
ckjah13
Members; 4 posts; Location: Pittsburgh; Reputation: 0 Neutral

  1. Wow, you guys are amazing, it's absolutely better now. Should I run Malwarebytes now to be certain? I'm extremely grateful for your kind service. Thanks again.
  2. As soon as I started to run ComboFix with the script I realized I didn't uninstall Viewpoint Manager first. After ComboFix ran, I uninstalled Viewpoint Manager. For some reason, before I ran ComboFix, it seems Internet Explorer was trying to connect to something; it gave me the Work Offline box. After the ComboFix run and the uninstall of Viewpoint Manager, it doesn't seem to do it. ComboFix log below:

ComboFix 09-09-17.04 - chris 09/19/2009 15:29.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1517 [GMT -4:00]
Running from: c:\documents and settings\chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\chris\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\mukejowe.dll"
"c:\windows\system32\taviretu.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mukejowe.dll
c:\windows\system32\taviretu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DVD_HMSFNH
-------\Legacy_MMC_2KCNF
-------\Service_Dvd_hmsfnh
-------\Service_Mmc_2kcnf
-------\Service_Rdp28vr

((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.

2009-09-18 19:38 . 2009-09-18 19:38 -------- d-----w- c:\windows\system32\0
2009-09-18 18:32 . 2009-09-18 18:32 -------- d-sh--w- c:\documents and settings\Administrator.SITESIGNATURES\PrivacIE
2009-09-18 18:14 . 2009-09-18 18:14 -------- d-----w- c:\documents and settings\Administrator.SITESIGNATURES\Local Settings\Application Data\Help
2009-09-18 18:14 . 2009-09-18 18:14 -------- d-----w- c:\documents and settings\Administrator.SITESIGNATURES\Local Settings\Application Data\ApplicationHistory
2009-09-18 18:14 . 2009-09-18 18:14 -------- d-----w- c:\documents and settings\Administrator.SITESIGNATURES\Local Settings\Application Data\Apple Computer
2009-09-18 18:11 . 2009-09-18 18:34 -------- d-----w- c:\documents and settings\Administrator.SITESIGNATURES
2009-09-04 20:45 . 2009-09-04 21:27 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-04 20:45 . 2009-09-04 21:27 -------- d-----w- c:\program files\Spyware Doctor
2009-09-04 20:28 . 2009-09-04 20:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 19:19 . 2004-05-05 06:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-10 23:24 . 2009-01-08 20:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 10:23 . 2008-07-01 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-04 21:26 . 2009-01-07 20:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-04 12:58 . 2004-05-25 16:48 -------- d---a-w- c:\documents and settings\chris\Application Data\AdobeUM
2009-09-04 12:57 . 2005-11-15 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-08-27 12:51 . 2009-08-27 12:54 10838016 ---ha-w- c:\documents and settings\chris\prf510.tmp
2009-08-24 20:22 . 2008-06-12 14:05 -------- d-----w- c:\program files\TagRename
2009-08-14 10:58 . 2009-09-04 20:45 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-11 12:54 . 2007-12-04 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-06 12:32 . 2008-05-06 15:56 -------- d-----w- c:\program files\AutoCAD 2008
2009-08-06 12:32 . 2009-03-19 12:51 -------- d-----w- c:\program files\Java
2009-08-06 12:30 . 2009-08-06 12:30 152576 ----a-w- c:\documents and settings\chris\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-03 17:36 . 2009-01-08 20:08 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-01-08 20:08 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 20:28 . 2008-11-20 15:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 09:23 . 2009-03-19 12:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-02-06 22:05 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-03-30 01:48 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-03-30 01:48 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2002-08-29 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2002-08-29 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2002-08-29 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2002-08-29 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2002-08-29 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

.
((((((((((((((((((((((((((((( SnapShot@2009-09-18_20.35.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-19 19:39 . 2009-09-19 19:39 16384 c:\windows\Temp\Perflib_Perfdata_7e0.dat
+ 2009-09-19 19:39 . 2009-09-19 19:39 16384 c:\windows\Temp\Perflib_Perfdata_798.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-01 8523776]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-01 81920]
"SpySweeperEnterprise"="c:\program files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe" [2007-01-15 403520]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-07-26 684032]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-02-01 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2004-5-19 209016]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-5-5 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\APC\\APC PowerChute Personal Edition\\apcsystray.exe"=

