Active Rootkit, trojans and who knows what?


  • This topic is locked
13 replies to this topic

#1 listall

Posted 11 September 2009 - 10:50 PM

I was referred here by Blade Zephon when I posted my problem on the Am I Infected post. He says I have an active rootkit. Since then I've had to do a non-destructive system restore in order to get my computer to run. I still have some things going on. I immediately downloaded Malwarebytes and other software I was instructed to get. I ran the malware scan and it found and removed many infections. My Norton Security informed me that I have a trojan (xvhe.exe) and it is unable to remove it. Also, when I run Malwarebytes now, the only things it reports are 2 - disabled.security (vendor) alerts. Anyway, the following are the results of the scans.

DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Owner at 19:57:36.26 on Fri 09/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.69 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\TAIFM4SV\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe /Consumer
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wincin~1.lnk - c:\program files\sandisk\common\bin\WinCinemaMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\sslaunch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2004-8-27 197992]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2004-8-27 235168]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2004-8-27 181608]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2004-8-30 177264]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\SAVRTPEL.SYS [2004-7-23 50312]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090909.004\NAVENG.Sys [2009-9-9 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090909.004\NavEx15.Sys [2009-9-9 1323568]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\SAVRT.SYS [2004-7-23 336008]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79208]
S3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVSCAN.EXE [2004-7-23 198368]

=============== Created Last 30 ================

2009-09-11 14:30 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-09-11 14:30 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-09-11 14:30 73,728 a------- c:\windows\ALCFDRTM.VER
2009-09-11 14:30 73,728 a------- c:\windows\ALCFDRTM.EXE
2009-09-08 16:18 268,648 a------- c:\windows\system32\mucltui.dll
2009-09-08 16:18 208,744 a------- c:\windows\system32\muweb.dll
2009-09-08 16:18 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-09-08 15:51 32,592 a------- c:\windows\system32\msonpmon.dll
2009-09-08 14:07 <DIR> --dsh--- c:\documents and settings\hp_owner\IECompatCache
2009-09-07 17:33 <DIR> --d----- c:\windows\system32\LogFiles
2009-09-07 17:07 <DIR> --dsh--- c:\documents and settings\hp_owner\PrivacIE
2009-09-07 16:59 <DIR> --dsh--- c:\documents and settings\hp_owner\IETldCache
2009-09-07 16:49 100,352 -------- c:\windows\system32\dllcache\iecompat.dll
2009-09-07 16:49 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-09-07 16:49 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-09-07 16:49 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-09-07 16:49 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-09-07 16:49 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-09-07 16:49 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-07 15:14 <DIR> --d----- c:\program files\Vstplugins
2009-09-07 15:14 <DIR> --d----- c:\program files\Sony
2009-09-07 15:08 <DIR> --d----- c:\program files\Sony Setup
2009-09-07 15:06 147,544,835 a------- c:\program files\vegas70e_enu.exe
2009-09-07 13:35 <DIR> --d----- c:\program files\Microsoft Games
2009-09-07 13:26 2,180,480 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-07 13:26 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-07 13:26 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-07 13:26 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-09-07 13:25 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-07 13:23 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-09-07 13:23 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-09-07 12:49 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Xfire
2009-09-06 17:33 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-09-06 17:33 <DIR> --d----- c:\windows\system32\PreInstall
2009-09-06 14:22 <DIR> --d----- c:\program files\SymNetDrv
2009-09-06 14:16 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys
2009-09-06 14:16 49,920 a----r-- c:\windows\system32\drivers\HPZid412.sys
2009-09-06 14:15 267,864 a----r-- c:\windows\system32\hpzids01.dll
2009-09-06 14:15 118,272 a------- c:\windows\system32\hpz3l5ha.dll
2009-09-06 14:15 21,568 a----r-- c:\windows\system32\drivers\HPZius12.sys
2009-09-06 14:14 309,760 a----r-- c:\windows\system32\difxapi.dll
2009-09-06 14:14 364,544 a----r-- c:\windows\system32\hppldcoi.dll
2009-09-06 14:14 303,104 a----r-- c:\windows\system32\hpovst11.dll
2009-09-06 14:14 958,464 a----r-- c:\windows\system32\hpotiop4.dll
2009-09-06 14:14 675,840 a----r-- c:\windows\system32\hpowiax4.dll
2009-09-06 14:14 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-09-06 14:14 15,104 a------- c:\windows\system32\dllcache\usbscan.sys
2009-09-06 14:12 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-09-06 14:11 <DIR> --d----- c:\windows\system32\Lang
2009-09-06 14:11 163,840 a------- c:\windows\system32\igfxres.dll
2009-09-06 14:10 221,184 a------- c:\windows\system32\wmpns.dll
2009-09-06 14:10 1,884 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_PS583AA-ABA a1020n_YC_0Pavi_QCNH512_E52NAheBLU1_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.18_T050216_WXH2_L409_M504_J250_7Intel_8Pentium 4_93.06_#090325_N10EC8139_Z11C1048C_G80862582.MRK
2009-09-06 14:09 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Symantec
2009-09-06 14:09 <DIR> --d----- c:\documents and settings\hp_owner\WINDOWS
2009-09-06 14:09 <DIR> --d----- c:\documents and settings\HP_Owner
2009-09-06 14:07 <DIR> --d----- c:\windows\system32\RTCOM
2009-09-06 14:05 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-09-06 13:56 <DIR> --d----- c:\docume~1\hp_owner\applic~1\Malwarebytes
2009-09-06 13:55 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 13:55 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-06 13:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-06 13:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 13:49 <DIR> --dsh--- c:\documents and settings\hp_owner\UserData
2009-09-06 13:31 <DIR> --dshr-- C:\cmdcons
2009-09-06 13:30 <DIR> --d----- c:\windows\setupupd
2009-09-06 12:30 <DIR> --dshr-- c:\windows\system32\dllcache
2009-09-05 19:43 3,942,048 a------- c:\program files\mbam-setup.exe
2009-09-04 20:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-09-04 20:01 <DIR> --d----- c:\program files\STOPzilla!
2009-09-04 20:01 <DIR> --d----- c:\program files\common files\iS3
2009-09-04 20:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-09-04 19:17 <DIR> --d----- c:\program files\Cobian Backup 9
2009-09-04 19:15 10,314,752 a------- c:\program files\cbSetup.exe
2009-09-04 18:38 <DIR> --d----- C:\Softpaq
2009-09-03 11:07 41,872 a------- c:\windows\system32\xfcodec.dll
2009-09-02 19:48 15 a------- c:\program files\settings.dat
2009-09-02 19:39 <DIR> --d-h--- c:\windows\PIF
2009-09-01 19:49 <DIR> --d----- c:\program files\common files\PC Tools
2009-09-01 19:49 <DIR> --d----- c:\program files\Spyware Doctor
2009-09-01 19:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-01 19:24 472,064 a------- c:\program files\RootRepeal.exe
2009-09-01 19:23 390,656 a------- c:\program files\STOPzilla_Setup.exe
2009-09-01 19:11 359,932 a------- c:\program files\dds.scr
2009-09-01 09:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12114374
2009-09-01 09:36 46,080 a------- C:\tujfbtrj.exe
2009-09-01 09:35 210,764 a------- C:\svfp.exe
2009-09-01 09:34 2 a------- C:\1887450814
2009-09-01 09:34 73,216 a------- C:\xvhu.exe
2009-08-18 22:11 202,072 a----r-- c:\windows\cpnprt2.cid
2009-08-18 22:10 <DIR> --d----- c:\program files\Coupons
2009-08-13 11:12 13,727,048 a------- c:\program files\winzip121.exe

==================== Find3M ====================

2009-09-02 20:01 35,960 a------- c:\program files\Rootrepeal.txt
2009-08-13 11:10 466,349 a------- c:\program files\SightJacker.rar
2009-08-05 02:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:11 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 15:52 841,488 a------- c:\program files\gamebooster.exe
2009-08-02 19:08 1,007,616 a------- c:\program files\DXTBmp.exe
2009-08-02 17:02 1,555,072 a------- c:\program files\HMT1.v3.5.Release.zip
2009-07-28 21:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:53 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 21:53 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-28 21:53 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-07-25 20:05 2,664 a------- c:\program files\Register Vegas Pro.htm
2009-07-25 19:43 172,863,112 a------- c:\program files\vegaspro90a_32bit.exe
2009-07-22 11:35 12,580,696 a------- c:\program files\mm20enu.exe
2009-07-19 06:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 09:00 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 11:55 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 11:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 16:04 725,568 a------- c:\program files\gameboosterfinal.exe
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 06:42 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-26 08:59 474,112 -------- c:\windows\system32\dllcache\shlwapi.dll
2009-06-26 08:59 81,920 -------- c:\windows\system32\ieencode.dll
2009-06-26 08:59 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-26 08:59 55,808 a------- c:\windows\system32\dllcache\extmgr.dll
2009-06-26 08:59 1,054,208 a------- c:\windows\system32\dllcache\danim.dll
2009-06-26 08:59 151,040 a------- c:\windows\system32\dllcache\cdfview.dll
2009-06-26 08:59 1,024,000 -------- c:\windows\system32\dllcache\browseui.dll
2009-06-22 11:23 137,572,496 a------- c:\program files\zunesetuppkg-x86.exe
2009-06-22 04:40 18,432 a------- c:\windows\system32\dllcache\iedw.exe
2009-06-21 23:44 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-06-21 15:04 153,088 a------- c:\windows\system32\dllcache\triedit.dll
2009-06-17 11:36 7,527,090 a------- c:\program files\frostwire-4.18.0.windows.exe
2009-05-14 10:02 38,942 a------- c:\program files\uninstall.exe
2009-05-10 18:01 9,563,890 a------- c:\program files\ptlibrarian.zip
2009-05-08 13:42 5,917,258 a------- c:\program files\powertab.zip
2009-01-03 06:21 15,706 a------- c:\program files\changes.txt
2009-01-01 05:58 1,852 a------- c:\program files\README.HTM

============= FINISH: 19:57:54.48 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/11 19:47
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF84E3000 Size: 53248 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF8344000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2057728 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xAA30B000 Size: 138368 File Visible: - Signed: -
Status: -

Name: AGRSM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AGRSM.sys
Address: 0xF7492000 Size: 1268128 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xF78B0000 Size: 60800 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF82FC000 Size: 95360 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF8B0F000 Size: 3072 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF898B000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8883000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xA964F000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF8653000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF84B3000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF84A3000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7940000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA19B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8993000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF71BA000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8AF1000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xAA1B3000 Size: 143360 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF78D0000 Size: 34944 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF82DD000 Size: 124800 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8989000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF8314000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Address: 0xF8673000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806CE000 Size: 131968 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xF75EB000 Size: 147456 File Visible: - Signed: -
Status: -

Name: HPZid412.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HPZid412.sys
Address: 0xF8583000 Size: 49920 File Visible: - Signed: -
Status: -

Name: HPZipr12.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
Address: 0xF76E0000 Size: 16224 File Visible: - Signed: -
Status: -

Name: HPZius12.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HPZius12.sys
Address: 0xF8843000 Size: 21568 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA90F9000 Size: 262400 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF8633000 Size: 52736 File Visible: - Signed: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBF068000 Size: 843776 File Visible: - Signed: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBF03F000 Size: 167936 File Visible: - Signed: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF020000 Size: 126976 File Visible: - Signed: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Address: 0xF7623000 Size: 773504 File Visible: - Signed: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF012000 Size: 57344 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF8643000 Size: 41856 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF8977000 Size: 5504 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF8613000 Size: 36096 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xAA1FE000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xAA515000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF8473000 Size: 35840 File Visible: - Signed: -
Status: -

Name: iviaspi.sys
Image Path: C:\WINDOWS\system32\drivers\iviaspi.sys
Address: 0xF87D3000 Size: 20992 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF87C3000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8973000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF745B000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF82B4000 Size: 92032 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF898D000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF87BB000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF87CB000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8483000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA998C000 Size: 181248 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xAA21F000 Size: 453632 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF8803000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF86B3000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF8927000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF81DF000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NAVENG.Sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090909.004\NAVENG.Sys
Address: 0xA91DA000 Size: 78208 File Visible: - Signed: -
Status: -

Name: NavEx15.Sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090909.004\NavEx15.Sys
Address: 0xA91EE000 Size: 1316864 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF81FA000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF8917000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xAA08B000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF7413000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF86D3000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF7900000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xAA32D000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xF8573000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF880B000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF8227000 Size: 574592 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2057728 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8A51000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF84D3000 Size: 61056 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xF747E000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF86FB000 Size: 18688 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF8333000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF86F3000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pfc.sys
Image Path: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xF890B000 Size: 10368 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2057728 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xAA570000 Size: 135168 File Visible: - Signed: -
Status: -

Name: PS2.sys
Image Path: C:\WINDOWS\system32\DRIVERS\PS2.sys
Address: 0xF8907000 Size: 14112 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF7402000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF87E3000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF8703000 Size: 19936 File Visible: - Signed: -
Status: -

Name: R8139n51.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
Address: 0xF8623000 Size: 46976 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF895B000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF8683000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF8693000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF86A3000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF87EB000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2057728 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xAA28E000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF898F000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF8663000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8C7F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: RtkHDAud.sys
Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Address: 0xAA591000 Size: 2287104 File Visible: - Signed: -
Status: -

Name: SAVRT.SYS
Image Path: c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS
Address: 0xA93D0000 Size: 356352 File Visible: - Signed: -
Status: -

Name: SAVRTPEL.SYS
Image Path: c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS
Address: 0xA97C1000 Size: 77824 File Visible: - Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xA99E7000 Size: 10112 File Visible: - Signed: -
Status: -

Name: SPBBCDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
Address: 0xAA2B9000 Size: 335872 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF82CB000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA9747000 Size: 333184 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF8983000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SYMDNS.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMDNS.SYS
Address: 0xF8991000 Size: 5632 File Visible: - Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\Program Files\Symantec\SYMEVENT.SYS
Address: 0xAA460000 Size: 118208 File Visible: - Signed: -
Status: -

Name: SYMFW.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMFW.SYS
Address: 0xAA397000 Size: 166080 File Visible: - Signed: -
Status: -

Name: SYMIDS.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMIDS.SYS
Address: 0xF8813000 Size: 31168 File Visible: - Signed: -
Status: -

Name: symidsco.sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20090826.001\symidsco.sys
Address: 0xAA355000 Size: 270336 File Visible: - Signed: -
Status: -

Name: SYMNDIS.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
Address: 0xF7910000 Size: 41344 File Visible: - Signed: -
Status: -

Name: SYMREDRV.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
Address: 0xF8967000 Size: 13056 File Visible: - Signed: -
Status: -

Name: SYMTDI.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYS
Address: 0xAA47D000 Size: 260704 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xA9C33000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAA4BD000 Size: 360320 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF87DB000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF86C3000 Size: 40704 File Visible: - Signed: -
Status: -

Name: uagp35.sys
Image Path: uagp35.sys
Address: 0xF84C3000 Size: 44672 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF71CE000 Size: 209408 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF8833000 Size: 31616 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF8987000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF87B3000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF7930000 Size: 57600 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF75C8000 Size: 143360 File Visible: - Signed: -
Status: -

Name: usbprint.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Address: 0xF883B000 Size: 25856 File Visible: - Signed: -
Status: -

Name: usbscan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbscan.sys
Address: 0xF76E4000 Size: 15104 File Visible: - Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF882B000 Size: 26496 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF87AB000 Size: 20480 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF87FB000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF760F000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8493000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF78C0000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF8853000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA9A2E000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF8975000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2057728 File Visible: - Signed: -
Status: -


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/11 20:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA19B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8993000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA82DD000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\setup.pss\setup.pss
Status: Locked to the Windows API!

Path: C:\WINDOWS\ftpcache\ftpcache
Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\mui\mui
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00010\MCE00010
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00011\MCE00011
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00012\MCE00012
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00013\MCE00013
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00014\MCE00014
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00015\MCE00015
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00016\MCE00016
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00017\MCE00017
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00018\MCE00018
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00019\MCE00019
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0001a\MCE0001a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0001b\MCE0001b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0001c\MCE0001c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0001d\MCE0001d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0001e\MCE0001e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0001f\MCE0001f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00020\MCE00020
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00021\MCE00021
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00022\MCE00022
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00024\MCE00024
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00025\MCE00025
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00026\MCE00026
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00027\MCE00027
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00028\MCE00028
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00029\MCE00029
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0002a\MCE0002a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0002b\MCE0002b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0002c\MCE0002c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0002d\MCE0002d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0002e\MCE0002e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0002f\MCE0002f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00030\MCE00030
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00031\MCE00031
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00032\MCE00032
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00033\MCE00033
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00034\MCE00034
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00035\MCE00035
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00036\MCE00036
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0000f\MCE0000f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00023\MCE00023
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00037\MCE00037
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0004b\MCE0004b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0005f\MCE0005f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00073\MCE00073
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00087\MCE00087
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0009b\MCE0009b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000af\MCE000af
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000c3\MCE000c3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00000\MCE00000
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00001\MCE00001
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00002\MCE00002
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00003\MCE00003
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00004\MCE00004
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00005\MCE00005
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00006\MCE00006
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00007\MCE00007
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00008\MCE00008
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00009\MCE00009
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0000a\MCE0000a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0000b\MCE0000b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0000c\MCE0000c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0000d\MCE0000d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0000e\MCE0000e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00038\MCE00038
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00039\MCE00039
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0003a\MCE0003a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0003b\MCE0003b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0003c\MCE0003c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0003d\MCE0003d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0003e\MCE0003e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0003f\MCE0003f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00040\MCE00040
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00041\MCE00041
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00042\MCE00042
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00043\MCE00043
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00044\MCE00044
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00045\MCE00045
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00046\MCE00046
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00047\MCE00047
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00048\MCE00048
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00049\MCE00049
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0004a\MCE0004a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0004c\MCE0004c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0004d\MCE0004d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0004e\MCE0004e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0004f\MCE0004f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00050\MCE00050
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00051\MCE00051
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00052\MCE00052
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00053\MCE00053
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00054\MCE00054
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00055\MCE00055
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00056\MCE00056
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00057\MCE00057
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00058\MCE00058
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00059\MCE00059
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0005a\MCE0005a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0005b\MCE0005b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0005c\MCE0005c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0005d\MCE0005d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0005e\MCE0005e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00060\MCE00060
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00061\MCE00061
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00062\MCE00062
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00063\MCE00063
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00064\MCE00064
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00065\MCE00065
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00066\MCE00066
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00067\MCE00067
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00068\MCE00068
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00069\MCE00069
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0006a\MCE0006a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0006b\MCE0006b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0006c\MCE0006c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0006d\MCE0006d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0006e\MCE0006e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0006f\MCE0006f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00070\MCE00070
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00071\MCE00071
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00072\MCE00072
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00074\MCE00074
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00075\MCE00075
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00076\MCE00076
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00077\MCE00077
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00078\MCE00078
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00079\MCE00079
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0007a\MCE0007a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0007b\MCE0007b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0007c\MCE0007c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0007d\MCE0007d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0007e\MCE0007e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0007f\MCE0007f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00080\MCE00080
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00081\MCE00081
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00082\MCE00082
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00083\MCE00083
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00084\MCE00084
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00085\MCE00085
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00086\MCE00086
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\Google Toolbar\Google Toolbar
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00088\MCE00088
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00089\MCE00089
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0008a\MCE0008a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0008b\MCE0008b
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0008c\MCE0008c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0008d\MCE0008d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0008e\MCE0008e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0008f\MCE0008f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00090\MCE00090
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00091\MCE00091
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00092\MCE00092
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00093\MCE00093
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00094\MCE00094
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00095\MCE00095
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00096\MCE00096
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00097\MCE00097
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00098\MCE00098
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE00099\MCE00099
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0009a\MCE0009a
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0009c\MCE0009c
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0009d\MCE0009d
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0009e\MCE0009e
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE0009f\MCE0009f
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000a0\MCE000a0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000a1\MCE000a1
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000a2\MCE000a2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000a3\MCE000a3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000a4\MCE000a4
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000a5\MCE000a5
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000a6\MCE000a6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000a7\MCE000a7
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000a8\MCE000a8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000a9\MCE000a9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000aa\MCE000aa
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000ab\MCE000ab
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000ac\MCE000ac
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000ad\MCE000ad
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000ae\MCE000ae
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000b0\MCE000b0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000b1\MCE000b1
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000b2\MCE000b2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000b3\MCE000b3
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000b4\MCE000b4
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000b5\MCE000b5
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000b6\MCE000b6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000b7\MCE000b7
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000b8\MCE000b8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000b9\MCE000b9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000ba\MCE000ba
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000bb\MCE000bb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000bc\MCE000bc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000bd\MCE000bd
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000be\MCE000be
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000bf\MCE000bf
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000c0\MCE000c0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000c1\MCE000c1
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000c2\MCE000c2
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000c4\MCE000c4
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000c5\MCE000c5
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000c6\MCE000c6
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000c7\MCE000c7
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000c8\MCE000c8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\MCE000c9\MCE000c9
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\Debug\UserMode\UserMode
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP286.tmp\ZAP286.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP376.tmp\ZAP376.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP39F.tmp\ZAP39F.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A6.tmp\ZAP3A6.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3B2.tmp\ZAP3B2.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP42A.tmp\ZAP42A.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\News\News
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\msft\windows\windows
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\policy\60\60
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\policy\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\msft\windows\windows
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\policy\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\policy\msft\windows\windows
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\msft\windows\system\system
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\msft\windows\net\net
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\msft\windows\common\common
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\policy\msft\windows\system\system
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\policy\msft\windows\networking\networking
Status: Locked to the Windows API!

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x822c4ae8

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x820efd88

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x8213c208

==EOF==

I also have Win32kDiag.
Log file is located at: C:\Documents and Settings\HP_Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP286.tmp\ZAP286.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP376.tmp\ZAP376.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP39F.tmp\ZAP39F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A6.tmp\ZAP3A6.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3B2.tmp\ZAP3B2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP42A.tmp\ZAP42A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\setup.pss\setup.pss

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\msft\windows\windows

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\policy\msft\windows\windows

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\policy\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\msft\windows\net\net

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\policy\msft\windows\networking\networking

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\msft\windows\common\common

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\policy\60\60

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\msft\windows\windows

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\policy\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00000\MCE00000

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00001\MCE00001

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00002\MCE00002

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00003\MCE00003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00004\MCE00004

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00005\MCE00005

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00006\MCE00006

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00007\MCE00007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00008\MCE00008

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00009\MCE00009

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000a\MCE0000a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000b\MCE0000b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000c\MCE0000c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000d\MCE0000d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000e\MCE0000e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0000f\MCE0000f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00010\MCE00010

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00011\MCE00011

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00012\MCE00012

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00013\MCE00013

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00014\MCE00014

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00015\MCE00015

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00016\MCE00016

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00017\MCE00017

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00018\MCE00018

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00019\MCE00019

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001a\MCE0001a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001b\MCE0001b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001c\MCE0001c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001d\MCE0001d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001e\MCE0001e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0001f\MCE0001f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00020\MCE00020

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00021\MCE00021

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00022\MCE00022

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00023\MCE00023

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00024\MCE00024

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00025\MCE00025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00026\MCE00026

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00027\MCE00027

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00028\MCE00028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00029\MCE00029

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002a\MCE0002a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002b\MCE0002b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002c\MCE0002c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002d\MCE0002d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002e\MCE0002e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0002f\MCE0002f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00030\MCE00030

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00031\MCE00031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00032\MCE00032

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00033\MCE00033

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00034\MCE00034

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00035\MCE00035

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00036\MCE00036

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00037\MCE00037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00038\MCE00038

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00039\MCE00039

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003a\MCE0003a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003b\MCE0003b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003c\MCE0003c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003d\MCE0003d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003e\MCE0003e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0003f\MCE0003f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00040\MCE00040

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00041\MCE00041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00042\MCE00042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00043\MCE00043

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00044\MCE00044

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00045\MCE00045

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00046\MCE00046

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00047\MCE00047

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00048\MCE00048

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00049\MCE00049

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004a\MCE0004a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004b\MCE0004b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004c\MCE0004c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004d\MCE0004d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004e\MCE0004e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0004f\MCE0004f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00050\MCE00050

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00051\MCE00051

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00052\MCE00052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00053\MCE00053

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00054\MCE00054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00055\MCE00055

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00056\MCE00056

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00057\MCE00057

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00058\MCE00058

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00059\MCE00059

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005a\MCE0005a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005b\MCE0005b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005c\MCE0005c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005d\MCE0005d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005e\MCE0005e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0005f\MCE0005f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00060\MCE00060

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00061\MCE00061

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00062\MCE00062

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00063\MCE00063

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00064\MCE00064

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00065\MCE00065

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00066\MCE00066

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00067\MCE00067

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00068\MCE00068

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00069\MCE00069

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0006a\MCE0006a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0006b\MCE0006b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0006c\MCE0006c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0006d\MCE0006d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0006e\MCE0006e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0006f\MCE0006f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00070\MCE00070

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00071\MCE00071

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00072\MCE00072

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00073\MCE00073

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00074\MCE00074

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00075\MCE00075

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00076\MCE00076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00077\MCE00077

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00078\MCE00078

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00079\MCE00079

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0007a\MCE0007a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0007b\MCE0007b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0007c\MCE0007c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0007d\MCE0007d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0007e\MCE0007e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0007f\MCE0007f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00080\MCE00080

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00081\MCE00081

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00082\MCE00082

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00083\MCE00083

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00084\MCE00084

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00085\MCE00085

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00086\MCE00086

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00087\MCE00087

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00088\MCE00088

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00089\MCE00089

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0008a\MCE0008a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0008b\MCE0008b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0008c\MCE0008c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0008d\MCE0008d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0008e\MCE0008e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0008f\MCE0008f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00090\MCE00090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00091\MCE00091

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00092\MCE00092

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00093\MCE00093

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00094\MCE00094

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00095\MCE00095

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00096\MCE00096

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00097\MCE00097

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00098\MCE00098

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE00099\MCE00099

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0009a\MCE0009a

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0009b\MCE0009b

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0009c\MCE0009c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0009d\MCE0009d

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0009e\MCE0009e

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE0009f\MCE0009f

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000a0\MCE000a0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000a1\MCE000a1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000a2\MCE000a2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000a3\MCE000a3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000a4\MCE000a4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000a5\MCE000a5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000a6\MCE000a6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000a7\MCE000a7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000a8\MCE000a8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000a9\MCE000a9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000aa\MCE000aa

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000ab\MCE000ab

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000ac\MCE000ac

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000ad\MCE000ad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000ae\MCE000ae

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000af\MCE000af

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000b0\MCE000b0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000b1\MCE000b1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000b2\MCE000b2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000b3\MCE000b3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000b4\MCE000b4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000b5\MCE000b5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000b6\MCE000b6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000b7\MCE000b7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000b8\MCE000b8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000b9\MCE000b9

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000ba\MCE000ba

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000bb\MCE000bb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000bc\MCE000bc

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000bd\MCE000bd

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000be\MCE000be

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000bf\MCE000bf

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000c0\MCE000c0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000c1\MCE000c1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000c2\MCE000c2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000c3\MCE000c3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000c4\MCE000c4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000c5\MCE000c5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000c6\MCE000c6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000c7\MCE000c7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000c8\MCE000c8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\MCE000c9\MCE000c9

Mount point destination : \Device\__max++>\^



Finished!

hope this helps.



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:44 PM

Posted 13 September 2009 - 07:50 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 listall

listall
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:11:44 AM

Posted 14 September 2009 - 12:00 AM

Hey Sam,

Thanks for taking my virus on. I ran the ComboFix and the log is attached. I got a little scared when my desktop disappeared during the scan (as that's what happened when I was under attack from the various viruses), but everything seems alright for now. Let me know what's up.

Thanks again,

Listall


ComboFix 09-09-13.04 - HP_Owner 09/13/2009 21:14.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.150 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Owner\Local Settings\Temp\IadHide5.dll
c:\recycler\S-1-5-21-3220647859-2281236695-2665671157-1011
c:\recycler\S-1-5-21-3687792699-870387618-2744620663-1003
C:\svfp.exe
C:\tujfbtrj.exe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\1030267.msp
c:\windows\Installer\1030279.msp
c:\windows\Installer\11b73fa.msp
c:\windows\Installer\11b73fb.msp
c:\windows\Installer\11b740e.msp
c:\windows\Installer\12e0651.msi
c:\windows\Installer\13969c.msp
c:\windows\Installer\149202.msi
c:\windows\Installer\14bdb23.msi
c:\windows\Installer\161335.msi
c:\windows\Installer\161370.msi
c:\windows\Installer\161376.msi
c:\windows\Installer\169938b.msp
c:\windows\Installer\169939d.msp
c:\windows\Installer\16993af.msp
c:\windows\Installer\16993c6.msp
c:\windows\Installer\16993da.msp
c:\windows\Installer\16993ed.msp
c:\windows\Installer\16993ff.msp
c:\windows\Installer\1699406.msi
c:\windows\Installer\1699417.msp
c:\windows\Installer\169942b.msp
c:\windows\Installer\169943f.msp
c:\windows\Installer\1699451.msp
c:\windows\Installer\1699463.msp
c:\windows\Installer\1699475.msp
c:\windows\Installer\1699486.msp
c:\windows\Installer\1c72fcd.msp
c:\windows\Installer\1c72fd5.msp
c:\windows\Installer\1c72ff5.msp
c:\windows\Installer\1c73007.msp
c:\windows\Installer\1c73019.msp
c:\windows\Installer\1c73020.msp
c:\windows\Installer\1c7310d.msp
c:\windows\Installer\1da3cd.msi
c:\windows\Installer\1da5111.msi
c:\windows\Installer\1da5119.msi
c:\windows\Installer\222dc.msi
c:\windows\Installer\22302.msi
c:\windows\Installer\22651.msi
c:\windows\Installer\22657.msi
c:\windows\Installer\251f41.msi
c:\windows\Installer\263fe30.msi
c:\windows\Installer\32f4261.msi
c:\windows\Installer\32f4267.msi
c:\windows\Installer\37643d.msp
c:\windows\Installer\376458.msp
c:\windows\Installer\37646a.msp
c:\windows\Installer\37647c.msp
c:\windows\Installer\37648e.msp
c:\windows\Installer\3764a0.msp
c:\windows\Installer\3764b2.msp
c:\windows\Installer\3764cc.msp
c:\windows\Installer\3764df.msp
c:\windows\Installer\3764f1.msp
c:\windows\Installer\376504.msp
c:\windows\Installer\37651b.msp
c:\windows\Installer\3b93b.msp
c:\windows\Installer\3b93c.msp
c:\windows\Installer\3b93d.msp
c:\windows\Installer\3b93e.msp
c:\windows\Installer\3b93f.msp
c:\windows\Installer\3b940.msp
c:\windows\Installer\3b941.msp
c:\windows\Installer\3b942.msp
c:\windows\Installer\3b943.msp
c:\windows\Installer\45a56.msi
c:\windows\Installer\4bc00a.msi
c:\windows\Installer\4d3b9c.msp
c:\windows\Installer\5aa25.msi
c:\windows\Installer\5b492.msp
c:\windows\Installer\5b4a5.msp
c:\windows\Installer\5b4b9.msp
c:\windows\Installer\5b4cc.msp
c:\windows\Installer\5b4de.msp
c:\windows\Installer\5b4f1.msp
c:\windows\Installer\5c5b2.msi
c:\windows\Installer\5c5cc.msi
c:\windows\Installer\5c5dc.msi
c:\windows\Installer\5c5e9.msi
c:\windows\Installer\5c5f3.msi
c:\windows\Installer\5c6ed.msi
c:\windows\Installer\5c708.msi
c:\windows\Installer\5c712.msi
c:\windows\Installer\5c718.msi
c:\windows\Installer\5c71e.msi
c:\windows\Installer\5c739.msi
c:\windows\Installer\5c802.msi
c:\windows\Installer\5c80c.msi
c:\windows\Installer\5c847.msi
c:\windows\Installer\5c85c.msi
c:\windows\Installer\5c866.msi
c:\windows\Installer\5c871.msi
c:\windows\Installer\5c877.msi
c:\windows\Installer\5c87d.msi
c:\windows\Installer\5c887.msi
c:\windows\Installer\5c88d.msi
c:\windows\Installer\5c8ec.msi
c:\windows\Installer\5c8ff.msi
c:\windows\Installer\5c91c.msi
c:\windows\Installer\5c924.msi
c:\windows\Installer\5c930.msi
c:\windows\Installer\5c936.msi
c:\windows\Installer\5c93c.msi
c:\windows\Installer\5c945.msi
c:\windows\Installer\5c94c.msi
c:\windows\Installer\5c952.msi
c:\windows\Installer\5c959.msi
c:\windows\Installer\611bd.msi
c:\windows\Installer\63c797.msi
c:\windows\Installer\6eb7f.msi
c:\windows\Installer\7bd5e.msi
c:\windows\Installer\7bd64.msi
c:\windows\Installer\7bd6a.msi
c:\windows\Installer\7bd70.msi
c:\windows\Installer\7bd76.msi
c:\windows\Installer\7bd80.msi
c:\windows\Installer\7bd8c.msi
c:\windows\Installer\7bd9d.msi
c:\windows\Installer\7bda5.msi
c:\windows\Installer\7bdab.msi
c:\windows\Installer\7bdb1.msi
c:\windows\Installer\7befe.msi
c:\windows\Installer\9570bd.msi
c:\windows\Installer\9570cf.msi
c:\windows\Installer\9570d5.msi
c:\windows\Installer\9570d9.msi
c:\windows\Installer\9ac1b5.msi
c:\windows\Installer\9ac1bb.msi
c:\windows\Installer\9ac1c1.msi
c:\windows\Installer\aa0a9a.msi
c:\windows\Installer\aa0ae4.msp
c:\windows\Installer\be15ee.msp
c:\windows\Installer\be15ff.msp
c:\windows\Installer\e0c890.msi
c:\windows\Installer\e0c891.msp
c:\windows\Installer\e0c892.msp
c:\windows\Installer\e0c893.msp
c:\windows\Installer\e0c894.msp
c:\windows\Installer\e0c895.msp
c:\windows\Installer\e0c896.msp
c:\windows\Installer\e0c897.msp
c:\windows\Installer\e0c898.msp
c:\windows\Installer\e0c899.msp
c:\windows\Installer\e637e4.msi
c:\windows\Installer\e637e5.msp
c:\windows\Installer\e637e6.msp
c:\windows\Installer\e637e7.msp
c:\windows\Installer\e637e8.msp
c:\windows\Installer\e637e9.msp
c:\windows\Installer\e637ea.msp
c:\windows\Installer\e637eb.msp
c:\windows\Installer\e637ec.msp
c:\windows\Installer\e637ed.msp
c:\windows\Installer\e637ee.msp
c:\windows\Installer\e6e58.msp
c:\windows\Installer\e6e6a.msp
c:\windows\Installer\e6e6c.msp
c:\windows\Installer\e82509.msi
c:\windows\Installer\e82518.msp
c:\windows\Installer\e82523.msp
c:\windows\Installer\e8252f.msp
c:\windows\system32\ps2.bat
C:\xvhu.exe
D:\Autorun.inf
c:\recycler\S-1-5-21-3220647859-2281236695-2665671157-1009 . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-11 21:30 . 2009-09-11 21:30 73728 ----a-w- c:\windows\ALCFDRTM.EXE
2009-09-08 23:18 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-08 23:18 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-09-08 22:51 . 2006-10-27 02:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-09-08 22:47 . 2009-09-08 22:47 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Microsoft Help
2009-09-08 21:07 . 2009-09-08 21:07 -------- d-sh--w- c:\documents and settings\HP_Owner\IECompatCache
2009-09-08 02:24 . 2009-09-08 02:24 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Apple
2009-09-08 01:31 . 2009-09-08 01:31 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Motive
2009-09-08 00:33 . 2009-09-08 00:35 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-09-08 00:33 . 2009-09-08 00:33 -------- d-----w- c:\windows\system32\LogFiles
2009-09-08 00:07 . 2009-09-08 00:07 -------- d-sh--w- c:\documents and settings\HP_Owner\PrivacIE
2009-09-08 00:00 . 2009-09-08 00:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-07 23:59 . 2009-09-07 23:59 -------- d-sh--w- c:\documents and settings\HP_Owner\IETldCache
2009-09-07 23:49 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-07 23:49 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-07 23:49 . 2009-07-20 01:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-09-07 23:49 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-07 23:49 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-07 23:49 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-07 23:49 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-07 23:41 . 2009-09-13 02:44 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AdobeUM
2009-09-07 23:41 . 2009-09-07 23:41 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Adobe
2009-09-07 22:24 . 2009-09-07 22:24 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Publish Providers
2009-09-07 22:23 . 2009-09-08 01:19 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Sony
2009-09-07 22:23 . 2009-09-07 22:23 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Sony
2009-09-07 22:14 . 2009-09-07 22:14 -------- d-----w- c:\program files\Vstplugins
2009-09-07 22:14 . 2009-09-08 00:37 -------- d-----w- c:\program files\Sony
2009-09-07 22:09 . 2009-09-07 22:09 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Sony Setup
2009-09-07 22:08 . 2009-09-08 00:32 -------- d-----w- c:\program files\Sony Setup
2009-09-07 22:06 . 2009-09-07 22:08 147544835 ----a-w- c:\program files\vegas70e_enu.exe
2009-09-07 20:42 . 2009-09-07 20:42 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\WMTools Downloaded Files
2009-09-07 20:35 . 2009-09-07 20:35 -------- d-----w- c:\program files\Microsoft Games
2009-09-07 20:26 . 2009-02-06 17:24 2180480 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-07 20:26 . 2009-02-06 17:22 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-07 20:26 . 2009-02-06 16:49 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-07 20:26 . 2009-02-06 16:49 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-09-07 20:25 . 2008-10-24 11:10 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-07 20:23 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-09-07 20:23 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-09-07 19:49 . 2009-09-14 03:50 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Xfire
2009-09-07 00:33 . 2009-01-08 01:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-09-06 21:22 . 2009-09-06 21:22 -------- d-----w- c:\program files\SymNetDrv
2009-09-06 21:16 . 2007-03-08 04:20 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-09-06 21:16 . 2007-03-08 04:20 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-09-06 21:15 . 2007-03-30 15:29 267864 ----a-r- c:\windows\system32\hpzids01.dll
2009-09-06 21:15 . 2007-03-28 21:01 118272 ----a-w- c:\windows\system32\hpz3l5ha.dll
2009-09-06 21:15 . 2007-03-08 04:20 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2009-09-06 21:14 . 2009-09-08 02:28 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-06 21:14 . 2007-03-08 04:20 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-09-06 21:14 . 2007-03-08 04:20 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2009-09-06 21:14 . 2007-03-17 06:39 303104 ----a-r- c:\windows\system32\hpovst11.dll
2009-09-06 21:14 . 2007-03-17 06:39 958464 ----a-r- c:\windows\system32\hpotiop4.dll
2009-09-06 21:14 . 2007-03-17 06:39 675840 ----a-r- c:\windows\system32\hpowiax4.dll
2009-09-06 21:14 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-09-06 21:14 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-09-06 21:12 . 2009-09-13 02:38 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-09-06 21:11 . 2009-09-06 21:11 -------- d-----w- c:\windows\system32\Lang
2009-09-06 21:11 . 2009-09-06 21:11 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\LightScribe
2009-09-06 21:11 . 2004-11-02 22:58 163840 ----a-w- c:\windows\system32\igfxres.dll
2009-09-06 21:10 . 2004-08-04 04:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-09-06 21:08 . 2009-03-25 07:33 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2009-09-06 21:07 . 2009-09-06 21:07 -------- d-----w- c:\windows\system32\RTCOM
2009-09-06 20:56 . 2009-09-06 20:56 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-09-06 20:55 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 20:55 . 2009-09-06 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-06 20:55 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 20:55 . 2009-09-06 20:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 20:49 . 2009-09-06 20:49 -------- d-sh--w- c:\documents and settings\HP_Owner\UserData
2009-09-06 19:30 . 2009-09-10 22:42 -------- d-sh--r- c:\windows\system32\dllcache
2009-09-06 02:43 . 2009-09-06 02:43 3942048 ----a-w- c:\program files\mbam-setup.exe
2009-09-05 03:02 . 2009-09-05 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-05 03:01 . 2009-09-05 03:01 -------- d-----w- c:\program files\STOPzilla!
2009-09-05 03:01 . 2009-09-06 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-05 03:01 . 2009-09-05 03:01 -------- d-----w- c:\program files\Common Files\iS3
2009-09-05 02:17 . 2009-09-05 02:18 -------- d-----w- c:\program files\Cobian Backup 9
2009-09-05 02:15 . 2009-09-05 02:15 10314752 ----a-w- c:\program files\cbSetup.exe
2009-09-05 01:38 . 2009-09-05 01:38 -------- d-----w- C:\Softpaq
2009-09-03 18:07 . 2009-09-03 18:07 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-03 02:48 . 2009-09-03 03:00 15 ----a-w- c:\program files\settings.dat
2009-09-03 02:39 . 2009-09-03 15:47 -------- d--h--w- c:\windows\PIF
2009-09-02 02:49 . 2009-09-02 03:39 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-02 02:49 . 2009-09-05 02:07 -------- d-----w- c:\program files\Spyware Doctor
2009-09-02 02:49 . 2009-09-02 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-02 02:24 . 2009-09-03 02:47 472064 ----a-w- c:\program files\RootRepeal.exe
2009-09-02 02:23 . 2009-09-02 02:23 390656 ----a-w- c:\program files\STOPzilla_Setup.exe
2009-09-02 02:11 . 2009-09-05 21:48 359932 ----a-w- c:\program files\dds.scr
2009-09-01 16:41 . 2009-09-05 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\12114374
2009-08-19 05:10 . 2009-08-19 05:10 -------- d-----w- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 04:14 . 2009-03-25 07:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-14 02:23 . 2009-03-29 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-11 19:40 . 2009-03-25 19:32 -------- d-----w- c:\program files\Xfire
2009-09-10 03:20 . 2009-05-10 01:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 22:50 . 2009-03-25 07:30 -------- d-----w- c:\program files\Microsoft Works
2009-09-08 02:32 . 2009-03-25 07:32 -------- d-----w- c:\program files\iTunes
2009-09-08 02:25 . 2009-03-25 07:33 -------- d-----w- c:\program files\QuickTime
2009-09-08 00:14 . 2009-08-13 18:12 13727048 ----a-w- c:\program files\winzip121.exe
2009-09-07 22:15 . 2009-07-26 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-09-07 00:28 . 2009-03-25 07:54 -------- d-----w- c:\program files\Norton Internet Security
2009-09-06 21:23 . 2009-03-25 07:53 -------- d-----w- c:\program files\Symantec
2009-09-06 21:17 . 2009-09-06 21:09 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Symantec
2009-09-06 21:16 . 2009-03-25 07:42 -------- d-----w- c:\program files\Easy Internet signup
2009-09-06 21:10 . 2009-09-06 21:10 1884 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_PS583AA-ABA a1020n_YC_0Pavi_QCNH512_E52NAheBLU1_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.18_T050216_WXH2_L409_M504_J250_7Intel_8Pentium 4_93.06_#090325_N10EC8139_Z11C1048C_G80862582.MRK
2009-09-06 21:08 . 2009-03-25 01:36 -------- d---a-w- c:\program files\Common Files\LightScribe
2009-09-05 22:03 . 2009-06-17 16:01 -------- d-----w- c:\documents and settings\Kids\Application Data\Xfire
2009-09-03 15:47 . 2009-06-11 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-03 15:47 . 2009-06-11 19:38 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-03 15:47 . 2009-06-11 19:38 -------- d-----w- c:\program files\McAfee
2009-09-03 03:01 . 2009-09-03 03:01 35960 ----a-w- c:\program files\Rootrepeal.txt
2009-09-01 22:33 . 2009-06-12 02:01 -------- d-----w- c:\documents and settings\Kids\Application Data\HPAppData
2009-08-22 20:32 . 2009-06-16 22:16 430 ----a-w- c:\documents and settings\Kids\Application Data\wklnhst.dat
2009-08-16 20:55 . 2009-06-25 02:31 49056 ----a-w- c:\documents and settings\Kids\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 18:00 . 2009-04-26 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-13 18:10 . 2009-08-13 18:10 466349 ----a-w- c:\program files\SightJacker.rar
2009-08-10 05:58 . 2009-04-12 22:23 -------- d-----w- c:\program files\TaxCut08
2009-08-05 09:11 . 2009-03-24 22:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 22:52 . 2009-08-04 22:52 -------- d-----w- c:\program files\IObit
2009-08-04 22:52 . 2009-08-04 22:51 841488 ----a-w- c:\program files\gamebooster.exe
2009-08-03 02:08 . 2009-08-03 01:53 1007616 ----a-w- c:\program files\DXTBmp.exe
2009-08-03 00:06 . 2009-08-03 00:06 -------- d-----w- c:\program files\HMT1.v3.5.Release
2009-08-03 00:02 . 2009-08-03 00:02 1555072 ----a-w- c:\program files\HMT1.v3.5.Release.zip
2009-07-29 04:53 . 2009-03-24 22:50 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2009-03-24 22:48 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-27 06:24 . 2009-07-27 06:24 -------- d-----w- c:\program files\MSXML 6.0
2009-07-26 03:05 . 2009-07-26 03:00 2664 ----a-w- c:\program files\Register Vegas Pro.htm
2009-07-26 02:52 . 2009-07-26 02:52 -------- d-----w- c:\program files\MSBuild
2009-07-26 02:47 . 2009-07-26 02:47 -------- d-----w- c:\program files\Reference Assemblies
2009-07-26 02:43 . 2009-07-26 02:42 172863112 ----a-w- c:\program files\vegaspro90a_32bit.exe
2009-07-22 18:35 . 2009-07-22 18:35 12580696 ----a-w- c:\program files\mm20enu.exe
2009-07-20 16:00 . 2009-07-20 15:59 -------- d-----w- c:\program files\LimeWire
2009-07-17 21:34 . 2009-07-17 21:34 -------- d-----w- c:\program files\Safari
2009-07-17 21:32 . 2009-06-17 18:21 -------- d-----w- c:\program files\Common Files\Apple
2009-07-17 18:55 . 2009-03-24 23:49 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 23:04 . 2009-07-13 23:04 725568 ----a-w- c:\program files\gameboosterfinal.exe
2009-07-13 17:08 . 2009-03-25 05:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2009-03-24 22:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 15:59 . 2009-06-26 15:59 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-22 18:23 . 2009-06-22 18:23 137572496 ----a-w- c:\program files\zunesetuppkg-x86.exe
2009-06-17 18:36 . 2009-06-17 18:36 7527090 ----a-w- c:\program files\frostwire-4.18.0.windows.exe
2009-05-14 17:02 . 2009-05-14 17:02 38942 ----a-w- c:\program files\uninstall.exe
2009-05-11 01:01 . 2009-05-11 01:01 9563890 ----a-w- c:\program files\ptlibrarian.zip
2009-05-08 20:42 . 2009-05-08 20:42 5917258 ----a-w- c:\program files\powertab.zip
2009-01-03 13:21 . 2009-01-03 13:21 15706 ----a-w- c:\program files\changes.txt
2009-01-01 12:58 . 2009-01-01 12:58 1852 ----a-w- c:\program files\README.HTM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2009-03-25 32881]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-25 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 218240]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-26 90112]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-09-06 100056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-18 61952]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-10-14 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-10-14 2742272]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-09-06 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 21:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4068)
c:\windows\system32\WININET.dll
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Norton Internet Security\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Updates from HP\309731\Program\Updates from HP.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Symantec Shared\NMain.exe
c:\program files\InterMute\SpySubtract\SpySub.exe
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
.
**************************************************************************
.
Completion time: 2009-09-14 21:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 04:46

Pre-Run: 43,169,660,928 bytes free
Post-Run: 48,862,887,936 bytes free

468 --- E O F --- 2009-09-13 19:37


Edited by Buckeye_Sam, 14 September 2009 - 06:58 AM.


#4 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:44 PM

Posted 14 September 2009 - 07:00 AM

Do you have win32kdiag.exe saved on your desktop? If not, please move it there.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


====================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e., Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 listall

  • Topic Starter

  • Members
  • 14 posts
  • Local time:11:44 AM

Posted 14 September 2009 - 09:49 PM

I ran the scans and here are the results:

Log file is located at: C:\Documents and Settings\HP_Owner\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP286.tmp\ZAP286.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP286.tmp\ZAP286.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP376.tmp\ZAP376.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP376.tmp\ZAP376.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP39F.tmp\ZAP39F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP39F.tmp\ZAP39F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A6.tmp\ZAP3A6.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3A6.tmp\ZAP3A6.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3B2.tmp\ZAP3B2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3B2.tmp\ZAP3B2.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP42A.tmp\ZAP42A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP42A.tmp\ZAP42A.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\setup.pss\setup.pss

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\setup.pss\setup.pss

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\policy\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\10\policy\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\msft\windows\system\system

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\policy\msft\windows\system\system

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\51\policy\msft\windows\system\system

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\msft\windows\net\net

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\msft\windows\net\net

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\policy\msft\windows\networking\networking

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\52\policy\msft\windows\networking\networking

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\msft\windows\common\common

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\msft\windows\common\common

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\policy\60\60

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\policy\60\60

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\60\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\msft\windows\windows

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\msft\windows\windows

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\policy\msft\msft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\asms\70\policy\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\EventCache\EventCache

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment



Finished!




Malwarebytes' Anti-Malware 1.41
Database version: 2798
Windows 5.1.2600 Service Pack 2

9/14/2009 7:18:41 PM
mbam-log-2009-09-14 (19-18-41).txt

Scan type: Quick Scan
Objects scanned: 103042
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\12114374 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\12114374\12114374 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\12114374\pc12114374ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe (Trojan.Agent) -> Delete on reboot.


Let me know if things look okay.
Thanks!
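
The mount point log posted above is one long run of NTFS reparse points that all resolve to `\Device\__max++>\^` instead of to a disk volume, and every one of them sits inside a Windows directory under the same name as that directory (`C:\WINDOWS\mui\mui`, `C:\WINDOWS\PIF\PIF`, and so on). That device name belongs to the max++ rootkit (an early ZeroAccess variant), which plants these junctions so that any process opening the directory is redirected into its driver. The Python script below is an added example, not part of the original post and not code from the tool that produced the log: it parses records in the "Found mount point / Mount point destination / Removing mount point" format, counts them by destination, and flags entries whose target is not a volume device or whose name repeats its parent. The embedded sample is constructed: the first two records are copied from the log above, the third is an invented benign volume mount point added for contrast.

```python
"""Triage 'mount point' records from a reparse-point scan: flag junctions whose
target is not a normal volume device or whose name repeats its parent directory."""
import re
from collections import Counter

# Constructed sample in the format of the log above. Records 1-2 are copied from
# it; record 3 is a made-up benign volume mount (a partition mounted into an
# empty folder) so the filter has something to leave alone.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\MountedDrives\Backup

Mount point destination : \Device\HarddiskVolume2\
"""

LINE_RE = re.compile(
    r"^(Found mount point|Mount point destination|Removing mount point)\s*:\s*(.+?)\s*$"
)

# Where a legitimate junction / volume mount point normally resolves: a volume
# device object or a \??\ (Win32 namespace) path. Anything else deserves a look.
BENIGN_TARGET_RE = re.compile(r"^(\\Device\\HarddiskVolume\d+|\\\?\?\\)", re.IGNORECASE)


def parse_mount_points(log_text):
    """Group the three-line records into dicts: path, destination, removed."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, value = m.groups()
        if kind == "Found mount point":
            records.append({"path": value, "destination": None, "removed": False})
        elif not records:
            continue  # destination/removal line with no preceding 'Found' record
        elif kind == "Mount point destination":
            records[-1]["destination"] = value
        else:  # "Removing mount point"
            records[-1]["removed"] = True
    return records


def repeats_parent_name(path):
    # C:\WINDOWS\mui\mui -> True: the junction is named after its own parent.
    # Every record in the log above has this shape; real junctions rarely do.
    parts = [p for p in path.split("\\") if p]
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def triage(log_text):
    """Return the parsed records, a per-destination count, and the suspicious paths."""
    records = parse_mount_points(log_text)
    by_destination = Counter(r["destination"] for r in records if r["destination"])
    suspicious = []
    for r in records:
        dest = r["destination"] or ""          # missing target is itself suspicious
        odd_target = not BENIGN_TARGET_RE.match(dest)
        if odd_target or repeats_parent_name(r["path"]):
            suspicious.append(r["path"])
    return {"records": records, "by_destination": by_destination, "suspicious": suspicious}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for dest, n in result["by_destination"].most_common():
        print(f"{n:3d} mount point(s) -> {dest}")
    for path in result["suspicious"]:
        print("suspicious:", path)
```

On a live Windows XP box the same check can be done one directory at a time with `fsutil reparsepoint query <dir>`, which prints the reparse tag and target; `fsutil reparsepoint delete <dir>` strips the reparse data without deleting the directory, which is what the "Removing mount point" lines above correspond to.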

#6 Buckeye_Sam (Malware Expert, Pickerington, Ohio)

Posted 15 September 2009 - 07:13 AM

Please download JavaRa to your desktop and unzip it to its own folder.
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


======================


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As. Set 'Save as type' to 'All Files' and the file name to CFScript, and save it to your desktop.

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
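
Sam's step has the antivirus switched off while ComboFix runs, and the Malwarebytes log in the post before it had already had to reset the two Security Center notification values (AntiVirusDisableNotify and FirewallDisableNotify) that malware flips to silence the "your antivirus/firewall is off" warnings. After a run like this a practitioner wants a quick way to re-check those values, plus the Windows Firewall profile switch, from a registry dump rather than by clicking through the Security Center. The Python script below is an added example, not part of the original thread and not ComboFix or Malwarebytes code: it parses a REGEDIT4-style dump in the layout ComboFix prints in its "Reg Loading Points" section (including the `"EnableFirewall"= 0 (0x0)` shorthand) and reports the dangerous settings. The embedded sample dump is constructed; the rule list and the choice to report `DisableMonitoring` only as informational (third-party suites such as Norton set it for their own products) are assumptions made here.

```python
"""Audit Security Center and Windows Firewall values from a REGEDIT4-style
dump (e.g. ComboFix's 'Reg Loading Points' section or a 'reg export' file)."""
import re

# Constructed sample in the format ComboFix prints. The values mirror what MBAM
# flagged in the earlier post (AntiVirusDisableNotify / FirewallDisableNotify = 1).
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_value(raw):
    """'dword:00000001' -> 1; '0 (0x0)' (ComboFix shorthand) -> 0; otherwise the raw string."""
    raw = raw.strip()
    m = re.match(r"^dword:([0-9a-fA-F]{1,8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_dump(text):
    """Return {key_path_lowercase: {value_name_lowercase: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = parse_value(m.group(2))
    return keys


# (key path suffix, value name, value that is bad, level, message) -- assumed rule set
RULES = [
    ("security center", "antivirusdisablenotify", 1, "alert",
     "Security Center will not warn when antivirus is off"),
    ("security center", "firewalldisablenotify", 1, "alert",
     "Security Center will not warn when the firewall is off"),
    ("security center", "updatesdisablenotify", 1, "alert",
     "Security Center will not warn when Automatic Updates is off"),
    ("firewallpolicy\\standardprofile", "enablefirewall", 0, "alert",
     "Windows Firewall is disabled in the standard profile"),
]


def audit(keys):
    """Apply RULES to a parsed dump and return a list of finding dicts."""
    findings = []
    for path, values in keys.items():
        for suffix, name, bad, level, msg in RULES:
            if path.endswith(suffix) and values.get(name) == bad:
                findings.append({"level": level, "key": path, "value": name, "message": msg})
        # Security Center stops watching a vendor product when this is set. Suites
        # set it for their own products, so report it as info and confirm the
        # named product is really running rather than treating it as malicious.
        if "security center\\monitoring\\" in path and values.get("disablemonitoring") == 1:
            vendor = path.rsplit("\\", 1)[-1]
            findings.append({"level": "info", "key": path, "value": "disablemonitoring",
                             "message": f"Security Center monitoring disabled for {vendor}"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_dump(SAMPLE_DUMP)):
        print(f"[{f['level']}] {f['value']} in {f['key']}: {f['message']}")
```

To feed it a live system, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg` and the firewall profile key the same way; `reg export` writes UTF-16, so open the file with `encoding="utf-16"` before passing the text to `parse_dump`. The "Windows Registry Editor Version 5.00" header it adds is ignored by the parser.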

#7 listall (Topic Starter)

Posted 15 September 2009 - 10:38 PM

Hey Sam,

I'm pretty sure I did everything the way you asked. Here are the results of the ComboFix scan:

ComboFix 09-09-14.02 - HP_Owner 09/15/2009 19:51.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.220 [GMT -7:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\HP_Owner\Local Settings\Temp\IadHide5.dll
c:\windows\Installer\1a006f.msp
c:\windows\Installer\1a0070.msp
c:\windows\Installer\1a0071.msp
c:\windows\Installer\1a0072.msp
c:\windows\Installer\1a0073.msp
c:\windows\Installer\1a0074.msp
c:\windows\Installer\1a0075.msp
c:\windows\Installer\1a0076.msp
c:\windows\Installer\1a0077.msp
c:\windows\Installer\804180.msp
c:\windows\Installer\804181.msp
c:\windows\Installer\804182.msp
c:\windows\Installer\804183.msp
c:\windows\Installer\804184.msp
c:\windows\Installer\804185.msp
c:\windows\Installer\804186.msp
c:\windows\Installer\804187.msp
c:\windows\Installer\804188.msp
c:\windows\Installer\aae044.msp
c:\windows\Installer\aae045.msp
c:\windows\Installer\aae046.msp
c:\windows\Installer\aae047.msp
c:\windows\Installer\aae048.msp
c:\windows\Installer\aae049.msp
c:\windows\Installer\aae04a.msp
c:\windows\Installer\aae04b.msp
c:\windows\Installer\aae04c.msp
c:\recycler\S-1-5-21-3220647859-2281236695-2665671157-1009 . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-16 02:40 . 2009-09-16 02:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 21:30 . 2009-09-11 21:30 73728 ----a-w- c:\windows\ALCFDRTM.EXE
2009-09-08 23:18 . 2008-10-16 21:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-08 23:18 . 2008-10-16 21:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-09-08 22:51 . 2006-10-27 02:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-09-08 22:47 . 2009-09-08 22:47 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Microsoft Help
2009-09-08 21:07 . 2009-09-08 21:07 -------- d-sh--w- c:\documents and settings\HP_Owner\IECompatCache
2009-09-08 02:24 . 2009-09-08 02:24 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Apple
2009-09-08 01:31 . 2009-09-08 01:31 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Motive
2009-09-08 00:33 . 2009-09-08 00:35 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-09-08 00:33 . 2009-09-08 00:33 -------- d-----w- c:\windows\system32\LogFiles
2009-09-08 00:07 . 2009-09-08 00:07 -------- d-sh--w- c:\documents and settings\HP_Owner\PrivacIE
2009-09-08 00:00 . 2009-09-08 00:00 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-07 23:59 . 2009-09-07 23:59 -------- d-sh--w- c:\documents and settings\HP_Owner\IETldCache
2009-09-07 23:49 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-09-07 23:49 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-09-07 23:49 . 2009-07-20 01:48 11067392 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-09-07 23:49 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-07 23:49 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-07 23:49 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-07 23:49 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-07 23:41 . 2009-09-13 02:44 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AdobeUM
2009-09-07 23:41 . 2009-09-07 23:41 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Adobe
2009-09-07 22:24 . 2009-09-07 22:24 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Publish Providers
2009-09-07 22:23 . 2009-09-08 01:19 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\Sony
2009-09-07 22:23 . 2009-09-07 22:23 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Sony
2009-09-07 22:14 . 2009-09-07 22:14 -------- d-----w- c:\program files\Vstplugins
2009-09-07 22:14 . 2009-09-08 00:37 -------- d-----w- c:\program files\Sony
2009-09-07 22:09 . 2009-09-07 22:09 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Sony Setup
2009-09-07 22:08 . 2009-09-08 00:32 -------- d-----w- c:\program files\Sony Setup
2009-09-07 22:06 . 2009-09-07 22:08 147544835 ----a-w- c:\program files\vegas70e_enu.exe
2009-09-07 20:42 . 2009-09-07 20:42 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\WMTools Downloaded Files
2009-09-07 20:35 . 2009-09-07 20:35 -------- d-----w- c:\program files\Microsoft Games
2009-09-07 20:26 . 2009-02-06 17:24 2180480 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-09-07 20:26 . 2009-02-06 17:22 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-09-07 20:26 . 2009-02-06 16:49 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-09-07 20:26 . 2009-02-06 16:49 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-09-07 20:25 . 2008-10-24 11:10 453632 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-07 20:23 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-09-07 20:23 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-09-07 19:49 . 2009-09-16 00:16 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Xfire
2009-09-07 00:33 . 2009-01-08 01:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-09-06 21:22 . 2009-09-06 21:22 -------- d-----w- c:\program files\SymNetDrv
2009-09-06 21:16 . 2007-03-08 04:20 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-09-06 21:16 . 2007-03-08 04:20 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-09-06 21:15 . 2007-03-30 15:29 267864 ----a-r- c:\windows\system32\hpzids01.dll
2009-09-06 21:15 . 2007-03-28 21:01 118272 ----a-w- c:\windows\system32\hpz3l5ha.dll
2009-09-06 21:15 . 2007-03-08 04:20 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2009-09-06 21:14 . 2009-09-08 02:28 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-06 21:14 . 2007-03-08 04:20 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-09-06 21:14 . 2007-03-08 04:20 364544 ----a-r- c:\windows\system32\hppldcoi.dll
2009-09-06 21:14 . 2007-03-17 06:39 303104 ----a-r- c:\windows\system32\hpovst11.dll
2009-09-06 21:14 . 2007-03-17 06:39 958464 ----a-r- c:\windows\system32\hpotiop4.dll
2009-09-06 21:14 . 2007-03-17 06:39 675840 ----a-r- c:\windows\system32\hpowiax4.dll
2009-09-06 21:14 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-09-06 21:14 . 2004-08-04 05:58 15104 ----a-w- c:\windows\system32\dllcache\usbscan.sys
2009-09-06 21:12 . 2009-09-13 02:38 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-09-06 21:11 . 2009-09-06 21:11 -------- d-----w- c:\windows\system32\Lang
2009-09-06 21:11 . 2009-09-06 21:11 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\LightScribe
2009-09-06 21:11 . 2004-11-02 22:58 163840 ----a-w- c:\windows\system32\igfxres.dll
2009-09-06 21:10 . 2004-08-04 04:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-09-06 21:08 . 2009-03-25 07:33 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2009-09-06 21:07 . 2009-09-06 21:07 -------- d-----w- c:\windows\system32\RTCOM
2009-09-06 20:56 . 2009-09-06 20:56 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes
2009-09-06 20:55 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 20:55 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 20:55 . 2009-09-06 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-06 20:55 . 2009-09-15 02:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 20:49 . 2009-09-06 20:49 -------- d-sh--w- c:\documents and settings\HP_Owner\UserData
2009-09-06 19:30 . 2009-09-10 22:42 -------- d-sh--r- c:\windows\system32\dllcache
2009-09-06 02:43 . 2009-09-06 02:43 3942048 ----a-w- c:\program files\mbam-setup.exe
2009-09-05 03:02 . 2009-09-05 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-05 03:01 . 2009-09-05 03:01 -------- d-----w- c:\program files\STOPzilla!
2009-09-05 03:01 . 2009-09-06 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-05 03:01 . 2009-09-05 03:01 -------- d-----w- c:\program files\Common Files\iS3
2009-09-05 02:17 . 2009-09-05 02:18 -------- d-----w- c:\program files\Cobian Backup 9
2009-09-05 02:15 . 2009-09-05 02:15 10314752 ----a-w- c:\program files\cbSetup.exe
2009-09-05 01:38 . 2009-09-05 01:38 -------- d-----w- C:\Softpaq
2009-09-03 18:07 . 2009-09-03 18:07 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-03 02:48 . 2009-09-03 03:00 15 ----a-w- c:\program files\settings.dat
2009-09-03 02:39 . 2009-09-15 02:30 -------- d--h--w- c:\windows\PIF
2009-09-02 02:49 . 2009-09-02 03:39 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-02 02:49 . 2009-09-05 02:07 -------- d-----w- c:\program files\Spyware Doctor
2009-09-02 02:49 . 2009-09-02 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-02 02:24 . 2009-09-03 02:47 472064 ----a-w- c:\program files\RootRepeal.exe
2009-09-02 02:23 . 2009-09-02 02:23 390656 ----a-w- c:\program files\STOPzilla_Setup.exe
2009-09-02 02:11 . 2009-09-05 21:48 359932 ----a-w- c:\program files\dds.scr
2009-08-19 05:10 . 2009-08-19 05:10 -------- d-----w- c:\program files\Coupons

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 02:40 . 2009-03-25 07:53 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-15 16:22 . 2009-03-25 07:54 -------- d-----w- c:\program files\Norton Internet Security
2009-09-15 03:24 . 2009-03-28 01:46 -------- d-----w- c:\program files\Microsoft Money 2006
2009-09-14 02:23 . 2009-03-29 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-11 19:40 . 2009-03-25 19:32 -------- d-----w- c:\program files\Xfire
2009-09-10 03:20 . 2009-05-10 01:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-08 22:50 . 2009-03-25 07:30 -------- d-----w- c:\program files\Microsoft Works
2009-09-08 02:32 . 2009-03-25 07:32 -------- d-----w- c:\program files\iTunes
2009-09-08 02:25 . 2009-03-25 07:33 -------- d-----w- c:\program files\QuickTime
2009-09-08 00:14 . 2009-08-13 18:12 13727048 ----a-w- c:\program files\winzip121.exe
2009-09-07 22:15 . 2009-07-26 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-09-06 21:23 . 2009-03-25 07:53 -------- d-----w- c:\program files\Symantec
2009-09-06 21:17 . 2009-09-06 21:09 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Symantec
2009-09-06 21:16 . 2009-03-25 07:42 -------- d-----w- c:\program files\Easy Internet signup
2009-09-06 21:10 . 2009-09-06 21:10 1884 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_PS583AA-ABA a1020n_YC_0Pavi_QCNH512_E52NAheBLU1_47_IGoldfish3_SASUSTeK Computer INC._V1.xx_B3.18_T050216_WXH2_L409_M504_J250_7Intel_8Pentium 4_93.06_#090325_N10EC8139_Z11C1048C_G80862582.MRK
2009-09-06 21:08 . 2009-03-25 01:36 -------- d---a-w- c:\program files\Common Files\LightScribe
2009-09-05 22:03 . 2009-06-17 16:01 -------- d-----w- c:\documents and settings\Kids\Application Data\Xfire
2009-09-03 15:47 . 2009-06-11 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-03 15:47 . 2009-06-11 19:38 -------- d-----w- c:\program files\Common Files\McAfee
2009-09-03 15:47 . 2009-06-11 19:38 -------- d-----w- c:\program files\McAfee
2009-09-03 03:01 . 2009-09-03 03:01 35960 ----a-w- c:\program files\Rootrepeal.txt
2009-09-01 22:33 . 2009-06-12 02:01 -------- d-----w- c:\documents and settings\Kids\Application Data\HPAppData
2009-08-22 20:32 . 2009-06-16 22:16 430 ----a-w- c:\documents and settings\Kids\Application Data\wklnhst.dat
2009-08-16 20:55 . 2009-06-25 02:31 49056 ----a-w- c:\documents and settings\Kids\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 18:00 . 2009-04-26 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-13 18:10 . 2009-08-13 18:10 466349 ----a-w- c:\program files\SightJacker.rar
2009-08-10 05:58 . 2009-04-12 22:23 -------- d-----w- c:\program files\TaxCut08
2009-08-05 09:11 . 2009-03-24 22:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 22:52 . 2009-08-04 22:52 -------- d-----w- c:\program files\IObit
2009-08-04 22:52 . 2009-08-04 22:51 841488 ----a-w- c:\program files\gamebooster.exe
2009-08-03 02:08 . 2009-08-03 01:53 1007616 ----a-w- c:\program files\DXTBmp.exe
2009-08-03 00:06 . 2009-08-03 00:06 -------- d-----w- c:\program files\HMT1.v3.5.Release
2009-08-03 00:02 . 2009-08-03 00:02 1555072 ----a-w- c:\program files\HMT1.v3.5.Release.zip
2009-07-29 04:53 . 2009-03-24 22:50 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2009-03-24 22:48 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-27 06:24 . 2009-07-27 06:24 -------- d-----w- c:\program files\MSXML 6.0
2009-07-26 03:05 . 2009-07-26 03:00 2664 ----a-w- c:\program files\Register Vegas Pro.htm
2009-07-26 02:52 . 2009-07-26 02:52 -------- d-----w- c:\program files\MSBuild
2009-07-26 02:47 . 2009-07-26 02:47 -------- d-----w- c:\program files\Reference Assemblies
2009-07-26 02:43 . 2009-07-26 02:42 172863112 ----a-w- c:\program files\vegaspro90a_32bit.exe
2009-07-22 18:35 . 2009-07-22 18:35 12580696 ----a-w- c:\program files\mm20enu.exe
2009-07-20 16:00 . 2009-07-20 15:59 -------- d-----w- c:\program files\LimeWire
2009-07-17 18:55 . 2009-03-24 23:49 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 23:04 . 2009-07-13 23:04 725568 ----a-w- c:\program files\gameboosterfinal.exe
2009-07-13 17:08 . 2009-03-25 05:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2009-03-24 22:51 915456 ------w- c:\windows\system32\wininet.dll
2009-06-26 15:59 . 2009-06-26 15:59 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-22 18:23 . 2009-06-22 18:23 137572496 ----a-w- c:\program files\zunesetuppkg-x86.exe
2009-06-17 18:36 . 2009-06-17 18:36 7527090 ----a-w- c:\program files\frostwire-4.18.0.windows.exe
2009-05-14 17:02 . 2009-05-14 17:02 38942 ----a-w- c:\program files\uninstall.exe
2009-05-11 01:01 . 2009-05-11 01:01 9563890 ----a-w- c:\program files\ptlibrarian.zip
2009-05-08 20:42 . 2009-05-08 20:42 5917258 ----a-w- c:\program files\powertab.zip
2009-01-03 13:21 . 2009-01-03 13:21 15706 ----a-w- c:\program files\changes.txt
2009-01-01 12:58 . 2009-01-01 12:58 1852 ----a-w- c:\program files\README.HTM
.

((((((((((((((((((((((((((((( SnapShot@2009-09-14_04.39.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-16 03:01 . 2009-09-16 03:01 16384 c:\windows\temp\Perflib_Perfdata_634.dat
+ 2009-09-16 02:40 . 2009-09-16 02:39 149280 c:\windows\system32\javaws.exe
+ 2009-09-16 02:40 . 2009-09-16 02:39 145184 c:\windows\system32\javaw.exe
+ 2009-09-16 02:40 . 2009-09-16 02:39 145184 c:\windows\system32\java.exe
+ 2009-09-14 05:06 . 2009-09-14 05:06 972800 c:\windows\Installer\1911fe.msi
+ 2008-08-30 03:06 . 2008-08-30 03:06 1350664 c:\windows\system32\msxml6.dll
+ 2009-09-16 02:39 . 2009-09-16 02:39 1757696 c:\windows\Installer\171890.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-25 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 218240]
"PS2"="c:\windows\system32\ps2.exe" [2004-10-26 90112]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2009-09-06 100056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-16 149280]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-18 61952]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-10-14 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-10-14 2742272]

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-09-06 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://shop.trendmicro.com/tmasy/eol.html?X=300&Y=300&WIDTH=690&HEIGHT=480
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 20:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2888)
c:\windows\system32\WININET.dll
c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Norton Internet Security\ISSVC.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Updates from HP\309731\Program\Updates from HP.exe
c:\program files\InterMute\SpySubtract\SpySub.exe
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-09-16 20:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-16 03:10
ComboFix2.txt 2009-09-14 04:46

Pre-Run: 50,623,295,488 bytes free
Post-Run: 50,713,333,760 bytes free

315 --- E O F --- 2009-09-15 05

Thanks again! Let me know what's up.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:44 PM

Posted 16 September 2009 - 07:36 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 listall

listall
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:11:44 AM

Posted 16 September 2009 - 11:35 PM

Hi again,

I ran the scan. I noticed that it detected a couple of viruses that I thought were already detected and deleted with ComboFix. What can I do to keep the same virus from coming back? Anyway here's the result of the ESET scan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=3179cd5ab5637c479cd7fca40b7c6efb
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-17 04:21:34
# local_time=2009-09-16 09:21:34 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=3586 21 100 89 24240625000
# scanned=91067
# found=4
# cleaned=4
# scan_time=2028
C:\Documents and Settings\Kids\My Documents\My Music\LimeWire\mixed up hannah montana [new single].au a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\svfp.exe.vir a variant of Win32/Rustock.NKU trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\tujfbtrj.exe.vir Win32/Cimag.W trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\xvhu.exe.vir a variant of Win32/Injector.ZQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


The computer seems to be okay. But then I thought the same before I ran this scan. Let me know what you think and what I should do to keep viruses away. I'm currently using Norton Security (what came with the computer), as I didn't have time to uninstall it and reinstall McAfee (which was disabled by the virus and I had to uninstall). I've gotten viruses using both so I don't know which is better. I would appreciate your input and opinion in this matter. Thanks again.

listall5

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:44 PM

Posted 17 September 2009 - 07:22 AM

That virus scan did detect the files that ComboFix quarantined. So they're not active and it's not surprising at all. Currently I would recommend Norton over McAfee, but truth is neither one of them is very good. I'd recommend the free versions of AVG or Avast over either of the paid versions of Norton or McAfee. If you're looking to purchase a package check into Nod32 or Kaspersky. It will be money much better spent.



We need to remove Combofix now that we're done with it.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK




==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to disable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:( :(


========================================================

#11 listall

listall
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:11:44 AM

Posted 17 September 2009 - 11:51 PM

Hey Sam,

Just wanted to let you know that I've uninstalled ComboFix. What about all the other programs I had to download. Should I keep them around, or uninstall them? (RootRepeal, DDS, JavaRa, Win32Diag) Let me know. Thanks for all the time and energy you put in to help me get my computer back, I really appreciate you doing this for me. :( Thanks for the information on Security systems as well. I will definitely do all the things on the list to avoid being infected again.

Thankfully yours,

Listall

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:44 PM

Posted 18 September 2009 - 07:22 AM

Should I keep them around, or uninstall them? (RootRepeal, DDS, JavaRa, Win32Diag)

I would delete all of these. They get updated frequently and it's best just to be able to download the latest version whenever you need it. Which hopefully you won't. :(


========================================================

#13 listall

listall
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:11:44 AM

Posted 19 September 2009 - 02:21 PM

Hi again,

Just wanted to run something by you. Yesterday, my daughter downloaded Limewire, after we just cleaned up the computer. After she did this, I ran Malwarebytes. I had about 80 different adware removed. Today my computer is running very slowly. Internet Explorer takes a long time to load the home page. I just ran Malwarebytes again, and it finds 2 disable.security. I am attaching the log:

Malwarebytes' Anti-Malware 1.41
Database version: 2798
Windows 5.1.2600 Service Pack 2

9/19/2009 11:59:56 AM
mbam-log-2009-09-19 (11-59-56).txt

Scan type: Quick Scan
Objects scanned: 106613
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Before we cleaned the computer, these were detected every time I ran the Malwarebytes scan. What do you think? Is Limewire the culprit? Let me know what you think (please).

listall
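
The two Disabled.SecurityCenter items Malwarebytes keeps flagging are the same values that showed up in the ComboFix registry section earlier in this thread (AntiVirusDisableNotify, FirewallDisableNotify, DisableMonitoring, EnableFirewall). The script below is an added example, not something posted by the helper or produced by either tool: it parses a ComboFix-style registry dump (the sample is constructed, mirroring the entries in the log above) and reports every value that contradicts the secure default, which is a quick way to spot this kind of tampering in a saved log.

```python
"""Flag Security Center / Windows Firewall tampering in a ComboFix-style registry dump."""
import re
from typing import Dict, List, Optional

# Constructed sample in the layout ComboFix uses for its registry section;
# the keys and values mirror the ones seen in the log posted in this thread.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
"%windir%\\\\system32\\\\sessmgr.exe"=
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")          # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=data

# (key fragment, value name, expected value, what a deviation means)
CHECKS = [
    ("security center", "AntiVirusDisableNotify", 0, "missing-antivirus alerts suppressed"),
    ("security center", "FirewallDisableNotify", 0, "firewall-off alerts suppressed"),
    ("security center\\monitoring\\", "DisableMonitoring", 0, "Security Center stopped monitoring this product"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 1, "Windows Firewall turned off"),
]


def parse_value(raw: str) -> Optional[int]:
    """Decode 'dword:00000001' or '0 (0x0)'; None for non-numeric or empty data."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def parse_registry_dump(text: str) -> Dict[str, Dict[str, Optional[int]]]:
    """Group '"name"=data' lines under the [key] header that precedes them (keys lowercased)."""
    keys: Dict[str, Dict[str, Optional[int]]] = {}
    current = None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = parse_value(vm.group(2))
    return keys


def find_security_center_tampering(text: str) -> List[str]:
    """Return one finding per value whose data contradicts the secure default."""
    findings = []
    for key, values in parse_registry_dump(text).items():
        for fragment, name, expected, meaning in CHECKS:
            if fragment in key and name in values and values[name] != expected:
                findings.append(f"{key}\\{name} = {values[name]} (expected {expected}): {meaning}")
    return findings


if __name__ == "__main__":
    for finding in find_security_center_tampering(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports all four tampered values; a dump in which the notify and monitoring flags are 0 and EnableFirewall is 1 produces no findings.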

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:02:44 PM

Posted 19 September 2009 - 05:06 PM

Limewire is a file sharing program where you are actually downloading files from other people's computers. There's no security and this is one of the main ways that malware spreads. Having Limewire running on your computer almost guarantees that you will quickly become reinfected. And even if you don't get reinfected, you are essentially downloading songs, movies, games, and other files illegally. Here's some more info.

http://www.esecurityguy.com/p2p_file_sharing
http://www.articlealley.com/article_566415_48.html


========================================================
