PDA

View Full Version : Spybot & AVG8.5 wont scan,cant save HJT,ERUNT,Malwarebytes



northernunicorn
2009-09-30, 11:18
Hi: I've been reading the threads & I think I may be infected with Rootkit malware?:confused:

I followed the steps in "Before you post". and did what I could.

I WASNT able to save anything suggested to desktop or anywhere (except I was able to save a file called ".housecall6.6" but it wont run.

For Spybot, I get this message when I right-click to run as administrator "Windows cant access the specified device,path or file.You may not have the apprpriate permission to access the item."
I can search for updates but cant get into Spybot to Immunize.
Same thing happens in Safe Mode

Antivirus program(AVG8.5) will not scan but will update. Resident Protection says not activated even though it shows it is.
Tried changing & still does the same.
In Safe Mode, most files show as LOCKED when I run a scan.

Windows Defender scans & shows no threats.

Computer Information:
Windows Vista SP2
Spybot-Search & Destroy version 1.6.2 (teatimer deactivated-couldnt figure it out)
Antivirus- AVG Free version: 8.5.409 database 270.13.113/2400
Windows Defender activated
Windows Vista Firewall

Things I've done to try to fix:

<<Turned off System Restore

<<Looked at Windows Uninstall/Change programs-nothing suspicious
<<Ran Disk Clean-up

<<Ran Disk Check with both boxes checked

<<Tried to scan with AVG-just stalls & closes itself very shortly-indicates Resident Shield not active though it is indicated as active-Resident Shield log for Sept.20&21/09 shows following moved to Virus Vault or Deleted--TrojanHorse Crypt.HOA (2 files), Trojan Horse Crypt.HOQ (44 files)
***Explanation: My son mis-typed name of a TV site & thats when all the files/pictures came flashing onto computer.

<<Tried to Save & Run Malwarebytes. Didnt show up anywhere.

<<Tried to run Spybot scan. Couldnt.see "lack of permission" quote above

<<Tried to Save & Run "ERUNT"Didnt show up anywhere.

I use my computer mostly for emails, typing minutes & documents (I am Secretary/Treasurer for 3 organizations) and going to several favourite well-known sites that are safe.
My son goes to TV channel & video game tips sites.

:red:I hope I'm posting to the correct forum. Im not much of a "Techie"; however, I do try to keep safe on the Internet. I sure hope I dont have to re-format(dont know how to do that!!) :confused:or completely clear off everything & start from scratch.

I will patiently wait for a reply; I notice Im one of a great many asking for help.
Thank you :thanks:

IndiGenus
2009-10-03, 04:38
Hello northernunicorn and welcome back to the Spybot S&D forums. Sorry for the delay in getting to your post.

Let's start with a quick diagnostic.

Please save this (http://ad13.geekstogo.com/Win32kDiag.exe) file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

northernunicorn
2009-10-07, 05:34
Hi IndiGenus:)
Thank you for your reply. I was out of town until today; thus my late reply.

I wasn't able to save the Win32Diag.exe application to my desktop or to anywhere. The "save" seemed to work but didn't show up. I did several searches for it, even after trying to save to my own file.

Seems to be having the same result as when I tried to save things suggested in "Before You Post". Any suggestions?:confused:

Waiting for your suggestion.:)

IndiGenus
2009-10-07, 05:38
Do you have another PC you can download files on and transfer over or run with a CD/DVD or USB drive?

northernunicorn
2009-10-07, 06:27
Hi IndiGenus
:red: Do you mean ...can I save the files onto a CD/DVD drive or USB stick on this computer & run from there? Sorry...not too much of a techie? :scratch:

I don't presently have access to another computer. Maybe tomorrow I can see if I can use a neighbour's...if it comes to that.

Waiting for your reply.:bigthumb:

IndiGenus
2009-10-07, 06:35
I meant downloading them on another PC and transferring over that way.

This may be a new infection or variation that is nasty. I'm watching one other thread in another forum with the same symptoms, and they haven't found a way to get around this yet.

northernunicorn
2009-10-11, 21:08
Hi from Dorothy: Sorry so long replying. Was away from home a few days.

I've found a neighbour who will let me use their computer to download onto CD. They said their computer is clean. (Thought mine was too until this happened.:sad: )
Please give a list of "things" I need to download to a CD

Thank you:thanks:

IndiGenus
2009-10-11, 23:22
Okay normally I would post the download link when I advise the tool, but here I'll advise the tools I would expect we may use here. At least to get to the point where you can download files.

Don't run or install tools until advised, but I realize you may not want to go back and forth from your neighbors, so you can get them all on disk.

The first is the Win32kDiag tool I advised earlier. Try and copy it to your desktop to run it. If you cannot then try running from the disk.

Please save this (http://ad13.geekstogo.com/Win32kDiag.exe) file. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

The other tools to save to disk are as follows.

Root Repeal:
Zip Mirrors (Recommended)

Primary Mirror (http://rootrepeal.googlepages.com/RootRepeal.zip)
Secondary Mirror (http://ad13.geekstogo.com/RootRepeal.zip)
Secondary Mirror (http://rootrepeal.psikotick.com/RootRepeal.zip)


Combofix:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

Temp File Cleaner:
TFC (http://oldtimer.geekstogo.com/TFC.exe)

DDS:
From here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).

northernunicorn
2009-10-18, 23:28
Hi IndiGenous:
Im back and at a friend's computer.
I will try to save to CD the tools you mentioned and then run them on my computer.
Hope this works. I will let you know.
I apologize for the long wait between...family & financial obligations took over my time.

from Dorothy :yes:

northernunicorn
2009-10-19, 06:30
Hi IndiGenus:

[QUOTE=IndiGenus;341460]Okay normally I would post the download link when I advise the tool, but here I'll advise the tools I would expect we may use here. At least to get to the point where you can download files.

Don't run or install tools until advised, but I realize you may not want to go back and forth from your neighbors, so you can get them all on disk.

The first is the Win32kDiag tool I advised earlier. Try and copy it to your desktop to run it. If you cannot then try running from the disk.

Please save this (http://ad13.geekstogo.com/Win32kDiag.exe) file. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.QUOTE]

I was able to save the tools to a disk.

I was able to copy the Win32Diag tool to my desktop & run it. The log from the scan was saved to my desktop but it is larger than can fit in 1 post so I'll spread it over as many as necessary because I'm not sure if it's ok to send it as an attachment.

Note: I hope I didnt mess up by running it twice. :oops: I ran it once then thought I should have done it as administrator & ran it again...thought there would be 2 logs left on desktop but there wasn't...Please let me know if I messed up or not.

Here goes with the log:

Running from: C:\Users\JeffandMom\Desktop\Win32kDiag.exe

Log file at : C:\Users\JeffandMom\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EBD.tmp\ZAP2EBD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6673.tmp\ZAP6673.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9AF7.tmp\ZAP9AF7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPA5B0.tmp\ZAPA5B0.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB0D7.tmp\ZAPB0D7.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Downloaded Program Files\CONFLICT.1\CONFLICT.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Downloaded Program Files\CONFLICT.2\CONFLICT.2

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\WATCHDOG\WATCHDOG

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

IndiGenus
2009-10-19, 06:32
You can certainly attach the file if too big.

northernunicorn
2009-10-19, 06:32
Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

northernunicorn
2009-10-19, 06:35
Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6000.16868_none_9a40172a0fc4863e\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6000.16868_none_9a40172a0fc4863e

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6000.21065_none_9ac68b3928e50d45\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6000.21065_none_9ac68b3928e50d45

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.18270_none_9c1383940cfa6868\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.18270_none_9c1383940cfa6868

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.22447_none_9cc4940f25f962e7\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6001.22447_none_9cc4940f25f962e7

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6002.18049_none_9e2369c00a004aef\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6002.18049_none_9e2369c00a004aef

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6002.22150_none_9e993405232e229b\x86_microsoft-windows-mediafoundation_31bf3856ad364e35_6.0.6002.22150_none_9e993405232e229b

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6000.16868_none_05136bbbd8da5cfa\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6000.16868_none_05136bbbd8da5cfa: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6000.21065_none_0599dfcaf1fae401\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6000.21065_none_0599dfcaf1fae401: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6001.18270_none_06e6d825d6103f24\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6001.18270_none_06e6d825d6103f24: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6001.22447_none_0797e8a0ef0f39a3\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6001.22447_none_0797e8a0ef0f39a3: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6002.18049_none_08f6be51d31621ab\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6002.18049_none_08f6be51d31621ab: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\8515290af8e2a11b58a5fdcb5018cdf3\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6002.22150_none_096c8896ec43f957\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6002.22150_none_096c8896ec43f957: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\900b4a4eda74f4f6355031d2463ada66\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16919_none_f0a013de6e53b9ab\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16919_none_f0a013de6e53b9ab

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\900b4a4eda74f4f6355031d2463ada66\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.21119_none_f12988cb87718cb7\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.21119_none_f12988cb87718cb7

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\900b4a4eda74f4f6355031d2463ada66\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18322_none_f27480926b88b52c\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18322_none_f27480926b88b52c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\900b4a4eda74f4f6355031d2463ada66\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22511_none_f307eee5849f1cd5\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22511_none_f307eee5849f1cd5

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\900b4a4eda74f4f6355031d2463ada66\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6002.18103_none_f4719482689de8ec\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6002.18103_none_f4719482689de8ec

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\900b4a4eda74f4f6355031d2463ada66\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6002.22215_none_f4f261f581c1d755\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6002.22215_none_f4f261f581c1d755

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6000.16884_none_83e02be57bf1f0b4\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6000.16884_none_83e02be57bf1f0b4: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6000.21082_none_8467a03e95119112\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6000.21082_none_8467a03e95119112: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6001.18288_none_85ca6bb37914e701\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6001.18288_none_85ca6bb37914e701: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6001.22468_none_8669aa3c92224c10\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6001.22468_none_8669aa3c92224c10: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6002.18064_none_87c27e31762e9c0e\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6002.18064_none_87c27e31762e9c0e: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6002.22170_none_883d49e88f57f26d\x86_microsoft-windows-l..securityhelperclass_31bf3856ad364e35_6.0.6002.22170_none_883d49e88f57f26d: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.16884_none_9a0b894107fccf79\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.16884_none_9a0b894107fccf79

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.21082_none_9a92fd9a211c6fd7\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.21082_none_9a92fd9a211c6fd7

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\98feee1bafb0596b2f2987bc05c79171\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_6.0.6002.18091_none_87a35e9f02db5bf5\x86_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_6.0.6002.18091_none_87a35e9f02db5bf5: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_6.0.6002.22200_none_888d4c521bb0e416\x86_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_6.0.6002.22200_none_888d4c521bb0e416: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6000.16908_en-us_80aa46aabe6988cc\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6000.16908_en-us_80aa46aabe6988cc: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6000.21108_en-us_8133bb97d7875bd8\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6000.21108_en-us_8133bb97d7875bd8: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6001.18311_en-us_827eb35ebb9e844d\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6001.18311_en-us_827eb35ebb9e844d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6001.22497_en-us_82b7d285d4f79ba9\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6001.22497_en-us_82b7d285d4f79ba9: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6002.18091_en-us_840ea5e6b905b8f9\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6002.18091_en-us_840ea5e6b905b8f9: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6002.22200_en-us_84f89399d1db411a\x86_microsoft-windows-netevent.resources_31bf3856ad364e35_6.0.6002.22200_en-us_84f89399d1db411a: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6000.16908_none_586821dd6d61016f\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6000.16908_none_586821dd6d61016f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6000.21108_none_58f196ca867ed47b\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6000.21108_none_58f196ca867ed47b

