Virus Infection on Computer


This topic is locked
14 replies to this topic

#1 thefarside


  • Members
  • 8 posts

Posted 18 November 2009 - 05:24 PM

I was recently infected by a rogue virus (Super Security 2010?) which kept telling me that my system was infected and that I needed to purchase their program. I did some research and thought I had removed the virus using SuperAntiSpyware. All was good for a few days but now I have more issues (see below). My current system/infected system is XP Pro 2002, SP 3. I'm working off of a laptop with the same setup and can download items to a jump drive and run on the infected computer.
I ran an HJT report and it's attached below... Please help!

Symptoms that are occurring:
*Malwarebytes disabled (will not start)
*Start Menu does not load
*Network Connection is empty/blank
*Windows Installer Error


HJT Report....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:56 PM, on 11/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Concentra\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-21-2263733555-2454287660-3013475143-14161\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User '?')
O4 - HKUS\S-1-5-21-2263733555-2454287660-3013475143-14161\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User '?')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Concentra Inc Concentra VPN Client.lnk = C:\Program Files\Concentra\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: http://*.applications
O15 - Trusted Zone: http://concentra.appsint.com
O15 - Trusted Zone: *.concentra.com
O15 - Trusted Zone: http://*.cstherapy
O15 - Trusted Zone: http://www.cami.jccbi.gov
O15 - Trusted Zone: http://*.myconcentra
O15 - Trusted Zone: http://www.natldiag.com
O15 - Trusted Zone: http://system.occulink.net
O15 - Trusted Zone: http://www.p2plink.com
O15 - Trusted Zone: http://*.purchasing
O15 - Trusted Zone: http://w.pc.rlhc.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: *.webex.com
O15 - Trusted Zone: http://www.webhire.com
O15 - Trusted Zone: *.webhire.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://stay.viewnetcam.com/SysCamInst.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://access.concentra.com/dal0s1t/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133959410906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156787313562
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://69.219.210.130:8082/activex/AMC.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://69.219.210.129:8081/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = chs.concentra.corp
O17 - HKLM\Software\..\Telephony: DomainName = chs.concentra.corp
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = chs.concentra.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = chs.concentra.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = chs.concentra.corp
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware2.0\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Application Management (AppMgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: CryptSvc - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Concentra\VPN Client\cvpnd.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wired AutoConfig (Dot3svc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Extensible Authentication Protocol Service (EapHost) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: HID Input Service (HidServ) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Health Key and Certificate Management Service (hkmsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: hpqcxs08 - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: HP CUE DeviceDiscovery Service (hpqddsvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Infrared Monitor (Irmon) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: Network Access Protection Agent (napagent) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Net Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: TuneUp Theme Extension (UxTuneUp) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 17807 bytes
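For readers triaging an HJT log like the one above, the following is an added helper written for this page (it is not part of HijackThis and not something any poster supplied). It reads the raw O-section lines and flags the entries a responder would look at first: components whose backing file is gone (the missing msiexec.exe for the MSIServer service lines up with the "Windows Installer Error" symptom), ActiveX (DPF) controls fetched from a bare IP address over plain HTTP, and Trusted Zone entries that use a wildcard. The heuristics are the editor's own; the sample lines are copied from the log above.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT code)."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample lines, copied verbatim from the HJT log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\\Program Files\\Google\\Google Toolbar\\GoogleToolbar_32.dll
O15 - Trusted Zone: http://*.applications
O15 - Trusted Zone: http://www.webhire.com
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://69.219.210.130:8082/activex/AMC.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\\WINDOWS\\system32\\msiexec.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

# Every HJT entry starts with a section tag (R0, O2, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# HJT appends these markers when the referenced file could not be found on disk.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    # An orphaned registry entry, a component removed by an earlier cleanup,
    # or a service disabled by deleting its binary all show up this way.
    if any(marker in body for marker in MISSING_MARKERS):
        return Finding(sec, "backing file missing", line)
    if sec == "O16":  # Downloaded Program Files (ActiveX controls)
        url = body.rsplit(" - ", 1)[-1]
        parsed = urlparse(url)
        if parsed.scheme == "http" and _is_bare_ip(parsed.hostname or ""):
            return Finding(sec, "ActiveX control from bare IP over plain HTTP", line)
    if sec == "O15":  # Internet Explorer Trusted Zone entries
        zone = body.split(":", 1)[1].strip()
        if "*" in zone:
            return Finding(sec, "wildcard Trusted Zone entry", line)
    return None


def triage_log(text: str) -> list:
    """Run triage_line over every line of a log and keep the findings, in log order."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


def summarize(findings) -> dict:
    """Count findings per reason, for a quick overview before reading each line."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

A flagged line is a starting point for review, not a verdict: the wildcard Trusted Zone entries here, for instance, are consistent with the corporate intranet names in the O17 domain entries.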

#2 Blade


    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 27 November 2009 - 12:42 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 thefarside

  • Topic Starter

  • Members
  • 8 posts

Posted 27 November 2009 - 01:36 PM

Thanks for taking the time to help!
Here is the DDS Log....

DDS (Ver_09-11-24.02) - NTFSx86
Run by Michael.Scurti at 12:29:27.57 on Fri 11/27/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Concentra\VPN Client\cvpnd.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCWLIcon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/news
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AutorunsDisabled - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TP4EX] tp4ex.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [QCWLIcon] c:\progra~1\thinkpad\connec~1\QCWLIcon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: applications
Trusted Zone: appsint.com\concentra
Trusted Zone: concentra.com
Trusted Zone: concentraaps.com\www
Trusted Zone: concentracheck.com\www
Trusted Zone: cstherapy
Trusted Zone: jccbi.gov\www.cami
Trusted Zone: libertyscreening.com\www
Trusted Zone: microsoft.com
Trusted Zone: mricentral.com\ris
Trusted Zone: myconcentra
Trusted Zone: natldiag.com\secure
Trusted Zone: natldiag.com\www
Trusted Zone: occulink.net\system
Trusted Zone: p2plink.com\www
Trusted Zone: purchasing
Trusted Zone: rlhc.com\w.pc
Trusted Zone: speechmachines.org\www
Trusted Zone: turbotax.com
Trusted Zone: webex.com
Trusted Zone: webhire.com
Trusted Zone: webhire.com\www
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://stay.viewnetcam.com/SysCamInst.cab
DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} - hxxps://access.concentra.com/dal0s1t/iNotes.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133959410906
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156787313562
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://69.219.210.130:8082/activex/AMC.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://69.219.210.129:8081/activex/AxisCamControl.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware2.0\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware2.0\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michae~1.scu\applic~1\mozilla\firefox\profiles\xx7lqc47.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/news
FF - plugin: c:\documents and settings\michael.scurti\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R? ccmsetup;ccmsetup
R? getPlus® Helper;getPlus® Helper
R? MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver
R? QCNDISIF;QCNDISIF
R? SASENUM;SASENUM
R? SASKUTIL;SASKUTIL
S? ANC;ANC
S? ibmfilter;ibmfilter
S? IBMTPCHK;IBMTPCHK
S? NaiAvTdi1;NaiAvTdi1
S? SASDIFSV;SASDIFSV
S? ShockMgr;ShockMgr
S? Shockprf;Shockprf
S? TomTomHOMEService;TomTomHOMEService
S? TPDiskPM;TPDiskPM
S? TPInput;TPInput
S? TPM11;NSC Integrated Trusted Platform Module 1.1
S? TPPWRIF;TPPWRIF
S? TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service

=============== Created Last 30 ================

2009-11-18 21:51:36 0 d-----w- c:\program files\Trend Micro
2009-11-17 23:02:06 98816 ----a-w- c:\windows\sed.exe
2009-11-17 23:02:06 77312 ----a-w- c:\windows\MBR.exe
2009-11-17 23:02:06 260608 ----a-w- c:\windows\PEV.exe
2009-11-17 23:02:06 161792 ----a-w- c:\windows\SWREG.exe
2009-11-14 19:39:37 0 d-----w- c:\windows\system32\CatRoot2
2009-11-06 00:54:21 0 d-----w- c:\program files\SUPERAntiSpyware2.0
2009-11-01 13:59:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-01 13:59:18 0 d-----w- c:\docume~1\michae~1.scu\applic~1\SUPERAntiSpyware.com
2009-10-31 15:34:30 0 d-----w- c:\docume~1\michae~1.scu\applic~1\Malwarebytes
2009-10-31 15:32:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-31 14:16:12 0 ----a-r- c:\windows\win32k.sys

==================== Find3M ====================

2009-10-01 12:29:49 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-01 12:29:43 362240 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-09-09 13:29:04 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090920080910\index.dat

============= FINISH: 12:30:13.82 ===============




#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:13 AM

Posted 28 November 2009 - 05:37 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

----------------------------------------------

Looks like you may have a rootkit here.


With RootRepeal failing we need to try another way of finding it.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Then

Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as. In the box that opens type in peek.bat for the file name. Right below that click the down arrow in the line for save as and select all files. Save this to your desktop and close notepad.

@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0

Locate the peek.bat icon on your desktop and double click it. Then copy and paste the resulting log in your next reply.


Finally, can you also try Gmer, a similar scanner to RootRepeal.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Thanks, let's see what we find :(
m0le is a proud member of UNITE
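
The Win32kDiag pass and the peek.bat listing above both produce plain text that a responder reads by hand: the first pairs each found mount point with its destination, the second lets you compare the size of the live copy of each DLL in system32 with the service-pack reference copy in ServicePackFiles\i386. As an added example that is not part of this thread or of either tool, the Python script below parses both formats from constructed sample lines, groups mount points by destination, lists the files the tool could not open, and flags size mismatches; the "not a volume path" heuristic is an assumption about how Win32kDiag prints an ordinary junction target.

```python
"""Triage helpers for the two text logs requested above: the DIR listing that
peek.bat writes and the Win32kDiag output (added example, not thread code)."""
import re
from collections import defaultdict

# Constructed sample of peek.bat output, same layout as the thread's Peek Log.
PEEK_LOG = """\
 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

04/13/2008  06:12 PM           181,248 scecli.dll
04/13/2008  06:12 PM           407,040 netlogon.dll
04/13/2008  06:11 PM            56,320 eventlog.dll
               3 File(s)        644,608 bytes

 Directory of C:\\WINDOWS\\system32

04/13/2008  06:12 PM           181,248 scecli.dll
04/13/2008  06:12 PM           407,040 netlogon.dll
04/13/2008  06:11 PM            61,952 eventlog.dll
               3 File(s)        650,240 bytes
"""

# Constructed sample of Win32kDiag output, same layout as the thread's log.
WIN32KDIAG_LOG = """\
Found mount point : C:\\WINDOWS\\addins\\addins

Mount point destination : \\Device\\__max++>\\^

Found mount point : C:\\WINDOWS\\CSC\\d1\\d1

Mount point destination : \\Device\\__max++>\\^

Cannot access: C:\\WINDOWS\\system32\\svchost.exe

Note: Granted Everyone Full Access to svchost.exe
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
DIR_ENTRY = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S+)\s*$")
MOUNT_POINT = re.compile(r"^Found mount point : (.+?)\s*$")
DESTINATION = re.compile(r"^Mount point destination : (.+?)\s*$")
NO_ACCESS = re.compile(r"^Cannot access: (.+?)\s*$")


def parse_dir_listing(text):
    """Map file name -> {directory: size in bytes} from `DIR /a/s` output."""
    sizes = defaultdict(dict)
    current_dir = None
    for line in text.splitlines():
        if (m := DIR_HEADER.match(line)):
            current_dir = m.group(1).lower()
        elif (m := DIR_ENTRY.match(line)) and current_dir:
            sizes[m.group(2).lower()][current_dir] = int(m.group(1).replace(",", ""))
    return sizes


def size_mismatches(text, reference_dir=r"c:\windows\servicepackfiles\i386",
                    live_dir=r"c:\windows\system32"):
    """{name: (reference_size, live_size)} where the system32 copy differs in size."""
    found = {}
    for name, per_dir in parse_dir_listing(text).items():
        ref, live = per_dir.get(reference_dir), per_dir.get(live_dir)
        if ref is not None and live is not None and ref != live:
            found[name] = (ref, live)
    return found


def parse_win32kdiag(text):
    """Group found mount points by destination and list files the tool could
    not open (the 'Cannot access' lines)."""
    by_dest = defaultdict(list)
    inaccessible = []
    pending = None  # path from the most recent 'Found mount point' line
    for line in text.splitlines():
        if (m := MOUNT_POINT.match(line)):
            pending = m.group(1)
        elif (m := DESTINATION.match(line)) and pending:
            by_dest[m.group(1)].append(pending)
            pending = None
        elif (m := NO_ACCESS.match(line)):
            inaccessible.append(m.group(1))
    return {"mount_points": dict(by_dest), "inaccessible": inaccessible}


def suspicious_destinations(text):
    """Destinations that are not a volume path. Assumption: Win32kDiag prints
    an ordinary junction target as \\??\\C:\\...; \\Device\\... is not a volume."""
    report = parse_win32kdiag(text)
    return {dest: paths for dest, paths in report["mount_points"].items()
            if not re.match(r"^\\\?\?\\[A-Za-z]:\\", dest)}


if __name__ == "__main__":
    for name, (ref, live) in size_mismatches(PEEK_LOG).items():
        print(f"size mismatch: {name} i386={ref} system32={live}")
    for dest, paths in suspicious_destinations(WIN32KDIAG_LOG).items():
        print(f"{len(paths)} mount point(s) -> {dest}")
```

Run against the real Peek Log and Win32kDiag.txt by reading the files into the two parsers in place of the constructed samples.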

#5 thefarside

thefarside
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:13 AM

Posted 28 November 2009 - 10:58 AM

Thanks for helping me out, m0le!

Here are my logs...

Win32kDiag:

Running from: C:\Documents and Settings\Michael.Scurti\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Michael.Scurti\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB893066\KB893066

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB893066\KB893066

Found mount point : C:\WINDOWS\$hf_mig$\KB896424\KB896424

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB896424\KB896424

Found mount point : C:\WINDOWS\$hf_mig$\KB900725\KB900725

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB900725\KB900725

Found mount point : C:\WINDOWS\$hf_mig$\KB905915\KB905915

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB905915\KB905915

Found mount point : C:\WINDOWS\$hf_mig$\KB908531\KB908531

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB908531\KB908531

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Found mount point : C:\WINDOWS\$hf_mig$\KB912919\KB912919

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912919\KB912919

Found mount point : C:\WINDOWS\$hf_mig$\KB913446\KB913446

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB913446\KB913446

Found mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB916281\KB916281

Found mount point : C:\WINDOWS\$hf_mig$\KB917953\KB917953

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB917953\KB917953

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB925902\KB925902

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925902\KB925902

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB928255\KB928255

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928255\KB928255

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB930178\KB930178

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB930178\KB930178

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB938829\KB938829

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB938829\KB938829

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Found mount point : C:\WINDOWS\$hf_mig$\KB941693\KB941693

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941693\KB941693

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Found mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590

Found mount point : C:\WINDOWS\$hf_mig$\KB976749-IE7\KB976749-IE7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB976749-IE7\KB976749-IE7

Found mount point : C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\$NtServicePackUninstallIDNMitigationAPIs$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\$NtServicePackUninstallIDNMitigationAPIs$

Found mount point : C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\$NtServicePackUninstallNLSDownlevelMapping$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\$NtServicePackUninstallNLSDownlevelMapping$

Found mount point : C:\WINDOWS\$NtUninstallKB891122$\$NtUninstallKB891122$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB891122$\$NtUninstallKB891122$

Found mount point : C:\WINDOWS\$NtUninstallKB893066$\$NtUninstallKB893066$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB893066$\$NtUninstallKB893066$

Found mount point : C:\WINDOWS\$NtUninstallKB896422$\$NtUninstallKB896422$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB896422$\$NtUninstallKB896422$

Found mount point : C:\WINDOWS\$NtUninstallKB896428$\$NtUninstallKB896428$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB896428$\$NtUninstallKB896428$

Found mount point : C:\WINDOWS\$NtUninstallKB898461$\$NtUninstallKB898461$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB898461$\$NtUninstallKB898461$

Found mount point : C:\WINDOWS\$NtUninstallKB904942$\$NtUninstallKB904942$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB904942$\$NtUninstallKB904942$

Found mount point : C:\WINDOWS\$NtUninstallKB905749$\$NtUninstallKB905749$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB905749$\$NtUninstallKB905749$

Found mount point : C:\WINDOWS\$NtUninstallKB911565$\$NtUninstallKB911565$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB911565$\$NtUninstallKB911565$

Found mount point : C:\WINDOWS\$NtUninstallKB911927$\$NtUninstallKB911927$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB911927$\$NtUninstallKB911927$

Found mount point : C:\WINDOWS\$NtUninstallKB913446$\$NtUninstallKB913446$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB913446$\$NtUninstallKB913446$

Found mount point : C:\WINDOWS\$NtUninstallKB915865$\$NtUninstallKB915865$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB915865$\$NtUninstallKB915865$

Found mount point : C:\WINDOWS\$NtUninstallKB917159$\$NtUninstallKB917159$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB917159$\$NtUninstallKB917159$

Found mount point : C:\WINDOWS\$NtUninstallKB917734_WMP10$\$NtUninstallKB917734_WMP10$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB917734_WMP10$\$NtUninstallKB917734_WMP10$

Found mount point : C:\WINDOWS\$NtUninstallKB917953$\$NtUninstallKB917953$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB917953$\$NtUninstallKB917953$

Found mount point : C:\WINDOWS\$NtUninstallKB923414$\$NtUninstallKB923414$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB923414$\$NtUninstallKB923414$

Found mount point : C:\WINDOWS\$NtUninstallKB923689$\$NtUninstallKB923689$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB923689$\$NtUninstallKB923689$

Found mount point : C:\WINDOWS\$NtUninstallKB925486$\$NtUninstallKB925486$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB925486$\$NtUninstallKB925486$

Found mount point : C:\WINDOWS\$NtUninstallKB926255$\$NtUninstallKB926255$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB926255$\$NtUninstallKB926255$

Found mount point : C:\WINDOWS\$NtUninstallKB927802$\$NtUninstallKB927802$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB927802$\$NtUninstallKB927802$

Found mount point : C:\WINDOWS\$NtUninstallKB929969$\$NtUninstallKB929969$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB929969$\$NtUninstallKB929969$

Found mount point : C:\WINDOWS\$NtUninstallKB930178$\$NtUninstallKB930178$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB930178$\$NtUninstallKB930178$

Found mount point : C:\WINDOWS\$NtUninstallKB931261$\$NtUninstallKB931261$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB931261$\$NtUninstallKB931261$

Found mount point : C:\WINDOWS\$NtUninstallKB931836$\$NtUninstallKB931836$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB931836$\$NtUninstallKB931836$

Found mount point : C:\WINDOWS\$NtUninstallKB933360$\$NtUninstallKB933360$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB933360$\$NtUninstallKB933360$

Found mount point : C:\WINDOWS\$NtUninstallKB936357$\$NtUninstallKB936357$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB936357$\$NtUninstallKB936357$

Found mount point : C:\WINDOWS\$NtUninstallKB936782_WMP10$\$NtUninstallKB936782_WMP10$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB936782_WMP10$\$NtUninstallKB936782_WMP10$

Found mount point : C:\WINDOWS\$NtUninstallKB938127$\$NtUninstallKB938127$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB938127$\$NtUninstallKB938127$

Found mount point : C:\WINDOWS\$NtUninstallKB938464$\$NtUninstallKB938464$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB938464$\$NtUninstallKB938464$

Found mount point : C:\WINDOWS\$NtUninstallKB941569$\$NtUninstallKB941569$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB941569$\$NtUninstallKB941569$

Found mount point : C:\WINDOWS\$NtUninstallKB941644$\$NtUninstallKB941644$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB941644$\$NtUninstallKB941644$

Found mount point : C:\WINDOWS\$NtUninstallKB941693$\$NtUninstallKB941693$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB941693$\$NtUninstallKB941693$

Found mount point : C:\WINDOWS\$NtUninstallKB942763$\$NtUninstallKB942763$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB942763$\$NtUninstallKB942763$

Found mount point : C:\WINDOWS\$NtUninstallKB946627$\$NtUninstallKB946627$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB946627$\$NtUninstallKB946627$

Found mount point : C:\WINDOWS\$NtUninstallKB951072-v2$\$NtUninstallKB951072-v2$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB951072-v2$\$NtUninstallKB951072-v2$

Found mount point : C:\WINDOWS\$NtUninstallKB951376_0$\$NtUninstallKB951376_0$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB951376_0$\$NtUninstallKB951376_0$

Found mount point : C:\WINDOWS\$NtUninstallKB954211$\$NtUninstallKB954211$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB954211$\$NtUninstallKB954211$

Found mount point : C:\WINDOWS\$NtUninstallKB954600$\$NtUninstallKB954600$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB954600$\$NtUninstallKB954600$

Found mount point : C:\WINDOWS\$NtUninstallKB955839$\$NtUninstallKB955839$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB955839$\$NtUninstallKB955839$

Found mount point : C:\WINDOWS\$NtUninstallKB957095$\$NtUninstallKB957095$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB957095$\$NtUninstallKB957095$

Found mount point : C:\WINDOWS\$NtUninstallKB958687$\$NtUninstallKB958687$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallKB958687$\$NtUninstallKB958687$

Found mount point : C:\WINDOWS\$NtUninstallWMCSetup$\$NtUninstallWMCSetup$

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$NtUninstallWMCSetup$\$NtUninstallWMCSetup$

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP270.tmp\ZAP270.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP270.tmp\ZAP270.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP321.tmp\ZAP321.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP321.tmp\ZAP321.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3E0.tmp\ZAP3E0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3E0.tmp\ZAP3E0.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP409.tmp\ZAP409.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP409.tmp\ZAP409.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\IBM\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IBM\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Attempting to restore permissions of : C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\backup\backup

Cannot access: C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\update\update.exe

Attempting to restore permissions of : C:\WINDOWS\SoftwareDistribution\Download\5760d4b301d053a8878e2025a64e5970\update\update.exe

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\73a765a7ebf2e1b5a6655f2bb798b30f\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\73a765a7ebf2e1b5a6655f2bb798b30f\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\73a765a7ebf2e1b5a6655f2bb798b30f\sp1qfe\asms\60\msft\windows\common\common

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\73a765a7ebf2e1b5a6655f2bb798b30f\sp1qfe\asms\60\msft\windows\common\common

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\73a765a7ebf2e1b5a6655f2bb798b30f\sp1qfe\asms\60\policy\60\60

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\73a765a7ebf2e1b5a6655f2bb798b30f\sp1qfe\asms\60\policy\60\60

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\S-1-5-18

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\S-1-5-18

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\system32\MRT.exe

Cannot access: C:\WINDOWS\system32\svchost.exe

Attempting to restore permissions of : C:\WINDOWS\system32\svchost.exe

Note: Granted Everyone Full Access to svchost.exe

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Finished!


Peek Log:

Volume in drive C is Local Disk
Volume Serial Number is 5835-5EE7

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 06:11 PM 61,952 eventlog.dll
3 File(s) 650,240 bytes

Total Files Listed:
6 File(s) 1,294,848 bytes
0 Dir(s) 10,475,900,928 bytes free


GMER Log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-28 09:50:58
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\MICHAE~1.SCU\LOCALS~1\Temp\pwtiqpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 TPInput.sys (IBM SATA Power Management Driver/IBM Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 TPInput.sys (IBM SATA Power Management Driver/IBM Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/McAfee Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

---- Files - GMER 1.0.15 ----

File C:\RRUbackups\Documents and Settings 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500 0 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\db734f3e-8829-4ab1-b741-68098f14c8aa 388 bytes
File C:\RRUbackups\Documents and Settings\Administrator\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\Preferred 24 bytes
File C:\RRUbackups\Documents and Settings\CHS 0 bytes
File C:\RRUbackups\Documents and Settings\CHS\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\CHS\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\CHS\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\CHS\Application Data\Microsoft\Protect\CREDHIST 160 bytes
File C:\RRUbackups\Documents and Settings\CHS\Application Data\Microsoft\Protect\S-1-5-21-2023011582-3198862791-3327244652-1005 0 bytes
File C:\RRUbackups\Documents and Settings\CHS\Application Data\Microsoft\Protect\S-1-5-21-2023011582-3198862791-3327244652-1005\bb3b85b7-e813-47ae-a161-964cf6f4c7de 388 bytes
File C:\RRUbackups\Documents and Settings\CHS\Application Data\Microsoft\Protect\S-1-5-21-2023011582-3198862791-3327244652-1005\Preferred 24 bytes
File C:\RRUbackups\Documents and Settings\CHS\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500 0 bytes
File C:\RRUbackups\Documents and Settings\CHS\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\db734f3e-8829-4ab1-b741-68098f14c8aa 388 bytes
File C:\RRUbackups\Documents and Settings\CHS\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\Preferred 24 bytes
File C:\RRUbackups\Documents and Settings\Default User 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500 0 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\db734f3e-8829-4ab1-b741-68098f14c8aa 388 bytes
File C:\RRUbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\Preferred 24 bytes
File C:\RRUbackups\Documents and Settings\Default User.bak 0 bytes
File C:\RRUbackups\Documents and Settings\Default User.bak\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\Default User.bak\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\Default User.bak\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\Default User.bak\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRUbackups\Documents and Settings\Default User.bak\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500 0 bytes
File C:\RRUbackups\Documents and Settings\Default User.bak\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\db734f3e-8829-4ab1-b741-68098f14c8aa 388 bytes
File C:\RRUbackups\Documents and Settings\Default User.bak\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\Preferred 24 bytes
File C:\RRUbackups\Documents and Settings\James 0 bytes
File C:\RRUbackups\Documents and Settings\James\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\James\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\James\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\James\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRUbackups\Documents and Settings\James\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500 0 bytes
File C:\RRUbackups\Documents and Settings\James\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\db734f3e-8829-4ab1-b741-68098f14c8aa 388 bytes
File C:\RRUbackups\Documents and Settings\James\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\Preferred 24 bytes
File C:\RRUbackups\Documents and Settings\test 0 bytes
File C:\RRUbackups\Documents and Settings\test\Application Data 0 bytes
File C:\RRUbackups\Documents and Settings\test\Application Data\Microsoft 0 bytes
File C:\RRUbackups\Documents and Settings\test\Application Data\Microsoft\Protect 0 bytes
File C:\RRUbackups\Documents and Settings\test\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRUbackups\Documents and Settings\test\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500 0 bytes
File C:\RRUbackups\Documents and Settings\test\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\db734f3e-8829-4ab1-b741-68098f14c8aa 388 bytes
File C:\RRUbackups\Documents and Settings\test\Application Data\Microsoft\Protect\S-1-5-21-2525703198-1285022974-1711107474-500\Preferred 24 bytes
File C:\RRUbackups\hints.dat 8192 bytes
File C:\RRUbackups\pu.dat 224 bytes
File C:\RRUbackups\SAM 262144 bytes
File C:\RRUbackups\system 5242880 bytes
File C:\RRUbackups\system.dat 12288 bytes

---- EOF - GMER 1.0.15 ----


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:13 AM

Posted 28 November 2009 - 04:59 PM

The Max ++ rootkit is on your system. We need to remove this threat now.

The first log has helped us, the second one tells us what to do next...

  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter
    • This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"

    NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful.
  • Exit the Command Prompt window.
(This copies the clean system file to the system root)


Now
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to move:
    C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
Thanks :(
m0le is a proud member of UNITE
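The dir listing posted earlier in this thread is exactly the comparison m0le's fix relies on: the clean SP3 copy of eventlog.dll in ServicePackFiles\i386 is 56,320 bytes, while the live copy in system32 is 61,952 bytes. As an added example (not code from this thread or from any of the tools it uses), the Python below parses such dir output and reports every file whose size differs between the two directories; the sample listing is the one from this thread, and a size mismatch is a lead to confirm with a file hash or signature check, not proof on its own.

```python
import re
from collections import defaultdict

# Sample `dir` output, copied from the listing posted in this thread
# (the two copies of each DLL on the infected XP SP3 machine).
DIR_LISTING = """\
 Volume in drive C is Local Disk
 Volume Serial Number is 5835-5EE7

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

04/13/2008 06:12 PM 181,248 scecli.dll

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

04/13/2008 06:12 PM 407,040 netlogon.dll

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

04/13/2008 06:11 PM 56,320 eventlog.dll
 3 File(s) 644,608 bytes

 Directory of C:\\WINDOWS\\system32

04/13/2008 06:12 PM 181,248 scecli.dll

 Directory of C:\\WINDOWS\\system32

04/13/2008 06:12 PM 407,040 netlogon.dll

 Directory of C:\\WINDOWS\\system32

04/13/2008 06:11 PM 61,952 eventlog.dll
 3 File(s) 650,240 bytes
"""

# " Directory of C:\WINDOWS\system32" introduces each group of entries.
DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# A file entry: date, time, byte count with thousands separators, name.
# "<DIR>" entries and the "N File(s)" summary line do not match this.
FILE_LINE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s?[AP]M)\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_listing(text):
    """Return {directory (lower-case): {filename (lower-case): size_in_bytes}}.

    Directory and file names are lower-cased because NTFS paths are
    case-insensitive and `dir` prints them as stored on disk.
    """
    files = defaultdict(dict)
    current = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current = header.group("path").lower()
            continue
        entry = FILE_LINE.match(line)
        if entry and current is not None:
            size = int(entry.group("size").replace(",", ""))
            files[current][entry.group("name").lower()] = size
    return dict(files)


def find_size_mismatches(files, reference_dir, live_dir):
    """Compare files present in both directories.

    Returns {filename: (reference_size, live_size)} for every file whose
    size differs. A difference means the live copy is not the pristine
    service-pack copy; follow up with a hash or Authenticode check before
    concluding it has been tampered with, since a legitimate hotfix can
    also change a system DLL.
    """
    ref = files.get(reference_dir.lower(), {})
    live = files.get(live_dir.lower(), {})
    return {
        name: (ref[name], live[name])
        for name in sorted(ref.keys() & live.keys())
        if ref[name] != live[name]
    }


if __name__ == "__main__":
    parsed = parse_dir_listing(DIR_LISTING)
    mismatches = find_size_mismatches(
        parsed, r"C:\WINDOWS\ServicePackFiles\i386", r"C:\WINDOWS\system32"
    )
    for name, (ref_size, live_size) in mismatches.items():
        print(f"{name}: ServicePackFiles copy {ref_size} bytes, "
              f"system32 copy {live_size} bytes -> investigate")
```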

#7 thefarside

thefarside
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:13 AM

Posted 28 November 2009 - 05:19 PM

Here's the Avenger log....


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:13 AM

Posted 28 November 2009 - 05:35 PM

Good news there :(

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Next

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks, let me know if anything unexpected happens. Rootkits are like that. :(
m0le is a proud member of UNITE

#9 thefarside

thefarside
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:13 AM

Posted 28 November 2009 - 06:40 PM

ComboFix Log...

ComboFix 09-11-28.01 - Michael.Scurti 11/28/2009 17:13.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.202 [GMT -6:00]
Running from: c:\documents and settings\Michael.Scurti\Desktop\comfix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.

2009-11-28 22:51 . 2009-11-28 22:51 -------- d-----w- c:\windows\LastGood
2009-11-18 21:51 . 2009-11-18 21:51 -------- d-----w- c:\program files\Trend Micro
2009-11-14 19:39 . 2009-11-28 23:13 -------- d-----w- c:\windows\system32\CatRoot2
2009-11-06 00:54 . 2009-11-06 00:54 -------- d-----w- c:\program files\SUPERAntiSpyware2.0
2009-11-01 17:26 . 2009-11-01 17:26 -------- d-----w- c:\documents and settings\Michael.Scurti\Local Settings\Application Data\Threat Expert
2009-11-01 14:00 . 2009-11-01 14:00 117760 ----a-w- c:\documents and settings\Michael.Scurti\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-01 13:59 . 2009-11-01 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-01 13:59 . 2009-11-01 13:59 -------- d-----w- c:\documents and settings\Michael.Scurti\Application Data\SUPERAntiSpyware.com
2009-10-31 21:35 . 2009-11-01 17:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-31 17:38 . 2009-10-31 17:46 -------- d-----w- c:\documents and settings\Michael.Scurti\Local Settings\Application Data\Temp
2009-10-31 15:34 . 2009-11-06 00:19 -------- d-----w- c:\documents and settings\Michael.Scurti\Application Data\Malwarebytes
2009-10-31 15:32 . 2009-11-18 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-31 14:55 . 2009-10-31 14:55 0 ----a-w- c:\windows\nsreg.dat
2009-10-31 14:54 . 2009-10-31 14:54 -------- d-----w- c:\documents and settings\Michael.Scurti\Local Settings\Application Data\Mozilla
2009-10-31 14:16 . 2009-11-14 17:47 0 ----a-r- c:\windows\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 00:53 . 2005-11-20 09:32 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-06 00:00 . 2009-07-23 00:52 -------- d-----w- c:\program files\Bonjour
2009-10-22 00:57 . 2005-12-09 09:20 45720 ----a-w- c:\documents and settings\CHS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 23:42 . 2009-10-21 23:42 -------- d-----w- c:\program files\MSECache
2009-10-09 02:09 . 2006-09-24 01:37 -------- d-----w- c:\documents and settings\Michael.Scurti\Application Data\BitTorrent
2009-10-01 12:29 . 2009-10-01 12:29 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2009-10-01 12:29 . 2009-10-01 12:29 362240 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-10-01 12:29 . 2009-02-15 23:56 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-09-23 01:25 . 2007-12-18 16:24 256 ----a-w- c:\windows\system32\pool.bin
2009-09-11 14:18 . 1980-01-01 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 1980-01-01 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-17_23.28.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 1980-01-01 08:00 . 2008-04-14 00:11 56320 c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-13 68856]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"IBMPRC"="c:\ibmtools\UTILS\ibmprc.exe" [2005-04-27 90112]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-04-14 139264]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-14 208896]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 98304]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"QCWLIcon"="c:\progra~1\ThinkPad\CONNEC~1\QCWLIcon.exe" [2005-03-18 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2004-11-12 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Concentra Inc Concentra VPN Client.lnk - c:\program files\Concentra\VPN Client\vpngui.exe [2005-12-8 1466384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware2.0\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware2.0\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 11:07 262144 ----a-w- c:\windows\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 04:11 24576 ----a-w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2263733555-2454287660-3013475143-14161\Scripts\Logon\0\0]
"Script"=loginLogs.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2263733555-2454287660-3013475143-14161\Scripts\Logon\0\1]
"Script"=Adobe_scan_tool.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2263733555-2454287660-3013475143-14161\Scripts\Logon\1\0]
"Script"=outOfBandPatches-Wks.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2263733555-2454287660-3013475143-14161\Scripts\Logon\2\0]
"Script"=MS08-067-Wks.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Spooler"=2 (0x2)
"MSCamSvc"=2 (0x2)
"KodakCCS"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" -s
"BitTorrent DNA"="c:\program files\DNA\btdna.exe"
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"WinampAgent"="c:\program files\Winamp\winampa.exe"
"SoundMAX"=c:\program files\Analog Devices\SoundMAX\Smax4.exe /tray
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"PD6000StatusMonitor"=c:\windows\system32\PD6000SM.EXE
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"EZEJMNAP"=c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
"TpShocks"=TpShocks.exe
"dla"=c:\windows\system32\dla\tfswctrl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 TPDiskPM;TPDiskPM;c:\windows\system32\drivers\TPDiskPM.sys [11/20/2005 3:29 AM 14208]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [12/7/2005 6:34 AM 59904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware2.0\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [4/27/2005 12:27 PM 63616]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/8/2009 4:38 AM 92008]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [10/1/2009 6:29 AM 603904]
R3 TPInput;TPInput;c:\windows\system32\drivers\TPInput.sys [11/20/2005 3:29 AM 6016]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [1/1/1980 2:00 AM 14336]
S2 ccmsetup;ccmsetup;c:\windows\system32\ccmsetup\ccmsetup.exe [9/25/2007 8:36 AM 267488]
S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [11/21/2008 8:18 PM 33808]
S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [11/20/2005 3:55 AM 12288]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware2.0\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S4 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 21:28]

2009-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2263733555-2454287660-3013475143-14161Core.job
- c:\documents and settings\Michael.Scurti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-31 17:38]

2009-11-28 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-11-20 09:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/news
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: applications
Trusted Zone: appsint.com\concentra
Trusted Zone: concentra.com
Trusted Zone: concentraaps.com\www
Trusted Zone: concentracheck.com\www
Trusted Zone: cstherapy
Trusted Zone: jccbi.gov\www.cami
Trusted Zone: libertyscreening.com\www
Trusted Zone: microsoft.com
Trusted Zone: mricentral.com\ris
Trusted Zone: myconcentra
Trusted Zone: natldiag.com\secure
Trusted Zone: natldiag.com\www
Trusted Zone: occulink.net\system
Trusted Zone: p2plink.com\www
Trusted Zone: purchasing
Trusted Zone: rlhc.com\w.pc
Trusted Zone: speechmachines.org\www
Trusted Zone: turbotax.com
Trusted Zone: webex.com
Trusted Zone: webhire.com
Trusted Zone: webhire.com\www
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://stay.viewnetcam.com/SysCamInst.cab
FF - ProfilePath - c:\documents and settings\Michael.Scurti\Application Data\Mozilla\Firefox\Profiles\xx7lqc47.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/news
FF - plugin: c:\documents and settings\Michael.Scurti\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{91810AFC-A4F8-4EBA-A5AA-B198BBC81144} - c:\program files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe REMOVEALL



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-28 17:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ccmsetup]
"ImagePath"="\"c:\windows\system32\ccmsetup\ccmsetup.exe\" /runservice /config:MobileClient.tcf"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\program files\SUPERAntiSpyware2.0\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll

- - - - - - - > 'explorer.exe'(488)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-28 17:37
ComboFix-quarantined-files.txt 2009-11-28 23:37
ComboFix2.txt 2009-11-17 23:35

Pre-Run: 10,365,943,808 bytes free
Post-Run: 10,336,657,408 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - B7D6F13FC87A6989D4C33A2109A0AB5F


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:13 AM

Posted 28 November 2009 - 06:57 PM

That's a good Combofix log. :(

How is the PC running now?


One final scan I think, an online scan from ESET to pick off any infected files

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Thanks :(
m0le is a proud member of UNITE

#11 thefarside

thefarside
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:13 AM

Posted 28 November 2009 - 11:11 PM

Computer looks like it's back to normal as it's functioning properly, but I'm holding off hope until I get your seal of approval...


ESET Log...

C:\Documents and Settings\Michael.Scurti\Application Data\Sun\Java\Deployment\cache\6.0\13\799a240d-31578d99 Win32/Kryptik.BAK.gen trojan cleaned by deleting - quarantined

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:13 AM

Posted 29 November 2009 - 05:43 AM

ESET found a Java cache entry but there hasn't been any live malware on the PC since you ran Combofix.

You're clean. Good stuff! :(

Let's do some clearing up

Old versions of Java are big doors to malware. JavaRa removes them and updates your version to the most current.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Please make sure you turn on the Java Automatic Update Feature

    Then you will not have to remember to update it when Java introduces a new version.
    Java is updated very frequently, and the old versions are malware magnets.

    Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.
Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big [image] button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program, you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it thefarside, happy surfing!

Cheers.

m0le
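The triage call m0le makes above (a hit inside the Java deployment cache is cached download content, not an active infection, whereas a hit under a system directory would be) is the kind of check that is easy to automate when an ESET log has many lines. The following is an added example and not part of the original thread or any ESET tooling. It parses ESET result lines in the form shown above (path, detection name, type, action) and separates cache-only hits from hits in locations that hold installed or running code. The line format, the cache directory markers and the two extra sample lines are assumptions constructed for the example; only the first sample line is the one actually posted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One ESET Online Scanner result line, as formatted in this thread:
#   <path> <detection name> <type> <action taken>
# Assumption: the detection name contains a '/' (e.g. Win32/Kryptik.BAK.gen)
# and is followed by a one-word type (trojan, application, ...). Paths may
# contain spaces, so the path group is non-greedy and anchored on the
# detection name that follows it.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>\S+/\S+)\s+"
    r"(?P<kind>[A-Za-z]+)\s+"
    r"(?P<action>.+?)\s*$"
)

# Hypothetical list of XP-era profile directories that hold downloaded or
# cached content rather than installed/running code. Extend as needed.
CACHE_MARKERS = (
    "\\application data\\sun\\java\\deployment\\cache\\",
    "\\local settings\\temporary internet files\\",
    "\\local settings\\temp\\",
)


@dataclass
class Hit:
    path: str
    detection: str
    kind: str
    action: str

    @property
    def in_cache(self) -> bool:
        # Case-insensitive match against the cache directory markers.
        p = self.path.lower()
        return any(marker in p for marker in CACHE_MARKERS)

    @property
    def removed(self) -> bool:
        # ESET reports successful handling as "cleaned by deleting",
        # "deleted" or "quarantined"; anything else needs a human look.
        a = self.action.lower()
        return "delet" in a or "quarantined" in a


def parse_line(line: str) -> Optional[Hit]:
    """Return a Hit for a well-formed result line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Hit(m["path"], m["detection"], m["kind"], m["action"])


def triage(log_text: str) -> dict:
    """Summarise a log: cache-only hits vs. hits in live locations, and
    hits the scanner did not manage to remove."""
    hits = [h for h in (parse_line(l) for l in log_text.splitlines()) if h]
    live = [h for h in hits if not h.in_cache]
    return {
        "total": len(hits),
        "cache_only": sum(1 for h in hits if h.in_cache),
        "live": len(live),
        "unhandled": sum(1 for h in hits if not h.removed),
        "live_paths": [h.path for h in live],
    }


# Constructed sample log: line 1 is the entry posted in this thread, lines 2
# and 3 are made up to exercise the browser-cache and system-path branches.
SAMPLE_LOG = r"""
C:\Documents and Settings\Michael.Scurti\Application Data\Sun\Java\Deployment\cache\6.0\13\799a240d-31578d99 Win32/Kryptik.BAK.gen trojan cleaned by deleting - quarantined
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\setup[1].exe Win32/Adware.Example application cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\example.sys Win32/Example.A trojan error while cleaning
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample log this reports three hits, two of them cache-only, one in a live location that the scanner also failed to clean, which is exactly the case that would change the "you're clean" verdict.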

#13 thefarside

  • Topic Starter

Posted 29 November 2009 - 11:07 AM

M0le,

Thank you so much for taking the time to help me out, much appreciated.
You are the Man!
Be well...

#14 m0le
  • Malware Response Team
  • Location: London, UK

Posted 29 November 2009 - 11:35 AM

You're welcome, thefarside.

Cheers

#15 m0le
  • Malware Response Team
  • Location: London, UK

Posted 05 December 2009 - 07:42 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