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2/10/2003 5:52 AM 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\SYSTEM32\DRIVERS\Asfalrt.sys [12/18/2002 5:31 AM 36064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 11:05 AM 24652]
S2 gupdate1c99686e9d3215f;Google Update Service (gupdate1c99686e9d3215f);c:\program files\Google\Update\GoogleUpdate.exe [2/24/2009 9:50 AM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 Faenoxy;Faenoxy;c:\windows\SYSTEM32\DRIVERS\i2omgmt.sys [8/17/2001 2:56 PM 8576]
S3 I26fwqsaass;I26fwqsaass;c:\windows\SYSTEM32\DRIVERS\nmnt.sys [8/29/2002 6:00 AM 40320]
S3 MA8012M;MA8012M;c:\windows\SYSTEM32\DRIVERS\MA8012M.sys [1/6/2006 11:37 AM 25300]
S3 MA8012U;MA8012U;c:\windows\SYSTEM32\DRIVERS\MA8012U.sys [1/6/2006 11:37 AM 48734]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B1.tmp --> c:\windows\system32\B1.tmp [?]
S3 Nwlservapr;Nwlservapr;c:\windows\SYSTEM32\DRIVERS\aeaudio.sys [1/1/1980 1:00 AM 4816]
S3 OnePointDomainAdminService;Active Directory Migration Agent;c:\program files\OnePointDomainAgent\DCTAgentService.exe [4/16/2005 2:21 PM 34816]
S3 Rdcomadrnmpp;Rdcomadrnmpp;c:\windows\SYSTEM32\DRIVERS\aec.sys [5/5/2004 1:59 AM 142592]
S3 Sysaumsnam;Sysaumsnam;c:\windows\SYSTEM32\DRIVERS\atinttxx.sys [8/4/2004 1:29 AM 13824]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\SYSTEM32\DRIVERS\xbreader.sys [1/3/2001 12:53 AM 19677]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 13:50]

2009-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 13:50]

2008-04-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 16:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = hxxp://POWEREDGE:8080
uInternet Settings,ProxyOverride = <local>;*.local
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: totalvid.com\www
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 15:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,32,7f,c7,dc,d5,62,46,88,f9,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,32,7f,c7,dc,d5,62,46,88,f9,6f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\WRLogonNtf.DLL

- - - - - - - > 'explorer.exe'(5076)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\SPYSWEEPER.EXE
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-19 15:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-19 19:50
ComboFix2.txt 2009-09-18 20:44

Pre-Run: 54,024,888,320 bytes free
Post-Run: 53,935,648,768 bytes free

223 --- E O F --- 2009-07-30 18:53
  3. Thank you so much... so far. I did use the exe fix prior to the first post. I ran ComboFix and a warning came up:

"Parasite Found!! The following files were trying to attach to combo fix. They shall be disabled. Kindly note on paper, the name of each file. We may need it later. c:/windows/system32/zohenosu.dll"

After the run, I can use the Task Manager again. I will not do anything until further instructions. ComboFix log below:

ComboFix 09-09-17.04 - chris 09/18/2009 16:15.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1480 [GMT -4:00]
Running from: c:\documents and settings\chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\chris\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\chris\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
c:\program files\Common Files\mantec~1
c:\program files\Common Files\mantec~1\msdtc.exe
c:\recycler\S-1-5-21-1352563229-7679825197-600459175-5106
c:\recycler\S-1-5-21-1352563229-7679825197-600459175-5106\Desktop.ini
c:\recycler\S-1-5-21-1352563229-7679825197-600459175-5106\msimfo32.exe
c:\recycler\S-1-5-21-5432253647-4890304748-228517639-5464
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\13d369f8.msp
c:\windows\Installer\13d36a69.msp
c:\windows\Installer\14c874cd.msp
c:\windows\Installer\151864.msp
c:\windows\Installer\25f7cdd.msi
c:\windows\Installer\8877.msi
c:\windows\Installer\888a.msi
c:\windows\Installer\f2597a2.msp
c:\windows\jestertb.dll
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\AVR09.exe
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\comrepl.exe
c:\windows\system32\drivers\SKYNETlojkweyx.sys
c:\windows\system32\gujoyame.exe
c:\windows\system32\logonui.dll
c:\windows\system32\nebiwofo.exe
c:\windows\system32\rugakeju.exe
c:\windows\system32\SKYNETcumnnkfv.dat
c:\windows\system32\SKYNETjaplwidg.dat
c:\windows\system32\smbols~1
c:\windows\system32\smbols~1\mshta.exe
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\tapi.nfo
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wtstr.exe
c:\windows\wpd99.drv

