can only boot into safe mode

[psykokid]

Earlier in the week the computer became infected with Windows Police Pro. I used Malwarebytes anti malware to remove that infection. Upon cleaning that antivirus and other programs such as spybot ceased to work. When attempting to run any virus or spyware programs i get an error regarding insufficient permissions. Hijack this will start if i rename the exe but will not complete a scan. When attempting to start windows regularly i get an Error at the login screen stating that windows system authority? will reboot the system in 30 seconds.

 

[Blade81]

Hi,

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

 

[psykokid]

Log file is located at: C:\Documents and Settings\Steve\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ADDINS\ADDINS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ClientApplicationFrameWork\ClientApplicationFrameWork

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EUSWUtil\EUSWUtil

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\NotifyAlert\NotifyAlert

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Protocol\Protocol

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\SysInfo\SysInfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\TSDiscovery\TSDiscovery

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DF.tmp\ZAP1DF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B8.tmp\ZAP2B8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E8.tmp\ZAP2E8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0\Adobe Reader 6.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\EPSON PhotoStarter Essential\EPSON PhotoStarter Essential

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA330100007706000000000020\7.0.0\7.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Java\TrustLib\TrustLib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Modio\SLUSB2KV\SLExtBU\SLExtBU

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\MAIL\MAIL

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\NEWS\NEWS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\SECURITY\SECURITY

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\SYSTEM\SYSTEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\REPAIR\Backup\BootableSystemState\BootableSystemState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\REPAIR\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM\_sv_CMD_\_sv_CMD_

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\appmgmt\S-1-5-21-2216895356-1125666127-1608833299-1007\S-1-5-21-2216895356-1125666127-1608833299-1007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Adobe\Flash Player\AssetCache\Q73N6K53\Q73N6K53

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Real\RealOne Player\RealOne Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Cinemagic\Cinemagic

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\DVDBuilder\Projects\Projects

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Proxy\Proxy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Favorites\Media\Media

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Pictures\Dell Image Expert Images\Dell Image Expert Images

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Videos\My Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Audio\Audio

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\DVDBuilder\Images\Images

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Libraries\Libraries

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Productions\Productions

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Video\Video

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe

[1] 2004-08-04 00:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\SYSTEM32\dumprep.exe ()

[1] 2002-08-29 03:00:00 9216 C:\i386\DUMPREP.EXE (Microsoft Corporation)



Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 00:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 61952 C:\WINDOWS\SYSTEM32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

[1] 2002-08-29 03:00:00 49152 C:\i386\EVENTLOG.DLL (Microsoft Corporation)



Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\MRT.exe

[1] 2009-07-29 17:49:16 24281536 C:\WINDOWS\SYSTEM32\MRT.exe ()



Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\x64\x64

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TWAIN_32\SilverFast\Camera\Camera

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\TWAIN_32\SilverFast\CameraRAW\CameraRAW

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\YesVideo\YesVideo

Mount point destination : \Device\__max++>\^



Finished!

 

[Blade81]

Hi again,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
copy C:\WINDOWS\SYSTEM32\logevent.dll c:\

Double-click on fixes.bat file to execute it.

• Download The Avenger by Swandog46 from here.
• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  

  Files to move:
  c:\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll

• In the avenger window, click the Paste Script from Clipboard,
  
  button.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
• Please post this log in your next reply.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
%userprofile%\desktop\win32kdiag.exe -f -r

 

[psykokid]

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "c:\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

 

[psykokid]

It couldnt execute the command string from the run line for win32kdiag.exe, so I made a .bat file on the desktop with the command string and it ran fine from there.

Log file is located at: C:\Documents and Settings\Steve\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\ADDINS\ADDINS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ADDINS\ADDINS

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ClientApplicationFrameWork\ClientApplicationFrameWork

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ClientApplicationFrameWork\ClientApplicationFrameWork

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EUSWUtil\EUSWUtil

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EUSWUtil\EUSWUtil

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\NotifyAlert\NotifyAlert

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\NotifyAlert\NotifyAlert

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Protocol\Protocol

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\Protocol\Protocol

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\SysInfo\SysInfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\SysInfo\SysInfo

Found mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\TSDiscovery\TSDiscovery

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages1_v1.1.4322\TSDiscovery\TSDiscovery

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DF.tmp\ZAP1DF.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1DF.tmp\ZAP1DF.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B8.tmp\ZAP2B8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B8.tmp\ZAP2B8.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E8.tmp\ZAP2E8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2E8.tmp\ZAP2E8.tmp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Cache\Adobe Reader 6.0\Adobe Reader 6.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Cache\Adobe Reader 6.0\Adobe Reader 6.0

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d1\d1

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d2\d2

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d3\d3

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d4\d4

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d5\d5

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d6\d6

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d7\d7

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\CSC\d8\d8

Found mount point : C:\WINDOWS\EPSON PhotoStarter Essential\EPSON PhotoStarter Essential

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\EPSON PhotoStarter Essential\EPSON PhotoStarter Essential

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Found mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\IME\SHARED\RES\RES

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA330100007706000000000020\7.0.0\7.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\68AB67CA330100007706000000000020\7.0.0\7.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\Java\TrustLib\TrustLib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Java\TrustLib\TrustLib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Modio\SLUSB2KV\SLExtBU\SLExtBU

