Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit infection


  • This topic is locked This topic is locked
14 replies to this topic

#1 goldenkrnboi

goldenkrnboi

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 09 September 2009 - 07:58 PM

I was redirected to this forum by boopme from this thread Thanks to boopme for helping me up to this point. I now give my computer's health in your hands. :(


Log file is located at: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943055\KB943055

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944653\KB944653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB945553\KB945553

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB946026\KB946026

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\26a7ba71936ef28fcb3bb73b860e289e\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2eef1638babab138d28fb79f2ed0bcc0\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4bc27de79804b640a2e67eda87fe6cda\download\download

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\612ce0df709f1f49b2994166ec93f292\download\download

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a4c6f78366f403fa7e7d062ca70ddddc\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a8a198f29fa1e0036a0893ee4e32b46a\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2901905790-2476866396-1502017503-1005\S-1-5-21-2901905790-2476866396-1502017503-1005

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\eBooks\eBooks

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\45VLV75J\45VLV75J

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\AdobeUM\AdobeUM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Plugin\Plugin

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\L3XZKBQU\as1.suitesmart.com\_f5e.swf\_f5e.swf

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\L3XZKBQU\cdn.gigya.com\cdn.gigya.com

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2901905790-2476866396-1502017503-500\S-1-5-21-2901905790-2476866396-1502017503-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\0\0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\1\1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\10\10

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\11\11

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\12\12

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\13\13

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\14\14

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\15

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\16\16

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\17\17

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\18\18

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\19

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\2\2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\20\20

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\21\21

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\22

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\23\23

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\24\24

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\25\25

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\26\26

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\27\27

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\28

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\29\29

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\3\3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\30\30

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\31\31

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32\32

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\33

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\34\34

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\35\35

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\36\36

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\37\37

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\38\38

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\39\39

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\4\4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\40\40

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\41\41

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\42\42

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\43\43

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\44\44

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\45

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\46\46

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\47\47

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\48\48

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\49

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\5\5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\50

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\51\51

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\52\52

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\53

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\54\54

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\55\55

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\56\56

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\57\57

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\58\58

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\59\59

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\6\6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\60\60

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\61\61

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\62

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\63\63

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\7\7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\muffin\muffin

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\log\log

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Acrobat\6.0\Cache\Search\Search

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\a132b6c7dedd\a132b6c7dedd

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2901905790-2476866396-1502017503-500\S-1-5-21-2901905790-2476866396-1502017503-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My eBooks\My eBooks

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\6DFWTKBY\6DFWTKBY

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\BBH7FXSK\BBH7FXSK

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SJFBI01T\SJFBI01T

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 04:00:00 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 04:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0128\__SKIP_0128

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0203\__SKIP_0203

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_025F\__SKIP_025F

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_03A9\__SKIP_03A9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/09 16:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF70B4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D98000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP3438
Image Path: \Driver\PCI_PNP3438
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: s246.sys
Image Path: C:\WINDOWS\system32\drivers\s246.sys
Address: 0xF670A000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spcu.sys
Image Path: spcu.sys
Address: 0xF7742000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7B4C000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF70FC000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Stealth Objects
-------------------
Object: Hidden Module [Name: geyekrovmttapm.dll]
Process: svchost.exe (PID: 784) Address: 0x10000000 Size: 49152

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x867d51f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x866311f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x867d61f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x867d61f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867d61f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867d61f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x867d61f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867d61f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x867d61f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x866774c0 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x867581f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x866921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x866921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x866921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x866921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x866921f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x866921f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x867d71f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x866171f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x866171f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866171f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x866171f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x866171f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x866171f8 Size: 121

Object: Hidden Code [Driver: ak0g6bx9 ఄ灐畳ⓨ 琘, IRP_MJ_CREATE]
Process: System Address: 0x865c1328 Size: 121

Object: Hidden Code [Driver: ak0g6bx9 ఄ灐畳ⓨ 琘, IRP_MJ_CLOSE]
Process: System Address: 0x865c1328 Size: 121

Object: Hidden Code [Driver: ak0g6bx9 ఄ灐畳ⓨ 琘, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865c1328 Size: 121

Object: Hidden Code [Driver: ak0g6bx9 ఄ灐畳ⓨ 琘, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865c1328 Size: 121

Object: Hidden Code [Driver: ak0g6bx9 ఄ灐畳ⓨ 琘, IRP_MJ_POWER]
Process: System Address: 0x865c1328 Size: 121

Object: Hidden Code [Driver: ak0g6bx9 ఄ灐畳ⓨ 琘, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x865c1328 Size: 121

Object: Hidden Code [Driver: ak0g6bx9 ఄ灐畳ⓨ 琘, IRP_MJ_PNP]
Process: System Address: 0x865c1328 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8667b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8667b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8667b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8667b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8667b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8667b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8667b1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8648d1f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_CREATE]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_CLOSE]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_READ]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_SET_INFORMATION]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_SHUTDOWN]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_CLEANUP]
Process: System Address: 0x865e91f8 Size: 121

Object: Hidden Code [Driver: Cdfs ఐ卆浩 , IRP_MJ_PNP]
Process: System Address: 0x865e91f8 Size: 121

Hidden Services
-------------------
Service Name: geyekrjdpalbqq
Image Path: C:\WINDOWS\system32\drivers\geyekrhopxurur.sys

==EOF==

BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 10 September 2009 - 12:52 PM

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)



NEXT


Ok.. copy/paste (not cut and paste) the mbr.exe that you saved on the Desktop to C:\WINDOWS folder..

Then, go to Start >> Run >> copy/paste below >> Press Enter

mbr -f

Then a logfile (mbr.log) will be created on your screen (find it at C:\Windows\mbr.log)



NEXT


Please download The Avenger by Swandog46 and unzip it to your Desktop


Please open The Avenger. Then, please copy/paste the script inside the codebox into the Input script here: box..

Begin copying here:
Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  • Now, click on Execute. Just say Yes at every prompted
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.



NEXT


Make sure you save Win32kDiag on your Desktop BEFORE doing below fix..