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6001.18311_none_5a3c8e916a95fcf0\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6001.18311_none_5a3c8e916a95fcf0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6001.22497_none_5a75adb883ef144c\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6001.22497_none_5a75adb883ef144c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6002.18091_none_5bcc811967fd319c\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6002.18091_none_5bcc811967fd319c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6002.22200_none_5cb66ecc80d2b9bd\x86_microsoft-windows-netevent_31bf3856ad364e35_6.0.6002.22200_none_5cb66ecc80d2b9bd

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6000.16908_none_54bd3631b81fb89b\x86_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6000.16908_none_54bd3631b81fb89b: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6000.21108_none_5546ab1ed13d8ba7\x86_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6000.21108_none_5546ab1ed13d8ba7: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6001.22497_none_56cac20cceadcb78\x86_microsoft-windows-netio-infrastructure_31bf3856ad364e35_6.0.6001.22497_none_56cac20cceadcb78: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6000.21108_none_cbcfae32467adc51\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6000.21108_none_cbcfae32467adc51

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22497_none_cd53c52043eb1c22\x86_microsoft-windows-network-security_31bf3856ad364e35_6.0.6001.22497_none_cd53c52043eb1c22

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6000.16908_en-us_f28bf998a1c9cb0c\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6000.16908_en-us_f28bf998a1c9cb0c: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6000.21108_en-us_f3156e85bae79e18\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6000.21108_en-us_f3156e85bae79e18: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6001.18311_en-us_f460664c9efec68d\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6001.18311_en-us_f460664c9efec68d: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6001.22497_en-us_f4998573b857dde9\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6001.22497_en-us_f4998573b857dde9: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6002.18091_en-us_f5f058d49c65fb39\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6002.18091_en-us_f5f058d49c65fb39: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6002.22200_en-us_f6da4687b53b835a\x86_microsoft-windows-t..p-utility.resources_31bf3856ad364e35_6.0.6002.22200_en-us_f6da4687b53b835a: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18311_none_b3144862666d6db3\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18311_none_b3144862666d6db3

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22497_none_b34d67897fc6850f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22497_none_b34d67897fc6850f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.18091_none_b4a43aea63d4a25f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.18091_none_b4a43aea63d4a25f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.22200_none_b58e289d7caa2a80\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.22200_none_b58e289d7caa2a80

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6000.16908_none_30e8bd0651b053ef\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6000.16908_none_30e8bd0651b053ef

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6000.21108_none_317231f36ace26fb\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6000.21108_none_317231f36ace26fb

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6001.18311_none_32bd29ba4ee54f70\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6001.18311_none_32bd29ba4ee54f70

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6001.22497_none_32f648e1683e66cc\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6001.22497_none_32f648e1683e66cc

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6002.18091_none_344d1c424c4c841c\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6002.18091_none_344d1c424c4c841c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6002.22200_none_353709f565220c3d\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.0.6002.22200_none_353709f565220c3d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16908_none_5fa75f38922bdbf4\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.16908_none_5fa75f38922bdbf4

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.21108_none_6030d425ab49af00\x86_microsoft-windows-tcpip_31bf3856ad364e35_6.0.6000.21108_none_6030d425ab49af00

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\cc9db45d4d7a49bee9efe23f364bf80b\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.18795_none_656cbc830d360ee8: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\cc9db45d4d7a49bee9efe23f364bf80b\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_8.0.6001.22886_none_66022984264aac18: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_accessibility_b03f5f7f11d50a3a_6.0.6002.18005_none_4d866065934e5ef7\msil_accessibility_b03f5f7f11d50a3a_6.0.6002.18005_none_4d866065934e5ef7

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_aspnetmmcext_b03f5f7f11d50a3a_6.0.6002.18005_none_8054152c96e37e26\msil_aspnetmmcext_b03f5f7f11d50a3a_6.0.6002.18005_none_8054152c96e37e26

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_comsvcconfig_b03f5f7f11d50a3a_6.0.6002.18005_none_eb63fcdad4ebfd16\msil_comsvcconfig_b03f5f7f11d50a3a_6.0.6002.18005_none_eb63fcdad4ebfd16

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_cscompmgd_b03f5f7f11d50a3a_6.0.6002.18005_none_1872efd4aa5a4414\msil_cscompmgd_b03f5f7f11d50a3a_6.0.6002.18005_none_1872efd4aa5a4414

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_dfsvc_b03f5f7f11d50a3a_6.0.6002.18005_none_65a8cc0289501153\msil_dfsvc_b03f5f7f11d50a3a_6.0.6002.18005_none_65a8cc0289501153

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_eventviewer.resources_31bf3856ad364e35_6.0.6002.18005_en-us_cc17da7cb2f2920f\msil_eventviewer.resources_31bf3856ad364e35_6.0.6002.18005_en-us_cc17da7cb2f2920f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_ieexecremote_b03f5f7f11d50a3a_6.0.6002.18005_none_ef4a58c7c5889e64\msil_ieexecremote_b03f5f7f11d50a3a_6.0.6002.18005_none_ef4a58c7c5889e64

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_ieexec_b03f5f7f11d50a3a_6.0.6002.18005_none_7ebbc5c007fec7a8\msil_ieexec_b03f5f7f11d50a3a_6.0.6002.18005_none_7ebbc5c007fec7a8

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_iehost_b03f5f7f11d50a3a_6.0.6002.18005_none_7e35165408616421\msil_iehost_b03f5f7f11d50a3a_6.0.6002.18005_none_7e35165408616421

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_iiehost_b03f5f7f11d50a3a_6.0.6002.18005_none_816442d68bbe18e0\msil_iiehost_b03f5f7f11d50a3a_6.0.6002.18005_none_816442d68bbe18e0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_jsc_b03f5f7f11d50a3a_6.0.6002.18005_none_a7af7d70d7c9356f\msil_jsc_b03f5f7f11d50a3a_6.0.6002.18005_none_a7af7d70d7c9356f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.build.engine_b03f5f7f11d50a3a_6.0.6002.18005_none_387c914c0ed279d3\msil_microsoft.build.engine_b03f5f7f11d50a3a_6.0.6002.18005_none_387c914c0ed279d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.build.framework_b03f5f7f11d50a3a_6.0.6002.18005_none_c2a3acd783e72d57\msil_microsoft.build.framework_b03f5f7f11d50a3a_6.0.6002.18005_none_c2a3acd783e72d57

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.build.tasks_b03f5f7f11d50a3a_6.0.6002.18005_none_9d3ca2208d80c419\msil_microsoft.build.tasks_b03f5f7f11d50a3a_6.0.6002.18005_none_9d3ca2208d80c419

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.build.utilities_b03f5f7f11d50a3a_6.0.6002.18005_none_e1e4fa8ea5567225\msil_microsoft.build.utilities_b03f5f7f11d50a3a_6.0.6002.18005_none_e1e4fa8ea5567225

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.jscript_b03f5f7f11d50a3a_6.0.6002.18005_none_d20884118360c004\msil_microsoft.jscript_b03f5f7f11d50a3a_6.0.6002.18005_none_d20884118360c004

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.managementconsole_31bf3856ad364e35_6.0.6002.18005_none_404ed32b1170eb50\msil_microsoft.managementconsole_31bf3856ad364e35_6.0.6002.18005_none_404ed32b1170eb50

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.transactions.bridge_b03f5f7f11d50a3a_6.0.6002.18005_none_c7bec71ffdedf435\msil_microsoft.transactions.bridge_b03f5f7f11d50a3a_6.0.6002.18005_none_c7bec71ffdedf435

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.visualbasic.compatibility.data_b03f5f7f11d50a3a_6.0.6002.18005_none_5f17fcdf1d21af33\msil_microsoft.visualbasic.compatibility.data_b03f5f7f11d50a3a_6.0.6002.18005_none_5f17fcdf1d21af33: 3
Could not open reparse point C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.visualbasic.compatibility_b03f5f7f11d50a3a_6.0.6002.18005_none_ed4030cc958ae321\msil_microsoft.visualbasic.compatibility_b03f5f7f11d50a3a_6.0.6002.18005_none_ed4030cc958ae321: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.visualbasic.vsa_b03f5f7f11d50a3a_6.0.6002.18005_none_f2b3e9f14ccc4d0f\msil_microsoft.visualbasic.vsa_b03f5f7f11d50a3a_6.0.6002.18005_none_f2b3e9f14ccc4d0f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.visualbasic_b03f5f7f11d50a3a_6.0.6002.18005_none_ad69093e0186cb39\msil_microsoft.visualbasic_b03f5f7f11d50a3a_6.0.6002.18005_none_ad69093e0186cb39

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.vsa.vb.codedomprocessor_b03f5f7f11d50a3a_6.0.6002.18005_none_44578232f2ea7160\msil_microsoft.vsa.vb.codedomprocessor_b03f5f7f11d50a3a_6.0.6002.18005_none_44578232f2ea7160

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.vsa_b03f5f7f11d50a3a_6.0.6002.18005_none_682aad423a72f74b\msil_microsoft.vsa_b03f5f7f11d50a3a_6.0.6002.18005_none_682aad423a72f74b

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.web.administration.resources_31bf3856ad364e35_6.0.6002.18005_en-us_9e7284d03365a901\msil_microsoft.web.administration.resources_31bf3856ad364e35_6.0.6002.18005_en-us_9e7284d03365a901: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_microsoft.web.administration_31bf3856ad364e35_6.0.6002.18005_none_b8c9781d8fcc849c\msil_microsoft.web.administration_31bf3856ad364e35_6.0.6002.18005_none_b8c9781d8fcc849c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_miguicontrols_31bf3856ad364e35_6.0.6002.18005_none_b034519a39bcde59\msil_miguicontrols_31bf3856ad364e35_6.0.6002.18005_none_b034519a39bcde59

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_mmcex_31bf3856ad364e35_6.0.6002.18005_none_fdd3b6785be3af44\msil_mmcex_31bf3856ad364e35_6.0.6002.18005_none_fdd3b6785be3af44

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_mmcfxcommon_31bf3856ad364e35_6.0.6002.18005_none_5452e9e5750caf3c\msil_mmcfxcommon_31bf3856ad364e35_6.0.6002.18005_none_5452e9e5750caf3c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_napsnap.resources_31bf3856ad364e35_6.0.6002.18005_en-us_d14785aeef1f0902\msil_napsnap.resources_31bf3856ad364e35_6.0.6002.18005_en-us_d14785aeef1f0902

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_presentationbuildtasks_31bf3856ad364e35_6.0.6002.18005_none_9e0bf58c35ba287c\msil_presentationbuildtasks_31bf3856ad364e35_6.0.6002.18005_none_9e0bf58c35ba287c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_presentationcffrasterizer_31bf3856ad364e35_6.0.6002.18005_none_43070e2e1454a6a0\msil_presentationcffrasterizer_31bf3856ad364e35_6.0.6002.18005_none_43070e2e1454a6a0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_presentationfontcache_31bf3856ad364e35_6.0.6002.18005_none_0fb649d9ad5630d5\msil_presentationfontcache_31bf3856ad364e35_6.0.6002.18005_none_0fb649d9ad5630d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_presentationframework.aero_31bf3856ad364e35_6.0.6002.18005_none_1b338c0e6cbb7a8b\msil_presentationframework.aero_31bf3856ad364e35_6.0.6002.18005_none_1b338c0e6cbb7a8b

