#1, 26th November 2009, 02:10 PM
jackie2929 (Newcomer; Join Date: Nov 2009, 14 posts)
infected with catchme.sys

My computer has been doing some odd things: random freezing, messing with my virus scan (destroyed it, in fact), pop-ups, etc. I did some searching and I am pretty sure I have catchme.sys. I have read other posts on this site and have the same "nasty" files as some of the others. I could really use some help to clean this baby up. I have attached a RegSearch log and a HijackThis log.
Thanks in advance for the help..
Jackie
Attached Files
File Type: txt RegSearch.txt (6.0 KB, 84 views)
File Type: log hijackthis.log (8.5 KB, 82 views)
#2, 27th November 2009, 04:32 PM
Jason (Super Moderator; Join Date: Oct 2007, 2,181 posts)
Hello jackie2929 and welcome to TechSupportTeam!

Please keep these points in mind:
  • If you have questions, please DON'T hesitate to ask!
  • The instructions I give are specific to your current problem and should not be used on other systems.
  • Please post your replies only to this topic, and please DO NOT start a new thread.
  • Since there may be multiple issues with your system, please continue to follow this thread until I have given you an "All Clean!"

Run HiJackThis and place a check mark next to the following entries: (if there)
  • O2 - BHO: (no name) - AutorunsDisabled - (no file)
  • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

===================

Now we need to scan for Rootkits with GMER.

  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Close any and all open programs, as this process may crash your computer.
  3. Double click or on your desktop.
  4. Allow the gmer.sys driver to load if asked.
  5. You may see this window. If you do, click No :
  6. Click on and wait for the scan to finish.
  7. If you see a rootkit warning window, click OK.
  8. Push and save the logfile to your desktop.
  9. Copy and Paste the contents of that file in your next post.

===================

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

===================

Now I need you to go to the Malware Removal Guide - Read Before Posting thread and follow ALL the instructions exactly. When finished, please post the following fresh logs:
  • SUPERAntiSpyware log
  • Malwarebytes' Anti-Malware log

Last edited by Jason; 27th November 2009 at 07:09 PM.
#3, 28th November 2009, 08:35 PM
jackie2929 (Newcomer; Join Date: Nov 2009, 14 posts)
OK, I have done as you asked. Here are the logs that you wanted.
I could not update my Java. I think it is because of Internet Explorer. I can get on the net with Firefox, but not through Internet Explorer. I ran SAS and it found and removed a file; I thought that the log would save after it rebooted, so I am sorry I don't have that one.
Here are the logs.
Thanks so very much for your help!

GMER 1.0.15.15252 - GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-28 01:28:38
Windows 5.1.2600 Service Pack 3
Running: ys8qy5ge.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\awldypow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwClose [0xAFBD8C00]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xAFBD8930]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xAFBD8AA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xAFBD9540]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xAFBD9190]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateThread [0xAFBD9E20]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwDuplicateObject [0xAFBD8D60]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xAFBD72A0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenProcess [0xAFBD8720]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xAFBD9370]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xAFBD9AD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xAFBD9DD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xAFBDA150]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xAFBDA770]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationProcess [0xAFBDE160]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xAFBD5EC0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xAFBD9D80]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xAFBD7600]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwTerminateProcess [0xAFBD9970]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwWriteVirtualMemory [0xAFBD8C20]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[284] [0xAFBD4D40]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[285] [0xAFBD4D50]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[286] [0xAFBD4D60]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[287] [0xAFBD4D80]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[288] [0xAFBD4DA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[289] [0xAFBD4DD0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[290] [0xAFBD4DE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[291] [0xAFBD4E00]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[292] [0xAFBD4E10]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[293] [0xAFBD4ED0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[294] [0xAFBD4FA0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[295] [0xAFBD4FE0]
SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) SSDT[296] [0xAFBD5020]

Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KiDispatchInterrupt + 100 804DC962 7 Bytes JMP AFBDE280 \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntoskrnl.exe!IoIsOperationSynchronous 804EAFAE 5 Bytes JMP AFBDB150 \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 804F4593 5 Bytes JMP AFBDAB90 \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
AttachedDevice \FileSystem\Fastfat \Fat klif.sys (spuper-ptor/Kaspersky Lab)

---- Threads - GMER 1.0.15 ----

Thread System [4:196] AD796DD0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\APPSTREAM\Parameters\Drivers@RH_ExcludedKeyList ???????? ????????????????????Q???????????????????H????????? ??J???????????g?????????j????CmdWindow File???e???????????????????????B?????????????????? ?Q?????????????Qm???DEVENV.EXE,DWWIN.EXE,DRWTSN32.EXE,EXEFORSERVICE.EXE,PROCESSCREATOR.EXE?A?A??5, 1, 0, 82002????V??????o??????????????REGEDIT.EXE,REGEDT32.EXE,APPMGRSERVICE.EXE??{8???????????Q???????S??? ????????]???????????????????7????????n12A???????????2?????? ???n????5, 1, 0, 826C-??????????????????????????? ?????????????????????????????????????????????????? 0????????????????`???????????????????? ????????????????????? ????????????????A??? ???????????????? ?????????????:????????4??USB??S???????????c??????? ????????????n??????USBAAPL?m???? l??????5??????????USB\Vid_05ac&Pid_1262&Rev_0001?USB\Vid_05ac&Pid_1262????? ???????.??????s?????X??????R???S??iPod?|?????????? ????????????????????????? ,??????V??????????????????????????????????? ?????????????????????j??"???&????????U?P??Apple iPod USB Driver????????????c?????????ns.??? ?????????????????????~???????????????????
Reg HKLM\SYSTEM\ControlSet003\Services\APPSTREAM\Parameters\Drivers@RH_ExcludedKeyList ???d???? %???????????????Q?????????????d?????????????H????? ??????J???????d???g?????????j????CmdWindow File???e?????d???d?????????????B???????????????d?? ?Q?????????????Qm???DEVENV.EXE,DWWIN.EXE,DRWTSN32.EXE,EXEFORSERVICE.EXE,PROCESSCREATOR.EXE?A?A??5, 1, 0, 82002????V??d???o??????????????REGEDIT.EXE,REGEDT32.EXE,APPMGRSERVICE.EXE??{8???????????Q???????S??? ????d???]???????d???????d???7????????n12A???????d???2?????? ???n????5, 1, 0, 826C-???d?d?d?d?d?d?d?d?d?d????? ???????k???????????d?????????????????????????????? 0????????????????`???????????????????? ????????????????????? ????????????????A??? ?????????????d?? ??Q??????????:????????4???????????h?? a ??????????n??t (??????????.???????? ?????????????????Tcpip?????????:??d???B????h???@?System32\DRIVERS\arp1394.sys? `???2??d???Y?????e??8?1394 ARP Client Protocol?????????d????????H??? ??d???k??? (??????d???????????e?????d???????d?????d??? ???????.??????pn`???2??d?????????n??8?1394 ARP Client Protocol??0??d?d?d?d?d?d?d?d?d?d????? ???????d???????????d?~???????????????
Reg HKLM\SYSTEM\ControlSet004\Services\APPSTREAM\Parameters\Drivers@RH_ExcludedKeyList ???i?????????????i???????????Q?????????????i?????? ???????H???????????J???????i???g?????????j????CmdWindow File???e?????i???i?????????????B???????????????i?? ?Q?????????????Qm???DEVENV.EXE,DWWIN.EXE,DRWTSN32.EXE,EXEFORSERVICE.EXE,PROCESSCREATOR.EXE?A?A??5, 1, 0, 82002????V??i???o??????????????REGEDIT.EXE,REGEDT32.EXE,APPMGRSERVICE.EXE??{8???????????Q???????S??? ????i???]???????i???????i???7????????n12A???????i???2?????? ???n????5, 1, 0, 826C-???i??????????????Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.?n Firewall???? ???????i???????????i?~?????????????????????????i?? ????????????????0????????????????`???????????????? ???? ????????????????????? ????????????????1??? ???????l???????????i??????????(????????1?????????? ?4??????04????(??i???,??p0??System Bus Extender?0,?????i?????????????,??t7???????????0?g3 d???i?i?i?i?i???????????H??M,??? ???????l?????i?????i???????????????????a?????????? ?t??????NS???????i???0??p1??SCSI miniport????????????r??te??????$????e?
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders@~AS_~Ref~2636804348 ??????????:?????????????????????? ???????m????????????????????N????????????????????? ????????????????????????????????? ???????m??????????????????FreedomAPI?? ???????? ??????????????????????????????????????????? ?????????????????????????????????????????????????? ? ??????????????????????????????v??????????????????? ??v?????????????????WindowsLive.Writer.Interop,14.0.8089.726,,31bf3856ad364e35?????????????????????? ????????????????????????????? ????????????????????????????(????????????????????? ?????????????????????????????????????????????????? ??????????????C:\Documents and Settings\All Users\Application Data\Rogers Online Protection\Rogers Online Protection\?????? ????????????????????????????@????? ???????????????????? ????????????????????????????@???.e ???????????????????free??????????????????????????? ?????????????????????????????????l???? ??????????????????????????? ??????????????????????????C:\Program Files\Rogers Online Protection\Rogers Online Protection\capicom.dll???????????????????????????? ??17AFD8C1970420F
Reg HKLM\SOFTWARE\Classes\CLSID\AppStream\GhostRegistryChangesRoot\MACHINE\SOFTWARE\Oak Technology\OMSG\DriveDB@~AS_~Ref~2636804348 ???????? ???????????????????????????????C:\Program Files\Common Files\Broderbund\UMM\\adbook.exe?????????????????? ?????8?????Path??????????????????????8??????????N? ????????????????{7D1B4773-31CF-4626-B14E-0093EB83F3AE}???????c?????????????????????????8??? ??SystemId???????? ????????????????????????????????wl ???????3a?????????????? ??????????x??????????????????????????????????????? ?????????????????????????????????????????????????? ????????????????????????x????????????????????????? ?????????????????????????????????????????????????? ??????????????????????????????? ? ? ??x??????????????????????????????????????????????? ?????????????????????????????????????????????????? ?????????????????????????????????????????????????? ?????????????????????????????????????????????????? ???????gT??????????????2??????????x?????????????x? ????????????x????????????????????????????????????? ????????????????????????????????????????????????x? ????????????x????????????????????????????????????? ?????????????????????????????????????????????????? ????

---- EOF - GMER 1.0.15 ----


Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB873333\KB873333
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB888113\KB888113
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB890175\KB890175
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB893066\KB893066
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB893086\KB893086
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB896422\KB896422
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CAVTemp\CAVTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ERDNT\ERDNT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\{A260B422-70E1-41E2-957D-F76FA21266D5}\{A260B422-70E1-41E2-957D-F76FA21266D5}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Java\TrustLib\TrustLib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\setup.pss\setup.pss
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\191c899196624d7a81a735dad2332655\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\25d72ef1acc6d7256eb94ad3d6a21e9b\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2f4e3173d752bc7e745d290c2317bc46\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\73c38420ed6fcb4d7aee2a7564af0e8f\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\793f124195dbb56fd1932447ccb9ac04\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\93c9bb5898f80e6361e0dc6ea165864f\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c9bf12dbe4014749ca9bd94c51618107\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d2fcfbeca3e284c5f8d988b1c113bb83\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f6ae6c01481096f08117233982ca37f9\backup\backup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe
[1] 2009-02-06 05:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2004-08-04 02:56:57 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 11:39:29 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 04:41:05 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:15:13 227840 C:\WINDOWS\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\wmiprvse.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:40 218112 C:\WINDOWS\system32\dllcache\wmiprvse.exe (Microsoft Corporation)
[1] 2009-02-06 05:10:02 227840 C:\WINDOWS\system32\wbem\wmiprvse.exe ()

Found mount point : C:\WINDOWS\Watson\Watson
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790
Mount point destination : \Device\__max++>\^

Finished!



Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/28/2009 3:33:11 PM
mbam-log-2009-11-28 (15-33-11).txt

Scan type: Quick Scan
Objects scanned: 105805
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:54 PM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [D-Link RangeBooster G WUA-2340] C:\Program Files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Documents and Settings\Administrator\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - HKUS\S-1-5-21-48242932-1675595624-4262954155-500\..\Run: [WeatherEye] C:\Documents and Settings\Administrator\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe (User '?')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1243187179750
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://host-d.oddcast.com/hostClientIE.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames...1.cab60096.cab
O16 - DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED} (InstallHelper Class) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} (There Launcher) - file://c:\Program Files\There\ThereClient\ThereLauncher.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...13/mcfscan.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O20 - Winlogon Notify: ASWLNDLL - C:\WINDOWS\SYSTEM32\ASWLNDLL.dll
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

--
End of file - 8637 bytes
#4
28th November 2009, 11:50 PM
jackie2929
Newcomer
Join Date: Nov 2009, 14 posts.
Hmm? What happened to my post!
#5
29th November 2009, 12:11 PM
Jason
Super Moderator
Join Date: Oct 2007, 2,181 posts.
Sorry about that - having trouble with posts going into moderation. I'll look into it asap.

===============

Your computer is infected with a rootkit which is very persistent. Please read all of this carefully.

Backdoor Trojans, IRCBots and rootkits are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

Read this article: What danger is presented by rootkits?

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the infection has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS.

When should I re-format? How should I reinstall?
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it will be 100% secure afterwards or that the removal will be successful.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.
#6
29th November 2009, 02:29 PM
jackie2929
Newcomer
Join Date: Nov 2009, 14 posts.
Hi Jason,
This computer is used mainly for my photo editing and gaming for my kids. If you could help me to clean it up I would like to go with that. For me to reinstall this would not be easy. I will eventually do a reinstall but my problem is that I don't have a lot of my info to do so. I had an external hard drive with all my backups on it that crashed last week. (Could this virus have caused that? I was going to take it to someone to have it looked at.) Anyhow, on that note, if you will still help me to fix this mess up I really would be thankful.
Jackie.
#7
29th November 2009, 03:44 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Hello jackie2929.

Give me a few minutes to look through your logs and I will return with new instructions.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
#8
29th November 2009, 03:49 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Click on Start->Run, and copy-paste the following command (the below red text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop.

"%userprofile%\desktop\win32kdiag.exe" -f -r

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix
#9
29th November 2009, 07:50 PM
jackie2929
Newcomer
Join Date: Nov 2009, 14 posts.
ComboFix seems to freeze... it's stuck at stage 41.
#10
29th November 2009, 07:52 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Give it 10 minutes. If it doesn't complete then manually restart the computer and try running it again.
#11
29th November 2009, 10:38 PM
jackie2929
Newcomer
Join Date: Nov 2009, 14 posts.
OK... here are the logs.

Running from: C:\Documents and Settings\Administrator\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB873333\KB873333

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB873333\KB873333

Found mount point : C:\WINDOWS\$hf_mig$\KB888113\KB888113

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB888113\KB888113

Found mount point : C:\WINDOWS\$hf_mig$\KB890175\KB890175

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB890175\KB890175

Found mount point : C:\WINDOWS\$hf_mig$\KB893066\KB893066

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB893066\KB893066

Found mount point : C:\WINDOWS\$hf_mig$\KB893086\KB893086

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB893086\KB893086

Found mount point : C:\WINDOWS\$hf_mig$\KB896422\KB896422

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB896422\KB896422

Found mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB921398\KB921398

Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Found mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485

Found mount point : C:\WINDOWS\CAVTemp\CAVTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CAVTemp\CAVTemp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ERDNT\ERDNT

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}

Found mount point : C:\WINDOWS\Installer\{A260B422-70E1-41E2-957D-F76FA21266D5}\{A260B422-70E1-41E2-957D-F76FA21266D5}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\{A260B422-70E1-41E2-957D-F76FA21266D5}\{A260B422-70E1-41E2-957D-F76FA21266D5}

Found mount point : C:\WINDOWS\Java\TrustLib\TrustLib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Java\TrustLib\TrustLib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\repair\Backup\BootableSystemState\BootableSystemState

Found mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\repair\Backup\ServiceState\ServiceState

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\setup.pss\setup.pss

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\setup.pss\setup.pss

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\191c899196624d7a81a735dad2332655\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\191c899196624d7a81a735dad2332655\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\25d72ef1acc6d7256eb94ad3d6a21e9b\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\25d72ef1acc6d7256eb94ad3d6a21e9b\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\2caf60f9f7c0d52d92848e52e67748bb\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\2f4e3173d752bc7e745d290c2317bc46\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\2f4e3173d752bc7e745d290c2317bc46\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\73c38420ed6fcb4d7aee2a7564af0e8f\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\73c38420ed6fcb4d7aee2a7564af0e8f\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\793f124195dbb56fd1932447ccb9ac04\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\793f124195dbb56fd1932447ccb9ac04\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\93c9bb5898f80e6361e0dc6ea165864f\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\93c9bb5898f80e6361e0dc6ea165864f\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\bc2e08df13ade612507748ca3eefdc83\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\c9bf12dbe4014749ca9bd94c51618107\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\c9bf12dbe4014749ca9bd94c51618107\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d2fcfbeca3e284c5f8d988b1c113bb83\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d2fcfbeca3e284c5f8d988b1c113bb83\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\f6ae6c01481096f08117233982ca37f9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\f6ae6c01481096f08117233982ca37f9\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Cannot access: C:\WINDOWS\system32\wbem\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\system32\wbem\wmiprvse.exe

Found mount point : C:\WINDOWS\Watson\Watson

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Watson\Watson

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2

Found mount point : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_7d5f3790



Finished!

ComboFix 09-11-29.02 - Administrator 11/29/2009 17:17.8.2 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-28 16:01 . 2009-11-28 16:01 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 02:42 . 2009-11-27 02:42 34816 ----a-w- c:\windows\system32\drivers\tatertot.sys
2009-11-27 02:41 . 2009-11-27 03:04 34816 ----a-w- c:\windows\system32\drivers\tatertot.scr.sys
2009-11-27 02:25 . 2009-11-27 02:26 -------- d-----w- c:\program files\zztoy
2009-11-26 15:21 . 2009-11-28 20:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\jffrpq
2009-11-25 23:50 . 2009-11-25 23:50 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-11-25 19:17 . 2009-11-25 19:17 1120 ------w- C:\7.reg
2009-11-25 19:17 . 2009-11-25 19:17 256 ------w- C:\6.reg
2009-11-25 19:17 . 2009-11-25 19:17 930 ------w- C:\4.reg
2009-11-25 19:17 . 2009-11-25 19:17 1132 ------w- C:\5.reg
2009-11-25 19:17 . 2009-11-25 19:17 1298 ------w- C:\3.reg
2009-11-25 19:17 . 2009-11-25 19:17 248 ------w- C:\1.reg
2009-11-25 19:17 . 2009-11-25 19:17 1096 ------w- C:\2.reg
2009-11-25 19:16 . 2009-11-25 19:16 1401 ------w- C:\avexport.bat
2009-11-24 18:58 . 2009-11-24 18:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\URSoft
2009-11-24 18:58 . 2009-11-24 19:05 -------- d-----w- c:\program files\Your Uninstaller
2009-11-18 22:43 . 2009-11-18 22:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-18 22:41 . 2009-11-18 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2009-11-18 22:41 . 2009-11-18 22:41 -------- d-----w- c:\program files\Raxco
2009-11-12 18:50 . 2009-11-12 18:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TheWeatherNetwork
2009-11-06 14:06 . 2009-11-06 14:06 -------- d-----w- c:\program files\Lexmark_3300 Series
2009-11-06 14:03 . 2009-11-06 14:06 -------- d-----w- c:\program files\Lexmark 3300 Series
2009-11-06 02:18 . 2009-11-20 21:26 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-11-06 00:18 . 2009-11-06 00:18 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-06 00:17 . 2009-08-06 03:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-11-06 00:16 . 2009-11-06 00:16 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-11-06 00:11 . 2009-11-06 00:18 -------- d-----w- c:\program files\Microsoft
2009-11-06 00:10 . 2009-11-06 00:10 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-06 00:02 . 2009-11-06 00:02 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 22:32 . 2008-04-10 00:02 9243168 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-29 19:20 . 2008-04-10 00:02 1013024 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-29 19:06 . 2007-10-16 23:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-28 20:19 . 2009-04-02 02:52 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-28 20:16 . 2008-04-10 00:02 96704 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-28 20:16 . 2008-04-10 00:02 124496 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-27 19:06 . 2005-12-10 05:39 -------- d-----w- c:\program files\Lx_cats
2009-11-25 23:58 . 2005-08-04 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 23:51 . 2003-12-17 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-25 23:00 . 2007-08-28 22:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\mIRC
2009-11-25 22:30 . 2007-11-26 20:53 -------- d-----w- c:\program files\GetData
2009-11-24 19:13 . 2008-10-24 03:34 -------- d-----w- c:\program files\Incomplete
2009-11-24 19:08 . 2009-10-27 16:26 -------- d-----w- c:\program files\Rogers Online Protection
2009-11-18 22:41 . 2003-12-17 08:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 22:05 . 2009-10-27 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Rogers Online Protection
2009-11-16 22:05 . 2009-10-27 16:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Rogers Online Protection
2009-11-06 02:18 . 2006-06-19 23:35 58160 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-11-06 00:17 . 2008-03-01 18:04 -------- d-----w- c:\program files\Windows Live
2009-10-27 16:33 . 2005-06-28 00:02 -------- d-----w- c:\program files\Yahoo!
2009-10-27 16:33 . 2005-09-19 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-27 15:54 . 2009-10-27 15:54 -------- d-----w- c:\program files\ACW
2009-10-27 05:26 . 2009-10-21 00:33 -------- d-----w- c:\program files\Winamp
2009-10-27 05:22 . 2009-02-23 21:53 -------- d-----w- c:\program files\Electronic Arts
2009-10-26 22:32 . 2005-08-04 14:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-26 22:32 . 2009-10-26 21:51 -------- d-----w- c:\program files\kissbutt
2009-10-26 19:43 . 2009-10-26 19:43 -------- d-----w- c:\program files\asskiss
2009-10-26 02:03 . 2009-10-26 02:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-25 20:02 . 2009-10-25 20:02 27459 ------w- C:\MGlogs.zip
2009-10-24 02:34 . 2009-10-21 00:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2009-10-20 18:47 . 2009-10-20 18:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVS4YOU
2009-10-20 18:46 . 2009-10-20 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-19 00:04 . 2009-10-19 00:03 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-07 18:44 . 2007-01-21 16:33 -------- d-----w- c:\program files\VideoLAN
2009-09-11 14:18 . 2004-01-20 18:08 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-10-26 19:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-10-26 19:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-01-20 18:08 58880 ----a-w- c:\windows\system32\msasn1.dll
2005-05-26 18:35 . 2008-09-04 00:48 1422 ----a-w- c:\program files\ReadMe.txt
2002-07-03 22:32 . 2007-09-12 23:25 51518 ----a-w- c:\program files\Cyborg.ipt
2004-07-23 18:11 . 2005-06-14 18:49 0 -csha-w- c:\windows\SMINST\HPCD.SYS
2008-11-15 18:48 . 2008-11-15 18:48 88 --sha-r- c:\windows\system32\581B3DD1C8.sys
2008-11-15 18:49 . 2007-11-30 00:16 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot_2009-11-24_01.29.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-27 19:05 . 2009-11-29 22:10 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-30 19:34 . 2009-11-23 22:50 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-30 19:34 . 2009-11-23 22:50 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2009-11-27 19:05 . 2009-11-29 22:10 16384 c:\windows\temp\History\History.IE5\index.dat
- 2009-10-30 19:34 . 2009-11-23 22:50 16384 c:\windows\temp\Cookies\index.dat
+ 2009-11-27 19:05 . 2009-11-29 22:10 16384 c:\windows\temp\Cookies\index.dat
+ 2003-12-17 04:29 . 2009-11-29 19:16 85140 c:\windows\system32\perfc009.dat
- 2008-12-28 20:01 . 2009-10-27 16:33 22016 c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll
+ 2009-11-25 23:50 . 2009-11-25 23:50 22016 c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll
+ 2003-12-17 04:29 . 2009-11-29 19:16 476262 c:\windows\system32\perfh009.dat
+ 2009-10-07 17:03 . 2009-11-25 18:17 156936 c:\windows\McAfee.com\FreeScan\mcfscan.dll
- 2009-10-07 17:03 . 2009-10-07 17:03 156936 c:\windows\McAfee.com\FreeScan\mcfscan.dll
+ 2009-11-25 10:40 . 2009-11-25 10:40 1423016 c:\windows\McAfee.com\FreeScan\names.DAT
+ 2009-11-25 10:40 . 2009-11-25 10:40 76612476 c:\windows\McAfee.com\FreeScan\scan.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\documents and settings\Administrator\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"D-Link RangeBooster G WUA-2340"="c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe" [2008-09-24 1667072]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ASWLNDLL]
2007-05-14 01:45 6656 ----a-w- c:\windows\system32\ASWLNDLL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=xgusb.cpl
"midi2"=xgusb.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TypeAgent.lnk]
backup=c:\windows\pss\TypeAgent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SeaPort"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Plus! Digital Media Edition\\PhotoStory\\PhotoStory.exe"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-06-13 386784]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-08-06 704864]
R3 HNBCP;Intel(R) AnyPoint(TM) PCI 10 Mbps Network Adapter Driver;c:\windows\system32\DRIVERS\HNBCP_5.sys [2001-04-02 58034]
R3 HNBCU;Intel(R) AnyPoint(TM) USB 10 Mbps Network Adapter Driver;c:\windows\system32\DRIVERS\HNBCU_5.SYS [2001-08-01 71227]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-29 42512]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-18 2806522]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [x]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [x]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [x]
R4 AppMgrService;AWE 5.1.0 Application Manager;c:\program files\AppStream\WindowsClient\bin\AppMgrService.exe [2006-09-27 1990656]
R4 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe [2008-05-19 356434]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [x]
R4 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-09-22 693512]
R4 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-09-22 910600]
R4 Radialpoint Security Services;Rogers Online Protection;c:\program files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe [x]
R4 RadialpointSafeConnectAgent;Rogers Online Protection SafeConnectAgent;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Bin\SanaAgent.exe RadialpointSafeConnectAgent [x]
S1 APPSTREAM;APPSTREAM;c:\windows\System32\Drivers\APPSTREAM.SYS [2007-05-14 115284]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-08-06 54752]
S2 REGHOOK;REGHOOK;c:\windows\System32\Drivers\REGHOOK.SYS [2006-09-27 54879]
S3 EvcapMaui;Emuzed EvcapMaui Device;c:\windows\system32\DRIVERS\EvcapMau.sys [2003-10-02 177664]
S3 JSWSCIMD;jswscimd Service;c:\windows\system32\DRIVERS\jswscimd.sys [2008-02-12 57440]

.
Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\backup.job
- c:\windows\system32\ntbackup.exe [2004-01-20 00:12]

2009-10-25 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-08-20 14:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://rogers.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
Trusted Zone: aol.com\free
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED}
DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} - file://c:\program files\There\ThereClient\ThereLauncher.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lk0lrbnl.default\
FF - prefs.js: browser.startup.homepage - hxxp://rogers.my.yahoo.com/
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-29 17:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-48242932-1675595624-4262954155-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,fb,5c,ee,7b,6b,19,48,ad,9a,30,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,fb,5c,ee,7b,6b,19,48,ad,9a,30,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1868)
c:\windows\system32\xgusb.cpl
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\ASWLNDLL.dll

- - - - - - - > 'lsass.exe'(1936)
c:\windows\system32\xgusb.cpl
.
Completion time: 2009-11-29 17:35
ComboFix-quarantined-files.txt 2009-11-29 22:35
ComboFix2.txt 2009-11-26 00:18
ComboFix3.txt 2009-11-24 01:33
ComboFix4.txt 2009-10-27 13:39
ComboFix5.txt 2009-11-29 16:20

Pre-Run: 43,189,755,904 bytes free
Post-Run: 43,203,616,768 bytes free

- - End Of File - - 84203B3810DED4EBBE2ACBBF0E439E24
#12
Old 29th November 2009, 11:02 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Are these files you created?

Quote:
2009-11-27 02:42 . 2009-11-27 02:42 34816 ----a-w- c:\windows\system32\drivers\tatertot.sys
2009-11-27 02:41 . 2009-11-27 03:04 34816 ----a-w- c:\windows\system32\drivers\tatertot.scr.sys
2009-11-27 02:25 . 2009-11-27 02:26 -------- d-----w- c:\program files\zztoy
2009-11-26 15:21 . 2009-11-28 20:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\jffrpq
2009-11-25 23:50 . 2009-11-25 23:50 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-11-25 19:17 . 2009-11-25 19:17 1120 ------w- C:\7.reg
2009-11-25 19:17 . 2009-11-25 19:17 256 ------w- C:\6.reg
2009-11-25 19:17 . 2009-11-25 19:17 930 ------w- C:\4.reg
2009-11-25 19:17 . 2009-11-25 19:17 1132 ------w- C:\5.reg
2009-11-25 19:17 . 2009-11-25 19:17 1298 ------w- C:\3.reg
2009-11-25 19:17 . 2009-11-25 19:17 248 ------w- C:\1.reg
2009-11-25 19:17 . 2009-11-25 19:17 1096 ------w- C:\2.reg
#13
Old 29th November 2009, 11:34 PM
jackie2929
Newcomer
Join Date: Nov 2009, 14 posts.
The tatertot is a rename of RootRepeal,
and the zztoy is Malwarebytes, renamed to get them to run...
The rest I have no idea...
#14
Old 30th November 2009, 04:34 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\System32\eventlog.dll

Folder::
c:\documents and settings\Administrator\Local Settings\Application Data\jffrpq

File::
c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
C:\7.reg
C:\6.reg
C:\4.reg
C:\5.reg
C:\3.reg
C:\1.reg
C:\2.reg 
C:\avexport.bat
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Click on Start->Run, and copy-paste the following command (the below red text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop.

"%userprofile%\desktop\win32kdiag.exe" -f -r

----------

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
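For anyone reading this thread later, here is a small triage script, added here as an example (it is not ComboFix's own code and was not posted by anyone in the thread), that parses the line formats ComboFix prints in the logs above and flags the items evilfantasy acted on: the missing eventlog.dll from Sigcheck, drivers that appeared in the "Files Created" window, hidden+system files, the loopback ProxyServer entry, and the Security Center / firewall values that switch protection off. The sample log is constructed from lines quoted in this thread; the finding names are my own and the flags are review prompts, not verdicts.

```python
"""ComboFix log triage. Added example: not ComboFix's code and not from this thread.
SAMPLE_LOG is constructed from lines quoted in the thread; the line formats parsed
are the ones ComboFix prints in the logs above."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")  # kind names are my own; detail comes from the log

# File/directory line: "<created> . <modified> <size|--------> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
SECTION_LINE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                       # "((( Files Created ... )))"
MISSING_LINE = re.compile(r"^(?P<path>\S.*?) \.\.\. is missing !!$")   # Sigcheck verdict
PROXY_LINE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>.+)$")

# Registry values that switch protection off, matched verbatim as ComboFix prints them
WEAKENING_VALUES = {
    '"AntiVirusOverride"=dword:00000001': "Security Center antivirus alerts suppressed",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall disabled in the standard profile",
}


def parse_file_entries(log_text):
    """Return (section banner, FILE_LINE fields) for every file/directory line."""
    section, entries = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        banner = SECTION_LINE.match(line)
        if banner:
            section = banner.group(1)
            continue
        m = FILE_LINE.match(line)
        if m:
            entries.append((section, m.groupdict()))
    return entries


def _loopback_endpoints(proxy_value):
    """Parts of "http=host:port;https=host:port" whose host is this machine."""
    hits = []
    for part in proxy_value.split(";"):
        endpoint = part.split("=", 1)[-1].strip()
        host = endpoint.rsplit(":", 1)[0]
        if host == "localhost" or host.startswith("127."):
            hits.append(endpoint)
    return hits


def triage(log_text):
    """Flag log items worth a second look. These are review flags, not verdicts."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MISSING_LINE.match(line)
        if m:  # a protected system file is gone (eventlog.dll in this thread)
            findings.append(Finding("missing_system_file", m.group("path")))
            continue
        m = PROXY_LINE.match(line)
        if m:  # browser traffic is being routed through a process on this machine
            for endpoint in _loopback_endpoints(m.group("proxy")):
                findings.append(Finding("local_proxy", endpoint))
            continue
        if line in WEAKENING_VALUES:
            findings.append(Finding("protection_disabled", WEAKENING_VALUES[line]))
    for section, e in parse_file_entries(log_text):
        path, attrs = e["path"], e["attrs"]
        low = path.lower()
        # kernel drivers that appeared inside the "Files Created" window only (not Find3M)
        if section and section.startswith("Files Created") and "\\drivers\\" in low and low.endswith(".sys"):
            findings.append(Finding("new_driver", path))
        # attrs columns in this log read d c s h a r w: a file with system+hidden set is easy to miss
        if attrs[0] != "d" and attrs[2] == "s" and attrs[3] == "h":
            findings.append(Finding("hidden_system_file", path))
    return findings


SAMPLE_LOG = r"""
c:\windows\System32\eventlog.dll ... is missing !!
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
2009-11-27 02:42 . 2009-11-27 02:42 34816 ----a-w- c:\windows\system32\drivers\tatertot.sys
2009-11-27 02:25 . 2009-11-27 02:26 -------- d-----w- c:\program files\zztoy
2009-11-06 00:17 . 2009-08-06 03:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2008-11-15 18:48 . 2008-11-15 18:48 88 --sha-r- c:\windows\system32\581B3DD1C8.sys
2009-09-10 19:53 . 2009-10-26 19:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.detail}")
```

Whether a flagged file is bad still takes a second look (the renamed RootRepeal driver in this thread is a user-created file, and the hidden .sys entries are worth a lookup before anything is deleted); the script only narrows a few hundred lines down to the handful that need a human.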
#15
Old 30th November 2009, 09:52 PM
jackie2929
Newcomer
Join Date: Nov 2009, 14 posts.
OK, here are the logs.

ComboFix 09-11-30.01 - Administrator 11/30/2009 14:20.10.2 - x86
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Freedom *On-access scanning disabled* (Outdated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
AV: Norton Security Online *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Freedom *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
FW: Norton Security Online *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point

FILE ::
"C:\1.reg"
"C:\2.reg"
"C:\3.reg"
"C:\4.reg"
"C:\5.reg"
"C:\6.reg"
"C:\7.reg"
"C:\avexport.bat"
"c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1.reg
C:\2.reg
C:\3.reg
C:\4.reg
C:\5.reg
C:\6.reg
C:\7.reg
C:\avexport.bat
c:\documents and settings\Administrator\Local Settings\Application Data\jffrpq

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\System32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-30 )))))))))))))))))))))))))))))))
.

2009-11-30 19:00 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-30 19:00 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-28 16:01 . 2009-11-28 16:01 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-27 02:42 . 2009-11-27 02:42 34816 ----a-w- c:\windows\system32\drivers\tatertot.sys
2009-11-27 02:41 . 2009-11-27 03:04 34816 ----a-w- c:\windows\system32\drivers\tatertot.scr.sys
2009-11-27 02:25 . 2009-11-27 02:26 -------- d-----w- c:\program files\zztoy
2009-11-25 23:50 . 2009-11-25 23:50 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-11-24 18:58 . 2009-11-24 18:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\URSoft
2009-11-24 18:58 . 2009-11-24 19:05 -------- d-----w- c:\program files\Your Uninstaller
2009-11-18 22:43 . 2009-11-18 22:43 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-18 22:41 . 2009-11-18 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2009-11-18 22:41 . 2009-11-18 22:41 -------- d-----w- c:\program files\Raxco
2009-11-12 18:50 . 2009-11-12 18:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TheWeatherNetwork
2009-11-06 14:06 . 2009-11-06 14:06 -------- d-----w- c:\program files\Lexmark_3300 Series
2009-11-06 14:03 . 2009-11-06 14:06 -------- d-----w- c:\program files\Lexmark 3300 Series
2009-11-06 02:18 . 2009-11-20 21:26 -------- d-----w- c:\documents and settings\Administrator\Tracing
2009-11-06 00:18 . 2009-11-06 00:18 -------- d-----w- c:\program files\Microsoft Office Outlook Connector
2009-11-06 00:17 . 2009-08-06 03:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-11-06 00:16 . 2009-11-06 00:16 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-11-06 00:11 . 2009-11-06 00:18 -------- d-----w- c:\program files\Microsoft
2009-11-06 00:10 . 2009-11-06 00:10 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-06 00:02 . 2009-11-06 00:02 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-30 19:33 . 2008-04-10 00:02 97136 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-11-30 19:33 . 2008-04-10 00:02 1018400 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-11-30 19:33 . 2008-04-10 00:02 9365024 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-11-30 19:33 . 2008-04-10 00:02 125960 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-29 19:06 . 2007-10-16 23:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-28 20:19 . 2009-04-02 02:52 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-27 19:06 . 2005-12-10 05:39 -------- d-----w- c:\program files\Lx_cats
2009-11-25 23:58 . 2005-08-04 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-25 23:51 . 2003-12-17 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-25 23:00 . 2007-08-28 22:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\mIRC
2009-11-25 22:30 . 2007-11-26 20:53 -------- d-----w- c:\program files\GetData
2009-11-24 19:13 . 2008-10-24 03:34 -------- d-----w- c:\program files\Incomplete
2009-11-24 19:08 . 2009-10-27 16:26 -------- d-----w- c:\program files\Rogers Online Protection
2009-11-18 22:41 . 2003-12-17 08:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-16 22:05 . 2009-10-27 16:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Rogers Online Protection
2009-11-16 22:05 . 2009-10-27 16:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Rogers Online Protection
2009-11-06 02:18 . 2006-06-19 23:35 58160 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-11-06 00:17 . 2008-03-01 18:04 -------- d-----w- c:\program files\Windows Live
2009-10-27 16:33 . 2005-06-28 00:02 -------- d-----w- c:\program files\Yahoo!
2009-10-27 16:33 . 2005-09-19 20:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-27 15:54 . 2009-10-27 15:54 -------- d-----w- c:\program files\ACW
2009-10-27 05:26 . 2009-10-21 00:33 -------- d-----w- c:\program files\Winamp
2009-10-27 05:22 . 2009-02-23 21:53 -------- d-----w- c:\program files\Electronic Arts
2009-10-26 22:32 . 2005-08-04 14:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-26 22:32 . 2009-10-26 21:51 -------- d-----w- c:\program files\kissbutt
2009-10-26 19:43 . 2009-10-26 19:43 -------- d-----w- c:\program files\asskiss
2009-10-26 02:03 . 2009-10-26 02:03 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-25 20:02 . 2009-10-25 20:02 27459 ------w- C:\MGlogs.zip
2009-10-24 02:34 . 2009-10-21 00:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2009-10-20 18:47 . 2009-10-20 18:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVS4YOU
2009-10-20 18:46 . 2009-10-20 18:46 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-10-19 00:04 . 2009-10-19 00:03 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-10-07 18:44 . 2007-01-21 16:33 -------- d-----w- c:\program files\VideoLAN
2009-09-11 14:18 . 2004-01-20 18:08 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-10-26 19:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-10-26 19:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-01-20 18:08 58880 ----a-w- c:\windows\system32\msasn1.dll
2005-05-26 18:35 . 2008-09-04 00:48 1422 ----a-w- c:\program files\ReadMe.txt
2002-07-03 22:32 . 2007-09-12 23:25 51518 ----a-w- c:\program files\Cyborg.ipt
2004-07-23 18:11 . 2005-06-14 18:49 0 -csha-w- c:\windows\SMINST\HPCD.SYS
2008-11-15 18:48 . 2008-11-15 18:48 88 --sha-r- c:\windows\system32\581B3DD1C8.sys
2008-11-15 18:49 . 2007-11-30 00:16 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot_2009-11-24_01.29.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-30 19:34 . 2009-11-30 19:34 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-30 19:34 . 2009-11-23 22:50 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-30 19:34 . 2009-11-23 22:50 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2009-11-30 19:34 . 2009-11-30 19:34 16384 c:\windows\temp\History\History.IE5\index.dat
- 2009-10-30 19:34 . 2009-11-23 22:50 16384 c:\windows\temp\Cookies\index.dat
+ 2009-11-30 19:34 . 2009-11-30 19:34 16384 c:\windows\temp\Cookies\index.dat
+ 2003-12-17 04:29 . 2009-11-29 19:16 85140 c:\windows\system32\perfc009.dat
- 2008-12-28 20:01 . 2009-10-27 16:33 22016 c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll
+ 2009-11-25 23:50 . 2009-11-25 23:50 22016 c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll
+ 2003-12-17 04:29 . 2009-11-29 19:16 476262 c:\windows\system32\perfh009.dat
+ 2009-10-07 17:03 . 2009-11-25 18:17 156936 c:\windows\McAfee.com\FreeScan\mcfscan.dll
- 2009-10-07 17:03 . 2009-10-07 17:03 156936 c:\windows\McAfee.com\FreeScan\mcfscan.dll
+ 2009-11-25 10:40 . 2009-11-25 10:40 1423016 c:\windows\McAfee.com\FreeScan\names.DAT
+ 2009-11-25 10:40 . 2009-11-25 10:40 76612476 c:\windows\McAfee.com\FreeScan\scan.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WeatherEye"="c:\documents and settings\Administrator\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"D-Link RangeBooster G WUA-2340"="c:\program files\D-Link\RangeBooster G WUA-2340\AirPlusCFG.exe" [2008-09-24 1667072]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-05-23 483328]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ASWLNDLL]
2007-05-14 01:45 6656 ----a-w- c:\windows\system32\ASWLNDLL.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=xgusb.cpl
"midi2"=xgusb.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TotalMedia Backup Monitor.lnk]
backup=c:\windows\pss\TotalMedia Backup Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TypeAgent.lnk]
backup=c:\windows\pss\TypeAgent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SeaPort"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Plus! Digital Media Edition\\PhotoStory\\PhotoStory.exe"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2008-06-13 386784]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-08-06 704864]
R3 HNBCP;Intel(R) AnyPoint(TM) PCI 10 Mbps Network Adapter Driver;c:\windows\system32\DRIVERS\HNBCP_5.sys [2001-04-02 58034]
R3 HNBCU;Intel(R) AnyPoint(TM) USB 10 Mbps Network Adapter Driver;c:\windows\system32\DRIVERS\HNBCU_5.SYS [2001-08-01 71227]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-29 42512]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-18 2806522]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [x]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [x]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
R3 tatertot.scr;tatertot.scr;c:\windows\system32\drivers\tatertot.scr.sys [2009-11-27 34816]
R3 tatertot;tatertot;c:\windows\system32\drivers\tatertot.sys [2009-11-27 34816]
R3 XDva008;XDva008;c:\windows\System32\XDva008.sys [x]
R4 AppMgrService;AWE 5.1.0 Application Manager;c:\program files\AppStream\WindowsClient\bin\AppMgrService.exe [2006-09-27 1990656]
R4 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe [2008-05-19 356434]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [x]
R4 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-09-22 693512]
R4 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-09-22 910600]
R4 Radialpoint Security Services;Rogers Online Protection;c:\program files\Rogers Online Protection\Rogers Online Protection\RpsSecurityAwareR.exe [x]
R4 RadialpointSafeConnectAgent;Rogers Online Protection SafeConnectAgent;c:\program files\Rogers Online Protection\Rogers Online Protection\SafeConnect\Bin\SanaAgent.exe RadialpointSafeConnectAgent [x]
S1 APPSTREAM;APPSTREAM;c:\windows\System32\Drivers\APPSTREAM.SYS [2007-05-14 115284]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr_tdi.sys [2009-08-06 54752]
S2 REGHOOK;REGHOOK;c:\windows\System32\Drivers\REGHOOK.SYS [2006-09-27 54879]
S2 VSPD;VSPD;c:\windows\System32\Drivers\VSPD.SYS [2006-09-27 31321]
S3 EvcapMaui;Emuzed EvcapMaui Device;c:\windows\system32\DRIVERS\EvcapMau.sys [2003-10-02 177664]
S3 JSWSCIMD;jswscimd Service;c:\windows\system32\DRIVERS\jswscimd.sys [2008-02-12 57440]

.
Contents of the 'Scheduled Tasks' folder

2009-11-30 c:\windows\Tasks\backup.job
- c:\windows\system32\ntbackup.exe [2004-01-20 00:12]

2009-11-30 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-08-20 14:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://rogers.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
Trusted Zone: aol.com\free
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {88D8E8B7-A33B-4417-A385-8373484D43ED}
DPF: {AAF421E6-7914-430A-9981-72B31AFF3BF4} - file://c:\program files\There\ThereClient\ThereLauncher.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lk0lrbnl.default\
FF - prefs.js: browser.startup.homepage - hxxp://rogers.my.yahoo.com/
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-30 16:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-48242932-1675595624-4262954155-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,fb,5c,ee,7b,6b,19,48,ad,9a,30,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,fb,5c,ee,7b,6b,19,48,ad,9a,30,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1888)
c:\windows\system32\xgusb.cpl
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\ASWLNDLL.dll

- - - - - - - > 'lsass.exe'(1956)
c:\windows\system32\xgusb.cpl

- - - - - - - > 'explorer.exe'(2588)
c:\windows\system32\WININET.dll
c:\windows\system32\xgusb.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehSched.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2009-11-30 16:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-30 21:40
ComboFix2.txt 2009-11-29 22:35
ComboFix3.txt 2009-11-26 00:18
ComboFix4.txt 2009-11-24 01:33
ComboFix5.txt 2009-11-30 18:59

Pre-Run: 43,231,334,400 bytes free
Post-Run: 43,174,641,664 bytes free

- - End Of File - - DF593654A34E15E9CD5406C4FC9239BB

Running from: C:\Documents and Settings\Administrator\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!


Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
ESET Online Scanner
RPS Firewall
Antivirus out of date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
HijackThis 2.0.2
CCleaner
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````
#16
1st December 2009, 09:22 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Sorry for the delay. I missed your reply...

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.


Also, let me know how the computer is running now.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
#17
1st December 2009, 10:09 PM
jackie2929
Newcomer
Join Date: Nov 2009, 14 posts.
here is the log

as for the computer...well have not done a lot of surfing...still seems sluggish but could just be the computer in general..
again I thank you for all your help.


3D Groove Playback Engine
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop Elements 2.0
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11
AiO_Scan
AIOMinimal
AiOSoftware
ANIO Service
ANIWZCS2 Service
Apple Software Update
AppStream Technology Windows Edition Client
ArcSoft DVD SlideShow (Shared Components)
ArcSoft ShowBiz 2
ATI Control Panel
ATI Display Driver
Bonjour
Button Manager v1.874
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon EOS 5D WIA Driver
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.3
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities WFT-E1/E2/E3 Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Corel Paint Shop Pro Photo X2
DivX Content Uploader
EA Download Manager
ESET Online Scanner
ESET Online Scanner v3
ezManager Plus International 6.1.1
Fax
Grand Chase
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB970653-v3)
HP Instant Support
HP Photo and Imaging 2.0 - Photosmart Cameras
HP PSC & OfficeJet 3.0
HP Software Update
HpSdpAppCoreApp
ImageMixer for HDD Camcorder
ImgBurn
Intel(R) Extreme Graphics 2 Driver
IntelliMover Data Transfer Demo
Java(TM) 6 Update 13
Junk Mail filter update
Lexmark 3300 Series
LimeWire 4.8.1
LiveUpdate (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft IntelliPoint 5.2
Microsoft Managed DirectX (1126)
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Search Enhancement Pack
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Mozilla Firefox (3.0.15)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
Multimedia Card Reader
MUSICMATCH Media Center
Nero 8
neroxml
Otto
PC-Doctor for Windows
PerfectDisk 2008
Photo Viewer 2.24
Photodex Presenter
Photosmart 140,240,7200,7600,7700,7900 Series
Pictures Slideshow Maker
PL-2303 USB-to-Serial
PrintScreen
PSShortcutsP
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RangeBooster G WUA-2340
Readme
Rogers Yahoo! Applications
RPS Burn
RPS CRT
RPS Diagnostic Utility
RPS Firewall
RPS Ksdk
RPS ParentalControl
RPS PerfectDiskStub
RPS PopupBlocker
RPS RpsCore
RPS SafeConnect
Safari
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975467)
Segoe UI
Serif PhotoPlus 6.0
Sonic Update Manager
Spybot - Search & Destroy
Steam
There (remove only)
toolkit
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Manager
Update Manager (remove only)
Updates from HP
VCRedistSetup
Visual J# .NET Redistributable Package
WeatherEye
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinPcap 4.0.1
Wizard101
WordPerfect Office X3
Your Uninstaller! Version 6.3
#18
1st December 2009, 10:14 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Do you use any of these?

Quote:
RPS Burn
RPS CRT
RPS Diagnostic Utility
RPS Firewall
RPS Ksdk
RPS ParentalControl
RPS PerfectDiskStub
RPS PopupBlocker
RPS RpsCore
RPS SafeConnect
I also see Live Update from Symantec but don't see any Norton software installed. What do you use for antivirus?
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
#19
1st December 2009, 10:19 PM
jackie2929
Newcomer
Join Date: Nov 2009, 14 posts.
RPS would be from my virus scanner. It is through Rogers (Rogers Personal Security..it's Norton's I believe). But the thing went crap when I got this virus!! I have to reinstall it again!
#20
1st December 2009, 10:42 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
RPS is actually from F-Secure and I would suggest uninstalling that and the Live Update and getting something better and free.

Personally I suggest Avira or Microsoft Security Essentials and Online Armor but these are all good.

Remember to only install one antivirus!

1) Avast! Home Edition
2) AVG Free Edition
3) Avira AntiVir Personal
4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
4-a) Microsoft Security Essentials for Windows XP



Remember to only install ONE firewall

1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
2) Online Armor
3) Agnitum Outpost
4) PC Tools Firewall Plus
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