Go to Start >> Run >> copy/paste below >> Enter. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r



NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

Posted Image

Posted Image


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 goldenkrnboi

goldenkrnboi
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 10 September 2009 - 08:49 PM

first part worked fine. was able to download it onto my computer, and it created the log on my desktop.

i can also copy and paste it into the windows folder. however, mbr -f won't run. if just double click it from the windows folder, it runs fine, but it doesn't run if i run it specifically with your directions. the error message pops up twice saying "C:WINDOWS/mbr.exe" -f, and nothing happens. don't know if i should continue with your other instructions or not.

here is the mbr log from desktop:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
BIOS signateure not found

Edited by goldenkrnboi, 10 September 2009 - 08:50 PM.


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 10 September 2009 - 11:57 PM

No problem.. Proceed with The Avenger and the rest steps.. Then post all logs here :(

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 goldenkrnboi

goldenkrnboi
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 11 September 2009 - 01:21 AM

mmm..... like mbr.exe, I couldn't run the Win32kDiag when i put in -f and -r, but was able to run it when i removed those two. otherwise, everything went pretty smoothly. no error messages makes my ears happy. :] looking very forward to making my computer completely clean.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "app97hyf" found!
Start Type: 3 (Manual)

Rootkit scan completed.

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


Log file is located at: C:\Documents and Settings\Susie\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943055\KB943055

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944653\KB944653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB945553\KB945553

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB946026\KB946026

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\26a7ba71936ef28fcb3bb73b860e289e\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2eef1638babab138d28fb79f2ed0bcc0\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4bc27de79804b640a2e67eda87fe6cda\download\download

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\612ce0df709f1f49b2994166ec93f292\download\download

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a4c6f78366f403fa7e7d062ca70ddddc\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a8a198f29fa1e0036a0893ee4e32b46a\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2901905790-2476866396-1502017503-1005\S-1-5-21-2901905790-2476866396-1502017503-1005

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\eBooks\eBooks

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\45VLV75J\45VLV75J

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\AdobeUM\AdobeUM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Plugin\Plugin

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\L3XZKBQU\as1.suitesmart.com\_f5e.swf\_f5e.swf

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\L3XZKBQU\cdn.gigya.com\cdn.gigya.com

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2901905790-2476866396-1502017503-500\S-1-5-21-2901905790-2476866396-1502017503-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\0\0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\1\1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\10\10

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\11\11

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\12\12

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\13\13

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\14\14

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\15

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\16\16

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\17\17

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\18\18

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\19

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\2\2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\20\20

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\21\21

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\22

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\23\23

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\24\24

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\25\25

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\26\26

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\27\27

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\28

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\29\29

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\3\3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\30\30

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\31\31

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32\32

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\33

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\34\34

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\35\35

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\36\36

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\37\37

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\38\38

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\39\39

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\4\4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\40\40

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\41\41

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\42\42

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\43\43

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\44\44

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\45

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\46\46

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\47\47

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\48\48

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\49

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\5\5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\50

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\51\51

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\52\52

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\53

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\54\54

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\55\55

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\56\56

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\57\57

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\58\58

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\59\59

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\6\6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\60\60

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\61\61

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\62

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\63\63

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\7\7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\muffin\muffin

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\log\log

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Acrobat\6.0\Cache\Search\Search

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\a132b6c7dedd\a132b6c7dedd

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2901905790-2476866396-1502017503-500\S-1-5-21-2901905790-2476866396-1502017503-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My eBooks\My eBooks

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\6DFWTKBY\6DFWTKBY

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\BBH7FXSK\BBH7FXSK

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SJFBI01T\SJFBI01T

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0128\__SKIP_0128

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0203\__SKIP_0203

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_025F\__SKIP_025F

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_03A9\__SKIP_03A9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Adobe\Acrobat\6.0\6.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!



ComboFix 09-09-10.01 - Susie 0/2009 Thu 22:59.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.1022.753 [GMT -7:00]
Running from: c:\documents and settings\Susie\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ytik.pif
c:\documents and settings\All Users\Documents\wimoca.sys
c:\documents and settings\Susie\Application Data\cukupu._dl
c:\documents and settings\Susie\Application Data\ybibyg._sy
c:\documents and settings\Susie\Cookies\dosavy.dat
c:\documents and settings\Susie\Local Settings\Application Data\ewunedo.inf
c:\documents and settings\Susie\Local Settings\Application Data\hyzerunece.ban
c:\documents and settings\Susie\Local Settings\Application Data\kolunyb.bat
c:\documents and settings\Susie\Local Settings\Application Data\lajadev.vbs
c:\program files\Common Files\egyzocysy.dl
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\ibitama.vbs
c:\windows\Installer\273c11.msi
c:\windows\Installer\273c12.msp
c:\windows\Installer\273c13.msp
c:\windows\Installer\273c14.msp
c:\windows\Installer\273c15.msp
c:\windows\Installer\273c16.msp
c:\windows\Installer\273c17.msp
c:\windows\Installer\273c18.msp
c:\windows\Installer\273c19.msp
c:\windows\Installer\273c1a.msp
c:\windows\Installer\273c1b.msp
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\~.exe
c:\windows\system32\bennuar.old
c:\windows\system32\braviax.exe
c:\windows\system32\bszip.dll
c:\windows\system32\cru629.dat
c:\windows\system32\ddDEsot.dll
c:\windows\system32\desote.exe
c:\windows\system32\dllcache\figaro.sys
c:\windows\system32\drivers\geyekrhopxurur.sys
c:\windows\system32\geyekreyctlmrq.dat
c:\windows\system32\geyekrovmttapm.dll
c:\windows\system32\geyekrputoieex.dll
c:\windows\system32\geyekrroqaxumf.dat
c:\windows\system32\geyekrwfvmfdxw.dll
c:\windows\system32\hacoj.bin
c:\windows\system32\ityfaror.exe
c:\windows\system32\onhelp.htm
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\wisdstr.exe
c:\windows\Temp\3695344986.exe
c:\windows\wpd99.drv

c:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrjdpalbqq
-------\Legacy_geyekrjdpalbqq
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100