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_presentationframework.classic_31bf3856ad364e35_6.0.6002.18005_none_b244cef4e1b377d4\msil_presentationframework.classic_31bf3856ad364e35_6.0.6002.18005_none_b244cef4e1b377d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_presentationframework.luna_31bf3856ad364e35_6.0.6002.18005_none_1a0e64ec6d65920e\msil_presentationframework.luna_31bf3856ad364e35_6.0.6002.18005_none_1a0e64ec6d65920e

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_presentationframework.royale_31bf3856ad364e35_6.0.6002.18005_none_9c96b85b8e663ccc\msil_presentationframework.royale_31bf3856ad364e35_6.0.6002.18005_none_9c96b85b8e663ccc

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_presentationframework_31bf3856ad364e35_6.0.6002.18005_none_78a30f10f11e86c4\msil_presentationframework_31bf3856ad364e35_6.0.6002.18005_none_78a30f10f11e86c4

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_presentationui_31bf3856ad364e35_6.0.6002.18005_none_ad960e0439a9be86\msil_presentationui_31bf3856ad364e35_6.0.6002.18005_none_ad960e0439a9be86

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_reachframework_31bf3856ad364e35_6.0.6002.18005_none_439ad0affea2839f\msil_reachframework_31bf3856ad364e35_6.0.6002.18005_none_439ad0affea2839f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_servicemodelreg_b03f5f7f11d50a3a_6.0.6002.18005_none_4aa84200fc580287\msil_servicemodelreg_b03f5f7f11d50a3a_6.0.6002.18005_none_4aa84200fc580287

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_smdiagnostics_b77a5c561934e089_6.0.6002.18005_none_9e6dd954b053cc6d\msil_smdiagnostics_b77a5c561934e089_6.0.6002.18005_none_9e6dd954b053cc6d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_smsvchost_b03f5f7f11d50a3a_6.0.6002.18005_none_12354c1054c35525\msil_smsvchost_b03f5f7f11d50a3a_6.0.6002.18005_none_12354c1054c35525

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_sysglobl_b03f5f7f11d50a3a_6.0.6002.18005_none_d4bb69db8a792ee2\msil_sysglobl_b03f5f7f11d50a3a_6.0.6002.18005_none_d4bb69db8a792ee2

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.configuration.install_b03f5f7f11d50a3a_6.0.6002.18005_none_8b9cdc5b78f8032d\msil_system.configuration.install_b03f5f7f11d50a3a_6.0.6002.18005_none_8b9cdc5b78f8032d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.configuration_b03f5f7f11d50a3a_6.0.6002.18005_none_2afff036370d4fd2\msil_system.configuration_b03f5f7f11d50a3a_6.0.6002.18005_none_2afff036370d4fd2

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.data.sqlxml_b77a5c561934e089_6.0.6002.18005_none_3153bfada5516881\msil_system.data.sqlxml_b77a5c561934e089_6.0.6002.18005_none_3153bfada5516881

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.deployment_b03f5f7f11d50a3a_6.0.6002.18005_none_5fd691f73142d41f\msil_system.deployment_b03f5f7f11d50a3a_6.0.6002.18005_none_5fd691f73142d41f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.design_b03f5f7f11d50a3a_6.0.6002.18005_none_b525864303710290\msil_system.design_b03f5f7f11d50a3a_6.0.6002.18005_none_b525864303710290

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.directoryservices.protocols_b03f5f7f11d50a3a_6.0.6002.18005_none_aef5d5a354b01224\msil_system.directoryservices.protocols_b03f5f7f11d50a3a_6.0.6002.18005_none_aef5d5a354b01224: 3
Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.directoryservices_b03f5f7f11d50a3a_6.0.6002.18005_none_5679ca4731c43ad9\msil_system.directoryservices_b03f5f7f11d50a3a_6.0.6002.18005_none_5679ca4731c43ad9

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.drawing.design_b03f5f7f11d50a3a_6.0.6002.18005_none_1be3a910b0bb38ae\msil_system.drawing.design_b03f5f7f11d50a3a_6.0.6002.18005_none_1be3a910b0bb38ae

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.drawing_b03f5f7f11d50a3a_6.0.6002.18005_none_8f6eb5fdf12629bc\msil_system.drawing_b03f5f7f11d50a3a_6.0.6002.18005_none_8f6eb5fdf12629bc

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.identitymodel.selectors_b77a5c561934e089_6.0.6002.18005_none_abcac43873eedab5\msil_system.identitymodel.selectors_b77a5c561934e089_6.0.6002.18005_none_abcac43873eedab5

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.identitymodel_b77a5c561934e089_6.0.6002.18005_none_1d35f4104460221f\msil_system.identitymodel_b77a5c561934e089_6.0.6002.18005_none_1d35f4104460221f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.io.log_b03f5f7f11d50a3a_6.0.6002.18005_none_84d894282094e2b4\msil_system.io.log_b03f5f7f11d50a3a_6.0.6002.18005_none_84d894282094e2b4

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.management_b03f5f7f11d50a3a_6.0.6002.18005_none_1f10f6d20cbde89f\msil_system.management_b03f5f7f11d50a3a_6.0.6002.18005_none_1f10f6d20cbde89f

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.messaging_b03f5f7f11d50a3a_6.0.6002.18005_none_2d8dcc7323f39b16\msil_system.messaging_b03f5f7f11d50a3a_6.0.6002.18005_none_2d8dcc7323f39b16

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.runtime.remoting_b77a5c561934e089_6.0.6002.18005_none_c56ff2c845843ca9\msil_system.runtime.remoting_b77a5c561934e089_6.0.6002.18005_none_c56ff2c845843ca9

Mount point destination : \Device\__max++>\^

Could not open reparse point C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\msil_system.runtime.seri..ion.formatters.soap_b03f5f7f11d50a3a_6.0.6002.18005_none_47ee75992421f088\msil_system.runtime.seri..ion.formatters.soap_b03f5f7f11d50a3a_6.0.6002.18005_none_47ee75992421f088: 3

IndiGenus
2009-10-19, 07:00
Was that the end of the report?

northernunicorn
2009-10-19, 07:00
Hi IndiGenus: :)

I just noticed your reply re: attachment.
That's what I'll do since I goofed up and lost my place doing copy/paste in sections. :oops:

Here's goes with the attachment...hopefully:red:

Thanks for your patience & ignore the reams of partial posting of the log...
from Dorothy

IndiGenus
2009-10-19, 07:01
Okay no problem, got it. I'll take a look and post back soon.

northernunicorn
2009-10-19, 07:04
Hi IndiGenus:

Thanks very much. Will await your reply.:)
from Dorothy

IndiGenus
2009-10-19, 07:06
* IMPORTANT !!! Copy ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

northernunicorn
2009-10-19, 19:50
Hi IndiGenus:
Got your reply & will do the "ComboFix.exe" instructions/scan.
and post a log.

As for "HijackThis" log, I'll give that a try after the above. I wasn't able to do that when I first asked for help (see my request for help page).

Talk with you soon. Thanks for your speedy reply.:)
from Dorothy

northernunicorn
2009-10-19, 21:46
Hi IndiGenus:

Below the info notes is the ComboFix log you requested.

I didnt notice any prompts to allow install of "Micrsoft Windows Recovery Console", so I'm thinking it's already on my computer.


I reactivated Antivirus & Antispyware applications before going onto the Internet to post here. Hope I was supposed to do that.:confused:

***Note***:
1. I still can't access Spybot-Search & Destroy...same message as before comes up saying I may not have the appropriate permissions to access item, even though I click "run as administrator". I have never had the Tea Timer running because I found all the prompts to confusing and was concerned about a conflict between Spybot Teatimer and AVG8 Resident Shield so I just used the AVG8 Resident Shield.

2. AVG8 Resident Shield will still not reactivate even after clicking the appropriate boxes.

3. Windows Defender re-enabled no problem.



Hope that's the info you were requesting.

Thanks from Dorothy
Here is the ComboFix log:

ComboFix 09-10-17.01 - JeffandMom 19/10/2009 13:16.1.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.2.1033.18.446.119 [GMT -4:00]
Running from: c:\users\JeffandMom\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1243676550-844158297-4097513924-1001
c:\$recycle.bin\S-1-5-21-1243676550-844158297-4097513924-1002
c:\$recycle.bin\S-1-5-21-1243676550-844158297-4097513924-1003
c:\$recycle.bin\S-1-5-21-1243676550-844158297-4097513924-500
c:\$recycle.bin\S-1-5-21-1738422755-998661840-641317060-500
c:\$recycle.bin\S-1-5-21-2365545147-1999384947-2466353664-500
c:\users\JeffandMom\AppData\Roaming\.#
c:\windows\win32k.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.