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Modio\SLUSB2KV\SLExtBU\SLExtBU

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\MAIL\MAIL

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\QFNONL\NSCAPE16\MAIL\MAIL

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\NEWS\NEWS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\QFNONL\NSCAPE16\NEWS\NEWS

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\SECURITY\SECURITY

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\QFNONL\NSCAPE16\SECURITY\SECURITY

Found mount point : C:\WINDOWS\QFNONL\NSCAPE16\SYSTEM\SYSTEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\QFNONL\NSCAPE16\SYSTEM\SYSTEM

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\REPAIR\Backup\BootableSystemState\BootableSystemState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\REPAIR\Backup\BootableSystemState\BootableSystemState

Found mount point : C:\WINDOWS\REPAIR\Backup\ServiceState\ServiceState

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\REPAIR\Backup\ServiceState\ServiceState

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\SYSTEM\_sv_CMD_\_sv_CMD_

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM\_sv_CMD_\_sv_CMD_

Found mount point : C:\WINDOWS\SYSTEM32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1025\1025

Found mount point : C:\WINDOWS\SYSTEM32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1028\1028

Found mount point : C:\WINDOWS\SYSTEM32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1031\1031

Found mount point : C:\WINDOWS\SYSTEM32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1037\1037

Found mount point : C:\WINDOWS\SYSTEM32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1041\1041

Found mount point : C:\WINDOWS\SYSTEM32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1042\1042

Found mount point : C:\WINDOWS\SYSTEM32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\1054\1054

Found mount point : C:\WINDOWS\SYSTEM32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\2052\2052

Found mount point : C:\WINDOWS\SYSTEM32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\3076\3076

Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI

Found mount point : C:\WINDOWS\SYSTEM32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\SYSTEM32\appmgmt\S-1-5-21-2216895356-1125666127-1608833299-1007\S-1-5-21-2216895356-1125666127-1608833299-1007

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\appmgmt\S-1-5-21-2216895356-1125666127-1608833299-1007\S-1-5-21-2216895356-1125666127-1608833299-1007

Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Adobe\Flash Player\AssetCache\Q73N6K53\Q73N6K53

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Adobe\Flash Player\AssetCache\Q73N6K53\Q73N6K53

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Real\RealOne Player\RealOne Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Real\RealOne Player\RealOne Player

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Cinemagic\Cinemagic

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Cinemagic\Cinemagic

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\DVDBuilder\Projects\Projects

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\DVDBuilder\Projects\Projects

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Proxy\Proxy

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Proxy\Proxy

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Roxio\VideoWaveMC\Templates\Templates

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Favorites\Media\Media

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Favorites\Media\Media

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Pictures\Dell Image Expert Images\Dell Image Expert Images

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Pictures\Dell Image Expert Images\Dell Image Expert Images

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Videos\My Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\My Videos\My Videos

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Audio\Audio

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Audio\Audio

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\DVDBuilder\Images\Images

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\DVDBuilder\Images\Images

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Libraries\Libraries

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Libraries\Libraries

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Productions\Productions

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Productions\Productions

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Video\Video

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\My Documents\Roxio\VideoWaveMC\Video\Video

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\SYSTEM32\Data\Data

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\Data\Data

Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP

Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN

Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\dumprep.exe

[1] 2004-08-04 00:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\SYSTEM32\dumprep.exe (Microsoft Corporation)

[1] 2002-08-29 03:00:00 9216 C:\i386\DUMPREP.EXE (Microsoft Corporation)



Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT

Found mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\SYSTEM32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Cannot access: C:\WINDOWS\SYSTEM32\MRT.exe

Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\MRT.exe

[1] 2009-07-29 17:49:16 24281536 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE

Found mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\temp\temp

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\x64\x64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\x64\x64

Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD

Found mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP

Cannot access: C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe

Attempting to restore permissions of : C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe

[1] 2009-02-06 03:15:13 227840 C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\wmiprvse.exe (Microsoft Corporation)

[1] 2004-08-04 00:56:57 218112 C:\WINDOWS\$NtServicePackUninstall$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:40 218112 C:\WINDOWS\$NtUninstallKB956572$\wmiprvse.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:40 218112 C:\WINDOWS\ServicePackFiles\i386\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 03:10:02 227840 C:\WINDOWS\SYSTEM32\DLLCACHE\wmiprvse.exe (Microsoft Corporation)

[1] 2009-02-06 03:10:02 227840 C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe (Microsoft Corporation)

[1] 2002-08-29 03:00:00 203776 C:\i386\WMIPRVSE.EXE (Microsoft Corporation)



Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\WINS\WINS

Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM

Found mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\_avast4_\_avast4_

Found mount point : C:\WINDOWS\TWAIN_32\SilverFast\Camera\Camera

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TWAIN_32\SilverFast\Camera\Camera

Found mount point : C:\WINDOWS\TWAIN_32\SilverFast\CameraRAW\CameraRAW

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\TWAIN_32\SilverFast\CameraRAW\CameraRAW

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\YesVideo\YesVideo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\YesVideo\YesVideo



Finished!

 

[Blade81]

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

• When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop. Post them back to your topic.