((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 01:43 . 2009-09-11 01:42 71680 ----a-w- c:\windows\mbr.exe
2009-09-09 23:42 . 2009-09-11 05:38 -------- d-----w- c:\program files\m2904
2009-09-09 10:25 . 2009-09-10 00:05 34816 ----a-w- c:\windows\system32\drivers\rootrepeel.sys
2009-09-09 10:16 . 2009-09-09 10:16 34816 ----a-w- c:\windows\system32\drivers\rootrepeal[2].sys
2009-09-09 10:15 . 2009-09-09 10:24 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-09-09 03:36 . 2009-09-09 03:36 -------- d-----w- c:\program files\Trend Micro
2009-09-09 03:19 . 2009-09-09 03:19 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-08 22:04 . 2009-09-08 22:04 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2009-09-08 21:25 . 2009-09-08 21:25 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-09-08 21:24 . 2009-09-08 22:08 29696 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-08 21:16 . 2009-09-08 21:16 163840 ----a-w- c:\windows\svchasts.exe
2009-09-07 23:49 . 2009-09-08 06:05 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Temp
2009-09-05 05:24 . 2009-09-05 05:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-04 13:22 . 2009-09-04 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-04 11:34 . 2009-09-04 11:34 17406 ----a-w- c:\windows\rymu.dat
2009-09-04 11:34 . 2009-09-04 11:34 16693 ----a-w- c:\documents and settings\Susie\Local Settings\Application Data\nurow.dat
2009-09-04 11:34 . 2009-09-04 11:34 12891 ----a-w- c:\windows\asifo.dat
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\documents and settings\Susie\Application Data\Sibelius Software
2009-09-02 21:11 . 2009-09-02 21:11 -------- d-----w- C:\PSFONTS
2009-09-02 21:11 . 2009-09-06 21:02 -------- d-----w- c:\program files\Finale NotePad 2009
2009-09-02 21:10 . 2009-09-02 21:10 -------- d-----w- c:\program files\Sibelius Software
2009-09-01 07:03 . 2009-09-01 07:04 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Deployment
2009-09-01 07:03 . 2005-03-23 00:20 339968 ----a-w- c:\windows\stsystra.exe
2009-09-01 06:58 . 2005-11-16 22:35 112128 ----a-w- c:\windows\system32\staco.dll
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\program files\SigmaTel
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\program files\MSBuild
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\program files\Reference Assemblies
2009-09-01 06:56 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-01 06:56 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-01 06:56 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-01 06:56 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-01 06:56 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-01 06:56 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-01 06:56 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-01 05:58 . 2009-09-01 05:58 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Logitech-LS
2009-09-01 04:32 . 2005-08-24 14:40 372736 ----a-w- c:\windows\system32\stlang.dll
2009-08-31 00:49 . 2009-08-31 00:49 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Innovative Solutions
2009-08-31 00:49 . 2009-08-31 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2009-08-30 22:49 . 2009-08-30 22:49 -------- d-----w- c:\documents and settings\Susie\Application Data\Blitware
2009-08-30 21:46 . 2009-08-30 21:46 -------- d-----w- c:\documents and settings\Susie\Application Data\ooVoo Details
2009-08-30 21:46 . 2009-09-01 07:03 -------- d-----w- c:\program files\ooVoo
2009-08-30 21:36 . 2005-07-20 00:31 53248 ----a-r- c:\windows\system32\InstMed.exe
2009-08-28 11:37 . 2009-08-28 11:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-08-28 11:37 . 2009-08-28 11:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-08-28 11:37 . 2009-08-28 11:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-28 10:03 . 2009-08-28 10:03 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\{8BC42C4C-F88A-45CC-A84C-2E3DEB88C038}
2009-08-18 02:31 . 2009-08-18 02:31 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 02:39 . 2006-03-23 13:43 -------- d-----w- c:\program files\NetWaiting
2009-09-09 02:39 . 2006-03-23 13:43 -------- d-----w- c:\program files\Modem Helper
2009-09-07 22:27 . 2009-06-12 03:06 -------- d-----w- c:\program files\Starcraft
2009-09-06 02:55 . 2009-08-09 05:02 -------- d-----w- c:\documents and settings\Susie\Application Data\Hamachi
2009-09-04 11:34 . 2009-09-04 11:34 17108 ----a-w- c:\documents and settings\Susie\Application Data\afywunih.dat
2009-09-02 21:12 . 2006-04-12 16:42 110696 ----a-w- c:\documents and settings\Susie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 17:12 . 2009-06-20 18:33 -------- d-----w- c:\program files\StepMania
2009-09-01 07:06 . 2009-09-01 04:32 3982 ----a-w- c:\windows\system32\drivers\sthdae.log
2009-09-01 06:53 . 2009-06-12 04:20 -------- d-----w- c:\documents and settings\Susie\Application Data\DNA
2009-09-01 06:33 . 2009-06-12 04:20 -------- d-----w- c:\program files\DNA
2009-09-01 04:32 . 2006-03-23 13:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-01 01:03 . 2006-04-26 17:05 -------- d-----w- c:\documents and settings\Susie\Application Data\AdobeUM
2009-08-30 21:35 . 2009-08-30 21:35 -------- d-----w- c:\program files\Common Files\Logitech
2009-08-30 21:35 . 2009-08-30 21:35 -------- d-----w- c:\program files\Logitech
2009-08-12 19:09 . 2009-08-10 03:32 -------- d-----w- c:\program files\DestinaRO
2009-08-09 18:19 . 2009-06-12 04:20 -------- d-----w- c:\documents and settings\Susie\Application Data\BitTorrent
2009-08-09 05:02 . 2009-08-09 05:01 -------- d-----w- c:\program files\Hamachi
2009-08-09 05:01 . 2009-08-09 05:01 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-08-01 17:38 . 2009-07-31 01:17 -------- d-----w- c:\program files\ePSXe
2009-07-03 14:49 . 2009-07-31 02:29 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-26 06:05 . 2009-06-26 06:06 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 08:11 . 2009-08-09 08:11 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-08-09 08:30 . 2009-08-09 08:30 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-04-15 16:39 . 2006-05-23 00:58 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2009-09-08 22:08 . 9CE589C81D1D5FA9A17C8FB16F353CE0 . 29696 . . [------] . . c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"WhatPulse"="c:\program files\WhatPulse\WhatPulse.exe" [2009-04-08 2814976]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-08-11 17385144]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Google Update"="c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-26 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"imekrmig7.0"="c:\program files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2003-07-15 19520]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-20 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-23 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Susie^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Susie\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP 포트 443
"443:UDP"= 443:UDP:ooVoo UDP 포트 443
"37674:TCP"= 37674:TCP:ooVoo TCP 포트 37674
"37674:UDP"= 37674:UDP:ooVoo UDP 포트 37674
"37675:UDP"= 37675:UDP:ooVoo UDP 포트 37675