2009-10-19 17:29 . 2009-10-19 17:33 -------- d-----w- c:\users\JeffandMom\AppData\Local\temp
2009-10-19 17:29 . 2009-10-19 17:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-15 03:59 . 2009-10-15 03:59 -------- d-----w- c:\program files\ESET
2009-10-14 22:58 . 2009-10-14 23:00 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-14 03:33 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 03:33 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 03:33 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 03:30 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 18:35 . 2009-10-13 18:35 -------- d-----w- c:\users\JeffandMom\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-10-13 18:15 . 2009-10-13 18:47 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-03 05:51 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-23 17:12 . 2009-09-24 00:31 -------- d-----w- c:\users\JeffandMom\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 04:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-13 18:23 . 2009-07-14 03:00 -------- d-----w- c:\programdata\NOS
2009-09-30 22:16 . 2008-11-03 18:46 -------- d-----w- c:\program files\DNA
2009-09-30 04:03 . 2008-01-11 02:28 680 ----a-w- c:\users\JeffandMom\AppData\Local\d3d9caps.dat
2009-09-27 17:21 . 2009-02-13 05:06 -------- d-----w- c:\program files\Spybot - Search & Destroy162
2009-09-23 15:22 . 2007-06-21 09:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-21 05:01 . 2008-05-25 16:40 -------- d-----w- c:\programdata\Avg8
2009-09-12 05:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-09-12 05:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-09-12 05:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-09-12 05:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-12 05:10 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-09-02 06:40 . 2009-02-13 09:37 -------- d-----w- c:\program files\Java
2009-08-29 00:27 . 2009-09-03 13:57 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-03 13:57 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 13:51 . 2009-02-03 20:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:51 . 2009-02-03 20:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 13:51 . 2009-02-03 20:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-27 05:22 . 2009-10-14 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 03:32 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 03:32 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 03:32 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-23 04:32 . 2007-06-12 20:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-14 16:27 . 2009-09-10 00:49 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-10 00:49 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-10 00:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 00:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 00:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 00:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 00:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 00:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-10 00:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-10 00:49 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-10 00:49 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 12:34 . 2009-10-14 03:32 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 12:34 . 2009-10-14 03:32 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-25 09:23 . 2009-01-24 07:23 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-09-25 01:32 . 2007-09-25 01:32 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-06-13 03:56 . 2007-06-13 03:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-19 2025752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="c:\users\JeffandMom\Program Files\DNA\btdna.exe"
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Corel Photo Downloader"=c:\program files\Corel\Corel Snapfire Plus\PhotoDownloader.exe
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Sys7CC0.exe"=c:\windows\Sys7CC0.exe
"WPCUMI"=c:\windows\system32\WpcUmi.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"SigmatelSysTrayApp"=sttray.exe
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):40,68,88,54,68,33,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1243676550-844158297-4097513924-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B3575F37-250E-44F1-955F-9DBA8D31014F}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{33B940DD-6CDC-41AD-B5C0-94FFFE30F099}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{675E4329-BDAD-425B-8F52-E59340D79AE2}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{1C073947-2788-4DB5-8357-98E3E3FCDA24}c:\\program files\\maxis\\simcity 3000 unlimited\\apps\\updater\\updater.exe"= UDP:c:\program files\maxis\simcity 3000 unlimited\apps\updater\updater.exe:SC3UpdaterMFC
"UDP Query User{8CB2018A-3E7E-4C02-AF5B-51AF4CF93026}c:\\program files\\maxis\\simcity 3000 unlimited\\apps\\updater\\updater.exe"= TCP:c:\program files\maxis\simcity 3000 unlimited\apps\updater\updater.exe:SC3UpdaterMFC
"TCP Query User{C4FD23D5-2EA3-4158-A34F-46692E6CC4D4}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{40927A40-DE20-49B6-A2E7-F52B8395AA5D}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{714594F5-54E7-4B6C-986C-A77C6490D6DC}"= UDP:c:\program files\SpywareBlaster\spywareblaster.exe:SpywareBlaster
"{45CDFF7D-D7E9-433E-9584-73C0A7ECF93F}"= TCP:c:\program files\SpywareBlaster\spywareblaster.exe:SpywareBlaster
"{16DCBD6D-6EA6-4CE0-A7D8-36E9E51C0130}"= UDP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{0B8085F5-69B5-4EFB-A42F-6B5FEC037EA8}"= TCP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"TCP Query User{78733992-4ABA-4095-9BF7-64F6EB0EBD63}c:\\users\\jeffandmom\\appdata\\local\\temp\\cryf095.tmp\\install.exe"= Disabled:UDP:c:\users\jeffandmom\appdata\local\temp\cryf095.tmp\install.exe:install.exe
"UDP Query User{5100B386-8977-488E-87A5-FD6EE52C9204}c:\\users\\jeffandmom\\appdata\\local\\temp\\cryf095.tmp\\install.exe"= Disabled:TCP:c:\users\jeffandmom\appdata\local\temp\cryf095.tmp\install.exe:install.exe
"TCP Query User{A68E209B-8B93-4E8F-AD3B-7CAF8423BEF2}c:\\program files\\msn messenger\\msnmsgr.exe"= UDP:c:\program files\msn messenger\msnmsgr.exe:MSN Messenger
"UDP Query User{14456106-FC4A-499C-B233-9DA902D77F8C}c:\\program files\\msn messenger\\msnmsgr.exe"= TCP:c:\program files\msn messenger\msnmsgr.exe:MSN Messenger
"TCP Query User{DA2C9F94-6C3A-46C3-9312-8BE90D992031}c:\\program files\\starcraft\\starcraft.exe"= UDP:c:\program files\starcraft\starcraft.exe:Starcraft
"UDP Query User{CAA44634-39E1-43CB-8892-D368F1834357}c:\\program files\\starcraft\\starcraft.exe"= TCP:c:\program files\starcraft\starcraft.exe:Starcraft
"TCP Query User{0E289CE5-5339-44C8-83BA-4250041310E6}c:\\program files\\morpheus\\morpheus.exe"= UDP:c:\program files\morpheus\morpheus.exe:Morpheus
"UDP Query User{4D3E9D19-028D-48DC-8DC3-B94B6CE2B61C}c:\\program files\\morpheus\\morpheus.exe"= TCP:c:\program files\morpheus\morpheus.exe:Morpheus
"TCP Query User{2D148C49-136C-4B8D-AFCB-C9CB301F394A}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{419A0031-93D2-4BF9-A854-F6F4F229506D}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{5C26B0C7-70E4-4FB7-BA48-D7A46CE57571}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4664334B-7196-45E1-8965-4F14BE3AE307}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{10E65A62-9E1F-4C13-96DC-6EC6E25B51BE}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{AC6B501D-9E15-4FDC-BEED-80EAD63AF5BD}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{342ADA7E-1204-486D-A832-F5C6798570B8}"= UDP:c:\program files\Maxis\SimCity 3000 Unlimited\Apps\sc3U.exe:SimCity 3000 Unlimited
"{319F2B45-1BE1-4DC6-8C9B-AE7E9F61ABF9}"= TCP:c:\program files\Maxis\SimCity 3000 Unlimited\Apps\sc3U.exe:SimCity 3000 Unlimited
"{9AD0B42E-5FC0-406C-8664-6A68A668041D}"= UDP:c:\program files\Maxis\SimCity 3000 Unlimited\Apps\BAApp.exe:Building Architect Plus
"{3E1367B2-685D-4894-923E-AFD35913E544}"= TCP:c:\program files\Maxis\SimCity 3000 Unlimited\Apps\BAApp.exe:Building Architect Plus
"{B81B8BDE-CE31-4AE3-AE3E-11822A09AC36}"= Disabled:UDP:c:\program files\Blubster\Blubster.exe:Blubster
"{57B35579-93BD-4E43-A763-C6C5B815D71C}"= Disabled:TCP:c:\program files\Blubster\Blubster.exe:Blubster
"TCP Query User{EEA02241-6F2D-4A58-A957-BED349F9BD7F}c:\\program files\\yahoo! games\\jeopardy!\\jeopardy!.exe"= Disabled:UDP:c:\program files\yahoo! games\jeopardy!\jeopardy!.exe:JEOPARDY!
"UDP Query User{98A85509-9C5B-4A6F-A64B-A2CAF6A08A7B}c:\\program files\\yahoo! games\\jeopardy!\\jeopardy!.exe"= Disabled:TCP:c:\program files\yahoo! games\jeopardy!\jeopardy!.exe:JEOPARDY!
"{AF793AE3-9195-45C6-B589-B85B8CE1AACB}"= Disabled:UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{857C846E-0368-42AC-86E3-2284F4A9426E}"= Disabled:TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{DEE67F76-564B-4964-A1D2-19945441D98D}"= UDP:c:\program files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{4914565E-0F00-4948-985F-4B448B560D0D}"= TCP:c:\program files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{F9971E49-5AA4-477D-80D6-E12FD76C7CE0}"= UDP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{FF0F290B-0A63-4B58-9DA9-F4A0DBA266DF}"= TCP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"TCP Query User{E8772C2A-B0D4-460C-8DF3-35E02E89AE12}c:\\users\\jeffandmom\\program files\\dna\\btdna.exe"= UDP:c:\users\jeffandmom\program files\dna\btdna.exe:btdna.exe
"UDP Query User{B052B293-75C7-453A-8372-2C4B7F475EE4}c:\\users\\jeffandmom\\program files\\dna\\btdna.exe"= TCP:c:\users\jeffandmom\program files\dna\btdna.exe:btdna.exe
"{E9047EDA-B009-4D37-B5D0-223878263010}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{8EAC47DC-0B2D-4B94-A9BC-378DAC1FD3CB}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{6C1C211A-8DA3-4CA0-AE22-1788A73C9E1C}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{311AF4CA-6404-47DC-AA44-CA46CFE86C6F}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"TCP Query User{EC185DCC-5F9D-4A17-AC8F-C22058AFB2C6}c:\\users\\jeffandmom\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\users\jeffandmom\program files\bittorrent\bittorrent.exe:bittorrent.exe
"UDP Query User{EF017CC1-AA8C-470E-818B-B94E53DDF341}c:\\users\\jeffandmom\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\users\jeffandmom\program files\bittorrent\bittorrent.exe:bittorrent.exe
"TCP Query User{2C30FE43-5885-4432-9C6A-5C1304483211}c:\\users\\jeffandmom\\program files\\bittorrent_dna\\dna.exe"= UDP:c:\users\jeffandmom\program files\bittorrent_dna\dna.exe:dna.exe
"UDP Query User{87858FAD-BB85-4647-8BAB-19A30257510B}c:\\users\\jeffandmom\\program files\\bittorrent_dna\\dna.exe"= TCP:c:\users\jeffandmom\program files\bittorrent_dna\dna.exe:dna.exe
"{B766EDBB-17DC-45F4-B0B6-2675A6AEE9AA}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{096035EE-C61B-4CA5-8159-D47F80B13720}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{524E00AF-11ED-4B19-9D99-111C2B612F6F}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"TCP Query User{BDC5A94C-D7AA-4B8C-92C4-249EA6779E6D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4A3A4C3F-639B-4A1B-8B64-D45A9F0F8CCC}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{0AA9915C-6298-4CF6-A6AA-35F53C27D723}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{1BBD6D94-7589-47E1-A491-C8FAFF73A663}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [03/02/2009 4:53 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [03/02/2009 4:53 PM 108552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: avon.ca\avon
Trusted Zone: avon.com\ca2
Trusted Zone: avon.com\www.ca
Trusted Zone: care2.com
Trusted Zone: care2.com\mail
Trusted Zone: care2.com\stopglobalwarming
Trusted Zone: care2.com\www
Trusted Zone: care2.net\passport
Trusted Zone: ebay.com\signin
Trusted Zone: microsoft.com\update
Trusted Zone: pogo.com
Trusted Zone: terrapass.com\www
Trusted Zone: thepetitionsite.com
Trusted Zone: wikipedia.org\en
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 13:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
c:\windows\System32\drivers\XAudio.exe
c:\program files\Spybot - Search & Destroy162\SDWinSec.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
c:\combofix\CF28740.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\sdclt.exe
.
**************************************************************************
.
Completion time: 2009-10-19 13:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-19 17:42

Pre-Run: 45,895,049,216 bytes free
Post-Run: 45,633,609,728 bytes free

309 --- E O F --- 2009-10-14 03:43

IndiGenus
2009-10-19, 22:34
No recovery console because you're running Vista, so no problem.

File I would like to check if present. First, please make sure you can see hidden files.

http://www.bleepingcomputer.com/tutorials/tutorial130.html

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

C:\WINDOWS\Sys7CC0.exe

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If Jotti is too busy you can try these.

http://www.kaspersky.com/scanforvirus.html
http://www.virustotal.com/en/indexf.html

northernunicorn
2009-10-20, 19:36
Hi IndiGenus: :)



File I would like to check if present. First, please make sure you can see hidden files.

I followed instructions for showing hidden files.
I clicked on Jotti link and clicked browse and tried to upload file
Sys7CC0.exe
for analysis.
This is the message that came up:

File not found.Check file name and try again

***What would you like me to do next?


Please also post an updated HijackThis log

Was still unable to save the HijackThis installer.exe to my computer.
I will contact my friend and try to save it on disk (like I did with the other tools) and will get back to you with results.

Thanks for your help and patience. Awaiting your reply. :)
from Dorothy

IndiGenus
2009-10-20, 19:41
Hi Dorothy,

One thing we may want to try. I had mentioned another thread that I was watching where the user could not download files and it ended up being a corrupted AVG install. Since you have AVG I'm wondering if this may be the same issue. You may want to uninstall and re-install AVG to see if that clears up the issue of downloading.

Also, did you download and save DDS as I had advised? If so can you run that and post the logs.

northernunicorn
2009-10-21, 00:34
Hi IndiGenus: :)

I got your reply.
I did download & save DDS to disk as you asked.
I will run that and post the logs.

Also, I will Uninstall & Install of AVG8 and let you know what happens.

Also, I will be saving HijackThis Installer.exe to my disk and will post the log.