 

[psykokid]

when going to run combofix it gives me an error that norton 360 is active and needs to be disabled. I had previously uninstalled norton 360 so i dont know where it is picking it up from. Should i continue or try to find out where it is picking up norton 360 from?

 

[Blade81]

If you have uninstalled Norton360 earlier then ignore the warning and let it run.

 

[psykokid]

ComboFix 09-09-08.09 - Steve 09/09/2009 11:05.1.2 - NTFSx86 NETWORK
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Steve\My Documents\ZbThumbnail.info
C:\Images
c:\recycler\NPROTECT
c:\windows\Installer\13a0b.msi
c:\windows\Installer\151c7060.msp
c:\windows\Installer\151c75d8.msp
c:\windows\Installer\15f0ce75.msp
c:\windows\Installer\16e92dd9.msp
c:\windows\Installer\16e92dfa.msp
c:\windows\Installer\1707d448.msp
c:\windows\Installer\1707d469.msp
c:\windows\Installer\1707d488.msp
c:\windows\Installer\1b0bed3b.msp
c:\windows\Installer\22556f87.msp
c:\windows\Installer\2b20269.msi
c:\windows\Installer\2bf82427.msp
c:\windows\Installer\2bf8243b.msp
c:\windows\Installer\2bf8245b.msp
c:\windows\Installer\2bf82470.msp
c:\windows\Installer\2c83818a.msp
c:\windows\Installer\2c8381a9.msp
c:\windows\Installer\2c8381bd.msp
c:\windows\Installer\2c8381d1.msp
c:\windows\Installer\2c8381e5.msp
c:\windows\Installer\35c90f4.msp
c:\windows\Installer\4482838.msp
c:\windows\Installer\4e47875.msp
c:\windows\Installer\528c3a9c.msi
c:\windows\Installer\5358b.msp
c:\windows\Installer\6a386a4.msp
c:\windows\Installer\806d0.msp
c:\windows\Installer\806f7.msp
c:\windows\Installer\80740.msp
c:\windows\Installer\8077a.msp
c:\windows\Installer\8078e.msp
c:\windows\Installer\807ad.msp
c:\windows\Installer\807c1.msp
c:\windows\Installer\807e2.msp
c:\windows\Installer\80801.msp
c:\windows\Installer\80820.msp
c:\windows\Installer\80837.msp
c:\windows\Installer\8085d.msp
c:\windows\Installer\80872.msp
c:\windows\Installer\80891.msp
c:\windows\Installer\808b0.msp
c:\windows\Installer\808c4.msp
c:\windows\Installer\808d7.msp
c:\windows\Installer\9555d55.msp
c:\windows\Installer\977d4.msp
c:\windows\Installer\9a9db6.msi
c:\windows\Installer\d678fdd.msp
c:\windows\Installer\d678ffc.msp
c:\windows\Installer\dbadea.msp
c:\windows\Installer\dbadec.msp
c:\windows\Installer\f0ff.msp
c:\windows\Installer\f60a6c.msi
c:\windows\system\_sv_CMD_
c:\windows\system32\.register
c:\windows\system32\42KJE738.ocx
c:\windows\system32\bszip.dll
c:\windows\system32\Data
c:\windows\system32\drivers\kbiwkmxcppdnut.sys
c:\windows\system32\Drivers\mwhtllv.sys
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\kbiwkmjuuwvsxp.dat
c:\windows\system32\kbiwkmsonkubqp.dll
c:\windows\system32\kbiwkmyeqqvkix.dll
c:\windows\system32\kbiwkmyscbnshq.dat
c:\windows\wpd99.drv
c:\windows\yucca bl .bmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmggplalep
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_kbiwkmggplalep