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPPRO2009_100
-------\Legacy_seneka
-------\Legacy_SKYNETkaemrhnk
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_AntipPro2009_100
-------\Service_seneka
-------\Service_SKYNETkaemrhnk

((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-18 19:38 . 2009-09-18 19:38 -------- d-----w- c:\windows\system32\0
2009-09-18 18:32 . 2009-09-18 18:32 -------- d-sh--w- c:\documents and settings\Administrator.SITESIGNATURES\PrivacIE
2009-09-18 18:14 . 2009-09-18 18:14 -------- d-----w- c:\documents and settings\Administrator.SITESIGNATURES\Local Settings\Application Data\Help
2009-09-18 18:14 . 2009-09-18 18:14 -------- d-----w- c:\documents and settings\Administrator.SITESIGNATURES\Local Settings\Application Data\ApplicationHistory
2009-09-18 18:14 . 2009-09-18 18:14 -------- d-----w- c:\documents and settings\Administrator.SITESIGNATURES\Local Settings\Application Data\Apple Computer
2009-09-18 18:11 . 2009-09-18 18:34 -------- d-----w- c:\documents and settings\Administrator.SITESIGNATURES
2009-09-04 20:45 . 2009-09-04 21:27 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-04 20:45 . 2009-09-04 21:27 -------- d-----w- c:\program files\Spyware Doctor
2009-09-04 20:28 . 2009-09-04 20:28 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 19:19 . 2004-05-05 06:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-10 23:24 . 2009-01-08 20:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 10:23 . 2008-07-01 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-04 21:26 . 2009-01-07 20:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-04 12:58 . 2004-05-25 16:48 -------- d---a-w- c:\documents and settings\chris\Application Data\AdobeUM
2009-09-04 12:57 . 2005-11-15 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-08-27 12:51 . 2009-08-27 12:54 10838016 ---ha-w- c:\documents and settings\chris\prf510.tmp
2009-08-24 20:22 . 2008-06-12 14:05 -------- d-----w- c:\program files\TagRename
2009-08-14 10:58 . 2009-09-04 20:45 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-11 12:54 . 2007-12-04 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-06 12:32 . 2008-05-06 15:56 -------- d-----w- c:\program files\AutoCAD 2008
2009-08-06 12:32 . 2009-03-19 12:51 -------- d-----w- c:\program files\Java
2009-08-06 12:30 . 2009-08-06 12:30 152576 ----a-w- c:\documents and settings\chris\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-08-03 17:36 . 2009-01-08 20:08 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-01-08 20:08 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 20:28 . 2008-11-20 15:27 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 09:23 . 2009-03-19 12:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2002-08-29 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-02-06 22:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2004-03-30 01:48 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-03-30 01:48 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2002-08-29 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2002-08-29 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2002-08-29 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2002-08-29 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2002-08-29 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e4cef417-2234-4f01-9288-273f557d11a6}]
2009-06-04 13:20 49152 ----a-w- c:\windows\SYSTEM32\mukejowe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-01 8523776]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-01 81920]
"SpySweeperEnterprise"="c:\program files\Webroot\Enterprise\Spy Sweeper\\SpySweeperUI.exe" [2007-01-15 403520]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-07-26 684032]
"tuzesewahe"="c:\windows\system32\taviretu.dll" [2009-06-04 49152]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2008-02-01 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2004-5-19 209016]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-5-5 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\WINDOWS\\explorer.exe"=

