Big Huge Nasty Rootkit - kills MBAM and HJT


  • This topic is locked
27 replies to this topic

#1 DakotaCat

  • Members
  • 42 posts
Posted 22 October 2009 - 07:36 PM

Referred from other forum by GARMANMA.

My daughter has a Compaq laptop running Vista Home Premium. Her antivirus somehow got disabled and she got infected with a big nasty. She is required by her college to use Trend Micro OfficeScan. She called me for help when it was in an endless reboot loop whenever she would try to log in. Got it to stop rebooting and now it will boot into normal or safe mode. However, neither MBAM nor HJT will run even if they are renamed. They start and then terminate and disappear. Spybot S&D won't install at all because it fails at a point where it says "files are read only" and it won't go further. The OfficeScan blue icon shows up in the tray again but she also gets a warning that malware protection is off. Windows says it is up to date but I am suspicious because it was disabled by this bugger before and now it suddenly reports that it is up to date. Ran SuperAntiSpyware and it found Trojan.Agent/Gen and said that it quarantined it. She said she also had Trojan.Dropper and W32/Gaobot.gen.u messages previous to all of this mess. MSRT will not run and now most things say "you don't have permission to run this" even though it is an Administrator login.

Please tell me what is needed so I can begin to get some help.

Thanks.

Update 10/22 around 5pm: First occurrence of a popup - "Alpha Online Scan" notification that malware protection is needed. Closed the window without running or clicking anything.

Logs to follow...

#2 DakotaCat

  • Topic Starter
  • Members
  • 42 posts

Posted 22 October 2009 - 07:40 PM

Here are logs from Win32kDiag and RootRepeal. Thanks a lot, I appreciate the help.
-------------------------------------------------------------------------------------------
RootRepeal log
---------------------------------------------------------------

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/22 11:46
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xAC1A6000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8F4B4000 Size: 45056 File Visible: No Signed: -
Status: -

Name: dump_msahci.sys
Image Path: C:\Windows\System32\Drivers\dump_msahci.sys
Address: 0x8F4BF000 Size: 40960 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\Windows\system32\Drivers\PROCEXP90.SYS
Address: 0xAC1AE000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAC1B0000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{4af016f7-bdcc-11de-83fe-001f16d21532}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{9c092ff0-b91c-11de-b3f1-001f16d21532}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{bceb9838-beb5-11de-8bdd-001f16d21532}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f077aa76-be0d-11de-9921-001f16d21532}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{182d47f6-becc-11de-98b0-001f16d21532}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{182d47fa-becc-11de-98b0-001f16d21532}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f0e19c98-ad05-11de-9f92-001f16d21532}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f0e1a115-ad05-11de-9f92-001f16d21532}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f0e1a185-ad05-11de-9f92-001f16d21532}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{f0e1a189-ad05-11de-9f92-001f16d21532}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: c:\windows\prefetch\aggluad_p_s-1-5-21-4282784694-3393288294-1352681575-1000.db
Status: Size mismatch (API: 1048185, Raw: 1027151)

Path: c:\windows\prefetch\aggluad_s-1-5-21-4282784694-3393288294-1352681575-1000.db
Status: Size mismatch (API: 2049654, Raw: 2124771)

Path: C:\Windows\ehome\EHEXTH~1.CON
Status: Locked to the Windows API!

Path: c:\windows\softwaredistribution\eventcache\{118760fd-9970-4826-9c64-cf9cdab149dd}.bin
Status: Allocation size mismatch (API: 24576, Raw: 0)

Path: C:\Windows\System32\wbem\MSFEED~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\XPSViewer\XPSVIE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d1c738ec43578ea1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_7ab8cc63a6e4c2a3.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.4053_none_4ddfc6cd11929a02.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1801_none_d088a2ec442ef17b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.openmp_1fc8b3b9a1e18e3b_9.0.21022.8_none_ecdf8c290e547f39.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1801_none_516953ad0f4d16c4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\msil_ehexthost_31bf3856ad364e35_6.0.6000.16856_none_bcd26caac1d45e84\EHEXTH~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdproxy_31bf3856ad364e35_6.1.6001.22000_none_441eba1a267a5ad3\$$DeleteMe.fdProxy.dll.01ca12667d6d0f80.001d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdssdp_31bf3856ad364e35_6.0.6001.18000_none_3addf297743e6161\$$DeleteMe.fdSSDP.dll.01ca12667e839060.0049
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_fdwsd_31bf3856ad364e35_6.0.6001.18000_none_7da88373c225d895\$$DeleteMe.fdWSD.dll.01ca126681bd8d80.008a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..dcredentialprovider_31bf3856ad364e35_6.0.6001.18000_none_420aa4b9c28d5162\$$DeleteMe.SmartcardCredentialProvider.dll.01ca12667fe3dbe0.0069
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.0.6001.18000_none_d51103be4cb9d6c3\$$DeleteMe.apphelp.dll.01ca126681c25040.008d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-a..terface-ldapc-layer_31bf3856ad364e35_6.0.6001.18000_none_5f327439667d597c\$$DeleteMe.adsldpc.dll.01ca12667dfbe200.0034
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6001.18000_en-us_18897833b0d4ef97\$$DeleteMe.advapi32.dll.mui.01ca12668442a220.00b6
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6001.18000_none_e34851aa8681b8b0\$$DeleteMe.advapi32.dll.01ca12667d2f2bc0.0018
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-atl_31bf3856ad364e35_6.0.6001.18000_none_ab203fc659b26ce7\$$DeleteMe.atl.dll.01ca1bed716a7de0.0008
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.0.6001.18000_none_769fc426e49fbfda\$$DeleteMe.audiodg.exe.01ca12667d3fd560.0019
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.0.6001.18000_none_769fc426e49fbfda\$$DeleteMe.AudioSes.dll.01ca12667fd33240.0064
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-audiocore_31bf3856ad364e35_6.0.6001.18000_none_769fc426e49fbfda\$$DeleteMe.audiosrv.dll.01ca126681a82120.0085
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-audio-mmecore-base_31bf3856ad364e35_6.0.6001.18000_none_b5dfbc3a51b01b87\$$DeleteMe.winmm.dll.01ca126681631940.0079
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-authentication-authui_31bf3856ad364e35_6.0.6001.18000_none_0bf37d16f567e1f7\$$DeleteMe.authui.dll.01ca12667f84a4e0.005d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bcrypt-dll_31bf3856ad364e35_6.0.6001.18000_none_ee8c936cef65a88f\$$DeleteMe.bcrypt.dll.01ca12667d4e1da0.001b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bits-client_31bf3856ad364e35_6.0.6001.18000_none_2390c4ecf9720b8c\$$DeleteMe.qmgr.dll.01ca12667f041aa0.0054
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-bits-igdsearcher_31bf3856ad364e35_6.0.6001.18000_none_b16c3d098f004f58\$$DeleteMe.bitsigd.dll.01ca12667ea28240.004e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..complus-eventsystem_31bf3856ad364e35_6.0.6001.18057_none_0cbe918751dfdd3f\$$DeleteMe.es.dll.01ca126681a5bfc0.0084
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..rformance-xperfcore_31bf3856ad364e35_6.0.6001.18000_none_d71173946e986845\$$DeleteMe.diagperf.dll.01ca1266822b0cc0.009e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-c..tionauthorityclient_31bf3856ad364e35_6.0.6001.18000_none_d77db57c3ca78826\$$DeleteMe.certcli.dll.01ca12667e0a2a40.0039
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cmi_31bf3856ad364e35_6.0.6001.18000_none_a9ce4a485a8ade99\$$DeleteMe.cmiv2.dll.01ca126683523740.00b2
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-comdlg32_31bf3856ad364e35_6.0.6001.18000_none_b5b111a1a5a793a5\$$DeleteMe.comdlg32.dll.01ca12667e0a2a40.003a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.0.6001.18000_none_7701ab362cebf905\$$DeleteMe.umpnpmgr.dll.01ca126681e604e0.0095
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-credui_31bf3856ad364e35_6.0.6001.18000_none_db374cc18eed7408\$$DeleteMe.credui.dll.01ca12667c9df7e0.0009
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-crypt32-dll_31bf3856ad364e35_6.0.6001.18000_none_5b6fc1dbddd3c6da\$$DeleteMe.crypt32.dll.01ca12667ff6e6e0.0070
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cryptsvc-dll_31bf3856ad364e35_6.0.6001.18000_none_75ff99649acf4de9\$$DeleteMe.cryptsvc.dll.01ca12667e40e9e0.0040
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-cryptui-dll_31bf3856ad364e35_6.0.6001.18000_none_85ee5b5e98235317\$$DeleteMe.cryptui.dll.01ca12667f4de540.0059
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.0.6001.18000_none_8da39414bd31fb37\$$DeleteMe.uxsms.dll.01ca126681ce3720.0090
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6001.18000_none_d75a29a02e8fcf7a\$$DeleteMe.dhcpcsvc.dll.01ca126681d09880.0092
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dhcp-client-dll_31bf3856ad364e35_6.0.6001.18000_none_d75a29a02e8fcf7a\$$DeleteMe.dhcpcsvc6.dll.01ca12667cc1ac80.000c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6001.18000_none_b1ee595da0f48e64\$$DeleteMe.samlib.dll.01ca12667ecaf9a0.0050
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-directory-services-sam_31bf3856ad364e35_6.0.6001.18000_none_b1ee595da0f48e64\$$DeleteMe.samsrv.dll.01ca12667d1039e0.0015
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client-winrnr_31bf3856ad364e35_6.0.6000.16386_none_571790f3532b2696\$$DeleteMe.winrnr.dll.01ca1266823e17c0.00a1
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6001.18000_none_e1e27cdd8259636b\$$DeleteMe.dnsapi.dll.01ca12667cf14800.0014
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-dns-client_31bf3856ad364e35_6.0.6001.18000_none_e1e27cdd8259636b\$$DeleteMe.dnsrslvr.dll.01ca12667dbdfe40.002f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.0.6001.18000_none_64138b2cc36a286b\$$DeleteMe.eappcfg.dll.01ca12667cc1ac80.000d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..-protocol-host-peer_31bf3856ad364e35_6.0.6001.18000_none_64138b2cc36a286b\$$DeleteMe.eapphost.dll.01ca12668228ab60.009d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..emorydevicesservice_31bf3856ad364e35_6.0.6001.18098_none_9e329f52f6fc276d\$$DeleteMe.emdmgmt.dll.01ca12667ffe0b00.0072
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-e..estorageengine-isam_31bf3856ad364e35_6.0.6001.18000_none_f1e446e12c0bbf09\$$DeleteMe.esent.dll.01ca12667f908bc0.0060
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-errorreportingcore_31bf3856ad364e35_6.0.6001.18000_none_2076b21605e43be9\$$DeleteMe.wer.dll.01ca12667e66ffe0.0045
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\$$DeleteMe.Faultrep.dll.01ca12667fda5660.0067
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-eventlog_31bf3856ad364e35_6.0.6001.18000_none_dcc45c1a12d92f84\$$DeleteMe.wevtsvc.dll.01ca12667d2f2bc0.0016
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-feclient_31bf3856ad364e35_6.0.6001.18000_none_beda112b5794d4e0\$$DeleteMe.feclient.dll.01ca126681f1ebc0.0097
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-feedback-service_31bf3856ad364e35_6.0.6001.18000_none_79cbf36190e59fa9\$$DeleteMe.wersvc.dll.01ca11aed4df9c0f.000b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-feedback-service_31bf3856ad364e35_6.0.6001.18145_none_79a5b70991018b47\$$DeleteMe.wersvc.dll.01ca12667fe89ea0.006a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.0.6001.18000_none_282361dee702a605\$$DeleteMe.gpapi.dll.01ca12667eec4ce0.0053
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..oexistencemigration_31bf3856ad364e35_6.0.6001.18000_none_11e312d27c5a6ba6\$$DeleteMe.iphlpsvc.dll.01ca1266795813e0.0004
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18203_none_01ebf827a1d05839\$$DeleteMe.wininet.dll.01ca11aed4fc2c8f.000e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18294_none_018ba925a2186d09\$$DeleteMe.wininet.dll.01ca11b42f487d30.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-imm32_31bf3856ad364e35_6.0.6001.18000_none_5c561e167a6afd02\$$DeleteMe.imm32.dll.01ca12667d84dd40.0025
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ldap-client_31bf3856ad364e35_6.0.6001.18000_none_f33c4797566bb3db\$$DeleteMe.Wldap32.dll.01ca12667ee06600.0052
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.lsasrv.dll.01ca11aed522428f.000f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18000_none_a64a8ac25ccb3836\$$DeleteMe.secur32.dll.01ca11aed524a3ef.0010
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18215_none_a644c0145ccecd28\$$DeleteMe.lsasrv.dll.01ca1266795a7540.0005
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6001.18215_none_a644c0145ccecd28\$$DeleteMe.secur32.dll.01ca1266797705c0.0007
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18289_none_0b1c4a254f52777a\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22470_none_0ba7b6286870146b\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18005_none_0d553c2b4c3b84e1\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18065_none_0d145ca34c6c2c87\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22172_none_0d9028a465949c3d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mfplat_31bf3856ad364e35_6.0.6001.18000_none_f6aa98ad53755122\$$DeleteMe.mfplat.dll.01ca12667cd4b780.0011
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mmdeviceapi_31bf3856ad364e35_6.0.6001.18000_none_55044397b961da8a\$$DeleteMe.MMDevAPI.dll.01ca12668215a060.009b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mprapi_31bf3856ad364e35_6.0.6001.18000_none_140c84ec53049b39\$$DeleteMe.mprapi.dll.01ca12667ca2baa0.000b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msasn1_31bf3856ad364e35_6.0.6000.16386_none_c52353cea8765257\$$DeleteMe.msasn1.dll.01ca4d2886d6c870.0000
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.0.6001.18000_none_c7427a4e786d74bc\$$DeleteMe.adtschema.dll.01ca12667fefc2c0.006d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mpr_31bf3856ad364e35_6.0.6001.18000_none_add5c97257f151a1\$$DeleteMe.mpr.dll.01ca12667e1d3540.003d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msxml30_31bf3856ad364e35_6.0.6001.18136_none_8853d47896e90b40\$$DeleteMe.msxml3.dll.01ca1266819e9ba0.0083
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-msvcrt_31bf3856ad364e35_6.0.6001.18000_none_d15536209ee61dad\$$DeleteMe.msvcrt.dll.01ca12667e91d8a0.004d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18000_none_440e77d1ec053e6c\$$DeleteMe.FwRemoteSvr.dll.01ca12667f445fc0.0058
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\$$DeleteMe.FwRemoteSvr.dll.01ca12667f445fc0.0058
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-n..-domain-clients-svc_31bf3856ad364e35_6.0.6001.18094_none_43b129adec4a9f41\$$DeleteMe.IPSECSVC.DLL.01ca12667e7c6c40.0048
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.0.6001.18098_none_9d81873e2afd9b5e\$$DeleteMe.NaturalLanguage6.dll.01ca12668209b980.009a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ncrypt-dll_31bf3856ad364e35_6.0.6001.18000_none_5dde5591f19c0ea3\$$DeleteMe.ncrypt.dll.01ca12667f6f3880.005b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netfx3-core_31bf3856ad364e35_6.0.6001.18096_none_67458179da6478e3\FRAMEW~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netapi32_31bf3856ad364e35_6.0.6001.18157_none_8d050f6301b2186f\$$DeleteMe.netapi32.dll.01ca1266817fa9c0.007d
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-netshell_31bf3856ad364e35_6.0.6001.18000_none_d5836ad30e0ac92d\$$DeleteMe.netshell.dll.01ca12668199d8e0.0081
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.18000_none_cd246fe92a8ad809\$$DeleteMe.BFE.DLL.01ca12667950efc0.0002
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.18000_none_cd246fe92a8ad809\$$DeleteMe.FWPUCLNT.DLL.01ca1266794e8e60.0001
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.18000_none_cd246fe92a8ad809\$$DeleteMe.IKEEXT.DLL.01ca1266797705c0.0006
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ntdll_31bf3856ad364e35_6.0.6001.18000_none_58d6de41fc2dac16\$$DeleteMe.ntdll.dll.01ca12667955b280.0003
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-o..inefiles-win32-apis_31bf3856ad364e35_6.0.6001.18000_none_ab6af9d0f92539f0\$$DeleteMe.cscapi.dll.01ca126681d09880.0091
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-ole-automation_31bf3856ad364e35_6.0.6001.18000_none_bd002a8dfb7a3328\$$DeleteMe.oleaut32.dll.01ca12667dbb9ce0.002e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-onex_31bf3856ad364e35_6.0.6001.18000_none_a5cb1bed1d5ba052\$$DeleteMe.onex.dll.01ca12667ccd9360.000f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6000.16830_none_29a6eeebde589a97\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6000.21023_none_2a3e34a2f76b9db7\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6001.18226_none_2b9dff39db71a7a1\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6001.22389_none_2be9bd5af4bd3b16\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..oler-filterpipeline_31bf3856ad364e35_6.0.6002.18005_none_2d991295d888a8b3\PRINTF~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-core-localspl_31bf3856ad364e35_6.0.6001.18000_none_301b5dfb92ae18db\$$DeleteMe.localspl.dll.01ca11aed60deaaf.0016
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ooler-core-localspl_31bf3856ad364e35_6.0.6001.18247_none_2ff7241d92c8344e\$$DeleteMe.localspl.dll.01ca126681c4b1a0.008e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..pooler-core-spoolss_31bf3856ad364e35_6.0.6001.18000_none_5b3992df8e604356\$$DeleteMe.spoolss.dll.01ca12667f908bc0.005f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..rnetprinting-client_31bf3856ad364e35_6.0.6001.18000_none_8ad265adc8633a42\$$DeleteMe.inetpp.dll.01ca12667dad54a0.002b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..rtmonitor-tcpmondll_31bf3856ad364e35_6.0.6001.18000_none_d2ac9d5aa723258e\$$DeleteMe.tcpmon.dll.01ca12668223e8a0.009c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6001.18000_none_b3dc8e9f30720cdd\$$DeleteMe.pdh.dll.01ca12667e8ab480.004b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ting-wsdportmonitor_31bf3856ad364e35_6.0.6001.18000_none_16d3442ddf994157\$$DeleteMe.WSDMon.dll.01ca12667d71d240.001f
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_6.0.6001.18000_none_932df61f18add086\$$DeleteMe.winspool.drv.01ca126681951620.0080
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-pantherengine_31bf3856ad364e35_6.0.6001.18000_none_ae116f90a5d6b7d4\$$DeleteMe.wdscore.dll.01ca12667f3154c0.0056
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-printing-spooler-core_31bf3856ad364e35_6.0.6001.18000_none_d64ba321c188c516\$$DeleteMe.spoolsv.exe.01ca126681ace3e0.0087
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-profsvc_31bf3856ad364e35_6.0.6001.18000_none_fbb1576d32ad0ba9\$$DeleteMe.profsvc.dll.01ca12668015d8c0.0074
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-propsys_31bf3856ad364e35_7.0.6001.16503_none_f3d11aeeb9526bbb\$$DeleteMe.propsys.dll.01ca12667d873ea0.0026
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-raschap_31bf3856ad364e35_6.0.6001.18000_none_12bf0305774c76e6\$$DeleteMe.raschap.dll.01ca12667db21760.002c
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasdlg_31bf3856ad364e35_6.0.6001.18000_none_6d133c0e4fa0edb1\$$DeleteMe.rasdlg.dll.01ca12667ca05940.000a
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasrtutils_31bf3856ad364e35_6.0.6001.18000_none_0d159410ea7a8f9d\$$DeleteMe.rtutils.dll.01ca12667dd10940.0030
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasmanservice_31bf3856ad364e35_6.0.6001.18136_none_9ea32a1fa0bb6c5d\$$DeleteMe.rasmans.dll.01ca12667fdcb7c0.0068
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasplap_31bf3856ad364e35_6.0.6001.18000_none_1236753177b2477f\$$DeleteMe.rasplap.dll.01ca126681b66960.0089
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rasppp_31bf3856ad364e35_6.0.6001.18000_none_6c94b11e4fff8902\$$DeleteMe.rasppp.dll.01ca12667e21f800.003e
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rastapi_31bf3856ad364e35_6.0.6001.18000_none_0ee42a5979dd0144\$$DeleteMe.rastapi.dll.01ca12667feb0000.006b
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rastls_31bf3856ad364e35_6.0.6001.18000_none_6c652bee5023e04d\$$DeleteMe.rastls.dll.01ca12667f3878e0.0057
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-rsaenh-dll_31bf3856ad364e35_6.0.6001.18000_none_5fc70fc7b14478d4\$$DeleteMe.rsaenh.dll.01ca12667e13afc0.003b
Status: Locked to the Windows API!

Path: C:\Wind

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1236 Status: Locked to the Windows API!

==EOF==


----------------------------------------------------------------------------------------
Win32Diag log
-------------------------------------------------------------------------------------------
Running from: C:\Users\Kylie\Desktop\Win32kDiag.exe

Log file at : C:\Users\Kylie\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5C42.tmp\ZAP5C42.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEC1.tmp\ZAPEEC1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\788E47A8F0F87104FA35BC4A2211AA5A\1.0.1215\1.0.1215

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 04:46:03 61952 C:\Windows\System32\cngaudit.dll ()

[1] 2006-11-02 04:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-10-22 01:12:43 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\WerFault.exe

[1] 2009-04-10 23:28:12 217088 C:\Windows\System32\WerFault.exe ()

[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe (Microsoft Corporation)

[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe (Microsoft Corporation)

[1] 2008-09-19 23:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)

[1] 2009-04-10 23:28:12 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe ()



Found mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\SMARTAUDIO\SMARTAUDIO

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\{4d36e96c-e325-11ce-bfc1-08002be10318}0000\{4d36e96c-e325-11ce-bfc1-08002be10318}0000

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\{4d36e96d-e325-11ce-bfc1-08002be10318}0000\{4d36e96d-e325-11ce-bfc1-08002be10318}0000

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe

[1] 2009-04-10 23:28:12 217088 C:\Windows\System32\WerFault.exe ()

[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe (Microsoft Corporation)

[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe (Microsoft Corporation)

[1] 2008-09-19 23:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)

[1] 2009-04-10 23:28:12 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe ()

Finished!

-------------------------------------------------------------------

Thanks!


Here is the log.txt after running step 3. Thanks!!!!
----------------------------------------------------------------------------------

Volume in drive C has no label.
Volume Serial Number is 5DD8-5BA3

Directory of C:\Windows\ERDNT\cache

04/10/2009 11:28 PM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Directory of C:\Windows\System32

04/10/2009 11:28 PM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/20/2008 09:24 PM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/10/2009 11:28 PM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Total Files Listed:
4 File(s) 2,371,072 bytes
0 Dir(s) 108,359,073,792 bytes free
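The two logs above are read the same way: the Win32kDiag output lists reparse points whose target is a bare `\Device\...` name rather than a normal volume or drive path, plus locked files with their WinSxS copies beside them, and the `dir` listing in step 3 is the same size comparison for netlogon.dll done by hand (System32 copy matches the 6.0.6002.18005 component-store copy, so nothing is flagged). As an added example, not part of this thread nor of Win32kDiag, ComboFix or any other tool used here, the Python script below automates both checks over a constructed log excerpt in the same line shapes as the one posted above. The line format it parses, the helper names and the severity labels are my assumptions.

```python
"""Triage a Win32kDiag-style log (added example; not part of any tool in this thread)."""
import re

# Constructed excerpt in the same line shapes as the log posted above.
SAMPLE_LOG = r"""
Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\SMARTAUDIO\SMARTAUDIO

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 04:46:03 61952 C:\Windows\System32\cngaudit.dll ()

[1] 2006-11-02 04:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)

Cannot access: C:\Windows\System32\WerFault.exe

[1] 2009-04-10 23:28:12 217088 C:\Windows\System32\WerFault.exe ()

[1] 2008-01-20 21:24:06 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe (Microsoft Corporation)

Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
DENIED_RE = re.compile(r"^Cannot access: (.+)$")
# [1] <date> <time> <size> <path> (<company>)
ENTRY_RE = re.compile(r"^\[\d+\] \S+ \S+ (\d+) (.+?) \((.*)\)$")
# Where Windows normally points a reparse point: a volume GUID path for a
# volume mount point, or a drive path for a directory junction.
LEGIT_TARGET = re.compile(r"^\\\?\?\\(Volume\{[0-9A-Fa-f-]+\}|[A-Za-z]:)")


def parse_log(text):
    """Return (mounts, denied). mounts: [(directory, target)]. denied maps each
    inaccessible path to the [(size, path, company)] rows listed under it."""
    mounts, denied = [], {}
    pending_dir = current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending_dir, current = m.group(1), None
            continue
        m = DEST_RE.match(line)
        if m and pending_dir:
            mounts.append((pending_dir, m.group(1)))
            pending_dir = None
            continue
        m = DENIED_RE.match(line)
        if m:
            current = m.group(1)
            denied[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            denied[current].append((int(m.group(1)), m.group(2), m.group(3)))
    return mounts, denied


def suspicious_mounts(mounts):
    """Flag reparse points by the two traits every hit in the thread's log shares:
    a target that is a bare NT device name rather than a volume/drive path, and a
    leaf directory named after its own parent (...\\tmp\\tmp)."""
    flagged = []
    for directory, target in mounts:
        reasons = []
        if not LEGIT_TARGET.match(target):
            reasons.append("target is not a volume GUID or drive path: " + target)
        parts = directory.rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("leaf directory repeats its parent name")
        if reasons:
            flagged.append((directory, reasons))
    return flagged


def assess_denied(denied):
    """Compare each locked file's live copy with its WinSxS copies. A size that
    matches no component-store copy is the strong signal (cngaudit.dll above:
    61952 vs 11776). An unreadable company field alone is weak: the tool could
    not open the file, so version info may be missing for that reason only."""
    verdicts = {}
    for live_path, rows in denied.items():
        live = [r for r in rows if r[1].lower() == live_path.lower()]
        store = [r for r in rows if r[1].lower() != live_path.lower()]
        if not live or not store:
            verdicts[live_path] = ("unknown", ["no WinSxS copy to compare against"])
            continue
        size, _, company = live[0]
        store_sizes = sorted({s for s, _, _ in store})
        severity, reasons = "none", []
        if size not in store_sizes:
            severity = "high"
            reasons.append("live size %d matches no WinSxS copy %s" % (size, store_sizes))
        if not company and any(c for _, _, c in store):
            severity = severity if severity == "high" else "low"
            reasons.append("version info unreadable on the live copy only")
        verdicts[live_path] = (severity, reasons)
    return verdicts


def triage(text):
    mounts, denied = parse_log(text)
    return {"mounts": suspicious_mounts(mounts), "files": assess_denied(denied)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for directory, reasons in report["mounts"]:
        print("MOUNT  %s\n       %s" % (directory, "; ".join(reasons)))
    for path, (severity, reasons) in report["files"].items():
        print("FILE   [%s] %s\n       %s" % (severity, path, "; ".join(reasons)))
```

On the constructed excerpt both mount points are flagged on both traits, cngaudit.dll comes out "high" because its live size matches no component-store copy, and WerFault.exe comes out "low": the size matches, and the empty company field is explained by the access lock itself, which is why the thread's helper moved on cngaudit.dll and not on WerFault.exe. Run it against a full Win32kDiag.txt by passing the file contents to `triage()`.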

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 October 2009 - 08:29 AM

Hi DakotaCat,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • Please download the attachment. Right-click it and select "Run as Administrator"

    A log file opens. In case the log says: "1 file(s) copied" proceed with the next step. Otherwise stop here and tell me the content of it.

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to move:
    C:\cngaudit.dll | C:\Windows\System32\cngaudit.dll
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.


#4 DakotaCat

DakotaCat
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male

Posted 23 October 2009 - 09:29 AM

Thank you very much for your help farbar! I will get this completed as soon as possible and paste the results. I really appreciate your help.

Edited by DakotaCat, 23 October 2009 - 09:32 AM.


#5 DakotaCat

DakotaCat
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male

Posted 23 October 2009 - 10:58 AM

.

Edited by DakotaCat, 23 October 2009 - 11:01 AM.


#6 DakotaCat

DakotaCat
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male

Posted 23 October 2009 - 11:00 AM

I downloaded copy.bat and ran it. Windows said no program associated with this type of file. Made a copy called copy.exe and ran it. Flashed black box real quick then closed. It didn't open notepad. Computer froze up so had to reboot. Started back up in Safe Mode using F8. Tried to run copy.bat and got "no file association error, choose a program to run this file" so I ran copy.exe and black box flashed, notepad didn't open. I went to C:\ and opened log.txt manually and it is blank. Not good!

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 October 2009 - 11:17 AM

Not good at all, and I don't mean not being able to run the tool. From my first post:

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.



#8 DakotaCat

DakotaCat
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male

Posted 23 October 2009 - 11:22 AM

Ok. Sorry. You mean because I changed the extension to exe to get it to run? I understand and will follow your directions. I realize I need to slow down and be patient since you are helping me. Again, I apologize.

#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 October 2009 - 11:38 AM

Go to Start > Run. Type cmd and press Enter. Tell me if the command window opens and stands.

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 October 2009 - 11:44 AM

Please don't miss my previous post.

In order to be notified immediately via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

* Click on the My Controls link at the top of the page to enter your control panel.
* Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
* Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
* Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.


Also when we both are on line you can refresh the page by pressing F5 to see my reply.

Regards,

farbar

#11 DakotaCat

DakotaCat
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male

Posted 23 October 2009 - 02:40 PM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\cngaudit.dll|c:\windows\system32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 October 2009 - 02:47 PM

We need to run the tool with the following command to fix some malware related changes.
Run Command Prompt as administrator:
  • Click on Start button.
  • Type Cmd in the Start Search text box.
  • Press Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator.
Copy and paste the following command (the bold text) into the open command window, and press Enter:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

#13 DakotaCat

DakotaCat
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male

Posted 23 October 2009 - 05:50 PM

Running from: C:\Users\Kylie\desktop\win32kdiag.exe

Log file at : C:\Users\Kylie\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...





Finished!

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 October 2009 - 05:54 PM

Good.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#15 DakotaCat

DakotaCat
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male

Posted 23 October 2009 - 06:34 PM

Thanks for all of your help. We seem to be making good progress. I really appreciate it! Here is my Combofix log
------------------------------------------------------------------------------------------------------------------

ComboFix 09-10-22.01 - Kylie 10/23/2009 18:21.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1755 [GMT -5:00]
Running from: c:\users\Kylie\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Updated) {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Trend Micro OfficeScan Anti-spyware *disabled* (Updated) {6D124117-24A2-4555-BD42-A763D52CFEB2}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Kylie\AppData\Local\Temp\Temp2_RootRepeal.zip\RootRepeal.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-23 23:27 . 2009-10-23 23:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-23 23:27 . 2009-10-23 23:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-23 15:43 . 2009-10-23 15:43 38556 ----a-w- c:\users\Kylie\AppData\Local\prvlcl.dat
2009-10-23 03:58 . 2009-10-23 03:58 127872 ----a-w- c:\users\Kylie\AppData\Roaming\Move Networks\uninstall.exe
2009-10-23 00:41 . 2009-10-23 00:41 -------- d-----w- c:\users\Kylie\AppData\Local\AVG Security Toolbar
2009-10-22 23:03 . 2009-10-22 23:03 -------- d-----w- C:\$AVG
2009-10-22 23:03 . 2009-10-22 23:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-22 23:03 . 2009-10-22 23:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-22 23:02 . 2009-10-22 23:02 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-22 23:02 . 2009-10-22 23:02 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-22 23:02 . 2009-10-23 22:40 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-22 23:02 . 2009-10-22 23:04 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-10-22 23:02 . 2009-10-22 23:02 -------- d-----w- c:\program files\AVG
2009-10-22 23:02 . 2009-10-22 23:02 -------- d-----w- c:\programdata\avg9
2009-10-22 15:20 . 2006-11-02 09:46 61952 ----a-w- C:\logevent.dll
2009-10-22 13:18 . 2009-10-22 13:28 -------- d-----w- c:\program files\Mahey
2009-10-22 06:05 . 2009-10-22 06:07 -------- d-----w- C:\MGtools
2009-10-22 04:15 . 2009-10-22 04:15 117760 ----a-w- c:\users\Kylie\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-22 04:14 . 2009-10-23 23:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 04:01 . 2009-10-21 20:30 2383047 ----a-w- C:\MGtools.exe
2009-10-22 03:36 . 2009-10-22 03:36 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-10-21 23:31 . 2009-10-21 23:31 15 ----a-w- c:\windows\system32\settings.dat
2009-10-21 23:27 . 2009-10-21 23:28 -------- d-----w- C:\32788R22FWJFW.3.tmp
2009-10-21 23:27 . 2009-10-21 23:27 -------- d-----w- C:\32788R22FWJFW.2.tmp
2009-10-21 21:08 . 2009-10-21 21:08 -------- d-----w- c:\program files\CCleaner
2009-10-21 21:06 . 2009-10-21 21:07 -------- d-----w- C:\antivirus
2009-10-21 21:05 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-21 21:04 . 2009-10-22 06:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 21:04 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-21 21:03 . 2009-10-21 21:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-21 17:46 . 2009-10-21 17:46 -------- d-----w- c:\users\Kylie\AppData\Roaming\SUPERAntiSpyware.com
2009-10-21 17:46 . 2009-10-21 17:46 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-21 03:32 . 2009-10-21 03:33 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-10-21 03:28 . 2008-11-06 07:03 -------- d-----w- C:\SDFix
2009-10-21 03:01 . 2009-10-21 03:01 -------- d-----w- c:\program files\IObit
2009-10-21 02:19 . 2009-10-21 02:37 -------- d-----w- c:\users\Kylie\.housecall6.6
2009-10-20 13:54 . 2009-10-20 13:54 -------- d-----w- c:\users\Kylie\AppData\Roaming\Uniblue
2009-10-20 13:04 . 2009-10-20 14:19 -------- d-----w- c:\program files\W32.Gaobot.AZT Removal Tool
2009-10-20 05:32 . 2009-10-20 05:32 -------- d-----w- c:\users\Kylie\AppData\Roaming\Malwarebytes
2009-10-20 05:32 . 2009-10-20 05:32 -------- d-----w- c:\programdata\Malwarebytes
2009-10-19 19:04 . 2009-10-21 21:38 1356 ----a-w- c:\users\Kylie\AppData\Local\d3d9caps.dat
2009-10-14 23:45 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 23:44 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 23:44 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 23:42 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 23:41 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 23:41 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-14 23:35 . 2009-10-14 23:35 -------- d-----w- c:\program files\Bradford Networks
2009-10-13 23:49 . 2009-10-15 23:10 -------- d-----w- c:\users\Kylie\dwhelper
2009-09-30 01:03 . 2009-09-30 01:03 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 23:11 . 2009-08-28 23:31 -------- d-----w- c:\users\Kylie\AppData\Roaming\Skype
2009-10-23 21:45 . 2009-08-28 23:32 -------- d-----w- c:\users\Kylie\AppData\Roaming\skypePM
2009-10-23 04:35 . 2009-09-15 02:49 -------- d-----w- c:\users\Kylie\AppData\Roaming\Move Networks
2009-10-23 03:58 . 2009-06-16 06:35 4183416 ----a-w- c:\users\Kylie\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
2009-10-22 15:10 . 2009-07-31 15:39 -------- d-----w- c:\users\Kylie\AppData\Roaming\uTorrent
2009-10-22 06:11 . 2009-09-23 17:24 0 ----a-r- c:\windows\win32k.sys
2009-10-22 05:44 . 2009-04-22 14:16 -------- d-----w- c:\programdata\WildTangent
2009-10-22 05:44 . 2009-04-22 14:16 -------- d-----w- c:\program files\HP Games
2009-10-22 04:12 . 2009-08-01 03:39 -------- d-----w- c:\program files\Trend Micro
2009-10-21 19:46 . 2009-09-15 15:12 -------- d-----w- c:\users\Kylie\AppData\Roaming\vlc
2009-10-21 19:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-10-21 19:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-10-21 19:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-10-21 19:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-10-21 19:27 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-10-21 19:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-21 19:26 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-21 19:19 . 2009-07-31 15:55 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-10-21 19:19 . 2009-07-31 20:09 -------- d-----w- c:\programdata\FLEXnet
2009-10-21 19:19 . 2009-04-22 14:57 -------- d-----w- c:\programdata\Microsoft Help
2009-10-21 19:19 . 2009-08-28 23:30 -------- d-----r- c:\program files\Skype
2009-10-21 19:19 . 2009-07-31 15:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-21 19:19 . 2009-05-17 02:26 -------- d-----w- c:\program files\NetWaiting
2009-10-21 19:19 . 2009-04-22 14:45 -------- d-----w- c:\program files\Microsoft Works
2009-10-21 19:19 . 2009-04-22 13:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-21 19:19 . 2009-08-28 23:30 -------- d-----w- c:\program files\Common Files\Skype
2009-10-13 00:26 . 2009-09-15 15:08 -------- d-----w- c:\users\Kylie\AppData\Roaming\MozillaControl
2009-10-09 00:51 . 2009-10-09 00:51 32 ----a-w- c:\programdata\ezsid.dat
2009-09-15 15:06 . 2009-09-15 15:06 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-09-09 13:06 . 2009-09-09 13:06 -------- d-----r- c:\users\Kylie\AppData\Roaming\Brother
2009-09-09 04:21 . 2009-09-05 20:35 -------- d-----w- c:\program files\Brownie
2009-09-08 23:42 . 2009-09-05 20:35 34 ----a-w- c:\windows\system32\BD2170W.DAT
2009-09-08 23:38 . 2009-09-08 23:38 -------- d-----w- c:\programdata\Brother
2009-09-06 22:19 . 2009-04-22 15:13 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 22:03 . 2009-07-31 06:16 -------- d-----w- c:\users\Kylie\AppData\Roaming\Hewlett-Packard
2009-09-06 20:31 . 2009-04-22 13:59 -------- d-----w- c:\programdata\Hewlett-Packard
2009-09-06 03:17 . 2009-09-06 03:12 -------- d-----w- c:\program files\Microsoft
2009-09-06 03:16 . 2009-09-06 03:16 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-09-06 03:16 . 2009-09-06 03:11 -------- d-----w- c:\program files\Windows Live
2009-09-06 03:15 . 2009-09-06 03:15 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-09-06 03:13 . 2009-09-06 03:13 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-09-06 03:12 . 2009-09-06 03:12 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-06 02:56 . 2009-09-06 02:56 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-05 20:35 . 2009-09-05 20:32 -------- d-----w- c:\program files\Brother
2009-08-28 23:35 . 2009-08-28 23:35 -------- d-----w- c:\program files\Microsoft LifeCam
2009-08-28 23:30 . 2009-08-28 23:30 -------- d-----w- c:\programdata\Skype
2009-08-27 05:22 . 2009-10-14 23:43 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 23:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 23:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 23:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 22:04 . 2009-08-14 22:04 239088 ----a-w- c:\users\Kylie\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-08-14 16:27 . 2009-09-10 08:03 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-10 08:03 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-10 08:03 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 08:03 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 08:03 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 08:03 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 08:03 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 08:03 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-10 08:03 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-10 08:03 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-10 08:03 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-06 03:48 . 2009-09-06 03:16 54632 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2009-08-05 03:42 . 2009-08-04 04:13 34 ----a-w- c:\users\Kylie\jagex_runescape_preferences.dat
2009-07-31 20:10 . 2009-07-31 06:13 106944 ----a-w- c:\users\Kylie\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-31 17:14 . 2009-07-31 17:14 10134 ----a-r- c:\users\Kylie\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-07-26 21:44 . 2009-07-26 21:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-04-22 14:18 . 2009-04-22 14:09 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-22_14.59.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-22 23:01 . 2009-10-22 23:01 65536 c:\windows\winsxs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.4053_none_3b0e32bdc9afe437\vcomp.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 49152 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80KOR.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 49152 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80JPN.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 61440 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ITA.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 61440 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80FRA.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 61440 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ESP.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 57344 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80ENU.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 65536 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80DEU.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 45056 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80CHT.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 40960 c:\windows\winsxs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_03ca5532205cb096\mfc80CHS.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 57856 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfcm80u.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 69632 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfcm80.dll
+ 2008-01-21 01:58 . 2009-10-23 19:35 44648 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-23 22:40 86838 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-31 06:10 . 2009-10-23 22:42 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-31 06:10 . 2009-10-22 14:59 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-31 06:10 . 2009-10-22 14:59 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-31 06:10 . 2009-10-23 22:42 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-31 06:10 . 2009-10-23 22:42 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-31 06:10 . 2009-10-22 14:59 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-31 06:35 . 2009-10-23 22:40 7568 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4282784694-3393288294-1352681575-1000_UserData.bin
+ 2009-10-23 19:33 . 2009-10-23 22:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-23 19:33 . 2009-10-23 22:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-22 23:01 . 2009-10-22 23:01 632656 c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcr80.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 554832 c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcp80.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 479232 c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_d08d7da0442a985d\msvcm80.dll
+ 2009-07-31 03:32 . 2009-10-23 21:45 316720 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2009-10-22 14:52 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-23 22:44 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-23 22:44 101350 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-10-22 14:52 101350 c:\windows\System32\perfc009.dat
- 2009-07-31 07:57 . 2009-10-22 14:59 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-31 07:57 . 2009-10-23 22:42 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-10-22 23:01 . 2009-10-22 23:01 424448 c:\windows\Installer\1b9a2eb.msi
+ 2009-10-22 23:01 . 2009-10-22 23:01 1093120 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80u.dll
+ 2009-10-22 23:01 . 2009-10-22 23:01 1105920 c:\windows\winsxs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.4053_none_cbf21254470d8752\mfc80.dll
+ 2006-11-02 10:22 . 2009-10-22 23:01 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2009-10-14 23:47 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-07-31 07:23 . 2009-10-22 23:01 146459521 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-18 17:27 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-09-18 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\skype.exe" [2009-07-16 25604904]
"Google Update"="c:\users\Kylie\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-08-29 133104]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-24 174104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-24 151064]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-03-31 718120]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2008-09-18 880640]
"bncsaui.exe"="c:\program files\Bradford Networks\Persistent Agent\bncsaui.exe" [2009-02-04 2612960]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-22 2010904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):0c,1c,cc,ef,66,12,ca,01

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [10/22/2009 6:02 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\drivers\avgtdix.sys [10/22/2009 6:03 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [3/30/2009 7:34 PM 143376]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/22/2009 6:02 PM 285392]
R2 BNPagent;Bradford Persistent Agent Service;c:\program files\Bradford Networks\Persistent Agent\bndaemon.exe [2/4/2009 9:33 AM 2944736]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [4/22/2009 10:17 AM 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [7/31/2009 10:55 AM 1153368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\System32\drivers\tmwfp.sys [3/30/2009 7:34 PM 235024]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [4/22/2009 9:14 AM 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [5/26/2009 4:12 AM 122368]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [5/22/2009 1:02 AM 225296]
S2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [5/22/2009 1:00 AM 36368]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [9/5/2009 10:16 PM 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S3 TmPfw;OfficeScan NT Firewall;c:\program files\Trend Micro\OfficeScan Client\TmPfw.exe [3/30/2009 7:34 PM 488768]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2/11/2009 3:36 PM 652552]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4282784694-3393288294-1352681575-1000Core.job
- c:\users\Kylie\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-29 19:35]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4282784694-3393288294-1352681575-1000UA.job
- c:\users\Kylie\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-29 19:35]

2009-10-14 c:\windows\Tasks\HPCeeScheduleForKylie.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
FF - ProfilePath - c:\users\Kylie\AppData\Roaming\Mozilla\Firefox\Profiles\sg8ho7hx.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/webhp?complete=1&hl=en
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Kylie\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\Kylie\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Kylie\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 18:27
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Kylie\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-23 18:30
ComboFix-quarantined-files.txt 2009-10-23 23:30
ComboFix2.txt 2009-10-22 15:07

Pre-Run: 110,232,932,352 bytes free
Post-Run: 110,405,132,288 bytes free

- - End Of File - - C50971FE911B71ADA52B6FA18883B777
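The "Reg Loading Points" and service sections of the log above are what a helper reads by eye: the Run keys, the policies\system key (EnableLUA=0 means UAC is switched off), AppInit_DLLs, ShellExecuteHooks, and the R*/S* service lines, where one Norton entry ends in [?] instead of the file date and size the other entries carry. As an added example that is not part of the original post and not ComboFix's own code, the script below parses an excerpt copied from this log and applies those checks automatically. The vendor list, the finding names and the reading of [?] as "image not readable" are this script's assumptions; in this log the ShellExecuteHooks entry and the AppInit DLL belong to SUPERAntiSpyware and AVG, so the script lists them for review rather than calling them malicious.

```python
import re

# Excerpt copied from the ComboFix log above (load points plus three service
# lines), embedded so the script runs offline against real input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-03-31 718120]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-22 2010904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\System32\drivers\tmlwf.sys [3/30/2009 7:34 PM 143376]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/22/2009 6:02 PM 285392]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                              # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                # "name"=data
META_RE = re.compile(r"\s*\[([^\]]*)\]\s*$")                    # trailing [date size] or [?]
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")  # R2 name;display;image

# Assumed vendor list: the products visible in this log.
AV_VENDORS = ("avg", "trend micro", "norton")


def parse_loading_points(text):
    """Turn the ComboFix load-point dump into (values, services)."""
    values = {}      # lower-cased key path -> {value name: value data}
    services = []    # one dict per R*/S* driver or service line
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            values.setdefault(current_key, {})
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, start, name, display, rest = m.groups()
            meta = META_RE.search(rest)
            services.append({
                "name": name, "display": display,
                "image": META_RE.sub("", rest),
                "running": state == "R", "start": int(start),
                # ComboFix prints [?] where the other lines carry a file date
                # and size; treated here as "image could not be read".
                "unreadable": meta is not None and meta.group(1) == "?",
            })
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.groups()
            values[current_key][name] = META_RE.sub("", data).strip().strip('"')
    return values, services


def dword(data):
    """'0 (0x0)' -> 0; ComboFix prints DWORDs as decimal followed by hex."""
    return int(data.split()[0])


def vendors_present(values, services):
    """Distinct AV vendors named in Run entries and service image paths."""
    paths = [svc["image"].lower() for svc in services]
    for key, vals in values.items():
        if key.endswith(r"\currentversion\run"):
            paths.extend(v.lower() for v in vals.values())
    return {v for v in AV_VENDORS if any(v in p for p in paths)}


def triage(text):
    """Apply the checks a helper makes by eye; returns (check, detail) pairs."""
    values, services = parse_loading_points(text)
    findings = []
    for key, vals in values.items():
        if key.endswith(r"\policies\system") and "EnableLUA" in vals and dword(vals["EnableLUA"]) == 0:
            findings.append(("uac_disabled", "EnableLUA=0: UAC off, admin logons get a full admin token"))
        if key.endswith(r"\windows nt\currentversion\windows") and vals.get("AppInit_DLLs"):
            findings.append(("appinit_dlls", vals["AppInit_DLLs"]))   # loaded into every user32 process
        if key.endswith(r"\shellexecutehooks"):
            for dll in vals.values():
                findings.append(("shell_execute_hook", dll))       # runs on every ShellExecute
    for svc in services:
        if svc["unreadable"]:
            findings.append(("orphaned_service", svc["name"]))
    vendors = vendors_present(values, services)
    if len(vendors) > 1:
        findings.append(("multiple_av", ", ".join(sorted(vendors))))
    return findings


if __name__ == "__main__":
    for check, detail in triage(SAMPLE_LOG):
        print(f"{check:20} {detail}")
```

Run against the excerpt it reports UAC disabled, the AVG AppInit DLL, the SUPERAntiSpyware hook, the Norton service whose image could not be read, and three antivirus vendors side by side; each of those is a line the poster would otherwise have to spot by hand.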