((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-03 23:38 . 2009-09-03 23:38 -------- d-----w- c:\program files\ERUNT
2009-09-03 17:42 . 2009-09-03 17:42 -------- d-----w- c:\program files\Trend Micro
2009-09-03 01:46 . 2009-09-09 17:12 -------- d-----w- c:\program files\Spybot - SD
2009-09-03 01:29 . 2009-09-03 01:29 1 ----a-w- c:\windows\system32\xd.dat
2009-09-03 01:29 . 2009-09-03 01:29 1 ----a-w- c:\windows\system32\q1.dat
2009-09-03 01:29 . 2009-09-03 01:29 1 ----a-w- c:\windows\system32\jc.dat
2009-09-03 01:29 . 2009-09-03 01:29 1 ----a-w- c:\windows\system32\idm.dat
2009-09-03 01:29 . 2009-09-03 01:29 1 ----a-w- c:\windows\system32\c2d.dat
2009-09-03 00:02 . 2009-09-03 00:02 -------- d-----w- c:\program files\Alwil Software
2009-09-02 22:13 . 2009-09-02 22:18 -------- d-----w- C:\New Folder
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-09-02 16:33 . 2009-09-02 16:33 43008 ----a-w- c:\windows\system32\lupgh.dll
2009-09-01 01:29 . 2009-09-01 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-01 01:29 . 2009-09-01 01:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-01 01:29 . 2009-09-01 01:29 -------- d-----w- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
2009-09-01 01:08 . 2009-09-01 01:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-31 23:56 . 2009-08-31 23:56 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-08-31 23:55 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 23:55 . 2009-08-31 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 23:55 . 2009-08-31 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 23:55 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 23:17 . 2009-08-31 23:17 163840 ----a-w- c:\windows\svchasts.exe
2009-08-28 16:50 . 2009-08-28 16:50 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Symantec
2009-08-28 12:00 . 2009-02-09 12:10 729088 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-28 12:00 . 2008-04-13 18:31 92288 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-27 21:00 . 2009-08-27 21:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-25 23:14 . 2009-08-25 23:14 -------- d-sh--w- c:\documents and settings\Steve\PrivacIE
2009-08-22 12:13 . 2009-08-22 12:13 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-22 12:12 . 2009-08-22 12:12 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 12:12 . 2009-08-22 12:12 -------- d-----w- c:\program files\MSBuild
2009-08-22 12:12 . 2009-08-22 12:12 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 12:10 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 12:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 12:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 12:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 12:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 12:10 . 2009-08-22 12:11 -------- d-----w- C:\24a9688b03843a637992457531
2009-08-22 12:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 12:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 12:01 . 2009-08-22 12:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-21 17:55 . 2009-08-21 17:55 -------- d-sh--w- c:\documents and settings\Steve\IETldCache
2009-08-21 12:09 . 2009-08-21 12:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-21 01:28 . 2009-08-21 01:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Downloaded Installations
2009-08-21 01:24 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-21 01:24 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-21 01:24 . 2009-08-21 01:25 -------- d-----w- c:\windows\ie8updates
2009-08-21 01:23 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-21 01:20 . 2009-08-21 01:23 -------- dc-h--w- c:\windows\ie8
2009-08-20 18:51 . 2009-08-21 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-20 18:50 . 2009-08-20 18:50 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Downloaded Installations
2009-08-20 18:16 . 2009-08-20 18:16 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-08-20 18:10 . 2009-08-20 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-08-20 18:10 . 2009-09-09 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-20 17:50 . 2009-08-20 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-20 17:46 . 2009-08-20 17:46 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-08-12 23:50 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 18:50 . 2009-08-11 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 17:04 . 2007-08-10 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-09 17:02 . 2004-01-08 18:20 -------- d-----w- c:\program files\Lavasoft
2009-09-09 17:02 . 2008-01-18 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-03 16:54 . 2007-08-10 19:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-02 22:44 . 2003-11-20 18:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-02 20:29 . 2003-11-20 18:08 -------- d-----w- c:\program files\Symantec
2009-08-28 17:46 . 2003-10-24 23:35 -------- d-----w- c:\program files\Iomega
2009-08-25 18:53 . 2003-10-13 16:41 110592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-21 18:43 . 2007-01-03 19:35 -------- d-----w- c:\documents and settings\Steve\Application Data\Lasersoft Imaging
2009-08-21 01:27 . 2008-01-29 20:02 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-08-21 01:27 . 2008-01-29 20:01 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-20 18:48 . 2004-02-03 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-20 17:29 . 2007-08-24 00:25 -------- d-----w- c:\documents and settings\Steve\Application Data\Canon
2009-08-19 18:59 . 2003-10-13 16:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-19 18:51 . 2003-10-28 19:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 18:36 . 2003-10-13 16:34 -------- d-----w- c:\program files\Java
2009-08-11 18:51 . 2009-08-04 19:28 -------- d-----w- c:\documents and settings\Steve\Application Data\Sony Corporation
2009-08-05 22:34 . 2008-10-30 20:16 -------- d-----w- c:\documents and settings\Steve\Application Data\Stamps.com Internet Postage
2009-08-05 22:33 . 2008-10-30 20:14 36 ---ha-w- c:\windows\system32\f9t.dat
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:15 . 2009-08-04 19:15 -------- d-----w- c:\program files\Sony
2009-07-25 12:23 . 2009-05-15 19:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-12-08 00:37 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2002-08-29 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-08-29 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2002-08-29 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2002-08-29 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91C2978E-16A0-4133-8C5A-4BF837091848}]
2009-09-02 16:33 43008 ----a-w- c:\windows\SYSTEM32\lupgh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2005-11-16 1200128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-16 147456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Auto EPSON Stylus Photo R300 Series on STEVES-7F67358E"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"WFXSwtch"="c:\progra~1\WinFax\WFXSWTCH.exe" [2002-12-12 28160]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"WinFaxAppPortStarter"="wfxsnt40.exe" - c:\windows\SYSTEM32\WFXSNT40.EXE [2002-12-12 45568]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-07-28 323584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 152952]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-1-15 225280]
Scheduler.lnk - c:\program files\UBS\ImExport\1.3\Schedulr.exe [2003-10-24 715264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-4-16 25214]
EPSON Status Monitor 3 Environment Check(2).lnk - c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE [2003-10-24 135680]
PhotoCAL Startup.lnk - c:\program files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe [2004-4-28 2265088]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064]
TimeCard Manager.LNK - c:\program files\TimeCard Manager\TCM.exe [2003-10-24 1298944]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R3 cvspydr;ColorVision Spyder;c:\windows\system32\DRIVERS\cvspydr.sys [2002-04-16 32896]
R3 i1;eye-one;c:\windows\system32\DRIVERS\i1.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
R3 Sspisd;Sspisd; [x]
R4 Fwlmbiio;Fwlmbiio; [x]
R4 Swocercser;Swocercser;c:\windows\system32\dmadmin.exe [2008-04-14 224768]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2008-04-13 11520]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://smbusiness.dellnet.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: {D1F6E7A7-B655-4F4B-97B8-3609CFE9E0A4} = 68.94.156.1,68.94.157.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\cdfbjaae.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe Type Manager 4.1 - c:\windows\uninst.exe -fc:\program files\Adobe Type Manager\DeIsL1.isu
AddRemove-Spybot - Search & Destroy_is1 - c:\program files\Spybot - Search & Destroy\unins000.exe
AddRemove-WinFax - c:\windows\IsUninst.exe -fc:\program files\WinFax\WFXUNIST.ISU