I will be able to do all the above tomorrow evening at the earliest since I have previous commitments tonight and all day tomorrow.

Thanks from Dorothy :)

IndiGenus
2009-10-21, 01:07
Hi Dorothy,

No need to go out of the way to get HijackThis. DDS will show us everything HJT will, and more. So just the DDS will do, and should only take a minute or 2.

northernunicorn
2009-10-22, 19:35
Hi IndiGenus :)

Here are the 2 DDS logs as requested.

DDS


DDS (Ver_09-10-13.01) - NTFSx86
Run by JeffandMom at 11:58:53.26 on 22/10/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.2.1033.18.446.138 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy162\SDWinSec.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\JeffandMom\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy162\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy162\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: avon.ca\avon
Trusted Zone: avon.com\ca2
Trusted Zone: avon.com\www.ca
Trusted Zone: care2.com
Trusted Zone: care2.com\mail
Trusted Zone: care2.com\stopglobalwarming
Trusted Zone: care2.com\www
Trusted Zone: care2.net\passport
Trusted Zone: ebay.com\signin
Trusted Zone: microsoft.com\update
Trusted Zone: pogo.com
Trusted Zone: terrapass.com\www
Trusted Zone: thepetitionsite.com
Trusted Zone: wikipedia.org\en
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\ievony\Skype4COM.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-3 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-3 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-3 297752]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy162\SDWinSec.exe [2009-2-13 1153368]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]

=============== Created Last 30 ================

2009-10-19 13:13 236,544 a------- c:\windows\PEV.exe
2009-10-19 13:13 161,792 a------- c:\windows\SWREG.exe
2009-10-19 13:13 98,816 a------- c:\windows\sed.exe
2009-10-14 23:59 <DIR> --d----- c:\program files\ESET
2009-10-13 23:33 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-10-13 23:33 60,928 a------- c:\windows\system32\msasn1.dll
2009-10-13 23:33 218,624 a------- c:\windows\system32\msv1_0.dll
2009-10-13 23:30 604,672 a------- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 14:35 <DIR> --d----- c:\users\jeffan~1\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-10-03 01:51 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-23 13:12 <DIR> --d----- c:\users\jeffandmom\.housecall6.6

==================== Find3M ====================

2009-09-12 01:17 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-12 01:17 86,016 a------- c:\windows\inf\infstor.dat
2009-09-12 01:17 51,200 a------- c:\windows\inf\infpub.dat
2009-09-12 01:04 665,600 a------- c:\windows\inf\drvindex.dat
2009-08-28 22:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 22:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 20:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 20:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 09:51 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 09:51 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-27 01:22 916,480 a------- c:\windows\system32\wininet.dll
2009-08-27 01:17 109,056 a------- c:\windows\system32\iesysprep.dll
2009-08-27 01:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-08-26 23:42 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-08-14 11:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 09:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 09:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 09:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 09:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 09:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 09:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 09:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 09:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 08:34 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 08:34 3,548,216 a------- c:\windows\system32\ntoskrnl.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2008-09-28 02:27 174 a--sh--- c:\program files\desktop.ini
2007-09-24 21:32 774,144 a------- c:\program files\RngInterstitial.dll
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 11:59:25.07 ===============

IndiGenus
2009-10-22, 19:51
How are things running? Let's run a quick cleanup script with combofix then let me know how it's running at this point.

1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:



Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Sys7CC0.exe"=-




3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt A new DDS log.

northernunicorn
2009-10-23, 21:46
Hi IndiGenus :)


1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:


Code:
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Sys7CC0.exe"=-
3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again

I did as instructed
although I forgot to deactivate any security programs running :(

I tried to run another ComboFix after deactivating but I goofed & forgot to save to desktop Do you want me to run another?


Anyway, here is the log for the run I did do. Thanks from Dorothy :)


ComboFix 09-10-17.01 - JeffandMom 23/10/2009 12:18.2.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.2.1033.18.446.109 [GMT -4:00]
Running from: c:\users\JeffandMom\Desktop\ComboFix.exe
Command switches used :: c:\users\JeffandMom\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-23 16:32 . 2009-10-23 16:32 -------- d-----w- c:\users\JeffandMom\AppData\Local\temp
2009-10-23 16:32 . 2009-10-23 16:32 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-23 16:32 . 2009-10-23 16:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-15 03:59 . 2009-10-15 03:59 -------- d-----w- c:\program files\ESET
2009-10-14 22:58 . 2009-10-14 23:00 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-14 03:33 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 03:33 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 03:33 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 03:30 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 18:35 . 2009-10-13 18:35 -------- d-----w- c:\users\JeffandMom\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-10-13 18:15 . 2009-10-13 18:47 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-03 05:51 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-23 17:12 . 2009-09-24 00:31 -------- d-----w- c:\users\JeffandMom\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 14:35 . 2008-05-25 16:40 -------- d-----w- c:\programdata\Avg8
2009-10-14 04:45 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-13 18:23 . 2009-07-14 03:00 -------- d-----w- c:\programdata\NOS
2009-09-30 22:16 . 2008-11-03 18:46 -------- d-----w- c:\program files\DNA
2009-09-30 04:03 . 2008-01-11 02:28 680 ----a-w- c:\users\JeffandMom\AppData\Local\d3d9caps.dat
2009-09-27 17:21 . 2009-02-13 05:06 -------- d-----w- c:\program files\Spybot - Search & Destroy162
2009-09-23 15:22 . 2007-06-21 09:04 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-12 05:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Calendar
2009-09-12 05:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Sidebar
2009-09-12 05:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Collaboration
2009-09-12 05:11 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-12 05:10 . 2006-11-02 12:35 -------- d-----w- c:\program files\Windows Defender
2009-09-02 06:40 . 2009-02-13 09:37 -------- d-----w- c:\program files\Java
2009-08-29 00:27 . 2009-09-03 13:57 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-03 13:57 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 13:51 . 2009-02-03 20:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:51 . 2009-02-03 20:53 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 13:51 . 2009-02-03 20:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-27 05:22 . 2009-10-14 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 03:32 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 03:32 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 03:32 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 16:27 . 2009-09-10 00:49 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-10 00:49 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-10 00:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-10 00:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-10 00:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-10 00:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-10 00:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-10 00:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-10 00:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-10 00:49 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-10 00:49 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-04 12:34 . 2009-10-14 03:32 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 12:34 . 2009-10-14 03:32 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-09-25 01:32 . 2007-09-25 01:32 774144 ----a-w- c:\program files\RngInterstitial.dll
2007-06-13 03:56 . 2007-06-13 03:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-19_17.33.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-06-12 20:40 . 2009-10-23 14:15 55746 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2007-06-12 20:40 . 2009-10-19 15:09 55746 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-10-23 14:16 91084 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2007-06-21 22:29 . 2009-10-19 17:35 18448 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1243676550-844158297-4097513924-1000_UserData.bin
+ 2007-06-21 22:29 . 2009-10-23 14:16 18448 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1243676550-844158297-4097513924-1000_UserData.bin
- 2007-06-21 07:08 . 2009-10-19 15:16 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-21 07:08 . 2009-10-23 14:40 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-06-21 07:08 . 2009-10-23 14:40 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-06-21 07:08 . 2009-10-19 15:16 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-06-21 07:08 . 2009-10-23 14:40 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-06-21 07:08 . 2009-10-19 15:16 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-04 23:27 . 2009-07-12 17:18 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-04 23:27 . 2009-10-21 00:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-04 23:27 . 2009-10-21 00:54 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-04 23:27 . 2009-07-12 17:18 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-04 23:27 . 2009-07-12 17:18 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-06-04 23:27 . 2009-10-21 00:54 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-07-02 16:56 . 2009-09-07 19:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-07-02 16:56 . 2009-10-22 22:44 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-07-02 16:56 . 2009-09-07 19:46 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-07-02 16:56 . 2009-10-22 22:44 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-07-02 16:56 . 2009-09-07 19:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2007-07-02 16:56 . 2009-10-22 22:44 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:33 . 2009-10-19 15:05 599942 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-23 14:19 599942 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-19 15:05 105448 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-23 14:19 105448 c:\windows\System32\perfc009.dat
+ 2009-05-14 02:50 . 2009-10-20 15:34 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-14 02:50 . 2009-10-14 04:53 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-06-04 23:27 . 2009-07-12 17:18 245760 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-06-04 23:27 . 2009-10-21 00:54 245760 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2006-11-02 10:22 . 2009-10-23 14:27 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2009-10-19 06:13 6291456 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-10-23 16:16 . 2009-10-23 16:16 6217728 c:\windows\ERDNT\Hiv-backup\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-19 2025752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="c:\users\JeffandMom\Program Files\DNA\btdna.exe"
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Corel Photo Downloader"=c:\program files\Corel\Corel Snapfire Plus\PhotoDownloader.exe
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"WPCUMI"=c:\windows\system32\WpcUmi.exe
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"SigmatelSysTrayApp"=sttray.exe
"AVG8_TRAY"=c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):40,68,88,54,68,33,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1243676550-844158297-4097513924-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B3575F37-250E-44F1-955F-9DBA8D31014F}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{33B940DD-6CDC-41AD-B5C0-94FFFE30F099}"= UDP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"{675E4329-BDAD-425B-8F52-E59340D79AE2}"= TCP:c:\program files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:Yahoo! Music Jukebox
"TCP Query User{1C073947-2788-4DB5-8357-98E3E3FCDA24}c:\\program files\\maxis\\simcity 3000 unlimited\\apps\\updater\\updater.exe"= UDP:c:\program files\maxis\simcity 3000 unlimited\apps\updater\updater.exe:SC3UpdaterMFC
"UDP Query User{8CB2018A-3E7E-4C02-AF5B-51AF4CF93026}c:\\program files\\maxis\\simcity 3000 unlimited\\apps\\updater\\updater.exe"= TCP:c:\program files\maxis\simcity 3000 unlimited\apps\updater\updater.exe:SC3UpdaterMFC
"TCP Query User{C4FD23D5-2EA3-4158-A34F-46692E6CC4D4}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{40927A40-DE20-49B6-A2E7-F52B8395AA5D}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{714594F5-54E7-4B6C-986C-A77C6490D6DC}"= UDP:c:\program files\SpywareBlaster\spywareblaster.exe:SpywareBlaster
"{45CDFF7D-D7E9-433E-9584-73C0A7ECF93F}"= TCP:c:\program files\SpywareBlaster\spywareblaster.exe:SpywareBlaster
"{16DCBD6D-6EA6-4CE0-A7D8-36E9E51C0130}"= UDP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"{0B8085F5-69B5-4EFB-A42F-6B5FEC037EA8}"= TCP:c:\program files\Spybot - Search & Destroy\SpybotSD.exe:Spybot - Search & Destroy
"TCP Query User{78733992-4ABA-4095-9BF7-64F6EB0EBD63}c:\\users\\jeffandmom\\appdata\\local\\temp\\cryf095.tmp\\install.exe"= Disabled:UDP:c:\users\jeffandmom\appdata\local\temp\cryf095.tmp\install.exe:install.exe
"UDP Query User{5100B386-8977-488E-87A5-FD6EE52C9204}c:\\users\\jeffandmom\\appdata\\local\\temp\\cryf095.tmp\\install.exe"= Disabled:TCP:c:\users\jeffandmom\appdata\local\temp\cryf095.tmp\install.exe:install.exe
"TCP Query User{A68E209B-8B93-4E8F-AD3B-7CAF8423BEF2}c:\\program files\\msn messenger\\msnmsgr.exe"= UDP:c:\program files\msn messenger\msnmsgr.exe:MSN Messenger
"UDP Query User{14456106-FC4A-499C-B233-9DA902D77F8C}c:\\program files\\msn messenger\\msnmsgr.exe"= TCP:c:\program files\msn messenger\msnmsgr.exe:MSN Messenger
"TCP Query User{DA2C9F94-6C3A-46C3-9312-8BE90D992031}c:\\program files\\starcraft\\starcraft.exe"= UDP:c:\program files\starcraft\starcraft.exe:Starcraft
"UDP Query User{CAA44634-39E1-43CB-8892-D368F1834357}c:\\program files\\starcraft\\starcraft.exe"= TCP:c:\program files\starcraft\starcraft.exe:Starcraft
"TCP Query User{0E289CE5-5339-44C8-83BA-4250041310E6}c:\\program files\\morpheus\\morpheus.exe"= UDP:c:\program files\morpheus\morpheus.exe:Morpheus
"UDP Query User{4D3E9D19-028D-48DC-8DC3-B94B6CE2B61C}c:\\program files\\morpheus\\morpheus.exe"= TCP:c:\program files\morpheus\morpheus.exe:Morpheus
"TCP Query User{2D148C49-136C-4B8D-AFCB-C9CB301F394A}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{419A0031-93D2-4BF9-A854-F6F4F229506D}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{5C26B0C7-70E4-4FB7-BA48-D7A46CE57571}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{4664334B-7196-45E1-8965-4F14BE3AE307}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{10E65A62-9E1F-4C13-96DC-6EC6E25B51BE}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{AC6B501D-9E15-4FDC-BEED-80EAD63AF5BD}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{342ADA7E-1204-486D-A832-F5C6798570B8}"= UDP:c:\program files\Maxis\SimCity 3000 Unlimited\Apps\sc3U.exe:SimCity 3000 Unlimited
"{319F2B45-1BE1-4DC6-8C9B-AE7E9F61ABF9}"= TCP:c:\program files\Maxis\SimCity 3000 Unlimited\Apps\sc3U.exe:SimCity 3000 Unlimited
"{9AD0B42E-5FC0-406C-8664-6A68A668041D}"= UDP:c:\program files\Maxis\SimCity 3000 Unlimited\Apps\BAApp.exe:Building Architect Plus
"{3E1367B2-685D-4894-923E-AFD35913E544}"= TCP:c:\program files\Maxis\SimCity 3000 Unlimited\Apps\BAApp.exe:Building Architect Plus
"{B81B8BDE-CE31-4AE3-AE3E-11822A09AC36}"= Disabled:UDP:c:\program files\Blubster\Blubster.exe:Blubster
"{57B35579-93BD-4E43-A763-C6C5B815D71C}"= Disabled:TCP:c:\program files\Blubster\Blubster.exe:Blubster
"TCP Query User{EEA02241-6F2D-4A58-A957-BED349F9BD7F}c:\\program files\\yahoo! games\\jeopardy!\\jeopardy!.exe"= Disabled:UDP:c:\program files\yahoo! games\jeopardy!\jeopardy!.exe:JEOPARDY!
"UDP Query User{98A85509-9C5B-4A6F-A64B-A2CAF6A08A7B}c:\\program files\\yahoo! games\\jeopardy!\\jeopardy!.exe"= Disabled:TCP:c:\program files\yahoo! games\jeopardy!\jeopardy!.exe:JEOPARDY!
"{AF793AE3-9195-45C6-B589-B85B8CE1AACB}"= Disabled:UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{857C846E-0368-42AC-86E3-2284F4A9426E}"= Disabled:TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{DEE67F76-564B-4964-A1D2-19945441D98D}"= UDP:c:\program files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{4914565E-0F00-4948-985F-4B448B560D0D}"= TCP:c:\program files\Grisoft\AVG7\avgcc.exe:AVG Control Center
"{F9971E49-5AA4-477D-80D6-E12FD76C7CE0}"= UDP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{FF0F290B-0A63-4B58-9DA9-F4A0DBA266DF}"= TCP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"TCP Query User{E8772C2A-B0D4-460C-8DF3-35E02E89AE12}c:\\users\\jeffandmom\\program files\\dna\\btdna.exe"= UDP:c:\users\jeffandmom\program files\dna\btdna.exe:btdna.exe
"UDP Query User{B052B293-75C7-453A-8372-2C4B7F475EE4}c:\\users\\jeffandmom\\program files\\dna\\btdna.exe"= TCP:c:\users\jeffandmom\program files\dna\btdna.exe:btdna.exe
"{E9047EDA-B009-4D37-B5D0-223878263010}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{8EAC47DC-0B2D-4B94-A9BC-378DAC1FD3CB}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{6C1C211A-8DA3-4CA0-AE22-1788A73C9E1C}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"{311AF4CA-6404-47DC-AA44-CA46CFE86C6F}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:BitTorrent DNA
"TCP Query User{EC185DCC-5F9D-4A17-AC8F-C22058AFB2C6}c:\\users\\jeffandmom\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\users\jeffandmom\program files\bittorrent\bittorrent.exe:bittorrent.exe
"UDP Query User{EF017CC1-AA8C-470E-818B-B94E53DDF341}c:\\users\\jeffandmom\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\users\jeffandmom\program files\bittorrent\bittorrent.exe:bittorrent.exe
"TCP Query User{2C30FE43-5885-4432-9C6A-5C1304483211}c:\\users\\jeffandmom\\program files\\bittorrent_dna\\dna.exe"= UDP:c:\users\jeffandmom\program files\bittorrent_dna\dna.exe:dna.exe
"UDP Query User{87858FAD-BB85-4647-8BAB-19A30257510B}c:\\users\\jeffandmom\\program files\\bittorrent_dna\\dna.exe"= TCP:c:\users\jeffandmom\program files\bittorrent_dna\dna.exe:dna.exe
"{B766EDBB-17DC-45F4-B0B6-2675A6AEE9AA}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{096035EE-C61B-4CA5-8159-D47F80B13720}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{524E00AF-11ED-4B19-9D99-111C2B612F6F}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"TCP Query User{BDC5A94C-D7AA-4B8C-92C4-249EA6779E6D}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4A3A4C3F-639B-4A1B-8B64-D45A9F0F8CCC}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{0AA9915C-6298-4CF6-A6AA-35F53C27D723}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{1BBD6D94-7589-47E1-A491-C8FAFF73A663}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy162\SDWinSec.exe [2009-01-26 1153368]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-28 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-11 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-28 297752]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: avon.ca\avon
Trusted Zone: avon.com\ca2
Trusted Zone: avon.com\www.ca
Trusted Zone: care2.com
Trusted Zone: care2.com\mail
Trusted Zone: care2.com\stopglobalwarming
Trusted Zone: care2.com\www
Trusted Zone: care2.net\passport
Trusted Zone: ebay.com\signin
Trusted Zone: microsoft.com\update
Trusted Zone: pogo.com
Trusted Zone: terrapass.com\www
Trusted Zone: thepetitionsite.com
Trusted Zone: wikipedia.org\en
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 12:32
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-23 12:38
ComboFix-quarantined-files.txt 2009-10-23 16:38
ComboFix2.txt 2009-10-19 17:43