R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [2/10/2003 5:52 AM 114688]
R2 AsfAlrt;AsfAlrt;c:\windows\SYSTEM32\DRIVERS\Asfalrt.sys [12/18/2002 5:31 AM 36064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 11:05 AM 24652]
S2 gupdate1c99686e9d3215f;Google Update Service (gupdate1c99686e9d3215f);c:\program files\Google\Update\GoogleUpdate.exe [2/24/2009 9:50 AM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 Dvd_hmsfnh;Dvd_hmsfnh; [x]
S3 Faenoxy;Faenoxy;c:\windows\SYSTEM32\DRIVERS\i2omgmt.sys [8/17/2001 2:56 PM 8576]
S3 I26fwqsaass;I26fwqsaass;c:\windows\SYSTEM32\DRIVERS\nmnt.sys [8/29/2002 6:00 AM 40320]
S3 MA8012M;MA8012M;c:\windows\SYSTEM32\DRIVERS\MA8012M.sys [1/6/2006 11:37 AM 25300]
S3 MA8012U;MA8012U;c:\windows\SYSTEM32\DRIVERS\MA8012U.sys [1/6/2006 11:37 AM 48734]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B1.tmp --> c:\windows\system32\B1.tmp [?]
S3 Mmc_2kcnf;Mmc_2kcnf; [x]
S3 Nwlservapr;Nwlservapr;c:\windows\SYSTEM32\DRIVERS\aeaudio.sys [1/1/1980 1:00 AM 4816]
S3 OnePointDomainAdminService;Active Directory Migration Agent;c:\program files\OnePointDomainAgent\DCTAgentService.exe [4/16/2005 2:21 PM 34816]
S3 Rdcomadrnmpp;Rdcomadrnmpp;c:\windows\SYSTEM32\DRIVERS\aec.sys [5/5/2004 1:59 AM 142592]
S3 Sysaumsnam;Sysaumsnam;c:\windows\SYSTEM32\DRIVERS\atinttxx.sys [8/4/2004 1:29 AM 13824]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\SYSTEM32\DRIVERS\xbreader.sys [1/3/2001 12:53 AM 19677]
S4 Rdp28vr;Rdp28vr; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 13:50]

2009-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-24 13:50]

2008-04-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 16:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = hxxp://POWEREDGE:8080
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: totalvid.com\www
.
- - - - ORPHANS REMOVED - - - -

Notify-tuvVMeBu - tuvVMeBu.dll
AddRemove-HijackThis - C:\HijackThis.exe
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-18 16:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,32,7f,c7,dc,d5,62,46,88,f9,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,32,7f,c7,dc,d5,62,46,88,f9,6f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\WRLogonNtf.DLL

- - - - - - - > 'explorer.exe'(5692)
c:\windows\system32\WININET.dll
c:\windows\system32\mukejowe.dll
c:\windows\system32\taviretu.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\RealVNC\VNC4\winvnc4.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\SPYSWEEPER.EXE
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-18 16:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 20:43

Pre-Run: 53,704,794,112 bytes free
Post-Run: 54,025,621,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

285 --- E O F --- 2009-07-30 18:53

Thanks again. I did remove the corporate antivirus as I could not disable the automatic protection. Since my first problems, the machine has been isolated from the network/internet.
  4. I ran into a site 9/4 and got hit with a virus/other stuff. Immediately pulled the network cable. Lost task manager, can't run Mbam, hijackthis, adaware, or windows malicious software removal tool. I have to use Mbam FileASSASSIN to get rid of the 'locked' exe's after the program is terminated. I actually lost file associations with exe's too: if I tried to open a text file, it asked me what to open notepad.exe with. I found a registry fix (hope this was a good thing). I was kinda trying to wait it out to find a simple fix, but not yet. I have been reading your forum, and from what I read, you guys are the best. I will definitely buy some licenses of MBAM to protect my home computers next payday. Anyways, can't do anything. Also, it infects any flash drive inserted (an Autorun.inf and exe's with a trashcan logo). I could run win32kdiag.exe; here is the log. Please advise, and I will be forever in your debt. By the way, I accidentally did this on a work computer, so I have been keeping it off the network, and hope not to cause a huge mess with this.