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/30/2009 6:59 PM 64160]
S2 fanesut;fanesut;c:\windows\system32\drivers\mveppxpe.sys --> c:\windows\system32\drivers\mveppxpe.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [8/30/2009 2:35 PM 163328]
S3 rootrepeel;rootrepeel;c:\windows\system32\drivers\rootrepeel.sys [9/9/2009 3:25 AM 34816]
S3 s246;s246;\??\c:\windows\system32\drivers\s246.sys --> c:\windows\system32\drivers\s246.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-02 c:\windows\Tasks\FOTIS US, INC 1146069321.job
- c:\program files\Intuit\QuickBooks 2006\AutoBackupEXE.exe [2005-12-08 16:47]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901905790-2476866396-1502017503-1005Core.job
- c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-07 23:49]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901905790-2476866396-1502017503-1005UA.job
- c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-07 23:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Microsoft Excel로 내보내기(&X) - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {D41944D8-9FA7-4155-8227-7002DFD72C85} = 12.127.17.71,4.2.2.1
FF - ProfilePath - c:\documents and settings\Susie\Application Data\Mozilla\Firefox\Profiles\b209qgkn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {8BC42C4C-F88A-45CC-A84C-2E3DEB88C038} - c:\documents and settings\Susie\Local Settings\Application Data\{8BC42C4C-F88A-45CC-A84C-2E3DEB88C038}\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 23:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"

"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[2].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[2]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3860)
c:\windows\ime\imkr6_1\imekrcic.dll
c:\program files\Common Files\Microsoft Shared\INK\PENKOR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-11 23:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-11 06:17

Pre-Run: 49,495,166,976 bytes free
Post-Run: 49,424,781,312 bytes free

283 --- E O F --- 2007-11-14 11:00

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 11 September 2009 - 05:59 AM

Ok, I'm gonna need you to run "Win32kDiag" once again.. Make sure you save Win32kDiag on your Desktop BEFORE doing below fix..

Go to Start >> Run >> copy/paste below >> Enter. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r



Also, after that, please re-run ComboFix once again.. This time, make sure you install the "Recovery Console" when asked.. Then post all logs here :(

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 goldenkrnboi

goldenkrnboi
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 11 September 2009 - 08:14 AM

This time win32kDiag was able to run. Thanks so much for helping me out fenzo!

I have one question though. you told me to install recovery console when asked. but combofix never asked me, so i'm a little confused as to how i'm supposed to install it.



Log file is located at: C:\Documents and Settings\Susie\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Found mount point : C:\WINDOWS\$hf_mig$\KB943055\KB943055

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943055\KB943055

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485

Found mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Found mount point : C:\WINDOWS\$hf_mig$\KB944653\KB944653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944653\KB944653

Found mount point : C:\WINDOWS\$hf_mig$\KB945553\KB945553

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB945553\KB945553

Found mount point : C:\WINDOWS\$hf_mig$\KB946026\KB946026

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB946026\KB946026

Found mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\occache\occache

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\26a7ba71936ef28fcb3bb73b860e289e\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\26a7ba71936ef28fcb3bb73b860e289e\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2eef1638babab138d28fb79f2ed0bcc0\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\2eef1638babab138d28fb79f2ed0bcc0\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\4bc27de79804b640a2e67eda87fe6cda\download\download

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\4bc27de79804b640a2e67eda87fe6cda\download\download

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\612ce0df709f1f49b2994166ec93f292\download\download

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\612ce0df709f1f49b2994166ec93f292\download\download

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a4c6f78366f403fa7e7d062ca70ddddc\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\a4c6f78366f403fa7e7d062ca70ddddc\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\a8a198f29fa1e0036a0893ee4e32b46a\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\a8a198f29fa1e0036a0893ee4e32b46a\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2901905790-2476866396-1502017503-1005\S-1-5-21-2901905790-2476866396-1502017503-1005

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2901905790-2476866396-1502017503-1005\S-1-5-21-2901905790-2476866396-1502017503-1005

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\Collab

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\Collab

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\eBooks\eBooks

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\eBooks\eBooks

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\Preferences

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\Preferences

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\45VLV75J\45VLV75J

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\45VLV75J\45VLV75J

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\AdobeUM\AdobeUM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\AdobeUM\AdobeUM

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Plugin\Plugin

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Google\Plugin\Plugin

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}\{31391EF3-B3AC-4F12-94D8-DC2DA45E9526}

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\L3XZKBQU\as1.suitesmart.com\_f5e.swf\_f5e.swf

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\L3XZKBQU\as1.suitesmart.com\_f5e.swf\_f5e.swf

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\L3XZKBQU\cdn.gigya.com\cdn.gigya.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\L3XZKBQU\cdn.gigya.com\cdn.gigya.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2901905790-2476866396-1502017503-500\S-1-5-21-2901905790-2476866396-1502017503-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2901905790-2476866396-1502017503-500\S-1-5-21-2901905790-2476866396-1502017503-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\0\0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\0\0

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\1\1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\1\1

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\10\10

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\11\11

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\11\11

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\12\12

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\12\12

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\13\13

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\13\13

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\14\14

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\14\14

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\15

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\15

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\16\16

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\16\16

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\17\17

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\17\17

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\18\18

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\18\18

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\19

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\19

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\2\2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\2\2