Pre-Run: 41,329,745,920 bytes free
Post-Run: 41,291,345,920 bytes free

314 --- E O F --- 2009-10-22 15:25

IndiGenus
2009-10-23, 21:54
I tried to run another ComboFix after deactivating but I goofed & forgot to save to desktop Do you want me to run another?

Hi.....no, looks like it took care of what we needed it to. I think we can move on with the fix and do some cleanup and scans.

How's it running BTW.

Use ATF Cleaner to remove temp files, cookies, cache, ect...
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php)
Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select "Perform Quick Scan", then click Scan.

The scan may take some time to finish,so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply along with a DDS log.

northernunicorn
2009-10-23, 22:17
Hi Indigenus:)


How are things running?

Same as before really...no noticeable changes in speed etc. That wasn't a problem though much.

My computer still wont let me save .exe files anywhere on it...even to a CD.

Spybot-Search and Destroy still says same adminstrator error message(see previous posts) and I cant do Immunize after updates or do a scan. I can do updates though, it seems, but I have no way to verify in Spybot itself if these are truly happening. I think I'm going to do a complete uninstall of Spybot and then install Spybot most recent version from my CD.

AVG8.5 still wont let me reactivate resident shield and I cant do a scan. I went on the AVG site and couldnt download the uninstall/reinstall .exe tool directly to my computer so Im going to try a COMPLETE uninstall and check for any leftover files,then from my CD try to do an install of most recent AVG version.

***Please let me know what you think of my list above.



Let's run a quick cleanup script with combofix then let me know how it's running at this point...
After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new DDS log.

My previous reply was the Combofix.txt log.

Here is A new DDS log.

thanks from Dorothy :) I appreciate your help and patience.:bigthumb:

northernunicorn
2009-10-23, 22:20
Hi Indigenus:)


How are things running?

Same as before really...no noticeable changes in speed etc. That wasn't a problem though much.

My computer still wont let me save .exe files anywhere on it...even to a CD.

Spybot-Search and Destroy still says same adminstrator error message(see previous posts) and I cant do Immunize after updates or do a scan. I can do updates though, it seems, but I have no way to verify in Spybot itself if these are truly happening. I think I'm going to do a complete uninstall of Spybot and then install Spybot most recent version from my CD.

AVG8.5 still wont let me reactivate resident shield and I cant do a scan. I went on the AVG site and couldnt download the uninstall/reinstall .exe tool directly to my computer so Im going to try a COMPLETE uninstall and check for any leftover files,then from my CD try to do an install of most recent AVG version.

***Please let me know what you think of my list above.



Let's run a quick cleanup script with combofix then let me know how it's running at this point...
After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new DDS log.

My previous reply was the Combofix.txt log.

Here is A new DDS log.

thanks from Dorothy :) I appreciate your help and patience.:bigthumb:


==================== Find3M ====================

2009-09-12 01:17 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-12 01:17 86,016 a------- c:\windows\inf\infstor.dat
2009-09-12 01:17 51,200 a------- c:\windows\inf\infpub.dat
2009-09-12 01:04 665,600 a------- c:\windows\inf\drvindex.dat
2009-08-28 22:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 22:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 20:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 20:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 09:51 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 09:51 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-27 01:22 916,480 a------- c:\windows\system32\wininet.dll
2009-08-27 01:17 109,056 a------- c:\windows\system32\iesysprep.dll
2009-08-27 01:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-08-26 23:42 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-08-14 11:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 09:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 09:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 09:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 09:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 09:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 09:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 09:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 09:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 08:34 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 08:34 3,548,216 a------- c:\windows\system32\ntoskrnl.exe
2008-09-28 02:27 174 a--sh--- c:\program files\desktop.ini
2007-09-24 21:32 774,144 a------- c:\program files\RngInterstitial.dll
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:52:15.89 =========

IndiGenus
2009-10-23, 22:29
Before doing any re-installation there are a couple things we can try. Let's do this first...

Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Then try running your programs.

northernunicorn
2009-10-24, 00:37
Hi IndiGenus:)

Please ignore post #30. It was posted in error.
Post#31 is the correct one.

from post#29


Use ATF Cleaner to remove temp files, cookies, cache, ect...
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Computer wont let download/save ATF Cleaner.
You had previously listed TFC(Temp File Cleaner) as a tool that I saved to the CD.
***Can I use that instead?:scratch: Please let me know. :)


from post #32


Before doing any re-installation there are a couple things we can try. Let's do this first...Please download exeHelper to your desktop.