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 11:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:1e,e2,64,99,f2,99,f3,24,44,e2,54,0a,aa,b5,9d,f2,33,78,e8,26,a2,
3f,df,38,84,35,82,e7,52,22,f6,9c,89,34,3e,94,38,75,7e,e7,28,e8,1f,5b,34,ba,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:1e,e2,64,99,f2,99,f3,24,44,e2,54,0a,aa,b5,9d,f2,33,78,e8,26,a2,
3f,df,38,84,35,82,e7,52,22,f6,9c,89,34,3e,94,38,75,7e,e7,28,e8,1f,5b,34,ba,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\ctmp3.acm
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'explorer.exe'(1028)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-09-09 11:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-09 18:24

Pre-Run: 69,075,775,488 bytes free
Post-Run: 68,143,513,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

342 --- E O F --- 2009-09-02 12:00

 

[psykokid]

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Steve at 11:27:49.10 on Wed 09/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://smbusiness.dellnet.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: MSN helper: {91c2978e-16a0-4133-8c5a-4bf837091848} - lupgh.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\neroph~2\data\xtras\mssysmgr.exe
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [Auto EPSON Stylus Photo R300 Series on STEVES-7F67358E] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p54 "auto epson stylus photo r300 series on steves-7f67358e" /o27 "\\steves-7f67358e\EPSONR300" /M "Stylus Photo R300"
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\documents and settings\steve\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\schedu~1.lnk - c:\program files\ubs\imexport\1.3\Schedulr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photoc~1.lnk - c:\program files\pantone colorvision\photocal\PhotoCAL.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timeca~1.lnk - c:\program files\timecard manager\TCM.exe
mPolicies-explorer: <NO NAME> =
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {3253344D-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpg4sdmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.5854513889
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://www.photogize.com/bponet/PhotogizeImageUploader3.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/activedata/SymAData.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
TCP: {D1F6E7A7-B655-4F4B-97B8-3609CFE9E0A4} = 68.94.156.1,68.94.157.1
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks pro\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\cdfbjaae.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-09-09 11:00 <DIR> a-dshr-- C:\cmdcons
2009-09-09 10:59 230,912 a------- c:\windows\PEV.exe
2009-09-09 10:59 161,792 a------- c:\windows\SWREG.exe
2009-09-09 10:59 98,816 a------- c:\windows\sed.exe
2009-09-03 10:42 <DIR> --d----- c:\program files\Trend Micro
2009-09-02 18:46 <DIR> --d----- c:\program files\Spybot - SD
2009-09-02 18:29 1 a------- c:\windows\system32\xd.dat
2009-09-02 18:29 1 a------- c:\windows\system32\q1.dat
2009-09-02 18:29 1 a------- c:\windows\system32\jc.dat
2009-09-02 18:29 1 a------- c:\windows\system32\idm.dat
2009-09-02 18:29 1 a------- c:\windows\system32\c2d.dat
2009-09-02 15:13 <DIR> --d----- C:\New Folder
2009-09-02 14:12 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-09-02 14:12 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-09-02 14:12 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-09-02 14:12 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-09-02 09:33 43,008 a------- c:\windows\system32\lupgh.dll
2009-09-02 09:33 168 a------- c:\windows\system32\lkgf
2009-08-31 18:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-31 18:29 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-31 18:29 <DIR> --d----- c:\docume~1\steve\applic~1\SUPERAntiSpyware.com
2009-08-31 18:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-31 16:56 <DIR> --d----- c:\docume~1\steve\applic~1\Malwarebytes
2009-08-31 16:55 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 16:55 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-31 16:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 16:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-31 16:17 163,840 a------- c:\windows\svchasts.exe
2009-08-28 05:00 729,088 a------- c:\windows\system32\lsasrv.dll
2009-08-28 05:00 92,288 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-25 16:14 <DIR> --dsh--- c:\documents and settings\steve\PrivacIE
2009-08-22 13:30 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-22 05:12 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-22 05:10 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 05:10 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-22 05:10 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 05:10 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-22 05:10 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 05:10 <DIR> --d----- C:\24a9688b03843a637992457531
2009-08-22 05:10 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-22 05:10 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 10:55 <DIR> --dsh--- c:\documents and settings\steve\IETldCache
2009-08-20 18:24 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-08-20 18:24 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-08-20 18:24 <DIR> --d----- c:\windows\ie8updates
2009-08-20 18:23 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-08-20 18:20 <DIR> -cd-h--- c:\windows\ie8
2009-08-20 11:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-20 11:16 <DIR> --d----- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-08-20 11:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-08-20 11:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-20 10:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-20 10:46 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-08-12 16:50 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 16:50 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-11 11:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sony Corporation

