Malwarebytes

Major Help Needed - Malwarebytes Scans for 2 Sec & Stops!

35 replies to this topic

#1
JonX

    Regular Member

  • Honorary Members
  • 79 posts
Recently, I made the dumb mistake of taking OFF IP protection and leaving my PC unattended, and woke up to a barrage of pop-ups and the program "Advanced Anti Virus" giving me fake scan information.

I restarted the computer in safe mode and came to realize I am NOT allowed to open Malwarebytes! The icon on the desktop is CHANGED:

[screenshot]

and whenever I click it, it says this:

[screenshot]

This has never happened and it's obvious there's a HUGE problem here.

I got the FREE version of Malwarebytes on a thumb drive and tried running it so I could scan my C: drive. It opened, then it started to scan, but after only 2 seconds, the program shut down! I also tried opening the freeware program "Super Anti Spyware" and it found LOTS of stuff, but in the middle of the scan, the program shut down!

Can anyone help? :P

#2
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Hi and Welcome to the Malwarebytes' forum.

You have some sort of self-protecting infection so let's first see if the following helps -

Please download ATF Cleaner by Atribune
  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingc...opic114351.html

Next, please perform a rootkit scan:
  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), copy the quick scan report to the Windows clipboard and paste it in a reply back here.
  • Now, relaunch the ARK program (wait for the quick scan to complete), then click the Rootkit/Malware tab, and select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
  • Exit the Program
  • Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.

Note: If the longer scan hangs, then just post back the ARK quick scan report only.

Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as firefox.exe

Notes:
  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
  • If you use Firefox, you may have to modify your browser settings so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:
http://www.bleepingc...to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingc...opic114351.html

Also, disable your firewall!
You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
1. Double click on the renamed combofix.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply

Note: Do not mouse-click Combofix's window while it is running. That may cause your system to stall/hang.

Please post back Ark.txt and C:\ComboFix.txt in your next reply.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#3
JonX

    Regular Member

  • Honorary Members
  • 79 posts
Here is the "Quick" scan you were talking about.

GMER 1.0.15.15077 [fll22q8t.exe] - http://www.gmer.net
Rootkit quick scan 2009-09-08 02:53:08
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 862AD828 ZwEnumerateKey
Code 86CB36D8 ZwFlushInstructionCache
Code 86CC16D6 ZwSaveKey
Code 86CB76D6 ZwSaveKeyEx
Code 86CCA6D6 IofCallDriver
Code 87129E7E IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8736A1F8
Device \FileSystem\Fastfat \Fat 85F731F8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#4
JonX

    Regular Member

  • Honorary Members
  • 79 posts
I ran the Rootkit program without my IP protection on and the "quick" scan came up with this:

GMER 1.0.15.15077 [fll22q8t.exe] - http://www.gmer.net
Rootkit quick scan 2009-09-08 07:03:05
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 87236210 ZwEnumerateKey
Code 864607E0 ZwFlushInstructionCache
Code 87148BAE ZwSaveKey
Code 8732315E ZwSaveKeyEx
Code 862B781E IofCallDriver
Code 86CB46D6 IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8736B1F8

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\vsfoceumnthemd.sys (*** hidden *** ) [SYSTEM] vsfoceuxtoqxrx <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

The bottom line (vsfoc...) was in red text.

#5
JonX

    Regular Member

  • Honorary Members
  • 79 posts
I was having MAJOR trouble doing the "full" scan of that first program in the ARK folder. I ended up scanning in Safe Mode and it ended with this scan:

GMER 1.0.15.15077 [fll22q8t.exe] - http://www.gmer.net
Rootkit scan 2009-09-08 15:11:12
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

INT 0x62 ? 873DCBF8
INT 0x73 ? 87227F00
INT 0x83 ? 8736BBF8
INT 0xB4 ? 87227F00

Code 871DA418 ZwEnumerateKey
Code 872470B8 ZwFlushInstructionCache
Code 871D109E ZwSaveKey
Code 872C00A6 ZwSaveKeyEx
Code 871D2D8E IofCallDriver
Code 87301E66 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

? spsr.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F71268AC 5 Bytes JMP 872274E0
.text win32k.sys!EngFreeMem + 4134 BF85FA00 21 Bytes [20, C7, 01, 00, 00, 00, 00, ...]
.text win32k.sys!EngFreeMem + 414B BF85FA17 6 Bytes [8B, CB, E8, 69, C4, FF]
.text win32k.sys!EngFreeMem + 4152 BF85FA1E 57 Bytes [85, C0, 75, 32, 8B, 45, 28, ...]
.text win32k.sys!EngFreeMem + 418C BF85FA58 39 Bytes [C0, 74, C7, 8B, 7D, 28, 8B, ...]
.text win32k.sys!EngFreeMem + 41B4 BF85FA80 44 Bytes [FF, 8B, D3, 8B, CE, E8, 16, ...]
.text ...
.text win32k.sys!XFORMOBJ_iGetXform BF86A8BF 22 Bytes [8B, FF, 55, 8B, EC, 56, 8B, ...]
.text win32k.sys!XFORMOBJ_iGetXform + 17 BF86A8D6 32 Bytes CALL BF86A70F \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!XFORMOBJ_iGetXform + 38 BF86A8F7 11 Bytes [6A, 03, 58, EB, F6, 90, 90, ...]
.text win32k.sys!FONTOBJ_pxoGetXform + 2 BF86A903 21 Bytes [55, 8B, EC, 8B, 45, 08, 05, ...]
.text win32k.sys!FONTOBJ_pxoGetXform + 18 BF86A919 9 Bytes [55, 8B, EC, 51, 51, 8D, 45, ...] {PUSH EBP; MOV EBP, ESP; PUSH ECX; PUSH ECX; LEA EAX, [EBP-0x8]; PUSH EAX}
.text win32k.sys!FONTOBJ_pxoGetXform + 22 BF86A923 176 Bytes CALL BF80F2E5 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FONTOBJ_pxoGetXform + D3 BF86A9D4 5 Bytes [0F, B7, C0, 40, 8D]
.text win32k.sys!FONTOBJ_pxoGetXform + D9 BF86A9DA 33 Bytes [40, D1, E0, 39, 45, 0C, 1B, ...]
.text ...
.text win32k.sys!STROBJ_vEnumStart + 1B BF86FC53 69 Bytes [55, 8B, EC, 8B, C1, 8B, 4D, ...]
.text win32k.sys!STROBJ_vEnumStart + 61 BF86FC99 7 Bytes [57, 53, FF, 76, 08, 53, 53] {PUSH EDI; PUSH EBX; PUSH DWORD [ESI+0x8]; PUSH EBX; PUSH EBX}
.text win32k.sys!STROBJ_vEnumStart + 69 BF86FCA1 73 Bytes [75, FC, FF, 55, F8, 83, C7, ...]
.text win32k.sys!STROBJ_vEnumStart + B3 BF86FCEB 17 Bytes [5E, 04, 74, BC, FF, 4E, 10, ...] {POP ESI; ADD AL, 0x74; MOV ESP, 0x79104eff; ADD AL, 0x5e; POP EBX; LEAVE ; RET ; MOV EAX, [ESI+0xc]; PUSH EBX}
.text win32k.sys!STROBJ_vEnumStart + C5 BF86FCFD 4 Bytes [30, 8B, 46, 10]
.text ...
.text win32k.sys!EngTextOut + 1B BF87038A 35 Bytes [FF, 8B, 45, 18, 89, 85, 8C, ...]
.text win32k.sys!EngTextOut + 41 BF8703B0 14 Bytes [45, 28, 53, 8B, 5D, 0C, 56, ...]
.text win32k.sys!EngTextOut + 50 BF8703BF 37 Bytes [FF, 33, C0, 57, 8B, 7D, 10, ...]
.text win32k.sys!EngTextOut + 76 BF8703E5 5 Bytes [53, 89, B5, 74, FB]
.text win32k.sys!EngTextOut + 7C BF8703EB 17 Bytes [FF, 89, BD, CC, FB, FF, FF, ...]
.text ...
.text win32k.sys!XLATEOBJ_iXlate + 67 BF8717AC 90 Bytes [8B, 76, 28, 8B, 4E, 14, 33, ...]
.text win32k.sys!XLATEOBJ_iXlate + C2 BF871807 62 Bytes [60, 5F, 5E, 5B, C9, C2, 04, ...]
.text win32k.sys!XLATEOBJ_iXlate + 101 BF871846 6 Bytes [56, 14, C1, F8, 03, 03] {PUSH ESI; ADC AL, 0xc1; CLC ; ADD EAX, [EBX]}
.text win32k.sys!XLATEOBJ_iXlate + 108 BF87184D 16 Bytes [08, 89, 55, F0, 8B, 56, 2C, ...] {OR [ECX+0x568bf055], CL; SUB AL, 0x89; PUSH EBP; OR [EBX+0x458907e2], AL; HLT }
.text win32k.sys!XLATEOBJ_iXlate + 119 BF87185E 109 Bytes [4D, EC, 89, 45, FC, 89, 4D, ...]
.text ...
.text win32k.sys!EngStretchBltROP + 28 BF87406F 10 Bytes [CC, CC, 00, 00, 89, 4D, F0, ...] {INT 3 ; INT 3 ; ADD [EAX], AL; MOV [EBP-0x10], ECX; MOV [EBP-0xc], EAX}
.text win32k.sys!EngStretchBltROP + 33 BF87407A 11 Bytes [85, AF, 00, 00, 00, 8B, 71, ...] {TEST [EDI-0x75000000], EBP; JNO 0x24; MOV EDX, [EAX+0x1c]}
.text win32k.sys!EngStretchBltROP + 3F BF874086 49 Bytes [41, 38, 8B, 49, 48, 83, E1, ...]
.text win32k.sys!EngStretchBltROP + 71 BF8740B8 105 Bytes [75, 24, 1B, FF, FF, 75, 20, ...]
.text win32k.sys!EngStretchBltROP + DB BF874122 6 Bytes [C7, 45, 38, E1, 51, 87]
.text ...
.text win32k.sys!EngStretchBlt + A BF8751EB 74 Bytes [00, 83, 7D, 30, 00, 53, 56, ...]
.text win32k.sys!EngStretchBlt + 56 BF875237 4 Bytes [56, FD, FF, FF]
.text win32k.sys!EngStretchBlt + 5B BF87523C 148 Bytes [F9, 08, 0F, 84, 4D, FD, FF, ...]
.text win32k.sys!EngStretchBlt + F0 BF8752D1 17 Bytes [8B, 45, 18, 33, FF, 3B, C7, ...]
.text win32k.sys!EngStretchBlt + 102 BF8752E3 35 Bytes [FF, 89, 7D, D0, 83, 7D, 30, ...]
.text ...
.text win32k.sys!EngCreatePalette + 97 BF879511 55 Bytes [F6, 41, 1E, 40, 8B, 45, 0C, ...]
.text win32k.sys!EngCreatePalette + CF BF879549 18 Bytes CALL BF884A3E \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreatePalette + E4 BF87955E 17 Bytes [6A, 01, 80, C9, 04, 56, 88, ...]
.text win32k.sys!EngCreatePalette + F6 BF879570 24 Bytes CALL BF8F502E \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreatePalette + 110 BF87958A 180 Bytes CALL BF92E05C \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[552] USER32.dll!CallNextHookEx + 148 7E41EC2B 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\35FAAE90.x86.dll
.text C:\WINDOWS\system32\svchost.exe[552] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\35FAAE90.x86.dll
.text C:\WINDOWS\system32\svchost.exe[552] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\35FAAE90.x86.dll
UPX1 C:\WINDOWS\system32\drivers\smss.exe[788] C:\WINDOWS\system32\drivers\smss.exe entry point in "UPX1" section [0x004186B0]
.text C:\WINDOWS\explorer.exe[1488] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\35FAAE90.x86.dll
.text C:\WINDOWS\explorer.exe[1488] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\35FAAE90.x86.dll
.text C:\WINDOWS\explorer.exe[1488] USER32.dll!CallNextHookEx + 148 7E41EC2B 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\35FAAE90.x86.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8736E2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7398C4C] spsr.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7398CA0] spsr.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7368040] spsr.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F736813C] spsr.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73680BE] spsr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73687FC] spsr.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73686D2] spsr.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 872275E0

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\svchost.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\35FAAE90.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[552] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\35FAAE90.x86.dll
IAT C:\WINDOWS\explorer.exe[1488] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\35FAAE90.x86.dll
IAT C:\WINDOWS\explorer.exe[1488] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\35FAAE90.x86.dll

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\35FAAE90.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [552] 0x35670000
Library \\?\globalroot\systemroot\system32\vsfocexssvpwpa.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [1488] 0x10000000
Library \\?\globalroot\Device\__max++>\35FAAE90.x86.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [1488] 0x35670000


---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\vsfoceumnthemd.sys (*** hidden *** ) [SYSTEM] vsfoceuxtoqxrx <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

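The full GMER log above spreads its signal over several sections. As an added example, not GMER output and not code from this thread, here is a Python triage pass over a handful of lines copied from that log: it follows the ---- section ---- headers, pulls out hidden objects and GMER's own ROOTKIT verdict, notes packed images and modules GMER could not find on disk, and rates hooks whose owner GMER could only name as a raw device path (\\?\globalroot\Device\...) above hooks owned by a named driver such as spsr.sys, which still need a human to confirm what installed it. The severity levels, section names and classification rules are this script's own assumptions.

```python
import re
from collections import Counter

# Sample lines copied from the GMER log posted above (one or two of each
# kind, trimmed to keep the script short). The triage rules below are an
# added illustration and are not GMER's own logic.
SAMPLE_LOG = r"""GMER 1.0.15.15077 [fll22q8t.exe] - http://www.gmer.net
Rootkit scan 2009-09-08 15:11:12
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.15 ----

? spsr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\explorer.exe[1488] USER32.dll!CallNextHookEx + 148 7E41EC2B 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\35FAAE90.x86.dll
UPX1 C:\WINDOWS\system32\drivers\smss.exe[788] C:\WINDOWS\system32\drivers\smss.exe entry point in "UPX1" section [0x004186B0]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8736E2D8
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7368040] spsr.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\explorer.exe[1488] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\35FAAE90.x86.dll

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\vsfocexssvpwpa.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [1488] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\vsfoceumnthemd.sys (*** hidden *** ) [SYSTEM] vsfoceuxtoqxrx <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
HOST_RE = re.compile(r"@ (?P<proc>.+?) \[(?P<pid>\d+)\]")   # "... @ C:\...\explorer.exe [1488]"
HEX_ADDR_RE = re.compile(r"[0-9A-F]{8}")
HOOK_SECTIONS = {"User code sections", "User IAT/EAT", "Kernel IAT/EAT"}


def hook_target(line):
    # The last token of a .text/IAT line is the module GMER resolved the hook
    # destination to; when it printed only a bare address there is no owner.
    last = line.split()[-1]
    return None if HEX_ADDR_RE.fullmatch(last) else last


def module_severity(module):
    # An owner that exists only as a raw device object path (no file-system
    # path GMER could name) is the strongest signal this log format gives.
    # Any other owner (e.g. a bare driver name) still needs a human check.
    return "HIGH" if "globalroot\\Device\\" in module else "MEDIUM"


def triage(log_text):
    """Walk a GMER log; return one dict per finding (section, kind, severity)."""
    findings, section = [], "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        entry = {"section": section, "line": line}
        if "(*** hidden *** )" in line or "<-- ROOTKIT" in line:
            host = HOST_RE.search(line)
            entry.update(severity="HIGH",
                         kind="verdict" if "<-- ROOTKIT" in line else "hidden",
                         what=line.split(" (*** hidden")[0],
                         host=host["proc"] if host else None)
        elif "entry point in" in line:          # packed image, worth a look
            entry.update(severity="MEDIUM", kind="packed", what=line.split()[1])
        elif line.startswith("? "):             # module GMER could not find on disk
            entry.update(severity="MEDIUM", kind="missing", what=line.split()[1])
        elif section in HOOK_SECTIONS and line.startswith((".text", "IAT")):
            target = hook_target(line)
            if target is None:
                continue
            entry.update(severity=module_severity(target), kind="hook", target=target)
        else:
            continue                            # kernel .text patches need symbol work
        findings.append(entry)
    return findings


def summarize(findings):
    """Counts per severity plus the distinct hook owners, for a quick read."""
    counts = Counter(f["severity"] for f in findings)
    owners = sorted({f["target"] for f in findings if f["kind"] == "hook"})
    return dict(counts), owners
```

Run triage(SAMPLE_LOG) and summarize(...) on the sample; on the posted log the same two hook owners come back, with the globalroot DLL rated HIGH in every process it is hooked into.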
#6
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
That scan report was helpful.

Before proceeding with Combofix - please do the following, and post back the logs. After I inspect the logs, and give you additional instructions in my next reply, we can run Combofix as I instructed:

Please save this file to your desktop.
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents here.

Open a command prompt by doing the following:
  • Click Start -> Run
  • type cmd
  • Hit Enter
  • Copy and paste the following onto the command line:
    REG QUERY HKLM\SYSTEM\select > C:\CCS.txt && notepad C:\CCS.txt
  • Then hit Enter
  • Post back the log that opens (C:\CCS.txt)
I need to see these logs please:
  • Win32kDiag.txt
  • CCS.txt

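Win32kDiag's log, as posted in the reply that follows, reports each junction it finds as a "Found mount point" / "Mount point destination" / "Removing mount point" triple. As an added example, not part of the tool or of this thread, this Python parser pairs those lines, groups the junctions by destination, and flags the two things a reviewer would look for in that log: a destination that is a raw \Device\... object rather than a volume path, and a junction named after its own parent directory (the C:\WINDOWS\addins\addins shape). The sample mixes two triples copied from the posted log with one constructed benign junction; both checks are heuristics of this script, not Win32kDiag's.

```python
import re
from collections import defaultdict

# Constructed sample in Win32kDiag's format: the first two triples are
# copied from the log posted in the thread, the third is an invented
# ordinary junction (constructed) so the benign path is exercised too.
SAMPLE = r"""Log file is located at: C:\Documents and Settings\user\Desktop\Win32kDiag.txt

Removing all found mount points.

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB932823-v3\KB932823-v3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932823-v3\KB932823-v3

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\Data\Projects

Mount point destination : \??\D:\Projects

Removing mount point : C:\Data\Projects
"""

FOUND_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
REMOVED_RE = re.compile(r"^Removing mount point : (.+)$")


def parse_mount_points(text):
    # Each junction is reported as a Found / destination / Removing triple;
    # attach the destination and removal lines to the Found line before them.
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := FOUND_RE.match(line):
            current = {"path": m.group(1), "destination": None, "removed": False}
            entries.append(current)
        elif (m := DEST_RE.match(line)) and current:
            current["destination"] = m.group(1)
        elif (m := REMOVED_RE.match(line)) and current and m.group(1) == current["path"]:
            current["removed"] = True
    return entries


def self_named(path):
    # True when the junction's own name repeats its parent directory's name,
    # the ...\addins\addins shape every entry in the posted log has.
    parts = path.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def non_volume_destination(dest):
    # Heuristic: junctions created by normal tooling resolve to a volume path
    # (\??\C:\... or \??\Volume{...}); a bare \Device\... object is unusual.
    return dest is None or not dest.startswith("\\??\\")


def assess(entries):
    # Group junctions by destination and list the ones matching either
    # heuristic, with the reasons, so a reviewer sees the pattern at a glance.
    by_dest, suspicious = defaultdict(list), []
    for e in entries:
        by_dest[e["destination"]].append(e["path"])
        reasons = []
        if non_volume_destination(e["destination"]):
            reasons.append("non-volume destination")
        if self_named(e["path"]):
            reasons.append("self-named junction")
        if reasons:
            suspicious.append((e["path"], e["destination"], reasons))
    return dict(by_dest), suspicious
```

On the posted log every junction lands in one destination bucket and trips both heuristics, which is the pattern the helper is looking for before moving on to Combofix.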
#7
JonX

    Regular Member

  • Honorary Members
  • 79 posts
Here is the "Win32kDiag.txt"

Log file is located at: C:\Documents and Settings\user\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB932823-v3\KB932823-v3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932823-v3\KB932823-v3

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB936021\KB936021

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB936021\KB936021

Found mount point : C:\WINDOWS\$hf_mig$\KB938828\KB938828

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB938828\KB938828

Found mount point : C:\WINDOWS\$hf_mig$\KB941202\KB941202

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941202\KB941202

Found mount point : C:\WINDOWS\$hf_mig$\KB941693\KB941693

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941693\KB941693

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943485\KB943485

Found mount point : C:\WINDOWS\$hf_mig$\KB945553\KB945553

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB945553\KB945553

Found mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB948590\KB948590

Found mount point : C:\WINDOWS\$hf_mig$\KB950759-IE7\KB950759-IE7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB950759-IE7\KB950759-IE7

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ftpcache\ftpcache

Found mount point : C:\WINDOWS\Help\tours\mmtour\mmtour

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Help\tours\mmtour\mmtour

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\Mіcrosoft\Mіcrosoft

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Mіcrosoft\Mіcrosoft

Found mount point : C:\WINDOWS\PCHealth\uploadlb\binaries\binaries

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PCHealth\uploadlb\binaries\binaries

Found mount point : C:\WINDOWS\PeerNet\PeerNet

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PeerNet\PeerNet

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Found mount point : C:\WINDOWS\srchasst\srchasst

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\srchasst\srchasst

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1033\1033

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1033\1033

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1123561945-1715567821-1801674531-1001\S-1-5-21-1123561945-1715567821-1801674531-1001

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1123561945-1715567821-1801674531-1001\S-1-5-21-1123561945-1715567821-1801674531-1001

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\SSWQ3H24\SSWQ3H24

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\SSWQ3H24\SSWQ3H24

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\DSVGMTB3\ak.c.ooyala.com\ak.c.ooyala.com

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\DSVGMTB3\ak.c.ooyala.com\ak.c.ooyala.com

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\DSVGMTB3\as1.suitesmart.com\_f5e.swf\_f5e.swf

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\DSVGMTB3\as1.suitesmart.com\_f5e.swf\_f5e.swf

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\0\0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\0\0

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\1\1

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\1\1

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\10\10

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\10\10

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\11\11

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\11\11

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\12\12

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\12\12

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\13\13

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\13\13

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\14\14

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\14\14

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\15

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\15

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\16\16

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\16\16

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\17\17

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\17\17

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\18\18

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\18\18

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\19

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\19\19

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\2\2

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\2\2

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\20\20

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\20\20

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\21\21

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\21\21

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\22

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\22\22

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\23\23

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\23\23

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\24\24

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\24\24

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\25\25

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\25\25

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\26\26

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\26\26

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\27\27

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\27\27

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\28

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\28\28

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\29\29

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\29\29

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\3\3

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\3\3

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\30\30

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\30\30

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\31\31

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\31\31

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32\32

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\32\32

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\33

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\33

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\34\34

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\34\34

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\35\35

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\35\35

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\36\36

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\36\36

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\37\37

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\37\37

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\38\38

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\38\38

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\39\39

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\39\39

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\4\4

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\4\4

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\40\40

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\40\40

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\41\41

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\41\41

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\42\42

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\42\42

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\43\43

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\43\43

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\44\44

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\44\44

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\45

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\45

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\46\46

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\46\46

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\47\47

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\47\47

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\48\48

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\48\48

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\49

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\49\49

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\5\5

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\5\5

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\50

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\50

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\51\51

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\51\51

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\52\52

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\52\52

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\53

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\53\53

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\54\54

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\54\54

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\55\55

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\55\55

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\56\56

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\56\56

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\57\57

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\57\57

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\58\58

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\58\58

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\59\59

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\59\59

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\6\6

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\6\6

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\60\60

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\60\60

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\61\61

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\61\61

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\62

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\62

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\63\63

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\63\63

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\7\7

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\7\7

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\8

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\8\8

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\9

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\9\9

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\muffin\muffin

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\muffin\muffin

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\tmp\tmp

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\log\log

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\log\log

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\config\systemprofile\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\config\systemprofile\Templates\Templates

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\DirectX\DirectX

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\DirectX\DirectX

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-03 21:56:44 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-03 21:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\ime\cintlgnt\cintlgnt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ime\cintlgnt\cintlgnt

Found mount point : C:\WINDOWS\system32\ime\pintlgnt\pintlgnt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ime\pintlgnt\pintlgnt

Found mount point : C:\WINDOWS\system32\ime\tintlgnt\tintlgnt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ime\tintlgnt\tintlgnt

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Lang\Lang

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Lang\Lang

Found mount point : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM

Found mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp



Finished!

#8
JonX

    Regular Member

  • Honorary Members
  • PipPip
  • 79 posts
And here is the VERY SHORT "CCS.txt"


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\select
Current REG_DWORD 0x3
Default REG_DWORD 0x3
Failed REG_DWORD 0x2
LastKnownGood REG_DWORD 0x4

#9
negster22

    Elite Member

  • Experts
  • PipPipPipPipPip
  • 1,130 posts
  • Location:Westchester County, NY
OK now you can run Combofix as directed in my first reply.

Be sure to download it to desktop and rename it as you are doing so.

Please refer to the directions webpage I gave you for other important instructions.

Make sure active protection of your AV and other security programs is disabled.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#10
JonX

    Regular Member

  • Honorary Members
  • PipPip
  • 79 posts
Here are the contents of Combofix.txt. There seems to be an issue because when it restarted, the Windows Start menu bar doesn't show up. Here's the log:

ComboFix 09-09-08.09 - user 09/09/2009 12:23.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.615 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\firefox1.exe
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\user\LOCALS~1\Temp\csrss.exe
c:\docume~1\user\LOCALS~1\Temp\lsass.exe
c:\docume~1\user\LOCALS~1\Temp\services.exe
c:\docume~1\user\LOCALS~1\Temp\svchost.exe
c:\docume~1\user\LOCALS~1\Temp\taskmgr.exe
c:\documents and settings\user\Application Data\inst.exe
c:\documents and settings\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\program files\Common Files\stem32~1
c:\program files\dobe~1
c:\program files\Internet Explorer\2.exe
c:\windows\Installer\5aea6.msp
c:\windows\Installer\8b546.msp
c:\windows\mcroso~1
c:\windows\msliveupdate.exe
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\cdpasiwy.ini
c:\windows\system32\config\systemprofile\Desktop\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\drivers\smss.exe
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\drivers\vsfoceekywxnst.sys
c:\windows\system32\drivers\vsfoceumnthemd.sys
c:\windows\system32\erywovul.ini
c:\windows\system32\gykajdte.ini
c:\windows\system32\jfuhxxvy.ini
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lyufdqfg.ini
c:\windows\system32\mrdwyfxa.ini
c:\windows\system32\msconfig.exe
c:\windows\system32\mtmbfccl.ini
c:\windows\system32\nnnmp.bak1
c:\windows\system32\nnnmp.bak2
c:\windows\system32\nnnmp.tmp
c:\windows\system32\pdcpfdcd.ini
c:\windows\system32\peesfrfe.ini
c:\windows\system32\pjiecwph.ini
c:\windows\system32\pwitvone.ini
c:\windows\system32\qnnnoark.ini
c:\windows\system32\rocemppn.ini
c:\windows\system32\sdra64.exe
c:\windows\system32\smfkgpko.ini
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\vsfocejwxnrjec.dat
c:\windows\system32\vsfoceqxyymsbp.dll
c:\windows\system32\vsfocergiltpuw.dat
c:\windows\system32\vsfoceugpxsxpa.dll
c:\windows\system32\vsfocexssvpwpa.dll
c:\windows\system32\wcosfmav.ini
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\ykndfdow.ini

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_vsfoceuxtoqxrx
-------\Legacy_vsfoceuxtoqxrx
-------\Legacy_MSCONTROLSERVICE
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-08 07:38 . 2009-09-08 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-09-08 06:48 . 2009-09-08 06:49 -------- d-----w- C:\ARK
2009-09-08 00:53 . 2009-09-08 00:53 -------- d-----w- c:\program files\Trend Micro
2009-09-07 22:49 . 2009-09-07 22:49 -------- d-----w- c:\program files\Enigma Software Group
2009-09-07 22:08 . 2009-09-07 22:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2009-09-03 21:36 . 2005-04-25 02:43 13225 ----a-w- c:\windows\system32\drivers\Razerlow.sys
2009-09-03 21:33 . 2009-09-03 21:47 -------- d-----w- c:\documents and settings\user\Application Data\Uniblue
2009-09-03 21:33 . 2009-09-03 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-08-21 08:49 . 2009-08-21 08:49 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-21 08:46 . 2009-08-21 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-19 10:44 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-19 10:44 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-08-19 10:44 . 2009-08-19 10:44 -------- d-----w- c:\program files\iPod
2009-08-19 10:44 . 2009-08-19 10:44 -------- d-----w- c:\program files\iTunes
2009-08-19 10:44 . 2009-08-19 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-19 10:43 . 2009-08-19 10:44 -------- d-----w- c:\program files\QuickTime
2009-08-19 10:42 . 2009-08-19 10:42 -------- d-----w- c:\program files\Apple Software Update
2009-08-19 10:42 . 2009-07-09 16:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-17 07:55 . 2006-05-24 03:48 24576 ----a-w- c:\windows\system32\StkAUSD.dll
2009-08-17 07:08 . 2009-08-17 23:12 -------- d-----w- c:\program files\abgx360
2009-08-14 00:29 . 2009-08-14 00:29 -------- d-----w- c:\program files\ImgBurn
2009-08-13 21:08 . 2009-08-13 21:08 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-08-13 21:08 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 21:08 . 2009-08-13 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-13 21:08 . 2009-08-13 21:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 21:08 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 21:10 . 2009-08-12 04:46 -------- d-----w- c:\program files\FlashGet
2009-08-11 20:46 . 2009-08-11 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2009-08-10 17:36 . 2009-08-10 17:36 -------- d-----w- c:\program files\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 16:29 . 2008-12-25 23:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-09 16:19 . 2007-11-13 06:40 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2009-09-09 16:12 . 2004-08-04 01:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-09-09 09:48 . 2007-11-14 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-09-08 19:37 . 2009-04-04 03:27 -------- d-----w- c:\program files\PurgeIE
2009-09-08 03:56 . 2007-11-27 05:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-08 03:22 . 2008-01-02 05:16 -------- d-----w- c:\documents and settings\user\Application Data\U3
2009-09-05 11:18 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6a43.tmp
2009-09-03 23:03 . 2007-11-22 08:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 22:52 . 2008-02-13 18:50 -------- d-----w- c:\program files\Magic Video Converter
2009-09-03 20:45 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6ca4.tmp
2009-09-03 20:11 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP3633.tmp
2009-08-28 20:54 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP32f6.tmp
2009-08-23 21:51 . 2007-12-07 00:43 -------- d-----w- c:\program files\Google
2009-08-23 01:44 . 2008-11-15 20:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-23 01:44 . 2007-11-17 09:33 -------- d-----w- c:\program files\Java
2009-08-22 01:19 . 2007-12-20 13:43 -------- d-----w- c:\documents and settings\user\Application Data\dvdcss
2009-08-21 08:51 . 2007-11-13 07:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 11:05 . 2007-11-21 20:03 -------- d-----w- c:\documents and settings\user\Application Data\Apple Computer
2009-08-19 10:44 . 2007-11-16 21:23 -------- d-----w- c:\program files\Bonjour
2009-08-19 10:43 . 2007-12-09 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-18 02:43 . 2008-07-12 19:04 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2009-08-18 02:42 . 2007-12-07 02:24 -------- d-----w- c:\documents and settings\user\Application Data\skypePM
2009-08-17 08:16 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP65cf.tmp
2009-08-17 07:29 . 2007-11-12 22:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-17 07:14 . 2007-12-13 14:15 -------- d-----w- c:\documents and settings\user\Application Data\Vso
2009-08-17 07:14 . 2009-08-17 07:14 81920 ----a-w- c:\documents and settings\user\Application Data\ezpinst.exe
2009-08-17 07:14 . 2007-12-13 14:15 47360 ----a-w- c:\documents and settings\user\Application Data\pcouffin.sys
2009-08-16 11:25 . 2007-11-20 20:50 -------- d-----w- c:\program files\HiDownload
2009-08-14 00:25 . 2007-12-13 14:15 -------- d-----w- c:\program files\VSO
2009-08-12 05:52 . 2007-12-10 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-12 04:43 . 2007-12-10 05:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 20:46 . 2008-09-14 17:30 -------- d-----w- c:\program files\TVUPlayer
2009-08-10 20:48 . 2009-04-02 19:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-07 14:12 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6476.tmp
2009-08-07 01:51 . 2007-11-22 08:11 -------- d-----w- c:\documents and settings\user\Application Data\Sony
2009-08-07 01:51 . 2008-09-20 04:31 -------- d-----w- c:\program files\Sony Setup
2009-08-04 00:54 . 2009-08-04 00:54 -------- d-----w- c:\documents and settings\user\Application Data\acccore
2009-08-04 00:54 . 2009-08-04 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-08-04 00:53 . 2009-08-04 00:52 -------- d-----w- c:\program files\AIM6
2009-08-03 23:54 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP72b0.tmp
2009-08-03 23:53 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP730d.tmp
2009-08-03 22:45 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP735b.tmp
2009-08-03 22:13 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP709c.tmp
2009-08-03 21:40 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP706f.tmp
2009-08-03 21:09 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP70da.tmp
2009-08-03 20:36 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP738b.tmp
2009-08-03 20:04 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP70ea.tmp
2009-08-03 19:31 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP702e.tmp
2009-08-03 18:58 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP706e.tmp
2009-08-03 18:27 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP706d.tmp
2009-08-03 18:26 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP733c.tmp
2009-08-03 17:53 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6fd1.tmp
2009-08-03 17:21 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6cf2.tmp
2009-08-03 16:48 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6aa0.tmp
2009-08-03 16:16 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6e88.tmp
2009-08-03 15:43 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP318f.tmp
2009-07-31 03:10 . 2009-01-03 05:34 -------- d-----w- c:\program files\mkv2vob
2009-07-31 02:38 . 2008-10-01 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-07-31 02:30 . 2009-07-31 02:30 -------- d-----w- c:\program files\AVG
2009-07-29 22:27 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP953b.tmp
2009-07-29 02:53 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP7f32.tmp
2009-07-29 02:21 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP7c06.tmp
2009-07-29 01:48 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP7724.tmp
2009-07-29 01:17 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP7474.tmp
2009-07-29 00:44 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6dfc.tmp
2009-07-29 00:12 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP63da.tmp
2009-07-25 21:04 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP8a7d.tmp
2009-07-23 09:44 . 2009-07-23 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\GoBit Games
2009-07-23 09:43 . 2009-07-23 09:43 -------- d-----w- c:\program files\Burger Shop 2
2009-07-09 16:16 . 2007-12-09 03:19 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-29 10:52 . 2007-11-22 08:08 531160 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2007-11-15 04:00 . 2007-11-15 03:58 48 --sh--w- c:\windows\S821ED78A.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-11-25 2272192]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-05 1994480]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-23 149280]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2009-04-02 868352]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-04 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-23 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe [2004-5-28 421888]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\KeyHoleTV\\KeyHoleTV.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\River Past\\Video Cleaner Pro\\VideoCleaner.exe"=
"c:\\Program Files\\River Past\\Animated GIF Converter and Booster Pack\\VideoCleaner.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49990:TCP"= 49990:TCP:utorrent

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2/2/2009 3:23 AM 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/13/2009 5:08 PM 19096]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [9/3/2009 5:36 PM 13225]
S1 aswSP;avast! Self Protection; [x]
S2 acmlfwmmzdvruc;acmlfwmmzdvruc;\??\c:\windows\system32\drivers\yqbaxx.sys --> c:\windows\system32\drivers\yqbaxx.sys [?]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/13/2009 5:08 PM 232720]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S2 Windowhelp;Windowhelp; [x]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]

NETSVCS REQUIRES REPAIRS - current entries shown
6to4
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
DHCP
EventSystem
FastUserSwitchingCompatibility
HidServ
Ias
Iprip
Irmon
LanmanServer
LanmanWorkstation
Netman
Nla
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
Schedule
Seclogon
SENS
Sharedaccess
SRService
Tapisrv
Themes
WZCSVC
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
WmdmPmSN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7d2vl89o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1690724&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://wfigs.proboards48.com/
FF - plugin: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7d2vl89o.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLC\npvlc.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)
HKCU-Run-Performance Center - c:\program files\Ascentive\Performance Center\APCMain.exe
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
HKU-Default-Run-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe
Notify-xvexqrmi - xvexqrmi.dll
AddRemove-KeyHoleTV - c:\program files\KeyHoleTV\uninstall.exe
AddRemove-Veetle TV Player - c:\windows\UninstVeetleTVPlayer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 12:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\StkASv2K.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-09 12:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-09 16:38

Pre-Run: 123,384,991,744 bytes free
Post-Run: 123,687,645,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
387 --- E O F --- 2008-07-23 04:36

#11
JonX

    Regular Member

  • Honorary Members
  • 79 posts
Not sure how important this is, but before the first restart, the program prompted me to write these down for "Rootkit" activity:

C:/windows/system32/drivers/vsfoceumnthemd.sys
C:/windows/system32/vsfoceqxyymsbp.dll
C:/windows/system32/vsfocejwxnrjec.dat
C:/windows/system32/vsfocexssvpwpa.dll
C:/windows/system32/vsfocergiltpuw.dat
C:/windows/system32/vsfoceugpxsxpa.dll

#12
JonX

    Regular Member

  • Honorary Members
  • 79 posts
When I restarted again, the start bar came back up. Hopefully it'll stay this time.

#13
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Glad to hear your start menu is back. Usually CTRL+ESC keys will restore it unless Explorer policies have been reset by malware.

Those files you posted are rootkit files, but Combofix managed to locate and delete them automatically.
------
Let's try to repair the netsvcs registry key:

Open a notepad window by Clicking start -> run -> type notepad.exe

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Hit Enter

Paste the following text into the Notepad window:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\
76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4d,53,65,72,76,\
65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,76,65,6e,74,53,79,73,74,65,6d,\
00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
62,69,6c,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,\
49,72,6d,6f,6e,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,\
57,6f,72,6b,73,74,61,74,69,6f,6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,\
6d,61,6e,00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,\
61,74,69,6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,\
52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,65,73,73,00,53,63,68,65,64,\
75,6c,65,00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,\
63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,\
68,65,6d,65,73,00,54,72,6b,57,6b,73,00,57,33,32,54,69,6d,65,00,57,5a,43,53,\
56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,74,00,77,\
73,63,73,76,63,00,78,6d,6c,70,72,6f,76,00,42,49,54,53,00,77,75,61,75,73,65,\
72,76,00,53,68,65,6c,6c,48,57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,\
76,63,00,57,6d,64,6d,50,6d,53,4e,00,00


Save the file to your desktop by setting the "Save as Type" to "all files", and save it as netsvcs.reg

Double-click the netsvcs.reg aqua blocks icon on your desktop to launch it

Answer Yes to prompts

You should get a message that the information was successfully added to the registry

----------------

Download FixPolicies, a self-extracting ZIP file, and save it to your desktop:
http://downloads.malwareremoval.com/BillCa...FixPolicies.exe

  • Double-click FixPolicies.exe

  • Click the "Install" button on the bottom toolbar of the box that opens.

  • The program will create a new Folder called FixPolicies.

  • Double-click to open the new Folder, and then double-click the file Fix_Policies.cmd located within this folder.

  • A black box (command Window) will briefly appear and then close.

---------------
CFSCRIPT

We have a couple more items Combofix identified to remove that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
Copy/paste the text in the code box below into Notepad.

KillAll::

Driver::
acmlfwmmzdvruc
Windowhelp

File::
c:\windows\system32\drivers\yqbaxx.sys

Save this to your desktop as CFScript.txt by selecting File -> Save as.

Posted Image

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will cause ComboFix to run again.

Please post back the log that opens when it finishes.

-------
Scan with MBAM and remove all threats found, - then post the log:
  • Launch MBAM.
  • Select the Update tab -> Check for Updates
  • After MBAM updates, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK -> Show Results to view the scan results.
  • Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  • When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
__________

I see you had Avast antivirus but according to Combofix you no longer have an active antivirus installed.

If that is the case then you need to install an antivirus.
Please download, install and run this highly rated antivirus called Antivir by Avira:
http://www.free-av.com/en/trialpay_downloa..._antivirus.html

Update it,and then run a complete system scan.

Please post back the new Combofix log, the MBAM log, and your antivirus scan log.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
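The netsvcs repair in the post above works by overwriting the REG_MULTI_SZ value with a known-good list encoded as hex(7). Before importing a blob like that it is worth knowing exactly which names it puts back and whether it silently drops any. The Python below is an added example for this thread, not ComboFix, Malwarebytes or the poster's own code: it decodes the hex(7) value from the posted .reg text, re-encodes it to prove the round trip, and diffs the result against the entries ComboFix printed under "NETSVCS REQUIRES REPAIRS - current entries shown". Its only inputs are the .reg text and that list, both copied from this thread. REGEDIT4 files store hex() string data as single-byte ANSI, while files headed "Windows Registry Editor Version 5.00" store it as UTF-16LE, so the decoder picks the encoding from the header.

```python
"""Decode and diff a netsvcs REG_MULTI_SZ value from a .reg file.

Added example for this thread, not ComboFix or Malwarebytes code.
REG_TEXT is the .reg content posted above; CURRENT_ENTRIES is the list
ComboFix printed under "NETSVCS REQUIRES REPAIRS - current entries shown".
"""
import re

REG_TEXT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\
76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4d,53,65,72,76,\
65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,76,65,6e,74,53,79,73,74,65,6d,\
00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
62,69,6c,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,\
49,72,6d,6f,6e,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,\
57,6f,72,6b,73,74,61,74,69,6f,6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,\
6d,61,6e,00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,\
61,74,69,6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,\
52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,65,73,73,00,53,63,68,65,64,\
75,6c,65,00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,\
63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,\
68,65,6d,65,73,00,54,72,6b,57,6b,73,00,57,33,32,54,69,6d,65,00,57,5a,43,53,\
56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,74,00,77,\
73,63,73,76,63,00,78,6d,6c,70,72,6f,76,00,42,49,54,53,00,77,75,61,75,73,65,\
72,76,00,53,68,65,6c,6c,48,57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,\
76,63,00,57,6d,64,6d,50,6d,53,4e,00,00
'''

# Current netsvcs contents exactly as ComboFix listed them in the log above.
CURRENT_ENTRIES = """6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP EventSystem
FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer
LanmanWorkstation Netman Nla NWCWorkstation Nwsapagent Rasauto Rasman
Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes
WZCSVC Wmi WmdmPmSp winmgmt xmlprov BITS wuauserv ShellHWDetection
WmdmPmSN""".split()

def is_utf16_reg(reg_text):
    """Version 5.00 .reg files hold hex() string data as UTF-16LE; REGEDIT4 uses ANSI."""
    return reg_text.lstrip().startswith("Windows Registry Editor Version 5.00")

def reg_hex_value(reg_text, value_name):
    """Return (type_number, raw_bytes) for a "name"=hex(N):.. value.
    Wrapped .reg values end each line with a backslash; join them first."""
    joined = re.sub(r",\\\r?\n[ \t]*", ",", reg_text)
    pattern = r'^"%s"=hex\((\d+)\):([0-9a-fA-F,]+)' % re.escape(value_name)
    m = re.search(pattern, joined, re.MULTILINE)
    if m is None:
        raise ValueError("value %r not found in .reg text" % value_name)
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    return int(m.group(1)), raw

def decode_multi_sz(raw, utf16=False):
    """Split a REG_MULTI_SZ blob (NUL-terminated strings plus a final NUL) into a list.
    latin-1 is byte-transparent, which is all we need for ASCII service names."""
    parts = raw.decode("utf-16-le" if utf16 else "latin-1").split("\0")
    while parts and parts[-1] == "":        # drop the terminator(s)
        parts.pop()
    return parts

def encode_multi_sz(names, utf16=False):
    """Inverse of decode_multi_sz: each string NUL-terminated, then one more NUL."""
    text = "".join(n + "\0" for n in names) + "\0"
    return text.encode("utf-16-le" if utf16 else "latin-1")

def to_reg_hex(raw, type_number=7):
    """Render raw bytes in the .reg hex(N):aa,bb,.. form (single line, unwrapped)."""
    return "hex(%d):%s" % (type_number, ",".join("%02x" % b for b in raw))

def netsvcs_diff(reg_text, current, value_name="netsvcs"):
    """Compare the list the .reg file would write with the list currently present.
    Windows service names are case-insensitive, so the comparison folds case."""
    type_number, raw = reg_hex_value(reg_text, value_name)
    if type_number != 7:
        raise ValueError("expected REG_MULTI_SZ hex(7), got hex(%d)" % type_number)
    repaired = decode_multi_sz(raw, is_utf16_reg(reg_text))
    cur = {n.lower() for n in current}
    rep = {n.lower() for n in repaired}
    return {
        "repaired": repaired,
        "restored": [n for n in repaired if n.lower() not in cur],
        "dropped": [n for n in current if n.lower() not in rep],
    }

if __name__ == "__main__":
    result = netsvcs_diff(REG_TEXT, CURRENT_ENTRIES)
    print("names the repair restores:", ", ".join(result["restored"]))
    print("current names the repair drops:", ", ".join(result["dropped"]) or "(none)")
```

Run as-is, it reports seven names the repair restores and none it drops: ERSvc, Messenger, Ntmssvc, TrkWks, W32Time, wscsvc (the Security Center service) and helpsvc (Help and Support). Anything in "dropped" that you did not expect is a reason to stop and compare the list against a clean machine of the same Windows version rather than import a .reg blindly.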

#14
JonX

    Regular Member

  • Honorary Members
  • 79 posts
I tried dragging the txt file into the cat Icon (I renamed the ComboFix to Firefox) and it scanned and shut down everything and was scanning for a VERY long time so I just restarted. I will attempt again.

#15
JonX

    Regular Member

  • Honorary Members
  • 79 posts
Sorry for the double post, but it seems that all of my Hidden files/folders are now viewable. But the Icon on MalwareBytes is still:

Posted Image

and this still comes up when I click it.

Posted Image

#16
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
The rootkit infection you had can reset permissions on programs to prevent them from running. Should you find that any of your programs are not functioning properly, then do the following to reset the permissions for the affected executables:
  • Download Inherit and save it to your desktop:
  • Drag each of the executable files (EXE files) that you are unable to run into Inherit.exe - (this must be the EXE file - not the shortcut)
  • Then wait for it to say "OK"
This will restore normal permissions, so the affected program(s) should react properly.

So what you need to do in this specific case is drag:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe -> into Inherit.exe

If that doesn't correct it, drag:
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe -> into Inherit.exe
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog

#17
JonX

    Regular Member

  • Honorary Members
  • 79 posts
Wow, Inherit worked nicely! I will do scans and make sure everything is okay and let you know how it went. Thanks!

#18
JonX

    Regular Member

  • Honorary Members
  • 79 posts
I'm running a full scan on MBAM, and it's already taking a very long time to finish. It's already gone past the 1 hour 30 minute mark, which is over triple the amount of time a full scan used to take me.

#19
JonX

    Regular Member

  • Honorary Members
  • 79 posts
Here's a log from ComboFix.

ComboFix 09-09-09.07 - user 09/10/2009 4:54.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.192 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-08 07:38 . 2009-09-08 07:38 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-09-08 06:48 . 2009-09-08 06:49 -------- d-----w- C:\ARK
2009-09-08 00:53 . 2009-09-08 00:53 -------- d-----w- c:\program files\Trend Micro
2009-09-07 22:08 . 2009-09-07 22:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2009-09-03 21:36 . 2005-04-25 02:43 13225 ----a-w- c:\windows\system32\drivers\Razerlow.sys
2009-09-03 21:33 . 2009-09-03 21:47 -------- d-----w- c:\documents and settings\user\Application Data\Uniblue
2009-09-03 21:33 . 2009-09-03 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-08-21 08:49 . 2009-08-21 08:49 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-08-21 08:46 . 2009-08-21 11:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-19 10:44 . 2009-03-19 20:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-19 10:44 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-08-19 10:44 . 2009-08-19 10:44 -------- d-----w- c:\program files\iPod
2009-08-19 10:44 . 2009-08-19 10:44 -------- d-----w- c:\program files\iTunes
2009-08-19 10:44 . 2009-08-19 10:44 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-19 10:43 . 2009-08-19 10:44 -------- d-----w- c:\program files\QuickTime
2009-08-19 10:42 . 2009-08-19 10:42 -------- d-----w- c:\program files\Apple Software Update
2009-08-19 10:42 . 2009-07-09 16:16 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-17 07:55 . 2006-05-24 03:48 24576 ----a-w- c:\windows\system32\StkAUSD.dll
2009-08-17 07:08 . 2009-08-17 23:12 -------- d-----w- c:\program files\abgx360
2009-08-14 00:29 . 2009-08-14 00:29 -------- d-----w- c:\program files\ImgBurn
2009-08-13 21:08 . 2009-08-13 21:08 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-08-13 21:08 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 21:08 . 2009-08-13 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-13 21:08 . 2009-08-13 21:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-13 21:08 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-11 21:10 . 2009-08-12 04:46 -------- d-----w- c:\program files\FlashGet
2009-08-11 20:46 . 2009-08-11 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 04:30 . 2008-12-25 23:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-10 04:29 . 2007-11-27 05:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-09 19:52 . 2007-11-13 06:40 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2009-09-09 16:12 . 2004-08-04 01:56 55808 ------w- c:\windows\system32\eventlog.dll
2009-09-09 09:48 . 2007-11-14 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-09-08 19:37 . 2009-04-04 03:27 -------- d-----w- c:\program files\PurgeIE
2009-09-08 03:22 . 2008-01-02 05:16 -------- d-----w- c:\documents and settings\user\Application Data\U3
2009-09-05 11:18 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6a43.tmp
2009-09-03 23:03 . 2007-11-22 08:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-03 22:52 . 2008-02-13 18:50 -------- d-----w- c:\program files\Magic Video Converter
2009-09-03 20:45 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6ca4.tmp
2009-09-03 20:11 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP3633.tmp
2009-08-28 20:54 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP32f6.tmp
2009-08-23 21:51 . 2007-12-07 00:43 -------- d-----w- c:\program files\Google
2009-08-23 01:44 . 2008-11-15 20:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-23 01:44 . 2007-11-17 09:33 -------- d-----w- c:\program files\Java
2009-08-22 01:19 . 2007-12-20 13:43 -------- d-----w- c:\documents and settings\user\Application Data\dvdcss
2009-08-21 08:51 . 2007-11-13 07:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 11:05 . 2007-11-21 20:03 -------- d-----w- c:\documents and settings\user\Application Data\Apple Computer
2009-08-19 10:44 . 2007-11-16 21:23 -------- d-----w- c:\program files\Bonjour
2009-08-19 10:43 . 2007-12-09 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-18 02:43 . 2008-07-12 19:04 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2009-08-18 02:42 . 2007-12-07 02:24 -------- d-----w- c:\documents and settings\user\Application Data\skypePM
2009-08-17 08:16 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP65cf.tmp
2009-08-17 07:29 . 2007-11-12 22:43 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-17 07:14 . 2007-12-13 14:15 -------- d-----w- c:\documents and settings\user\Application Data\Vso
2009-08-17 07:14 . 2009-08-17 07:14 81920 ----a-w- c:\documents and settings\user\Application Data\ezpinst.exe
2009-08-17 07:14 . 2007-12-13 14:15 47360 ----a-w- c:\documents and settings\user\Application Data\pcouffin.sys
2009-08-16 11:25 . 2007-11-20 20:50 -------- d-----w- c:\program files\HiDownload
2009-08-14 00:25 . 2007-12-13 14:15 -------- d-----w- c:\program files\VSO
2009-08-12 05:52 . 2007-12-10 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-12 04:43 . 2007-12-10 05:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-11 20:46 . 2008-09-14 17:30 -------- d-----w- c:\program files\TVUPlayer
2009-08-10 20:48 . 2009-04-02 19:11 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-10 17:36 . 2009-08-10 17:36 -------- d-----w- c:\program files\uTorrent
2009-08-07 14:12 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6476.tmp
2009-08-07 01:51 . 2007-11-22 08:11 -------- d-----w- c:\documents and settings\user\Application Data\Sony
2009-08-07 01:51 . 2008-09-20 04:31 -------- d-----w- c:\program files\Sony Setup
2009-08-04 00:54 . 2009-08-04 00:54 -------- d-----w- c:\documents and settings\user\Application Data\acccore
2009-08-04 00:54 . 2009-08-04 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-08-04 00:53 . 2009-08-04 00:52 -------- d-----w- c:\program files\AIM6
2009-08-03 23:54 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP72b0.tmp
2009-08-03 23:53 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP730d.tmp
2009-08-03 22:45 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP735b.tmp
2009-08-03 22:13 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP709c.tmp
2009-08-03 21:40 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP706f.tmp
2009-08-03 21:09 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP70da.tmp
2009-08-03 20:36 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP738b.tmp
2009-08-03 20:04 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP70ea.tmp
2009-08-03 19:31 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP702e.tmp
2009-08-03 18:58 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP706e.tmp
2009-08-03 18:27 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP706d.tmp
2009-08-03 18:26 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP733c.tmp
2009-08-03 17:53 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6fd1.tmp
2009-08-03 17:21 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6cf2.tmp
2009-08-03 16:48 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6aa0.tmp
2009-08-03 16:16 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6e88.tmp
2009-08-03 15:43 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP318f.tmp
2009-07-31 03:10 . 2009-01-03 05:34 -------- d-----w- c:\program files\mkv2vob
2009-07-31 02:38 . 2008-10-01 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-07-31 02:30 . 2009-07-31 02:30 -------- d-----w- c:\program files\AVG
2009-07-29 22:27 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP953b.tmp
2009-07-29 02:53 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP7f32.tmp
2009-07-29 02:21 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP7c06.tmp
2009-07-29 01:48 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP7724.tmp
2009-07-29 01:17 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP7474.tmp
2009-07-29 00:44 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP6dfc.tmp
2009-07-29 00:12 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP63da.tmp
2009-07-25 21:04 . 2008-06-15 17:44 98304 ----a-w- c:\windows\DUMP8a7d.tmp
2009-07-23 09:44 . 2009-07-23 09:44 -------- d-----w- c:\documents and settings\All Users\Application Data\GoBit Games
2009-07-23 09:43 . 2009-07-23 09:43 -------- d-----w- c:\program files\Burger Shop 2
2009-07-09 16:16 . 2007-12-09 03:19 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-29 10:52 . 2007-11-22 08:08 531160 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2007-11-15 04:00 . 2007-11-15 03:58 48 --sh--w- c:\windows\S821ED78A.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-09-09_16.34.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-10 04:30 . 2009-09-10 04:30 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2009-09-08 03:56 . 2009-09-08 03:56 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-09-10 04:30 . 2009-09-10 04:30 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2009-09-08 03:56 . 2009-09-08 03:56 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-09-10 04:30 . 2009-09-10 04:30 1578496 c:\windows\Installer\18080b.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-11-25 2272192]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-05 1994480]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-07-09 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 213936]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-23 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-02-26 16125440]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-04 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-04-23 124928]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MA111 Configuration Utility.lnk - c:\program files\NETGEAR\MA111v2 USB Adapter\MA111v2.exe [2004-5-28 421888]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\KeyHoleTV\\KeyHoleTV.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\River Past\\Video Cleaner Pro\\VideoCleaner.exe"=
"c:\\Program Files\\River Past\\Animated GIF Converter and Booster Pack\\VideoCleaner.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49990:TCP"= 49990:TCP:utorrent

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/13/2009 5:08 PM 232720]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2/2/2009 3:23 AM 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/13/2009 5:08 PM 19096]
R3 Razerlow;Razerlow USB Filter Driver;c:\windows\system32\drivers\Razerlow.sys [9/3/2009 5:36 PM 13225]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]
S1 aswSP;avast! Self Protection; [x]
S2 acmlfwmmzdvruc;acmlfwmmzdvruc;\??\c:\windows\system32\drivers\yqbaxx.sys --> c:\windows\system32\drivers\yqbaxx.sys [?]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S2 Windowhelp;Windowhelp; [x]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys --> c:\windows\system32\drivers\ScreamingBAudio.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - SASDIFSV
*NewlyCreated* - SASENUM
*Deregistered* - MBAMSwissArmy
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7d2vl89o.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1690724&SearchSource=3&q=
FF - prefs.js: browser.startup.homepage - hxxp://wfigs.proboards48.com/
FF - plugin: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7d2vl89o.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 05:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2232)
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll
c:\windows\system32\msi.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
Completion time: 2009-09-10 5:05
ComboFix-quarantined-files.txt 2009-09-10 09:04
ComboFix2.txt 2009-09-09 16:38

Pre-Run: 119,323,394,048 bytes free
Post-Run: 119,283,269,632 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
264 --- E O F --- 2008-07-23 04:36

#20
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY

Quote

I'm running a full scan on MBAM, and it's already taking a very long time to finish. It's already gone past the 1 hour 30 minute mark, which is over triple the amount of time a full scan used to take me.

Try to do a quick scan and see if that works properly. A quick scan is enough to detect and remove all active malware that MBAM has definitions and heuristics for.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