Computer wont let me download exeHelper.
I can go to my friend's tomorrow to save it to the CD and will get back to you with the results.

Thanks from Dorothy :)

IndiGenus
2009-10-24, 00:53
Yes, you can use TFC instead of ATF.

I was hoping that you would be able to download files. It's up to you if you want to get the tools from another PC that's fine. You could also try just completely removing AVG and see if you can then download.

northernunicorn
2009-10-24, 01:17
Hi IndiGenus:)


Yes, you can use TFC instead of ATF.

Will do that. Thanks :)


It's up to you if you want to get the tools from another PC that's fine. You could also try just completely removing AVG and see if you can then download.

Will try just completely removing AVG and will let you know the results :)
Will then try to download exeHelperand
Malwarebytes as you requested inpost#32

If I cant then I'll wait til tomorrow to go to my friend's

Will talk with you later. Thanks:bigthumb:
from Dorothy

northernunicorn
2009-10-24, 20:55
Hi IndiGenus:)


Yesterday 17:53
IndiGenus Yes, you can use TFC instead of ATF.

I was hoping that you would be able to download files. It's up to you if you want to get the tools from another PC that's fine. You could also try just completely removing AVG and see if you can then download.

I used TFC as requested. Something like 85Mb was deleted.
Seemed to go ok. :)

I was unable to uninstall AVGFree 8.5. :sad:

Message came up "Uninstall failed. 1 warning, 1 error occurred"
These both referred to avgcsrvx.exe.
I clicked on the Detailsbox and wrote down the info given.
You may just have got it right when you said in post #23 Might be AVG

I tried the uninstall thru Windowsuninstall a program in regular mode as well as in safe mode.
I also tried using the uninstall AVGFree from Start Menu. No go.:sad:

As I previously mentioned (post#31 How are things running and NEW DDS logs) my computer wont let me downloadthe uninstall/reinstall.exe tool on the AVGFree site.

So... :surrender:I'll contact my friend to save to CD the exeHelper
and Malwarebytes' Anti-Malwaretools you suggested as well as the AVGFree uninstall/install.exe tool and get back to you.

Hopefully these tools will fix or give light to fix any of the problems .

:thanks: from Dorothy

northernunicorn
2009-10-24, 22:58
Hi IndiGenus:)


Before doing any re-installation there are a couple things we can try. Let's do this first...
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
Post the contents of exehelperlog.txt


Here is the exehelperlog requested
Thanks from Dorothy :)

exeHelper by Raktor
Build 20091021
Run at 15:46:50 on 10/24/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

northernunicorn
2009-10-24, 23:04
Hi IndiGenus:)


Before doing any re-installation there are a couple things we can try. Let's do this first...
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
Post the contents of exehelperlog.txt

Here is the exehelperlog requested
Thanks from Dorothy

exeHelper by Raktor
Build 20091021
Run at 15:46:50 on 10/24/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

northernunicorn
2009-10-24, 23:48
Hi IndiGenus:)

After doing the exehelper and posting the log, I
still wasnt able to download/save the Malwarebytes Anti-Malware.

Seemed like it had saved to desktop-even said there was already a copy(I had saved it from my CD to desktop already) and did I want to replace?
I said yes.
:sad:however, nothing showed up & the one that was on the desktop previous was gone too.

Back to the grinding board...copying to desktop from my CD for Malwarebytes, AVGFree uninstall/repair/install tool.

Awaiting your reply of what I should do next or run next.
Thanks from Dorothy:thanks:

northernunicorn
2009-10-25, 00:44
Hi IndiGenus:)


Please download Malwarebytes' Anti-Malware from Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
Copy and Paste the entire report in your next reply along with a DDS log.

Here are the logs you requested.
Thanks from Dorothy:thanks: Awaiting your reply :)

Malwarebytes' Anti-Malware log

Malwarebytes' Anti-Malware 1.41
Database version: 3027
Windows 6.0.6002 Service Pack 2

24/10/2009 5:02:51 PM
mbam-log-2009-10-24 (17-02-51).txt

Scan type: Quick Scan
Objects scanned: 88673
Time elapsed: 6 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

_________________________________________________________________
DDS logs

DDS (Ver_09-10-13.01) - NTFSx86
Run by JeffandMom at 17:17:04.71 on 24/10/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.2.1033.18.446.142 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy162\SDWinSec.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\JeffandMom\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy162\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy162\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: avon.ca\avon
Trusted Zone: avon.com\ca2
Trusted Zone: avon.com\www.ca
Trusted Zone: care2.com
Trusted Zone: care2.com\mail
Trusted Zone: care2.com\stopglobalwarming
Trusted Zone: care2.com\www
Trusted Zone: care2.net\passport
Trusted Zone: ebay.com\signin
Trusted Zone: microsoft.com\update
Trusted Zone: pogo.com
Trusted Zone: terrapass.com\www
Trusted Zone: thepetitionsite.com
Trusted Zone: wikipedia.org\en
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\ievony\Skype4COM.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-3 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-3 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-3 297752]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy162\SDWinSec.exe [2009-2-13 1153368]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]

=============== Created Last 30 ================

2009-10-24 16:52 <DIR> --d----- c:\users\jeffan~1\appdata\roaming\Malwarebytes
2009-10-24 16:52 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 16:52 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-24 16:52 <DIR> --d----- c:\programdata\Malwarebytes
2009-10-24 16:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 16:52 <DIR> --d----- c:\progra~2\Malwarebytes
2009-10-23 13:44 <DIR> --ds---- C:\ComboFix
2009-10-19 13:13 236,544 a------- c:\windows\PEV.exe
2009-10-19 13:13 161,792 a------- c:\windows\SWREG.exe
2009-10-19 13:13 98,816 a------- c:\windows\sed.exe
2009-10-14 23:59 <DIR> --d----- c:\program files\ESET
2009-10-13 23:33 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-10-13 23:33 60,928 a------- c:\windows\system32\msasn1.dll
2009-10-13 23:33 218,624 a------- c:\windows\system32\msv1_0.dll
2009-10-13 23:30 604,672 a------- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 14:35 <DIR> --d----- c:\users\jeffan~1\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-10-03 01:51 195,440 -------- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-09-12 01:17 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-12 01:17 86,016 a------- c:\windows\inf\infstor.dat
2009-09-12 01:17 51,200 a------- c:\windows\inf\infpub.dat
2009-09-12 01:04 665,600 a------- c:\windows\inf\drvindex.dat
2009-08-28 22:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 22:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 20:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 20:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 09:51 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 09:51 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-27 01:22 916,480 a------- c:\windows\system32\wininet.dll
2009-08-27 01:17 109,056 a------- c:\windows\system32\iesysprep.dll
2009-08-27 01:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-08-26 23:42 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-08-14 11:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 09:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 09:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 09:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 09:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 09:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 09:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 09:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 09:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 08:34 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 08:34 3,548,216 a------- c:\windows\system32\ntoskrnl.exe
2008-09-28 02:27 174 a--sh--- c:\program files\desktop.ini
2007-09-24 21:32 774,144 a------- c:\program files\RngInterstitial.dll
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 17:17:49.56 ===============

IndiGenus
2009-10-25, 01:38
Hi Dorothy,

I'm afraid I am going to need to send you to your friends again to make another download. AVG has a removal tool and I'd like to try that. Get it from the following link:

http://www.avg.com/us-en/download-tools

First one on the list should be for you.

AVG Remover(32bit)
(avgremover.exe)

Try that and see if we can't get AVG out of there.

There is also another tool called Revo uninstaller. You may want to go ahead and download that too while you're there. I would try that next.

http://www.revouninstaller.com/revo_uninstaller_free_download.html

Question.....are you using IE to download? Do you have Firefox? Or another browser you could try?

northernunicorn
2009-10-25, 05:56
Hi IndiGenus:)


Hi Dorothy,
I'm afraid I am going to need to send you to your friends again to make another download. AVG has a removal tool and I'd like to try that...
Try that and see if we can't get AVG out of there.

Since I had the Free version of AVG8.5 I went to that site to get the removal tool.
I followed the sticky instructions at the AVG Free Forums-a sticky titled AVG8x Uninstall/Re-Install Instructions.

http://www.avg.com/filedir/util/support/avgremover_en.exe

and saved it to my CD. Then I copied it to my desktop and ran it.

I had previously clicked on the link to download the latest installation file and saved it to my CD as well.
The latest version is for AVG Free 9.

The instructions advise to disable protection software.
In post#18 re ComboFix instructions, you had provided a link How to disable Security programs so that came in handy :bigthumb:
I hadn't been doing that before...never thought of it.
I also unchecked UAC-User Account Controlas well

Since AVG9 Free , went on so well, I got a brainstorm to try to reinstall Spybot-Search and Destroy 1.6.2 version that was giving me that "you dont have the correct permissions message".

I found in Program Files the Spybot app, copy/pasted it to my desktop and reinstalled Spybot.
I followed the install instruction wizard,and was able to do all the steps asked, including update & immunize:)

After reactivating protection and Security programs, including UAC, and several restarts as instructed, I tried the true test of downloading & saving to my desktop.
I went back thru our posts and chose link for TFC.

*****It worked:D: At last :bigthumb:
Hope it's ok I gave you a big long story :red: I feel so good I had to share it.
You were right...corrupted install of AVG.

I still have to do full AVG and Spybot scans but I've set them to do over night.:)

Please let me know what clean-up things I have to do and what app's I need to keep and what ones I can dispose.


****For all your patience & help:thanks: from Dorothy :)

northernunicorn
2009-10-25, 06:07
Hi IndiGenus:)

Sorry...forgot to answer your question re: Browser

I'm using Internet Explorer8.

My son & I occasionally use Yahoo when checking e-mail. Mostly, though, we use Internet Explorer
We dont have ICQ. Firefox was removed I think

Thanks again:thanks: from Dorothy :)

IndiGenus
2009-10-27, 22:56
Hi Dorothy,

Sorry for the delay. I'm glad things are running better. I think one more scan is in order to make sure we're all clean.

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition
files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in
your reply.

Animated tutorial
http://i275.photobucket.com/albums/jj285/B...ng/KAS/KAS9.gif (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419

In your next reply post:
Kaspersky log
New DDS log taken after the above scan has run

northernunicorn
2009-10-29, 01:16
Hi IndiGenus: :)


Hi Dorothy,
Sorry for the delay. I'm glad things are running better. I think one more scan is in order to make sure we're all clean.
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.
Please do a scan with Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

I was unable to do this scan.
A message came up saying the scan version was being updated & improved.

At the other link, data seemed to down load, but then an error message came up telling me to go to the Kaspersky Lab site and I saw the above message again. :(

What's your suggestion?

I did a scan with Spybot and with AVG9 Free

Spybotreported no spyware.Congratulations
Love that cute message:bigthumb:

AVG reported a virus re: exeHelper.com

That was a tool you had asked me to use & it's still on my desktop.
I was waiting for you to tell me when to delete it.