==================== Find3M ====================

2009-08-20 18:27 107,368 a----r-- c:\windows\system32\GEARAspi.dll
2009-08-20 18:27 26,600 a----r-- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 10:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 10:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 10:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 09:12 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-06-29 04:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 05:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2008-01-29 15:10 110,232 a------- c:\docume~1\steve\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 11:28:02.23 ===============

 

[psykokid]

file attached zipped and attached

 

[Blade81]

Hi again,

Upload following file to http://www.virustotal.com and post back link to the results:
c:\windows\system32\dmadmin.exe

Open notepad and copy/paste the text in the quotebox below into it:

http://forums.spybot.info/showthread.php?p=335005#post335005
Driver::
Sspisd
Fwlmbiio
Collect::
c:\windows\system32\xd.dat
c:\windows\system32\q1.dat
c:\windows\system32\jc.dat
c:\windows\system32\idm.dat
c:\windows\system32\c2d.dat
c:\windows\system32\lupgh.dll
c:\windows\system32\lkgf
c:\windows\svchasts.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=-
DDS::
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: MSN helper: {91c2978e-16a0-4133-8c5a-4bf837091848} - lupgh.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

 

[psykokid]

http://www.virustotal.com/analisis/...e1c7f8a803f34c5628cb2bbfd008f9881b-1252374235

 

[psykokid]

ComboFix 09-09-09.09 - Steve 09/10/2009 10:00.2.2 - NTFSx86 NETWORK
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steve\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point

file zipped: c:\windows\svchasts.exe
file zipped: c:\windows\system32\c2d.dat
file zipped: c:\windows\system32\idm.dat
file zipped: c:\windows\system32\jc.dat
file zipped: c:\windows\system32\lkgf
file zipped: c:\windows\system32\lupgh.dll
file zipped: c:\windows\system32\q1.dat
file zipped: c:\windows\system32\xd.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\svchasts.exe
c:\windows\system32\c2d.dat
c:\windows\system32\idm.dat
c:\windows\system32\jc.dat
c:\windows\system32\lkgf
c:\windows\system32\lupgh.dll
c:\windows\system32\q1.dat
c:\windows\system32\xd.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Fwlmbiio
-------\Service_Sspisd


((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-03 23:38 . 2009-09-03 23:38 -------- d-----w- c:\program files\ERUNT
2009-09-03 17:42 . 2009-09-03 17:42 -------- d-----w- c:\program files\Trend Micro
2009-09-03 01:46 . 2009-09-09 17:12 -------- d-----w- c:\program files\Spybot - SD
2009-09-03 00:02 . 2009-09-03 00:02 -------- d-----w- c:\program files\Alwil Software
2009-09-02 22:13 . 2009-09-02 22:18 -------- d-----w- C:\New Folder
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-09-02 21:12 . 2009-09-02 21:12 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-09-01 01:29 . 2009-09-01 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-01 01:29 . 2009-09-01 01:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-01 01:29 . 2009-09-01 01:29 -------- d-----w- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
2009-09-01 01:08 . 2009-09-01 01:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-31 23:56 . 2009-08-31 23:56 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2009-08-31 23:55 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 23:55 . 2009-08-31 23:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 23:55 . 2009-08-31 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 23:55 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 16:50 . 2009-08-28 16:50 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Symantec
2009-08-28 12:00 . 2009-02-09 12:10 729088 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-28 12:00 . 2008-04-13 18:31 92288 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-27 21:00 . 2009-08-27 21:00 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-25 23:14 . 2009-08-25 23:14 -------- d-sh--w- c:\documents and settings\Steve\PrivacIE
2009-08-22 12:13 . 2009-08-22 12:13 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-08-22 12:12 . 2009-08-22 12:12 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-22 12:12 . 2009-08-22 12:12 -------- d-----w- c:\program files\MSBuild
2009-08-22 12:12 . 2009-08-22 12:12 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 12:10 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 12:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-22 12:10 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 12:10 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-22 12:10 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 12:10 . 2009-08-22 12:11 -------- d-----w- C:\24a9688b03843a637992457531
2009-08-22 12:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-22 12:10 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-22 12:01 . 2009-08-22 12:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-21 17:55 . 2009-08-21 17:55 -------- d-sh--w- c:\documents and settings\Steve\IETldCache
2009-08-21 12:09 . 2009-08-21 12:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-21 01:28 . 2009-08-21 01:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Downloaded Installations
2009-08-21 01:24 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-21 01:24 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-21 01:24 . 2009-08-21 01:25 -------- d-----w- c:\windows\ie8updates
2009-08-21 01:23 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-21 01:20 . 2009-08-21 01:23 -------- dc-h--w- c:\windows\ie8
2009-08-20 18:51 . 2009-08-21 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-20 18:50 . 2009-08-20 18:50 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Downloaded Installations
2009-08-20 18:16 . 2009-08-20 18:16 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-08-20 18:10 . 2009-08-20 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-08-20 18:10 . 2009-09-09 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-20 17:50 . 2009-08-20 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-20 17:46 . 2009-08-20 17:46 -------- d-----w- c:\documents and settings\All Users\Symantec Temporary Files
2009-08-12 23:50 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 18:50 . 2009-08-11 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 17:04 . 2007-08-10 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-09 17:02 . 2004-01-08 18:20 -------- d-----w- c:\program files\Lavasoft
2009-09-09 17:02 . 2008-01-18 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-03 16:54 . 2007-08-10 19:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-02 22:44 . 2003-11-20 18:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-02 20:29 . 2003-11-20 18:08 -------- d-----w- c:\program files\Symantec
2009-08-28 17:46 . 2003-10-24 23:35 -------- d-----w- c:\program files\Iomega
2009-08-25 18:53 . 2003-10-13 16:41 110592 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-21 18:43 . 2007-01-03 19:35 -------- d-----w- c:\documents and settings\Steve\Application Data\Lasersoft Imaging
2009-08-21 01:27 . 2008-01-29 20:02 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2009-08-21 01:27 . 2008-01-29 20:01 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-20 18:48 . 2004-02-03 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-20 17:29 . 2007-08-24 00:25 -------- d-----w- c:\documents and settings\Steve\Application Data\Canon
2009-08-19 18:59 . 2003-10-13 16:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-19 18:51 . 2003-10-28 19:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 18:36 . 2003-10-13 16:34 -------- d-----w- c:\program files\Java
2009-08-11 18:51 . 2009-08-04 19:28 -------- d-----w- c:\documents and settings\Steve\Application Data\Sony Corporation
2009-08-05 22:34 . 2008-10-30 20:16 -------- d-----w- c:\documents and settings\Steve\Application Data\Stamps.com Internet Postage
2009-08-05 22:33 . 2008-10-30 20:14 36 ---ha-w- c:\windows\system32\f9t.dat
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:15 . 2009-08-04 19:15 -------- d-----w- c:\program files\Sony
2009-07-25 12:23 . 2009-05-15 19:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2004-08-04 07:56 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-12-08 00:37 915456 ------w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2002-08-29 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2002-08-29 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2005-11-16 1200128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-16 147456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Auto EPSON Stylus Photo R300 Series on STEVES-7F67358E"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"WFXSwtch"="c:\progra~1\WinFax\WFXSWTCH.exe" [2002-12-12 28160]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"WinFaxAppPortStarter"="wfxsnt40.exe" - c:\windows\SYSTEM32\WFXSNT40.EXE [2002-12-12 45568]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-07-28 323584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2008-02-21 152952]