____________________________________________________________________

Running from: C:\Documents and Settings\chris\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\chris\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20E6.tmp\ZAP20E6.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP20E8.tmp\ZAP20E8.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB83.tmp\ZAPB83.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC51.tmp\ZAPC51.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\B00433057790BA5449ECCC31A5E8B1BB\9.3.1850\9.3.1850
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2004-08-04 03:56:50 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()
[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Prefetch\Prefetch
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Profiles\chris\Application Data\111\111
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Profiles\chris\Application Data\Corel\CorelDRAW9\CorelDRAW9\CorelDRAW9
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Profiles\chris\Application Data\Corel\CorelDRAW9\Trace9\Trace9
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SECURITY\LOGS\LOGS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1025\1025
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1028\1028
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1031\1031
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1037\1037
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1041\1041
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1042\1042
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\1054\1054
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\2052\2052
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\3076\3076
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\3COM_DMI\3COM_DMI
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\appmgmt\S-1-5-21-3096875330-1029902711-320981581-1140\S-1-5-21-3096875330-1029902711-320981581-1140
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Identities\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}\{2C7A8CD0-78FA-427F-BF86-AE333A20DC52}
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\Credentials\Credentials
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\DHCP\DHCP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\DirectX\websetup\websetup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\DRIVERS\DISDN\DISDN
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\dumprep.exe

[1] 2004-08-04 03:56:48 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)
[1] 2008-04-13 20:12:18 10752 C:\WINDOWS\SYSTEM32\dumprep.exe ()

Cannot access: C:\WINDOWS\SYSTEM32\eventlog.dll

[1] 2004-08-04 03:56:42 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 62464 C:\WINDOWS\SYSTEM32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\SYSTEM32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\SYSTEM32\EXPORT\EXPORT
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\FxsTmp\FxsTmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\GroupPolicy\ADM\ADM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\GroupPolicy\Machine\Scripts\Startup\Startup
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\GroupPolicy\User\Scripts\Logoff\Logoff
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\GroupPolicy\User\Scripts\Logon\Logon
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\Macromed\AUTHORWA\AUTHORWA
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\Macromed\update\update
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\MUI\DISPSPEC\DISPSPEC
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\SYSTEM32\novell\nici\Administrator.SITESIG\XMGRCFG.KS2

[1] 2004-05-06 16:44:13 3948 C:\WINDOWS\SYSTEM32\novell\nici\Administrator.SITESIG\XMGRCFG.KS2 ()
[1] 2004-05-06 15:27:27 3948 C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS2 ()

Cannot access: C:\WINDOWS\SYSTEM32\novell\nici\Administrator.SITESIG\XMGRCFG.KS3

[1] 2004-07-06 08:40:38 268 C:\WINDOWS\SYSTEM32\novell\nici\Administrator.SITESIG\XMGRCFG.KS3 ()
[1] 2005-04-15 17:36:05 268 C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS3 ()

Cannot access: C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS2

[1] 2004-05-06 16:44:13 3948 C:\WINDOWS\SYSTEM32\novell\nici\Administrator.SITESIG\XMGRCFG.KS2 ()
[1] 2004-05-06 15:27:27 3948 C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS2 ()

Cannot access: C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS3

[1] 2004-07-06 08:40:38 268 C:\WINDOWS\SYSTEM32\novell\nici\Administrator.SITESIG\XMGRCFG.KS3 ()
[1] 2005-04-15 17:36:05 268 C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS3 ()

Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\ISPSGNUP\ISPSGNUP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMCUST\OEMCUST
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMHW\OEMHW
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\OOBE\HTML\OEMREG\OEMREG
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\OOBE\SAMPLE\SAMPLE
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\SPOOL\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\BAD\BAD
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\WBEM\MOF\GOOD\GOOD
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\WBEM\SNMP\SNMP
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\WINS\WINS
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\SYSTEM32\XIRCOM\XIRCOM
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\U2l0ZSBTaWduYXR1cmVz\U2l0ZSBTaWduYXR1cmVz
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Mount point destination : \Device\__max++>\^

Finished!

Thanks again.