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\20\20

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\20\20

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\21\21

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\21\21

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\22

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\22

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\23\23

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\23\23

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\24\24

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\24\24

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\25\25

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\25\25

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\26\26

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\26\26

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\27\27

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\27\27

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\28

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\28

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\29\29

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\29\29

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\3\3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\3\3

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\30\30

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\30\30

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\31\31

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\31\31

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32\32

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32\32

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\33

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\33

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\34\34

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\34\34

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\35\35

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\35\35

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\36\36

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\36\36

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\37\37

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\37\37

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\38\38

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\38\38

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\39\39

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\39\39

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\4\4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\4\4

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\40\40

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\40\40

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\41\41

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\41\41

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\42\42

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\42\42

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\43\43

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\43\43

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\44\44

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\44\44

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\45

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\45

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\46\46

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\46\46

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\47\47

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\47\47

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\48\48

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\48\48

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\49

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\49

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\5\5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\5\5

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\50

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\50

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\51\51

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\51\51

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\52\52

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\52\52

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\53

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\53

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\54\54

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\54\54

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\55\55

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\55\55

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\56\56

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\56\56

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\57\57

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\57\57

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\58\58

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\58\58

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\59\59

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\59\59

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\6\6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\6\6

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\60\60

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\60\60

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\61\61

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\61\61

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\62

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\62

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\63\63

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\63\63

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\7\7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\7\7

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\8

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\9

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\9

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\muffin\muffin

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\muffin\muffin

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\tmp\tmp

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\log\log

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\log\log

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Acrobat\6.0\Cache\Search\Search

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Adobe\Acrobat\6.0\Cache\Search\Search

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\a132b6c7dedd\a132b6c7dedd

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\a132b6c7dedd\a132b6c7dedd

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2901905790-2476866396-1502017503-500\S-1-5-21-2901905790-2476866396-1502017503-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2901905790-2476866396-1502017503-500\S-1-5-21-2901905790-2476866396-1502017503-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-861567501-1078081533-725345543-500\S-1-5-21-861567501-1078081533-725345543-500

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My eBooks\My eBooks

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My eBooks\My eBooks

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\6DFWTKBY\6DFWTKBY

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\6DFWTKBY\6DFWTKBY

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\BBH7FXSK\BBH7FXSK

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\BBH7FXSK\BBH7FXSK

Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SJFBI01T\SJFBI01T

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SJFBI01T\SJFBI01T

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0128\__SKIP_0128

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0128\__SKIP_0128

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0203\__SKIP_0203

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_0203\__SKIP_0203

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_025F\__SKIP_025F

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_025F\__SKIP_025F

Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_03A9\__SKIP_03A9

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\__SKIP_03A9\__SKIP_03A9

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!



ComboFix 09-09-10.03 - Susie 1/2009 Fri 6:01.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.1022.506 [GMT -7:00]
Running from: c:\documents and settings\Susie\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))
.