c:\documents and settings\Steve\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2004-1-15 225280]
Scheduler.lnk - c:\program files\UBS\ImExport\1.3\Schedulr.exe [2003-10-24 715264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2005-4-16 25214]
EPSON Status Monitor 3 Environment Check(2).lnk - c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE [2003-10-24 135680]
PhotoCAL Startup.lnk - c:\program files\PANTONE COLORVISION\PhotoCAL\PhotoCAL.exe [2004-4-28 2265088]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-2-27 972064]
TimeCard Manager.LNK - c:\program files\TimeCard Manager\TCM.exe [2003-10-24 1298944]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R3 cvspydr;ColorVision Spyder;c:\windows\system32\DRIVERS\cvspydr.sys [2002-04-16 32896]
R3 i1;eye-one;c:\windows\system32\DRIVERS\i1.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-08-05 7408]
R4 Swocercser;Swocercser;c:\windows\system32\dmadmin.exe [2008-04-14 224768]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-08-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-08-05 74480]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\DRIVERS\scsiscan.sys [2008-04-13 11520]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://smbusiness.dellnet.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: aol.com\free
TCP: {D1F6E7A7-B655-4F4B-97B8-3609CFE9E0A4} = 68.94.156.1,68.94.157.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\cdfbjaae.default\
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 10:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:1e,e2,64,99,f2,99,f3,24,44,e2,54,0a,aa,b5,9d,f2,33,78,e8,26,a2,
3f,df,38,84,35,82,e7,52,22,f6,9c,89,34,3e,94,38,75,7e,e7,28,e8,1f,5b,34,ba,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:1e,e2,64,99,f2,99,f3,24,44,e2,54,0a,aa,b5,9d,f2,33,78,e8,26,a2,
3f,df,38,84,35,82,e7,52,22,f6,9c,89,34,3e,94,38,75,7e,e7,28,e8,1f,5b,34,ba,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\ctmp3.acm
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'explorer.exe'(2012)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\MI3AA1~1\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-09-10 10:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-10 17:21
ComboFix2.txt 2009-09-09 18:24

Pre-Run: 68,164,169,728 bytes free
Post-Run: 68,112,486,400 bytes free

257 --- E O F --- 2009-09-02 12:00

 

[psykokid]

Prevous steps have been completed up to the kaspersky online scan which is running at the moment. Since the first run of combofix a new popup keeps coming up and disappearing. It is a message from Outlook Express stating " To free up disk space Outlook Express can compact messages. This may take a few minutes." With the standard Ok and Cancel buttons. It pops up about once every 15 seconds and goes away after about 5 seconds with no input. We do not use outlook express on this computer so i find that odd..