Here is the report file

Resident Shield detection
Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Virus found Downloader.Banload;"C:\Users\JeffandMom\Desktop\exeHelper stuff\exeHelper.com";"Infected";"27/10/2009, 1:27:32 PM";"file";"C:\Windows\System32\svchost.exe"
Virus found Downloader.Banload;"C:\Users\JeffandMom\Desktop\exeHelper stuff\exeHelper.com";"Infected";"25/10/2009, 2:32:27 AM";"file";"C:\Windows\System32\svchost.exe"

The item was moved to AVG Virus vault Sept.27/09
path to file:

C:\Users\JeffandMom\Desktop\exeHelper stuff\exeHelper.com

My Computer is running fine. :)
Please let me know what you'd like me to do next.

:thanks: from Dorothy

IndiGenus
2009-10-29, 01:35
It's normal for many of the AntiVirus scanners to detect our tools as bad, just by their nature. Let's see if we can get another online scanner to work.

Eset Online Scanner (http://www.eset.com/onlinescan/)
Run with Internet Explorer

Place a check mark in the box YES, I accept the Terms Of Use
Click the Start button.
Now click the Install button, or click the notification bar at the top of the window and choose to install.
Click Start. The scanner engine will initialize and update.
Do Not place a check mark in the box beside Remove found threats.
Click the Scan button. The scan will now run, please be patient.
When the scan finishes click the Details tab.
Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.

northernunicorn
2009-10-29, 01:41
Hi IndiGenus :)

Wasnt sure if you still wanted to see a DDS log but here is.

:thanks: from Dorothy :)

DDS Log


DDS (Ver_09-10-13.01) - NTFSx86
Run by JeffandMom at 19:27:36.96 on 28/10/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.2.1033.18.446.113 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\JeffandMom\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.wikipedia.org/wiki/Main_Page
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1.2\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1.2\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
Trusted Zone: avon.ca\avon
Trusted Zone: avon.com\ca2
Trusted Zone: avon.com\www.ca
Trusted Zone: care2.com
Trusted Zone: care2.com\mail
Trusted Zone: care2.com\stopglobalwarming
Trusted Zone: care2.com\www
Trusted Zone: care2.net\passport
Trusted Zone: ebay.com\signin
Trusted Zone: microsoft.com\update
Trusted Zone: pogo.com
Trusted Zone: terrapass.com\www
Trusted Zone: thepetitionsite.com
Trusted Zone: wikipedia.org\en
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\ievony\Skype4COM.dll
AppInit_DLLs: c:\windows\system32\avgrsstx.dll,avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-24 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-24 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-24 285392]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy162\SDWinSec.exe [2009-2-13 1153368]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-27 21504]

=============== Created Last 30 ================

2009-10-27 23:36 <DIR> --d----- c:\program files\Windows Portable Devices
2009-10-27 23:36 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-27 21:57 92,672 a------- c:\windows\system32\UIAnimation.dll
2009-10-27 21:57 3,023,360 a------- c:\windows\system32\UIRibbon.dll
2009-10-27 21:57 1,164,800 a------- c:\windows\system32\UIRibbonRes.dll
2009-10-27 21:55 81,920 a------- c:\windows\system32\wpdbusenum.dll
2009-10-27 21:53 4,096 a------- c:\windows\system32\oleaccrc.dll
2009-10-27 21:53 555,520 a------- c:\windows\system32\UIAutomationCore.dll
2009-10-27 21:53 234,496 a------- c:\windows\system32\oleacc.dll
2009-10-27 21:46 310,784 a------- c:\windows\system32\unregmp2.exe
2009-10-27 21:46 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-10-24 22:19 <DIR> --d----- c:\program files\Spybot - Search & Destroy1.6.2
2009-10-24 19:11 <DIR> --d-h--- C:\$AVG
2009-10-24 19:11 12,464 a------- c:\windows\system32\avgrsstx.dll
2009-10-24 19:11 360,584 a------- c:\windows\system32\drivers\avgtdix.sys
2009-10-24 19:10 333,192 a------- c:\windows\system32\drivers\avgldx86.sys
2009-10-24 19:10 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-10-24 19:09 <DIR> --d----- c:\program files\AVG
2009-10-24 19:09 <DIR> --d----- c:\programdata\avg9
2009-10-24 19:09 <DIR> --d----- c:\progra~2\avg9
2009-10-24 17:55 <DIR> --d----- C:\AVGTemp
2009-10-24 16:52 <DIR> --d----- c:\users\jeffan~1\appdata\roaming\Malwarebytes
2009-10-24 16:52 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 16:52 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-24 16:52 <DIR> --d----- c:\programdata\Malwarebytes
2009-10-24 16:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 16:52 <DIR> --d----- c:\progra~2\Malwarebytes
2009-10-23 13:44 <DIR> --ds---- C:\ComboFix
2009-10-19 13:13 236,544 a------- c:\windows\PEV.exe
2009-10-19 13:13 161,792 a------- c:\windows\SWREG.exe
2009-10-19 13:13 98,816 a------- c:\windows\sed.exe
2009-10-14 23:59 <DIR> --d----- c:\program files\ESET
2009-10-13 23:33 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-10-13 23:33 60,928 a------- c:\windows\system32\msasn1.dll
2009-10-13 23:33 218,624 a------- c:\windows\system32\msv1_0.dll
2009-10-13 23:30 604,672 a------- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 14:35 <DIR> --d----- c:\users\jeffan~1\appdata\roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-10-03 01:51 195,440 -------- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-10-27 23:36 665,600 a------- c:\windows\inf\drvindex.dat
2009-10-27 23:36 143,360 a------- c:\windows\inf\infstrng.dat
2009-10-27 23:36 86,016 a------- c:\windows\inf\infstor.dat
2009-10-27 23:36 51,200 a------- c:\windows\inf\infpub.dat
2009-09-30 21:02 2,537,472 a------- c:\windows\system32\wpdshext.dll
2009-09-30 21:02 30,208 a------- c:\windows\system32\WPDShextAutoplay.exe
2009-09-30 21:02 334,848 a------- c:\windows\system32\PortableDeviceApi.dll
2009-09-30 21:02 87,552 a------- c:\windows\system32\WPDShServiceObj.dll
2009-09-30 21:02 31,232 a------- c:\windows\system32\BthMtpContextHandler.dll
2009-09-30 21:01 546,816 a------- c:\windows\system32\wpd_ci.dll
2009-09-30 21:01 160,256 a------- c:\windows\system32\PortableDeviceTypes.dll
2009-09-30 21:01 350,208 a------- c:\windows\system32\WPDSp.dll
2009-09-30 21:01 196,608 a------- c:\windows\system32\PortableDeviceWMDRM.dll
2009-09-30 21:01 100,864 a------- c:\windows\system32\PortableDeviceClassExtension.dll
2009-09-30 21:01 60,928 a------- c:\windows\system32\PortableDeviceConnectApi.dll
2009-09-24 22:10 974,848 a------- c:\windows\system32\WindowsCodecs.dll
2009-09-24 22:07 189,440 a------- c:\windows\system32\WindowsCodecsExt.dll
2009-09-24 22:04 321,024 a------- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-24 21:49 1,554,432 a------- c:\windows\system32\xpsservices.dll
2009-09-24 21:48 351,232 a------- c:\windows\system32\XpsPrint.dll
2009-09-24 21:38 847,360 a------- c:\windows\system32\OpcServices.dll
2009-09-24 21:36 280,064 a------- c:\windows\system32\XpsGdiConverter.dll
2009-09-24 21:35 135,680 a------- c:\windows\system32\XpsRasterService.dll
2009-09-24 21:33 195,584 a------- c:\windows\system32\dxdiagn.dll
2009-09-24 21:33 829,440 a------- c:\windows\system32\d3d10warp.dll
2009-09-24 21:33 369,664 a------- c:\windows\system32\WMPhoto.dll
2009-09-24 21:32 252,928 a------- c:\windows\system32\dxdiag.exe
2009-09-24 21:31 519,680 a------- c:\windows\system32\d3d11.dll
2009-09-24 21:31 486,912 a------- c:\windows\system32\d3d10level9.dll
2009-09-24 21:31 161,280 a------- c:\windows\system32\d3d10_1.dll
2009-09-24 21:31 218,112 a------- c:\windows\system32\d3d10_1core.dll
2009-09-24 21:31 1,030,144 a------- c:\windows\system32\d3d10.dll
2009-09-24 21:31 828,928 a------- c:\windows\system32\d2d1.dll
2009-09-24 21:30 481,792 a------- c:\windows\system32\dxgi.dll
2009-09-24 21:30 190,464 a------- c:\windows\system32\d3d10core.dll
2009-09-24 21:27 634,880 a------- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-24 21:27 1,064,448 a------- c:\windows\system32\DWrite.dll
2009-09-24 21:27 793,088 a------- c:\windows\system32\FntCache.dll
2009-09-24 21:27 37,888 a------- c:\windows\system32\cdd.dll
2009-09-24 18:54 258,048 a------- c:\windows\system32\winspool.drv
2009-09-24 18:54 667,648 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 18:54 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-08-28 22:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 22:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 20:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 20:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-27 01:22 916,480 a------- c:\windows\system32\wininet.dll
2009-08-27 01:17 109,056 a------- c:\windows\system32\iesysprep.dll
2009-08-27 01:17 71,680 a------- c:\windows\system32\iesetup.dll
2009-08-26 23:42 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-08-14 11:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 09:49 9,728 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 09:49 17,920 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 09:49 11,264 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 09:49 27,136 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 09:49 19,968 a------- c:\windows\system32\ARP.EXE
2009-08-14 09:49 8,704 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 09:49 10,240 a------- c:\windows\system32\finger.exe
2009-08-14 09:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 08:34 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 08:34 3,548,216 a------- c:\windows\system32\ntoskrnl.exe
2008-09-28 02:27 174 a--sh--- c:\program files\desktop.ini
2007-09-24 21:32 774,144 a------- c:\program files\RngInterstitial.dll
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:28:16.64 ===============

IndiGenus
2009-10-29, 01:43
DDS looks okay. See if you can get the ESET scanner to work and post that log.

northernunicorn
2009-10-29, 03:17
Hi IndiGenus :)

The ESET Scan found no threats. :bigthumb:
Here is the log:

Thanks from Dorothy :)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=f2c3d8d207ce1f488380feae0d436d8a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-29 12:47:31
# local_time=2009-10-28 08:47:31 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5889 61 66 100 560489327118192
# scanned=116062
# found=0
# cleaned=0
# scan_time=3068

IndiGenus
2009-10-29, 08:00
Hi Dorothy,

I think we're all done. Just need to clean up and advise some updates and protection.

You can remove the following programs we used:

Win32Diag.exe
RootRepeal
DDS
exeHelper

Uninstall Combofix

Click START then RUN
Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

The above procedure will:

Delete the following: ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

~~~~~~~~~~~~~~~~~~~~~~~~~~

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:

Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 16 (http://java.sun.com/javase/downloads/index.jsp).
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation (jre-6u16-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u16-windows-i586-p.exe and select "Run as an Administrator.")

~~~~~~~~~~~~~~~~~~~~~~~~

In addition to updating and using what you currently have you may want to consider the following:

Install SpywareBlaster - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49)

Install Winpatrol -
Use Winpatrol (http://www.winpatrol.com/) to take control of your PC and provide another layer of security.
Help file and tutorial can be found Here (http://www.winpatrol.com/features.html)

Block unwanted parasites with a custom hosts file -
http://www.mvps.org/winhelp2002/hosts.htm

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Keep your applications up to date -
Use Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) to help stay on top of application updates that could leave your PC vulnerable to attack.

I'll leave the thread open a few days in case you have questions or issues.

Regards,
Dave