2009-09-11 01:43 . 2009-09-11 01:42 71680 ----a-w- c:\windows\mbr.exe
2009-09-09 23:42 . 2009-09-11 05:38 -------- d-----w- c:\program files\m2904
2009-09-09 10:25 . 2009-09-10 00:05 34816 ----a-w- c:\windows\system32\drivers\rootrepeel.sys
2009-09-09 10:16 . 2009-09-09 10:16 34816 ----a-w- c:\windows\system32\drivers\rootrepeal[2].sys
2009-09-09 10:15 . 2009-09-09 10:24 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-09-09 03:36 . 2009-09-09 03:36 -------- d-----w- c:\program files\Trend Micro
2009-09-09 03:19 . 2009-09-09 03:19 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-08 22:04 . 2009-09-08 22:04 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2009-09-08 21:25 . 2009-09-08 21:25 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-09-08 21:24 . 2009-09-08 22:08 29696 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-08 21:16 . 2009-09-08 21:16 163840 ----a-w- c:\windows\svchasts.exe
2009-09-07 23:49 . 2009-09-08 06:05 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Temp
2009-09-05 05:24 . 2009-09-05 05:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-04 13:22 . 2009-09-04 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-04 11:34 . 2009-09-04 11:34 17406 ----a-w- c:\windows\rymu.dat
2009-09-04 11:34 . 2009-09-04 11:34 16693 ----a-w- c:\documents and settings\Susie\Local Settings\Application Data\nurow.dat
2009-09-04 11:34 . 2009-09-04 11:34 12891 ----a-w- c:\windows\asifo.dat
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\documents and settings\Susie\Application Data\Sibelius Software
2009-09-02 21:11 . 2009-09-02 21:11 -------- d-----w- C:\PSFONTS
2009-09-02 21:11 . 2009-09-06 21:02 -------- d-----w- c:\program files\Finale NotePad 2009
2009-09-02 21:10 . 2009-09-02 21:10 -------- d-----w- c:\program files\Sibelius Software
2009-09-01 07:03 . 2009-09-01 07:04 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Deployment
2009-09-01 07:03 . 2005-03-23 00:20 339968 ----a-w- c:\windows\stsystra.exe
2009-09-01 06:58 . 2005-11-16 22:35 112128 ----a-w- c:\windows\system32\staco.dll
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\program files\SigmaTel
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\program files\MSBuild
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\program files\Reference Assemblies
2009-09-01 06:56 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-01 06:56 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-01 06:56 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-01 06:56 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-01 06:56 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-01 06:56 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-01 06:56 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-01 05:58 . 2009-09-01 05:58 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Logitech-LS
2009-09-01 04:32 . 2005-08-24 14:40 372736 ----a-w- c:\windows\system32\stlang.dll
2009-08-31 00:49 . 2009-08-31 00:49 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Innovative Solutions
2009-08-31 00:49 . 2009-08-31 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2009-08-30 22:49 . 2009-08-30 22:49 -------- d-----w- c:\documents and settings\Susie\Application Data\Blitware
2009-08-30 21:46 . 2009-08-30 21:46 -------- d-----w- c:\documents and settings\Susie\Application Data\ooVoo Details
2009-08-30 21:46 . 2009-09-01 07:03 -------- d-----w- c:\program files\ooVoo
2009-08-30 21:36 . 2005-07-20 00:31 53248 ----a-r- c:\windows\system32\InstMed.exe
2009-08-28 11:37 . 2009-08-28 11:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-08-28 11:37 . 2009-08-28 11:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-08-28 11:37 . 2009-08-28 11:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-28 10:03 . 2009-08-28 10:03 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\{8BC42C4C-F88A-45CC-A84C-2E3DEB88C038}
2009-08-18 02:31 . 2009-08-18 02:31 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 11:57 . 2009-06-12 03:06 -------- d-----w- c:\program files\Starcraft
2009-09-09 02:39 . 2006-03-23 13:43 -------- d-----w- c:\program files\NetWaiting
2009-09-09 02:39 . 2006-03-23 13:43 -------- d-----w- c:\program files\Modem Helper
2009-09-06 02:55 . 2009-08-09 05:02 -------- d-----w- c:\documents and settings\Susie\Application Data\Hamachi
2009-09-04 11:34 . 2009-09-04 11:34 17108 ----a-w- c:\documents and settings\Susie\Application Data\afywunih.dat
2009-09-02 21:12 . 2006-04-12 16:42 110696 ----a-w- c:\documents and settings\Susie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 17:12 . 2009-06-20 18:33 -------- d-----w- c:\program files\StepMania
2009-09-01 07:06 . 2009-09-01 04:32 3982 ----a-w- c:\windows\system32\drivers\sthdae.log
2009-09-01 06:53 . 2009-06-12 04:20 -------- d-----w- c:\documents and settings\Susie\Application Data\DNA
2009-09-01 06:33 . 2009-06-12 04:20 -------- d-----w- c:\program files\DNA
2009-09-01 04:32 . 2006-03-23 13:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-01 01:03 . 2006-04-26 17:05 -------- d-----w- c:\documents and settings\Susie\Application Data\AdobeUM
2009-08-30 21:35 . 2009-08-30 21:35 -------- d-----w- c:\program files\Common Files\Logitech
2009-08-30 21:35 . 2009-08-30 21:35 -------- d-----w- c:\program files\Logitech
2009-08-12 19:09 . 2009-08-10 03:32 -------- d-----w- c:\program files\DestinaRO
2009-08-09 18:19 . 2009-06-12 04:20 -------- d-----w- c:\documents and settings\Susie\Application Data\BitTorrent
2009-08-09 05:02 . 2009-08-09 05:01 -------- d-----w- c:\program files\Hamachi
2009-08-09 05:01 . 2009-08-09 05:01 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-08-01 17:38 . 2009-07-31 01:17 -------- d-----w- c:\program files\ePSXe
2009-07-03 14:49 . 2009-07-31 02:29 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-26 06:05 . 2009-06-26 06:06 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 08:11 . 2009-08-09 08:11 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-08-09 08:30 . 2009-08-09 08:30 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-04-15 16:39 . 2006-05-23 00:58 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2009-09-08 22:08 . 9CE589C81D1D5FA9A17C8FB16F353CE0 . 29696 . . [------] . . c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"WhatPulse"="c:\program files\WhatPulse\WhatPulse.exe" [2009-04-08 2814976]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-08-11 17385144]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Google Update"="c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-26 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"imekrmig7.0"="c:\program files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2003-07-15 19520]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-20 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-23 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Susie^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Susie\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP 포트 443
"443:UDP"= 443:UDP:ooVoo UDP 포트 443
"37674:TCP"= 37674:TCP:ooVoo TCP 포트 37674
"37674:UDP"= 37674:UDP:ooVoo UDP 포트 37674
"37675:UDP"= 37675:UDP:ooVoo UDP 포트 37675

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/30/2009 6:59 PM 64160]
S2 fanesut;fanesut;c:\windows\system32\drivers\mveppxpe.sys --> c:\windows\system32\drivers\mveppxpe.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [8/30/2009 2:35 PM 163328]
S3 rootrepeel;rootrepeel;c:\windows\system32\drivers\rootrepeel.sys [9/9/2009 3:25 AM 34816]
S3 s246;s246;\??\c:\windows\system32\drivers\s246.sys --> c:\windows\system32\drivers\s246.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-02 c:\windows\Tasks\FOTIS US, INC 1146069321.job
- c:\program files\Intuit\QuickBooks 2006\AutoBackupEXE.exe [2005-12-08 16:47]

2009-09-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901905790-2476866396-1502017503-1005Core.job
- c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-07 23:49]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901905790-2476866396-1502017503-1005UA.job
- c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-07 23:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Microsoft Excel로 내보내기(&X) - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {D41944D8-9FA7-4155-8227-7002DFD72C85} = 12.127.17.71,4.2.2.1
FF - ProfilePath - c:\documents and settings\Susie\Application Data\Mozilla\Firefox\Profiles\b209qgkn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {8BC42C4C-F88A-45CC-A84C-2E3DEB88C038} - c:\documents and settings\Susie\Local Settings\Application Data\{8BC42C4C-F88A-45CC-A84C-2E3DEB88C038}\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 06:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"

"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[2].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[2]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2308)
c:\windows\ime\imkr6_1\imekrcic.dll
c:\program files\Common Files\Microsoft Shared\INK\PENKOR.DLL
.
Completion time: 2009-09-11 6:10
ComboFix-quarantined-files.txt 2009-09-11 13:10
ComboFix2.txt 2009-09-11 06:17

Pre-Run: 49,378,697,216 bytes free
Post-Run: 49,338,171,392 bytes free

210 --- E O F --- 2007-11-14 11:00

Edited by goldenkrnboi, 11 September 2009 - 08:15 AM.


