9,92,53,95,b4,4e,b6,30,15,\

[HKEY_USERS\S-1-5-21-295802438-2662319749-4171588680-1192\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Q%^%7*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-295802438-2662319749-4171588680-1192\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*Q%^%7*\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1052)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2264)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-09-05 17:07
ComboFix-quarantined-files.txt 2009-09-05 01:07
ComboFix2.txt 2009-09-04 23:08
ComboFix3.txt 2009-03-18 19:05
ComboFix4.txt 2009-03-09 01:48

Pre-Run: 43,585,134,592 bytes free
Post-Run: 43,606,142,976 bytes free

301 --- E O F --- 2009-09-05 00:43

#14 SifuMike (malware expert)

Posted 04 September 2009 - 08:29 PM

Quote: "it is acceptable to you we can continue this after the holiday?"


Sure. :( That will give me time to see what needs to be fixed. When will you be back? On Tuesday?

Have a great holiday!

#15 tweist99 (Topic Starter)

Posted 04 September 2009 - 09:09 PM

Yes, Tuesday morning... Thank you, have a good holiday. Tweist from iPhone