 

[Blade81]

Hi,

There's discussion of same problem here. It was mentioned that for example Nero Scout may trigger that. Do you have it installed? It comes with Nero Suite and at least that seems to be installed.

I haven't heard of any case in which ComboFix would had triggered Outlook Express to show that kind of messages.

 

[psykokid]

ok, thanks for the link, i'll check that out. Kaspersky is still running the scan, as soon as its completed i will post the log and a fresh DDS log as well. Thanks for all of your help.

 

[psykokid]

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, September 10, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 10, 2009 19:22:48
Records in database: 2771005
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Z:\

Scan statistics:
Objects scanned: 293297
Threats found: 4
Infected objects found: 9
Suspicious objects found: 0
Scan duration: 04:13:54


File name / Threat / Threats count
C:\Documents and Settings\Steve\Desktop\requested-files[2009-09-03_10_39].cab Infected: Packed.Win32.TDSS.z 3
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\kbiwkmxcppdnut.sys.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kbiwkmsonkubqp.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kbiwkmyeqqvkix.dll.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-10_09.59.27.zip Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.jy 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-10_09.59.27.zip Infected: Trojan-Downloader.Win32.BHlw 1
Z:\RECYCLER\INFO.exe Infected: Virus.Win32.Small.r 1

Selected area has been scanned.

 

[psykokid]

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Steve at 15:04:37.73 on Thu 09/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://smbusiness.dellnet.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\neroph~2\data\xtras\mssysmgr.exe
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [Auto EPSON Stylus Photo R300 Series on STEVES-7F67358E] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2f1.exe /p54 "auto epson stylus photo r300 series on steves-7f67358e" /o27 "\\steves-7f67358e\EPSONR300" /M "Stylus Photo R300"
mRun: [WinFaxAppPortStarter] wfxsnt40.exe
mRun: [WFXSwtch] c:\progra~1\winfax\WFXSWTCH.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\documents and settings\steve\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\schedu~1.lnk - c:\program files\ubs\imexport\1.3\Schedulr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photoc~1.lnk - c:\program files\pantone colorvision\photocal\PhotoCAL.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timeca~1.lnk - c:\program files\timecard manager\TCM.exe
mPolicies-explorer: <NO NAME> =
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
Trusted Zone: aol.com\free
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {3253344D-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/mpg4sdmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37919.5854513889
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://www.photogize.com/bponet/PhotogizeImageUploader3.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxps://www-secure.symantec.com/techsupp/activedata/SymAData.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
TCP: {D1F6E7A7-B655-4F4B-97B8-3609CFE9E0A4} = 68.94.156.1,68.94.157.1
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks pro\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: WinFax PRO IShellExecuteHook: {a213b520-c6c2-11d0-af9d-008029e1027e} - c:\program files\winfax\WfxSeh32.Dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\cdfbjaae.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-09-09 11:00 <DIR> a-dshr-- C:\cmdcons
2009-09-09 10:59 230,912 a------- c:\windows\PEV.exe
2009-09-09 10:59 161,792 a------- c:\windows\SWREG.exe
2009-09-09 10:59 98,816 a------- c:\windows\sed.exe
2009-09-03 10:42 <DIR> --d----- c:\program files\Trend Micro
2009-09-02 18:46 <DIR> --d----- c:\program files\Spybot - SD
2009-09-02 15:13 <DIR> --d----- C:\New Folder
2009-09-02 14:12 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-09-02 14:12 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-09-02 14:12 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-09-02 14:12 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-31 18:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-31 18:29 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-31 18:29 <DIR> --d----- c:\docume~1\steve\applic~1\SUPERAntiSpyware.com
2009-08-31 18:08 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-08-31 16:56 <DIR> --d----- c:\docume~1\steve\applic~1\Malwarebytes
2009-08-31 16:55 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 16:55 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-31 16:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 16:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-28 05:00 729,088 a------- c:\windows\system32\lsasrv.dll
2009-08-28 05:00 92,288 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-25 16:14 <DIR> --dsh--- c:\documents and settings\steve\PrivacIE
2009-08-22 13:30 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-22 05:12 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-22 05:10 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-22 05:10 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-22 05:10 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-22 05:10 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-22 05:10 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-22 05:10 <DIR> --d----- C:\24a9688b03843a637992457531
2009-08-22 05:10 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-22 05:10 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 10:55 <DIR> --dsh--- c:\documents and settings\steve\IETldCache
2009-08-20 18:24 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-08-20 18:24 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-08-20 18:24 <DIR> --d----- c:\windows\ie8updates
2009-08-20 18:23 101,376 -------- c:\windows\system32\dllcache\iecompat.dll
2009-08-20 18:20 <DIR> -cd-h--- c:\windows\ie8
2009-08-20 11:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-08-20 11:16 <DIR> --d----- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-08-20 11:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-08-20 11:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-08-20 10:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-08-20 10:46 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-08-12 16:50 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 16:50 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-20 18:27 107,368 a----r-- c:\windows\system32\GEARAspi.dll
2009-08-20 18:27 26,600 a----r-- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 10:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 10:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 10:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-29 09:12 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-06-29 04:07 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2008-01-29 15:10 110,232 a------- c:\docume~1\steve\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 15:05:46.45 ===============