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 11 September 2009 - 08:37 AM

Hope you can wait.. I want to watch Spiderman3 on TV

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Net
Driver::
fanesut
rootrepeel
s246

Rootkit::
c:\windows\system32\drivers\mveppxpe.sys
c:\windows\system32\drivers\rootrepeel.sys
c:\windows\system32\drivers\s246.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 goldenkrnboi

goldenkrnboi
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 12 September 2009 - 12:51 AM

oh. um. rootrepeel and s246 are both renames of rootrepeal that i used. i don't know about the first one, but just mentioning

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 12 September 2009 - 02:01 AM

Oh.. Ok, then just do the CFScript but with this command instead..

KillAll::

Driver::
fanesut

File::
c:\windows\system32\drivers\mveppxpe.sys

Then post the log here :(

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 goldenkrnboi

goldenkrnboi
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 12 September 2009 - 07:58 AM

Thanks again for helping me out. =)

ComboFix 09-09-11.01 - Susie 1/2009 Fri 23:16.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.1022.290 [GMT -7:00]
Running from: c:\documents and settings\Susie\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Susie\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FANESUT
-------\Legacy_S246
-------\Service_fanesut
-------\Service_rootrepeel
-------\Service_s246


((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-11 01:43 . 2009-09-11 01:42 71680 ----a-w- c:\windows\mbr.exe
2009-09-09 23:42 . 2009-09-11 05:38 -------- d-----w- c:\program files\m2904
2009-09-09 10:16 . 2009-09-09 10:16 34816 ----a-w- c:\windows\system32\drivers\rootrepeal[2].sys
2009-09-09 10:15 . 2009-09-09 10:24 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-09-09 03:36 . 2009-09-09 03:36 -------- d-----w- c:\program files\Trend Micro
2009-09-09 03:19 . 2009-09-09 03:19 -------- d-s---w- c:\documents and settings\Administrator\UserData
2009-09-08 22:04 . 2009-09-08 22:04 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2009-09-08 21:25 . 2009-09-08 21:25 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-09-08 21:24 . 2009-09-08 22:08 29696 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-09-08 21:16 . 2009-09-08 21:16 163840 ----a-w- c:\windows\svchasts.exe
2009-09-07 23:49 . 2009-09-08 06:05 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Temp
2009-09-05 05:24 . 2009-09-05 05:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-04 13:22 . 2009-09-04 13:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-04 11:34 . 2009-09-04 11:34 17406 ----a-w- c:\windows\rymu.dat
2009-09-04 11:34 . 2009-09-04 11:34 16693 ----a-w- c:\documents and settings\Susie\Local Settings\Application Data\nurow.dat
2009-09-04 11:34 . 2009-09-04 11:34 12891 ----a-w- c:\windows\asifo.dat
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\documents and settings\Susie\Application Data\Sibelius Software
2009-09-02 21:11 . 2009-09-02 21:11 -------- d-----w- C:\PSFONTS
2009-09-02 21:11 . 2009-09-06 21:02 -------- d-----w- c:\program files\Finale NotePad 2009
2009-09-02 21:10 . 2009-09-02 21:10 -------- d-----w- c:\program files\Sibelius Software
2009-09-01 07:03 . 2009-09-01 07:04 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Deployment
2009-09-01 07:03 . 2005-03-23 00:20 339968 ----a-w- c:\windows\stsystra.exe
2009-09-01 06:58 . 2005-11-16 22:35 112128 ----a-w- c:\windows\system32\staco.dll
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\program files\SigmaTel
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\program files\MSBuild
2009-09-01 06:58 . 2009-09-01 06:58 -------- d-----w- c:\program files\Reference Assemblies
2009-09-01 06:56 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-09-01 06:56 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-09-01 06:56 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-09-01 06:56 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-09-01 06:56 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-09-01 06:56 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-09-01 06:56 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-09-01 05:58 . 2009-09-01 05:58 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Logitech-LS
2009-09-01 04:32 . 2005-08-24 14:40 372736 ----a-w- c:\windows\system32\stlang.dll
2009-08-31 00:49 . 2009-08-31 00:49 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\Innovative Solutions
2009-08-31 00:49 . 2009-08-31 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
2009-08-30 22:49 . 2009-08-30 22:49 -------- d-----w- c:\documents and settings\Susie\Application Data\Blitware
2009-08-30 21:46 . 2009-08-30 21:46 -------- d-----w- c:\documents and settings\Susie\Application Data\ooVoo Details
2009-08-30 21:46 . 2009-09-01 07:03 -------- d-----w- c:\program files\ooVoo
2009-08-30 21:36 . 2005-07-20 00:31 53248 ----a-r- c:\windows\system32\InstMed.exe
2009-08-28 11:37 . 2009-08-28 11:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-08-28 11:37 . 2009-08-28 11:37 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2009-08-28 11:37 . 2009-08-28 11:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-28 10:03 . 2009-08-28 10:03 -------- d-----w- c:\documents and settings\Susie\Local Settings\Application Data\{8BC42C4C-F88A-45CC-A84C-2E3DEB88C038}
2009-08-18 02:31 . 2009-08-18 02:31 -------- d-----w- c:\program files\CCleaner

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 11:57 . 2009-06-12 03:06 -------- d-----w- c:\program files\Starcraft
2009-09-09 02:39 . 2006-03-23 13:43 -------- d-----w- c:\program files\NetWaiting
2009-09-09 02:39 . 2006-03-23 13:43 -------- d-----w- c:\program files\Modem Helper
2009-09-06 02:55 . 2009-08-09 05:02 -------- d-----w- c:\documents and settings\Susie\Application Data\Hamachi
2009-09-04 11:34 . 2009-09-04 11:34 17108 ----a-w- c:\documents and settings\Susie\Application Data\afywunih.dat
2009-09-02 21:12 . 2006-04-12 16:42 110696 ----a-w- c:\documents and settings\Susie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 17:12 . 2009-06-20 18:33 -------- d-----w- c:\program files\StepMania
2009-09-01 07:06 . 2009-09-01 04:32 3982 ----a-w- c:\windows\system32\drivers\sthdae.log
2009-09-01 06:53 . 2009-06-12 04:20 -------- d-----w- c:\documents and settings\Susie\Application Data\DNA
2009-09-01 06:33 . 2009-06-12 04:20 -------- d-----w- c:\program files\DNA
2009-09-01 04:32 . 2006-03-23 13:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-01 01:03 . 2006-04-26 17:05 -------- d-----w- c:\documents and settings\Susie\Application Data\AdobeUM
2009-08-30 21:35 . 2009-08-30 21:35 -------- d-----w- c:\program files\Common Files\Logitech
2009-08-30 21:35 . 2009-08-30 21:35 -------- d-----w- c:\program files\Logitech
2009-08-12 19:09 . 2009-08-10 03:32 -------- d-----w- c:\program files\DestinaRO
2009-08-09 18:19 . 2009-06-12 04:20 -------- d-----w- c:\documents and settings\Susie\Application Data\BitTorrent
2009-08-09 05:02 . 2009-08-09 05:01 -------- d-----w- c:\program files\Hamachi
2009-08-09 05:01 . 2009-08-09 05:01 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-08-01 17:38 . 2009-07-31 01:17 -------- d-----w- c:\program files\ePSXe
2009-07-03 14:49 . 2009-07-31 02:29 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-26 06:05 . 2009-06-26 06:06 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 08:11 . 2009-08-09 08:11 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-08-09 08:30 . 2009-08-09 08:30 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2008-04-15 16:39 . 2006-05-23 00:58 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2009-09-08 22:08 . 9CE589C81D1D5FA9A17C8FB16F353CE0 . 29696 . . [------] . . c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-09-11_06.14.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-12 06:25 . 2009-09-12 06:25 16384 c:\windows\temp\Perflib_Perfdata_408.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"WhatPulse"="c:\program files\WhatPulse\WhatPulse.exe" [2009-04-08 2814976]
"oovoo.exe"="c:\program files\ooVoo\oovoo.exe" [2009-08-11 17385144]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Google Update"="c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-26 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"imekrmig7.0"="c:\program files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE" [2003-07-15 19520]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-20 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-23 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-12-8 811008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Susie^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Susie\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:ooVoo TCP 포트 443
"443:UDP"= 443:UDP:ooVoo UDP 포트 443
"37674:TCP"= 37674:TCP:ooVoo TCP 포트 37674
"37674:UDP"= 37674:UDP:ooVoo UDP 포트 37674
"37675:UDP"= 37675:UDP:ooVoo UDP 포트 37675

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/30/2009 6:59 PM 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [8/30/2009 2:35 PM 163328]
.
Contents of the 'Scheduled Tasks' folder

2009-09-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-02 c:\windows\Tasks\FOTIS US, INC 1146069321.job
- c:\program files\Intuit\QuickBooks 2006\AutoBackupEXE.exe [2005-12-08 16:47]

2009-09-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901905790-2476866396-1502017503-1005Core.job
- c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-07 23:49]

2009-09-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2901905790-2476866396-1502017503-1005UA.job
- c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-07 23:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Microsoft Excel로 내보내기(&X) - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {D41944D8-9FA7-4155-8227-7002DFD72C85} = 12.127.17.71,4.2.2.1
FF - ProfilePath - c:\documents and settings\Susie\Application Data\Mozilla\Firefox\Profiles\b209qgkn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\Susie\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {8BC42C4C-F88A-45CC-A84C-2E3DEB88C038} - c:\documents and settings\Susie\Local Settings\Application Data\{8BC42C4C-F88A-45CC-A84C-2E3DEB88C038}\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-11 23:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[1].sys"

"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
[2].sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[1]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rootrepeal[2]]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3176)
c:\windows\ime\imkr6_1\imekrcic.dll
c:\program files\Common Files\Microsoft Shared\INK\PENKOR.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-12 23:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-12 06:29
ComboFix2.txt 2009-09-11 13:10
ComboFix3.txt 2009-09-11 06:17

Pre-Run: 49,337,323,520 bytes free
Post-Run: 49,299,816,448 bytes free

235 --- E O F --- 2007-11-14 11:00




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:52 AM, on 9/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\ooVoo\oovoo.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [imekrmig7.0] "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR7\IMEKRMIG.EXE"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [oovoo.exe] C:\Program Files\ooVoo\oovoo.exe /minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Susie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: A - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{D41944D8-9FA7-4155-8227-7002DFD72C85}: NameServer = 12.127.17.71,4.2.2.1
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 5244 bytes

Edited by goldenkrnboi, 12 September 2009 - 08:02 AM.


#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 12 September 2009 - 08:58 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :(

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 goldenkrnboi

goldenkrnboi
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 12 September 2009 - 10:11 PM

it's working much better now. no visible problems at all, just the few undercover stuff that still needs to be deleted. I'd even say it's faster than before I got the infection. Thanks so much :D


Malwarebytes' Anti-Malware 1.41
Database version: 2787
Windows 5.1.2600 Service Pack 2

9/12/2009 7:33:54 PM
mbam-log-2009-09-12 (19-33-54).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 151453
Time elapsed: 24 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dddesot.dll.vir (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\desote.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrovmttapm.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tajf83ikdmf.dll.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dllcache\figaro.sys.vir (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\geyekrhopxurur.sys.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\svchasts.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=e55f96d3d2d263428ac50720113e6095
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-13 03:08:39
# local_time=2009-09-12 08:08:40 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# scanned=49579
# found=6
# cleaned=6
# scan_time=1370
C:\w1hva13.exe Win32/PSW.OnLineGames.NNU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.AIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir a variant of Win32/Kryptik.AIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrputoieex.dll.vir Win32/Olmarik.KW trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir Win32/TrojanDownloader.FakeAlert.AIP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP2\A0000378.exe Win32/PSW.OnLineGames.NNU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 13 September 2009 - 12:56 AM

Looks good to me.. Lets do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles write by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read these great info's about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :(



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 goldenkrnboi

goldenkrnboi
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:10 AM

Posted 13 September 2009 - 09:11 PM

The computer is working very well. :D the only problem is that firefox is running a little slow, but it was like that before the infection. i'm probably going to switch over to chrome anyways. otherwise, there's no problems at all. I'm very thankful of your hard work. :(




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users