frustratedibm

Posts
  1. I already did and it works now. Thanks for all your help. Much appreciated.
  2. Thanks! SecuRemote used to work, but after ComboFix showed an IP (which I use for it) as a possible problem it hasn't worked since. I try to start it and nothing.
  3. Hey Chris, here we go. Both reports are below. My system is running much better and has been for a while, but things like my SecuRemote client etc. stopped working after I ran ComboFix.

     Scanning Report
     Sunday, August 30, 2009 23:03:59 - 23:52:45
     Computer name: PSCSMITHPJ02
     Scanning type: Scan system for malware, spyware and rootkits
     Target: C:\
     --------------------------------------------------------------------------------
     14 malware found
     TrackingCookie.Questionmarket (spyware)
       System (Disinfected)
     TrackingCookie.2o7 (spyware)
       System (Disinfected)
     TrackingCookie.Advertising (spyware)
       System (Disinfected)
     TrackingCookie.Atdmt (spyware)
       System (Disinfected)
     TrackingCookie.Doubleclick (spyware)
       System (Disinfected)
     TrackingCookie.Revsci (spyware)
       System (Disinfected)
     TrackingCookie.Adrevolver (spyware)
       System (Disinfected)
     TrackingCookie.Adbrite (spyware)
       System (Disinfected)
     TrackingCookie.Mediaplex (spyware)
       System (Disinfected)
     TrackingCookie.Statcounter (spyware)
       System (Disinfected)
     TrackingCookie.Atwola (spyware)
       System (Disinfected)
     TrackingCookie.Yieldmanager (spyware)
       System (Disinfected)
     Trojan.Dropper.Kobcka.Gen.1 (virus)
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078005.DLL (Renamed & Submitted)
     Trojan.Generic.1901833 (virus)
       C:\DOCUMENTS AND SETTINGS\SMITHPJ\APPLICATION DATA\KINGSTON\SECURETRAVELER.EXE (Renamed & Submitted)
     --------------------------------------------------------------------------------
     Statistics
     Scanned:
       Files: 51905
       System: 3827
       Not scanned: 10
     Actions:
       Disinfected: 12
       Renamed: 2
       Deleted: 0
       Not cleaned: 0
       Submitted: 2
     Files not scanned:
       C:\PAGEFILE.SYS
       C:\WINDOWS\SYSTEM32\CONFIG\SAM
       C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
       C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
       C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
       C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
       C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\WINLOGON.EXE
       C:\PROGRAM FILES\CHECKPOINT\SECUREMOTE\BIN\SR_SERVICE.EXE
       C:\DOCUMENTS AND SETTINGS\SMITHPJ\MY DOCUMENTS\ROOTREPEAL.EXE
     --------------------------------------------------------------------------------
     Options
     Scanning engines:
     Scanning options:
       Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
       Use advanced heuristics
     --------------------------------------------------------------------------------
     Copyright
  4. Hey Chris, here goes. A lot of info coming. This is the first MBAM run.

     Malwarebytes' Anti-Malware 1.40
     Database version: 2708
     Windows 5.1.2600 Service Pack 2

     8/28/2009 10:21:55 AM
     mbam-log-2009-08-28 (10-21-55).txt

     Scan type: Quick Scan
     Objects scanned: 102207
     Time elapsed: 4 minute(s), 56 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 1
     Registry Values Infected: 0
     Registry Data Items Infected: 4
     Folders Infected: 3
     Files Infected: 11

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_CLASSES_ROOT\CLSID\{42bf5d80-4fe5-40f3-a360-88fcf562f8f7} (Adware.Deepdive) -> Quarantined and deleted successfully.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

     Folders Infected:
     C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
     C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\Log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
     C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\Settings (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.

     Files Infected:
     C:\cuopy.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     C:\dvrdiqbe.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\jybmkssu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\sndanmiw.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\rs.dat (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
     C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\Log\2009 Aug 25 - 02_29_43 PM_281.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
     C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\Log\2009 Aug 25 - 02_31_06 PM_484.log (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
     C:\Documents and Settings\SmithPJ\Application Data\MalwareRemovalBot\Settings\ScanResults.pie (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
     C:\WINDOWS\mark_32.dll (Adware.Deepdive) -> Quarantined and deleted successfully.
     C:\Program Files\Shared\lib.dll (Adware.Deepdive) -> Quarantined and deleted successfully.
     C:\Documents and Settings\SmithPJ\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

     Here is the second:

     Malwarebytes' Anti-Malware 1.40
     Database version: 2708
     Windows 5.1.2600 Service Pack 2

     8/28/2009 11:02:49 AM
     mbam-log-2009-08-28 (11-02-49).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 166064
     Time elapsed: 31 minute(s), 52 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 13

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\Qoobox\Quarantine\C\kvhwftjn.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\lcbckjms.exe.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\yihw.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
     C:\Qoobox\Quarantine\C\WINDOWS\system32\wisdstr.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078007.exe (Trojan.Banker) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078163.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078164.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078173.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078174.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078371.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078372.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078373.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{23F955F8-5109-4096-A13D-2E53DB37E2B1}\RP365\A0078374.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

     Here is the final one I ran yesterday to make sure I was clean.

     Malwarebytes' Anti-Malware 1.40
     Database version: 2708
     Windows 5.1.2600 Service Pack 2

     8/28/2009 7:01:39 PM
     mbam-log-2009-08-28 (19-01-39).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 174281
     Time elapsed: 33 minute(s), 25 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     Here is the last ComboFix log, and below that the last MBAM run.

     ComboFix 09-08-29.01 - SmithPJ 08/29/2009 21:03.2.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.571 [GMT -4:00]
     Running from: c:\documents and settings\SmithPJ\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\SmithPJ\Desktop\CFScript.txt
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     --------------- FCopy ---------------
     c:\windows\system32\eventlog.dll --> c:\windows\system32\dllcache\eventlog.dll
     .
     ((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
     .
     2009-08-30 01:03 . 2004-08-04 12:00 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
     2009-08-28 14:15 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2009-08-28 14:15 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-08-26 22:55 . 2009-08-26 22:55 -------- d-sh--we c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
     2009-08-25 21:52 . 2009-08-25 21:52 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
     2009-08-25 21:35 . 2009-08-28 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
     2009-08-25 19:31 . 2009-08-25 19:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
     2009-08-25 19:31 . 2009-08-25 19:31 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
     2009-08-25 18:46 . 2009-08-25 18:46 -------- d-sh--w- c:\documents and settings\SmithPJ\IECompatCache
     2009-08-20 14:48 . 2009-08-20 14:48 -------- d-sh--w- c:\documents and settings\SmithPJ\PrivacIE
     2009-08-20 14:35 . 2009-08-20 14:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
     2009-08-20 14:35 . 2009-08-20 14:35 -------- d-sh--w- c:\documents and settings\SmithPJ\IETldCache
     2009-08-20 14:16 . 2009-08-20 14:19 -------- dc-h--w- c:\windows\ie8
     2009-08-19 19:20 . 2009-08-28 14:21 -------- d-----w- c:\program files\Shared
     2009-08-06 22:06 . 2009-08-06 22:06 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\Malwarebytes
     2009-08-06 22:06 . 2009-08-06 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-08-06 21:22 . 2009-08-06 21:22 19466 ----a-w- c:\documents and settings\SmithPJ\Local Settings\Application Data\uhidabexa.dat
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-08-28 19:33 . 2007-10-03 17:52 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\.purple
     2009-08-26 23:30 . 2007-10-23 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
     2009-08-25 21:19 . 2006-09-05 13:52 -------- d-----w- c:\program files\Symantec
     2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
     2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\program files\Symantec AntiVirus
     2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
     2009-08-06 21:22 . 2009-08-06 21:22 13954 ----a-w- c:\documents and settings\All Users\Application Data\qyfiwoqoc.dat
     2009-08-06 20:48 . 2009-07-07 01:43 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\HPAppData
     2009-08-05 16:05 . 2009-07-09 19:43 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\Meeting Center
     2009-07-23 12:50 . 2009-07-23 12:49 -------- d-----w- c:\program files\iTunes
     2009-07-23 12:50 . 2009-07-23 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
     2009-07-23 12:49 . 2009-07-23 12:49 -------- d-----w- c:\program files\iPod
     2009-07-23 12:49 . 2008-11-04 05:08 -------- d-----w- c:\program files\Common Files\Apple
     2009-07-23 12:46 . 2009-07-23 12:46 -------- d-----w- c:\program files\QuickTime
     2009-07-23 12:44 . 2008-11-04 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
     2009-07-23 12:41 . 2009-07-23 12:41 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
     2009-07-16 12:30 . 2009-07-15 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
     2009-07-16 12:30 . 2009-07-15 12:49 -------- d-----w- c:\program files\NOS
     2009-07-09 19:43 . 2009-07-09 19:43 -------- d-----w- c:\program files\Meeting Center
     2009-07-09 16:16 . 2009-07-23 12:43 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
     2009-07-09 16:16 . 2008-11-04 05:09 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
     2009-07-08 01:18 . 2009-07-08 01:18 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\ieSpell
     2009-07-08 01:18 . 2009-07-08 01:18 -------- d-----w- c:\program files\ieSpell
     2009-07-07 02:04 . 2009-07-07 00:55 186633 ----a-w- c:\windows\hpwins23.dat
     2009-07-07 01:21 . 2007-12-11 16:13 394624 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
     2009-07-07 01:20 . 2009-07-07 01:20 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\HP
     2009-07-07 01:18 . 2009-07-07 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
     2009-07-07 01:13 . 2009-07-07 01:00 -------- d-----w- c:\program files\HP
     2009-07-07 01:13 . 2008-02-08 17:20 -------- d-----w- c:\program files\Hewlett-Packard
     2009-07-07 01:13 . 2009-07-07 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
     2009-07-07 01:12 . 2009-07-07 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
     2009-07-07 01:02 . 2009-07-07 01:02 -------- d-----w- c:\program files\Common Files\HP
     2004-08-04 12:00 . 2006-09-05 16:03 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-20 68856]
     "MeetingLauncher"="c:\program files\Meeting Center\Modules\Launcher\mcLauncher.exe" [2009-06-25 456000]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
     "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 136768]
     "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
     "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
     "configmsi"="rmdir" [X]
     "supportdir"="rmdir" [X]
     "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
     2006-06-19 07:06 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
     2004-12-16 23:33 24672 ----a-w- c:\windows\system32\ckpNotify.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
     2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
     2005-12-01 01:16 24576 ----a-w- c:\windows\system32\tphklock.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-34194\Scripts\Logon\0\0]
     "Script"=PerotLogon.bat

     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63435\Scripts\Logon\0\0]
     "Script"=PerotLogon.bat

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
     backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
     backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
     backup=c:\windows\pss\officejet 6100.lnkCommon Startup

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\marimba\\tuner\\lib\\jre\\bin\\java.exe"=
     "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"=
     "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
     "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
     "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
     "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
     "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
     "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "8888:TCP"= 8888:TCP:CMS
     "7717:TCP"= 7717:TCP:MARIMBA (TCP 7717)
     "7717:UDP"= 7717:UDP:MARIMBA (UDP 7717)
     "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
     "3389:UDP"= 3389:UDP:Remote Desktop (UDP)

     R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/5/2006 4:15 PM 85760]
     R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/5/2006 4:15 PM 4736]
     R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/7/2006 1:54 PM 4442]
     R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/28/2009 10:15 AM 232720]
     R2 RemoteClientManagementServiceProvider;Remote Client Management Service Provider;c:\program files\marimba\tuner\Tuner.exe [3/31/2006 3:54 PM 36953]
     R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [11/13/2007 3:07 PM 17456]
     R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [11/13/2007 3:07 PM 670128]
     R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [11/13/2007 3:07 PM 2041904]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/28/2009 10:15 AM 19096]
     S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [11/13/2007 3:07 PM 14924]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     HPService REG_MULTI_SZ HPSLPSVC
     hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
     "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
     .
     Contents of the 'Scheduled Tasks' folder

     2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

     2008-06-11 c:\windows\Tasks\PMTask.job
     - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-07 06:13]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com
     mStart Page = hxxp://www.google.com
     mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
     uInternet Connection Wizard,ShellNext = https://train.ps.net/
     uInternet Settings,ProxyServer = internet.ps.net:80
     uInternet Settings,ProxyOverride = *.ps.net;*.local
     uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
     IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
     IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
     IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
     Trusted Zone: marimba.com\www
     Trusted Zone: perotsystems.com
     Trusted Zone: ps.net
     Trusted Zone: ps.net\*.crm
     Trusted Zone: ps.net\crm
     Trusted Zone: ps.net\fusion
     Trusted Zone: ps.net\inizio2
     Trusted Zone: ps.net\projecttest
     Trusted Zone: ps.net\psctx1
     Trusted Zone: ps.net\ptcprint
     Trusted Zone: ps.net\train
     DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-08-29 21:08
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     c:\docume~1\SmithPJ\LOCALS~1\Temp\catchme.dll 53248 bytes executable

     scan completed successfully
     hidden files: 1
     **************************************************************************

     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\agp440]
     "ImagePath"="system32\DRIVERS\agp440.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\agpCPQ]
     "ImagePath"="system32\DRIVERS\agpCPQ.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aha154x]
     "ImagePath"="system32\DRIVERS\aha154x.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78u2]
     "ImagePath"="system32\DRIVERS\aic78u2.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aic78xx]
     "ImagePath"="system32\DRIVERS\aic78xx.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Alerter]
     "ServiceDll"="%SystemRoot%\system32\alrsvc.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ALG]
     "ImagePath"="%SystemRoot%\System32\alg.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AliIde]
     "ImagePath"="system32\DRIVERS\aliide.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\alim1541]
     "ImagePath"="system32\DRIVERS\alim1541.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amdagp]
     "ImagePath"="system32\DRIVERS\amdagp.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\amsint]
     "ImagePath"="system32\DRIVERS\amsint.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Apple Mobile Device]
     "ImagePath"="\"c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe\""
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AppMgmt]
     "ServiceDll"="%SystemRoot%\System32\appmgmts.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc]
     "ImagePath"="system32\DRIVERS\asc.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3350p]
     "ImagePath"="system32\DRIVERS\asc3350p.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\asc3550]
     "ImagePath"="system32\DRIVERS\asc3550.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_1.1.4322]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ASP.NET_2.0.50727]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Aspi32]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aspnet_state]
     "ImagePath"="%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AsyncMac]
     "ImagePath"="system32\DRIVERS\asyncmac.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atapi]
     "ImagePath"="system32\DRIVERS\atapi.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atdisk]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ati HotKey Poller]
     "ImagePath"="%SystemRoot%\system32\Ati2evxx.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ati2mtag]
     "ImagePath"="system32\DRIVERS\ati2mtag.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atierecord]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Atmarpc]
     "ImagePath"="system32\DRIVERS\atmarpc.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\atmeltpm]
     "ImagePath"="system32\DRIVERS\atmeltpm.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AudioSrv]
     "ServiceDll"="%SystemRoot%\System32\audiosrv.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\audstub]
     "ImagePath"="system32\DRIVERS\audstub.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BattC]
     "MofImagePath"="System32\Drivers\battc.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Beep]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BITS]
     "ServiceDll"="%systemroot%\system32\qmgr.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Bonjour Service]
     "ImagePath"="\"c:\program files\Bonjour\mDNSResponder.exe\""
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Browser]
     "ServiceDll"="%SystemRoot%\System32\browser.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\catchme]
     "ImagePath"="\??\c:\docume~1\SmithPJ\LOCALS~1\Temp\catchme.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf]
     "ImagePath"="system32\DRIVERS\cbidf2k.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cbidf2k]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CCDECODE]
     "ImagePath"="system32\DRIVERS\CCDECODE.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cd20xrnt]
     "ImagePath"="system32\DRIVERS\cd20xrnt.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdaudio]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdfs]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cdrom]
     "ImagePath"="system32\DRIVERS\cdrom.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Changer]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CiSvc]
     "ImagePath"="%SystemRoot%\system32\cisvc.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ClipSrv]
     "ImagePath"="%SystemRoot%\system32\clipsrv.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\clr_optimization_v2.0.50727_32]
     "ImagePath"="c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmBatt]
     "ImagePath"="system32\DRIVERS\CmBatt.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CmdIde]
     "ImagePath"="system32\DRIVERS\cmdide.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Compbatt]
     "ImagePath"="system32\DRIVERS\compbatt.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\COMSysApp]
     "ImagePath"="c:\windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentFilter]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ContentIndex]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cpqarray]
     "ImagePath"="system32\DRIVERS\cpqarray.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\CryptSvc]
     "ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac2w2k]
     "ImagePath"="system32\DRIVERS\dac2w2k.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dac960nt]
     "ImagePath"="system32\DRIVERS\dac960nt.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DCamUSBEMPIA]
     "ImagePath"="system32\DRIVERS\emDevice.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DcomLaunch]
     "ServiceDll"="%SystemRoot%\system32\rpcss.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
     "ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Disk]
     "ImagePath"="system32\DRIVERS\disk.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]
     "ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmboot]
     "ImagePath"="System32\drivers\dmboot.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmio]
     "ImagePath"="System32\drivers\dmio.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmload]
     "ImagePath"="System32\drivers\dmload.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmserver]
     "ServiceDll"="%SystemRoot%\System32\dmserver.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DMusic]
     "ImagePath"="system32\drivers\DMusic.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dnscache]
     "ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dpti2o]
     "ImagePath"="system32\DRIVERS\dpti2o.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\drmkaud]
     "ImagePath"="system32\drivers\drmkaud.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\e1express]
     "ImagePath"="system32\DRIVERS\e1e5132.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ERSvc]
     "ServiceDll"="%SystemRoot%\System32\ersvc.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Eventlog]
     "ImagePath"="%SystemRoot%\system32\services.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EventSystem]
     "ServiceDll"="c:\windows\system32\es.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EvtEng]
     "ImagePath"="c:\program files\Intel\Wireless\Bin\EvtEng.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FastUserSwitchingCompatibility]
     "ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FiltUSBEMPIA]
     "ImagePath"="system32\DRIVERS\emFilter.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fips]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FltMgr]
     "ImagePath"="system32\DRIVERS\fltMgr.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FontCache3.0.0.0]
     "ImagePath"="c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fs_Rec]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ftdisk]
     "ImagePath"="system32\DRIVERS\ftdisk.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FW1]
     "ImagePath"="system32\DRIVERS\fw.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GEARAspiWDM]
     "ImagePath"="system32\DRIVERS\GEARAspiWDM.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Gpc]
     "ImagePath"="system32\DRIVERS\msgpc.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gusvc]
     "ImagePath"="\"c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe\""
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HDAudBus]
     "ImagePath"="system32\DRIVERS\HDAudBus.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\helpsvc]
     "ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidServ]
     "ServiceDll"="%SystemRoot%\System32\hidserv.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HidUsb]
     "ImagePath"="system32\DRIVERS\hidusb.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpn]
     "ImagePath"="system32\DRIVERS\hpn.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqcxs08]
     "ServiceDll"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqddsvc]
     "ServiceDll"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPSLPSVC]
     "ServiceDll"="c:\program files\Hewlett-Packard\Digital Imaging\bin\HPSLPSVC32.DLL"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZid412]
     "ImagePath"="system32\DRIVERS\HPZid412.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZipr12]
     "ImagePath"="system32\DRIVERS\HPZipr12.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HPZius12]
     "ImagePath"="system32\DRIVERS\HPZius12.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSF_DPV]
     "ImagePath"="system32\DRIVERS\hsx_dpv.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HSXHWAZL]
     "ImagePath"="system32\DRIVERS\hsxhwazl.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTP]
     "ImagePath"="System32\Drivers\HTTP.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\HTTPFilter]
     "ServiceDll"="%SystemRoot%\System32\w3ssl.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omgmt]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i2omp]
     "ImagePath"="system32\DRIVERS\i2omp.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\i8042prt]
     "ImagePath"="system32\DRIVERS\i8042prt.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IBMPMDRV]
     "ImagePath"="system32\DRIVERS\ibmpmdrv.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IBMPMSVC]
     "ImagePath"="%SystemRoot%\system32\ibmpmsvc.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IDriverT]
     "ImagePath"="\"c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe\""
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\idsvc]
     "ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe\""
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Imapi]
     "ImagePath"="system32\DRIVERS\imapi.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ImapiService]
     "ImagePath"="%systemroot%\system32\imapi.exe"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\inetaccs]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ini910u]
     "ImagePath"="system32\DRIVERS\ini910u.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Inport]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IntelIde]
     "ImagePath"="system32\DRIVERS\intelide.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\intelppm]
     "ImagePath"="system32\DRIVERS\intelppm.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ip6Fw]
     "ImagePath"="system32\DRIVERS\Ip6Fw.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpFilterDriver]
     "ImagePath"="system32\DRIVERS\ipfltdrv.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpInIp]
     "ImagePath"="system32\DRIVERS\ipinip.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IpNat]
     "ImagePath"="system32\DRIVERS\ipnat.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iPod Service]
     "ImagePath"="\"c:\program files\iPod\bin\iPodService.exe\""
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSec]
     "ImagePath"="system32\DRIVERS\ipsec.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IPSSVC]
     "ImagePath"="%SystemRoot%\system32\IPSSVC.EXE"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\irda]
     "ImagePath"="system32\DRIVERS\irda.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\IRENUM]
     "ImagePath"="system32\DRIVERS\irenum.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Irmon]
     "ServiceDll"="%SystemRoot%\System32\irmon.dll"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ISAPISearch]
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\isapnp]
     "ImagePath"="system32\DRIVERS\isapnp.sys"
     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Kbdclass]
     "ImagePath"="system32\DRIVERS\kbdclass.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kmixer] "ImagePath"="system32\drivers\kmixer.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KSecDD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver] "ServiceDll"="%SystemRoot%\System32\srvsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanworkstation] "ServiceDll"="%SystemRoot%\System32\wkssvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lbrtfdc] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ldap] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LicenseService] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LmHosts] "ServiceDll"="%SystemRoot%\System32\lmhsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVcKap] "ImagePath"="system32\DRIVERS\LVcKap.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVMVDrv] "ImagePath"="system32\DRIVERS\LVMVDrv.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVPr2Mon] "ImagePath"="system32\drivers\LVPr2Mon.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVPrcSrv] "ImagePath"="c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVSrvLauncher] "ImagePath"="c:\program files\Common Files\Logitech\SrvLnch\SrvLnch.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\LVUSBSta] "ImagePath"="system32\DRIVERS\LVUSBSta.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MaxBackServiceInt] "ImagePath"="\"c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MBAMProtector] "ImagePath"="\??\c:\windows\system32\drivers\mbam.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MBAMService] "ImagePath"="\"c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\McAfeeFramework] "ImagePath"="\"c:\program files\McAfee\Common Framework\FrameworkService.exe\" /ServiceStart" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MDM] 
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mdmxsdk] "ImagePath"="system32\DRIVERS\mdmxsdk.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Messenger] "ServiceDll"="%SystemRoot%\System32\msgsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmdd] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mnmsrvc] "ImagePath"="c:\windows\system32\mnmsrvc.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Modem] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mouclass] "ImagePath"="system32\DRIVERS\mouclass.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mouhid] "ImagePath"="system32\DRIVERS\mouhid.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MountMgr] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mraid35x] "ImagePath"="system32\DRIVERS\mraid35x.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxDAV] "ImagePath"="system32\DRIVERS\mrxdav.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MRxSmb] "ImagePath"="system32\DRIVERS\mrxsmb.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC] "ImagePath"="c:\windows\system32\msdtc.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSDTC Bridge 3.0.0.0] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Msfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSIServer] "ImagePath"="%systemroot%\system32\msiexec.exe /V" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSKSSRV] "ImagePath"="system32\drivers\MSKSSRV.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPCLOCK] "ImagePath"="system32\drivers\MSPCLOCK.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSPQM] "ImagePath"="system32\drivers\MSPQM.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mssmbios] "ImagePath"="system32\DRIVERS\mssmbios.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MSTEE] "ImagePath"="system32\drivers\MSTEE.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Mup] 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MXOPSWD] "ImagePath"="system32\DRIVERS\mxopswd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NABTSFEC] "ImagePath"="system32\DRIVERS\NABTSFEC.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDIS] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisIP] "ImagePath"="system32\DRIVERS\NdisIP.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisTapi] "ImagePath"="system32\DRIVERS\ndistapi.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ndisuio] "ImagePath"="system32\DRIVERS\ndisuio.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NdisWan] "ImagePath"="system32\DRIVERS\ndiswan.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NDProxy] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Net Driver HPZ12] "ServiceDll"="c:\windows\system32\HPZinw12.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBIOS] "ImagePath"="system32\DRIVERS\netbios.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT] "ImagePath"="system32\DRIVERS\netbt.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDE] "ImagePath"="%SystemRoot%\system32\netdde.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetDDEdsdm] "ImagePath"="%SystemRoot%\system32\netdde.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netlogon] "ImagePath"="%SystemRoot%\system32\lsass.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Netman] "ServiceDll"="%SystemRoot%\System32\netman.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetTcpPortSharing] "ImagePath"="\"c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NETw4x32] "ImagePath"="system32\DRIVERS\NETw4x32.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Nla] "ServiceDll"="%SystemRoot%\System32\mswsock.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Npfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSCIRDA] 
"ImagePath"="system32\DRIVERS\nscirda.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ntfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtLmSsp] "ImagePath"="%SystemRoot%\system32\lsass.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc] "ServiceDll"="%SystemRoot%\system32\ntmssvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Null] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFlt] "ImagePath"="system32\DRIVERS\nwlnkflt.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NwlnkFwd] "ImagePath"="system32\DRIVERS\nwlnkfwd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OMVA] "ImagePath"="system32\DRIVERS\OMVA.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ose] "ImagePath"="\"c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Outlook] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Parport] "ImagePath"="system32\DRIVERS\parport.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PartMgr] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ParVdm] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCI] "ImagePath"="system32\DRIVERS\pci.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIDump] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCIIde] "ImagePath"="system32\DRIVERS\pciide.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pcmcia] "ImagePath"="system32\DRIVERS\pcmcia.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDCOMP] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDFRAME] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRELI] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PDRFRAME] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2] "ImagePath"="system32\DRIVERS\perc2.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\perc2hib] "ImagePath"="system32\DRIVERS\perc2hib.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfDisk] 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfNet] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfOS] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PerfProc] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PID_0928] "ImagePath"="system32\DRIVERS\LV561AV.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PlugPlay] "ImagePath"="%SystemRoot%\system32\services.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pmem] "ImagePath"="\??\c:\windows\System32\drivers\pmemnt.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Pml Driver HPZ12] "ServiceDll"="c:\windows\system32\HPZipm12.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PolicyAgent] "ImagePath"="%SystemRoot%\system32\lsass.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PptpMiniport] "ImagePath"="system32\DRIVERS\raspptp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PROCDD] "ImagePath"="system32\DRIVERS\PROCDD.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ProtectedStorage] "ImagePath"="%SystemRoot%\system32\lsass.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\psadd] "ImagePath"="\??\c:\windows\system32\Drivers\psadd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsaSrv] "ImagePath"="c:\windows\system32\PsaSrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSched] "ImagePath"="system32\DRIVERS\psched.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ptilink] "ImagePath"="system32\DRIVERS\ptilink.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PxHelp20] "ImagePath"="System32\Drivers\PxHelp20.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1080] "ImagePath"="system32\DRIVERS\ql1080.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Ql10wnt] "ImagePath"="system32\DRIVERS\ql10wnt.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql12160] "ImagePath"="system32\DRIVERS\ql12160.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1240] "ImagePath"="system32\DRIVERS\ql1240.sys" 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ql1280] "ImagePath"="system32\DRIVERS\ql1280.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAcd] "ImagePath"="system32\DRIVERS\rasacd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasAuto] "ServiceDll"="%SystemRoot%\System32\rasauto.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasirda] "ImagePath"="system32\DRIVERS\rasirda.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rasl2tp] "ImagePath"="system32\DRIVERS\rasl2tp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasMan] "ServiceDll"="%SystemRoot%\System32\rasmans.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RasPppoe] "ImagePath"="system32\DRIVERS\raspppoe.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Raspti] "ImagePath"="system32\DRIVERS\raspti.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Rdbss] "ImagePath"="system32\DRIVERS\rdbss.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPCDD] "ImagePath"="System32\DRIVERS\RDPCDD.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPDD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rdpdr] "ImagePath"="system32\DRIVERS\rdpdr.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPNP] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDPWD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RDSessMgr] "ImagePath"="c:\windows\system32\sessmgr.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\redbook] "ImagePath"="system32\DRIVERS\redbook.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RegSrvc] "ImagePath"="c:\program files\Intel\Wireless\Bin\RegSrvc.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteAccess] "ServiceDll"="%SystemRoot%\System32\mprdim.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteClientManagementServiceProvider] "ImagePath"="c:\program files\marimba\tuner\Tuner.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RemoteRegistry] "ServiceDll"="%SystemRoot%\system32\regsvc.dll" 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RimSerPort] "ImagePath"="system32\DRIVERS\RimSerial.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RimUsb] "ImagePath"="System32\Drivers\RimUsb.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ROOTMODEM] "ImagePath"="System32\Drivers\RootMdm.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcLocator] "ImagePath"="%SystemRoot%\system32\locator.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RpcSs] "ServiceDll"="%SystemRoot%\System32\rpcss.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\RSVP] "ImagePath"="%SystemRoot%\system32\rsvp.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\S24EventMonitor] "ImagePath"="c:\program files\Intel\Wireless\Bin\S24EvMon.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\s24trans] "ImagePath"="system32\DRIVERS\s24trans.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SamSs] "ImagePath"="%SystemRoot%\system32\lsass.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ScanUSBEMPIA] "ImagePath"="system32\DRIVERS\emScan.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Scap] "ImagePath"="System32\DRIVERS\Scap.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SCardSvr] "ImagePath"="%SystemRoot%\System32\SCardSvr.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Schedule] "ServiceDll"="%SystemRoot%\system32\schedsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Secdrv] "ImagePath"="system32\DRIVERS\secdrv.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seclogon] "ServiceDll"="%SystemRoot%\System32\seclogon.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SENS] "ServiceDll"="%SystemRoot%\system32\sens.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serenum] "ImagePath"="system32\DRIVERS\serenum.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Serial] "ImagePath"="system32\DRIVERS\serial.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0] 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelOperation 3.0.0.0] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ServiceModelService 3.0.0.0] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sfloppy] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess] "ServiceDll"="%SystemRoot%\System32\ipnathlp.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShellHWDetection] "ServiceDll"="%SystemRoot%\System32\shsvcs.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ShockMgr] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Shockprf] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Simbad] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sisagp] "ImagePath"="system32\DRIVERS\sisagp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SLIP] "ImagePath"="system32\DRIVERS\SLIP.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Smapint] "ImagePath"="System32\drivers\Smapint.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SMSvcHost 3.0.0.0] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sparrow] "ImagePath"="system32\DRIVERS\sparrow.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\splitter] "ImagePath"="system32\drivers\splitter.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Spooler] "ImagePath"="%SystemRoot%\system32\spoolsv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sr] "ImagePath"="system32\DRIVERS\sr.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservice] "ServiceDll"="%SystemRoot%\system32\srsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Srv] "ImagePath"="system32\DRIVERS\srv.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SR_Service] "ImagePath"="\"c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SR_WatchDog] "ImagePath"="\"c:\program files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SSDPSRV] "ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll" 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\StillCam] "ImagePath"="system32\DRIVERS\serscan.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\stisvc] "ServiceDll"="%SystemRoot%\system32\wiaservc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\streamip] "ImagePath"="system32\DRIVERS\StreamIP.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SUService] "ImagePath"="c:\program files\lenovo\system update\suservice.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swenum] "ImagePath"="system32\DRIVERS\swenum.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\swmidi] "ImagePath"="system32\drivers\swmidi.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SwPrv] "ImagePath"="c:\windows\system32\dllhost.exe /Processid:{1FE22711-C519-4C0B-B736-644201A8A239}" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc810] "ImagePath"="system32\DRIVERS\symc810.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\symc8xx] "ImagePath"="system32\DRIVERS\symc8xx.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_hi] "ImagePath"="system32\DRIVERS\sym_hi.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sym_u3] "ImagePath"="system32\DRIVERS\sym_u3.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SynTP] "ImagePath"="system32\DRIVERS\SynTP.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\sysaudio] "ImagePath"="system32\drivers\sysaudio.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SysmonLog] "ImagePath"="%SystemRoot%\system32\smlogsvc.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TapiSrv] "ServiceDll"="%SystemRoot%\System32\tapisrv.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip] "ImagePath"="system32\DRIVERS\tcpip.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDPIPE] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSMAPI] "ImagePath"="System32\drivers\TDSMAPI.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDTCP] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermDD] 
"ImagePath"="system32\DRIVERS\termdd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TermService] "ServiceDll"="%SystemRoot%\System32\termsrv.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Themes] "ServiceDll"="%SystemRoot%\System32\shsvcs.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TlntSvr] "ImagePath"="c:\windows\system32\tlntsvr.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TosIde] "ImagePath"="system32\DRIVERS\toside.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TPHDEXLGSVC] "ImagePath"="System32\TPHDEXLG.EXE" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TPHKDRV] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TPPWRIF] "ImagePath"="System32\drivers\Tppwrif.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TrkWks] "ServiceDll"="%SystemRoot%\system32\trkwks.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSDDD] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TSMAPIP] "ImagePath"="System32\drivers\TSMAPIP.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TVT Scheduler] "ImagePath"="\"c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Udfs] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ultra] "ImagePath"="system32\DRIVERS\ultra.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update] "ImagePath"="system32\DRIVERS\update.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\upnphost] "ServiceDll"="%SystemRoot%\System32\upnphost.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UPS] "ImagePath"="%SystemRoot%\System32\ups.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBAAPL] "ImagePath"="System32\Drivers\usbaapl.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbccgp] "ImagePath"="system32\DRIVERS\usbccgp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbehci] "ImagePath"="system32\DRIVERS\usbehci.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbhub] 
"ImagePath"="system32\DRIVERS\usbhub.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbprint] "ImagePath"="system32\DRIVERS\usbprint.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbscan] "ImagePath"="system32\DRIVERS\usbscan.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\USBSTOR] "ImagePath"="system32\DRIVERS\USBSTOR.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usbuhci] "ImagePath"="system32\DRIVERS\usbuhci.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\usb_rndisx] "ImagePath"="system32\DRIVERS\usb8023x.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VgaSave] "ImagePath"="\SystemRoot\System32\drivers\vga.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\viaagp] "ImagePath"="system32\DRIVERS\viaagp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ViaIde] "ImagePath"="system32\DRIVERS\viaide.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VolSnap] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VPN-1] "ImagePath"="\SystemRoot\System32\drivers\vpn.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\VSS] "ImagePath"="%SystemRoot%\System32\vssvc.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W32Time] "ServiceDll"="%systemroot%\system32\w32time.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\w39n51] "ImagePath"="system32\DRIVERS\w39n51.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\W3SVC] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wanarp] "ImagePath"="system32\DRIVERS\wanarp.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WDICA] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wdmaud] "ImagePath"="system32\drivers\wdmaud.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WebClient] "ServiceDll"="%SystemRoot%\System32\webclnt.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winachsf] "ImagePath"="system32\DRIVERS\hsx_cnxt.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0] 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\winmgmt] "ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Winsock] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinSock2] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinTrust] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmdmPmSN] "ServiceDll"="c:\windows\system32\MsPMSNSv.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Wmi] "ServiceDll"="%SystemRoot%\System32\advapi32.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApRpl] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WmiApSrv] "ImagePath"="c:\windows\system32\wbem\wmiapsrv.exe" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WMPNetworkSvc] "ImagePath"="\"c:\program files\Windows Media Player\WMPNetwk.exe\"" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WS2IFSL] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wscsvc] "ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WSTCODEC] "ImagePath"="system32\DRIVERS\WSTCODEC.SYS" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv] "ServiceDll"="c:\windows\system32\wuauserv.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfPf] "ImagePath"="system32\DRIVERS\WudfPf.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfRd] "ImagePath"="system32\DRIVERS\wudfrd.sys" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WudfSvc] "ServiceDll"="%SystemRoot%\System32\WUDFSvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WZCSVC] "ServiceDll"="%SystemRoot%\System32\wzcsvc.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xmlprov] "ServiceDll"="%SystemRoot%\System32\xmlprov.dll" [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{1AA7D35E-4BB4-4512-AC76-986264985BF9}] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B9009E6F-811D-45AC-B33A-CB8D0E8A2E4E}] [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{D7888C3B-175F-4952-9FA8-3F14B459892C}] 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{E2B1D01B-52B8-4BDA-AAEB-FF89FCA2161D}]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{EEDACB50-F432-4F56-9A69-E9886FD41B7D}]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
c:\windows\system32\notifyf2.dll

- - - - - - - > 'explorer.exe'(1700)
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-30 21:10
ComboFix-quarantined-files.txt 2009-08-30 01:10
ComboFix2.txt 2009-08-28 01:43

Pre-Run: 53,543,481,344 bytes free
Post-Run: 53,701,079,040 bytes free

898 --- E O F --- 2009-01-09 14:16

MBAM

Malwarebytes' Anti-Malware 1.40
Database version: 2714
Windows 5.1.2600 Service Pack 2

8/29/2009 9:22:51 PM
mbam-log-2009-08-29 (21-22-51).txt

Scan type: Quick Scan
Objects scanned: 102685
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again for all your help
Pete
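The "Reg Loading Points" part of the ComboFix log above is a flat dump of every service's ImagePath or ServiceDll, which is exactly the list a responder reads by hand for persistence. The script below is an added example (it is not part of the original post and not ComboFix's own code) that parses lines in that layout and applies three checks: an ImagePath that is unquoted yet contains spaces (the classic unquoted-service-path precondition; whether it is exploitable also depends on a writable intermediate directory, which a log cannot show, so it is flagged for follow-up only), a binary outside the Windows and Program Files trees, and an svchost-hosted ServiceDll outside the Windows directory. Assumptions: the host's %SystemRoot% is c:\windows, which is what the log's own expanded paths show; the sample input is constructed in the log's format from entries that appear above, plus one hypothetical service named ExampleSvc placed under a user profile.

```python
import re

# Constructed sample in the layout ComboFix prints under "Reg Loading Points":
# a [HKLM\...\Services\<name>] key line, optionally followed by the service's
# ImagePath or ServiceDll value. The entries mirror lines from the log above;
# "ExampleSvc" is hypothetical, added to show a binary under a user profile.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EvtEng]
"ImagePath"="c:\program files\Intel\Wireless\Bin\EvtEng.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gusvc]
"ImagePath"="\"c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe\""
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hpqcxs08]
"ServiceDll"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MBAMProtector]
"ImagePath"="\??\c:\windows\system32\drivers\mbam.sys"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fastfat]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ExampleSvc]
"ImagePath"="c:\documents and settings\SmithPJ\Local Settings\Application Data\example.exe"
'''

KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$', re.I)
VAL_RE = re.compile(r'^"(ImagePath|ServiceDll)"="(.*)"$', re.I)

WINDIR = 'c:\\windows'                       # assumption: %SystemRoot% of the scanned host
TRUSTED_ROOTS = (WINDIR + '\\', 'c:\\program files\\')
BIN_EXT = ('.exe', '.sys', '.dll')


def parse_loading_points(text):
    """Return (service, value_name, raw_value) for every key that carries a path."""
    entries, service = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            service = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and service is not None:
            # ComboFix escapes embedded quotes as \" ; undo that before parsing.
            entries.append((service, m.group(1), m.group(2).replace('\\"', '"')))
    return entries


def split_command(raw):
    """Return (binary_path, was_quoted), dropping arguments such as '/com'."""
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return (raw[1:end] if end > 0 else raw[1:]), True
    tokens = raw.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(BIN_EXT):       # first token ending in .exe/.sys/.dll closes the path
            return ' '.join(tokens[:i + 1]), False
    return raw, False


def normalize(path):
    """Map the registry spelling of a path to a lower-case absolute path."""
    p = path.strip()
    if p.startswith('\\??\\'):                   # NT object-namespace prefix, e.g. \??\c:\...
        p = p[4:]
    p = re.sub(r'%(systemroot|windir)%', lambda _: WINDIR, p, flags=re.I)
    if p.lower().startswith('\\systemroot\\'):
        p = WINDIR + p[len('\\systemroot'):]
    if not re.match(r'^[a-z]:\\', p, re.I):      # relative entries like system32\DRIVERS\x.sys
        p = WINDIR + '\\' + p
    return p.lower()


def triage(entries):
    """Return (service, check) pairs that deserve a manual look."""
    findings = []
    for service, name, raw in entries:
        path, quoted = split_command(raw)
        norm = normalize(path)
        # Only ImagePath goes through CreateProcess; ServiceDll is loaded by svchost.
        if name.lower() == 'imagepath' and not quoted and ' ' in norm:
            findings.append((service, 'unquoted-path-with-spaces'))
        if not norm.startswith(TRUSTED_ROOTS):
            findings.append((service, 'outside-trusted-roots'))
        if name.lower() == 'servicedll' and not norm.startswith(WINDIR + '\\'):
            findings.append((service, 'servicedll-outside-windows'))
    return findings


if __name__ == '__main__':
    for service, check in triage(parse_loading_points(SAMPLE)):
        print(f'{check:28} {service}')
```

On the sample this reports EvtEng (unquoted, spaces), hpqcxs08 (third-party DLL hosted by svchost) and ExampleSvc (unquoted and under a user profile); gusvc passes because its path is quoted, and the `\??\` and `%SystemRoot%` forms resolve to the Windows tree. Run it against the real log by reading the file into `SAMPLE`; anything it flags is a lead to verify on the host, not a verdict.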
  5. Ok here's the latest. I downloaded MBAM again and ran it in quick scan.. It found a bunch of crap and I removed it.. then I ran a full scan and again it found some and removed it. Looks like the pc is better now - What's next.. do I need to do something with Combofix..? Thanks
6. Right after I posted combofix updated and ran.. here is the log.

ComboFix 09-08-27.02 - SmithPJ 08/27/2009 21:32.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.609 [GMT -4:00]
Running from: c:\documents and settings\SmithPJ\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\djos.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\tynevur._sy
c:\documents and settings\All Users\Documents\duqysojepy.bat
c:\documents and settings\All Users\Documents\tadame.dll
c:\documents and settings\SmithPJ\Cookies\rijurikeqo.bat
c:\documents and settings\SmithPJ\Local Settings\Application Data\ojyceni.vbs
c:\documents and settings\SmithPJ\Local Settings\Application Data\rylokov.exe
c:\documents and settings\SmithPJ\Local Settings\Application Data\ysyfa.exe
C:\kvhwftjn.exe
C:\lcbckjms.exe
c:\program files\Common Files\faheqafi.sys
c:\program files\Common Files\isoh.reg
c:\recycler\S-1-5-21-1409082233-2052111302-725345543-500
C:\sdlb.exe
c:\windows\Installer\WMEncoder.msi
c:\windows\jyrigi.pif
c:\windows\rerenili.dl
c:\windows\system32\~.exe
c:\windows\system32\braviax.exe
c:\windows\system32\runog.sys
c:\windows\system32\wisdstr.exe
C:\yihw.exe

----- BITS: Possible infected sites -----

hxxp://155.16.59.74
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-26 22:59 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-26 22:59 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-26 22:55 . 2009-08-26 22:55 -------- d-sh--we c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
2009-08-25 21:52 . 2009-08-25 21:52 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-08-25 21:35 . 2009-08-26 22:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-25 19:31 . 2009-08-25 19:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder
2009-08-25 19:31 . 2009-08-25 19:31 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-25 18:46 . 2009-08-25 18:46 -------- d-sh--w- c:\documents and settings\SmithPJ\IECompatCache
2009-08-25 18:29 . 2009-08-25 18:31 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\MalwareRemovalBot
2009-08-25 18:11 . 2009-08-25 18:11 45056 -c--a-w- C:\dvrdiqbe.exe
2009-08-25 18:11 . 2009-08-25 18:11 705 -c--a-w- C:\cuopy.exe
2009-08-25 18:11 . 2009-08-25 18:11 26112 -c--a-w- C:\sndanmiw.exe
2009-08-25 18:11 . 2009-08-25 18:11 198150 -c--a-w- C:\jybmkssu.exe
2009-08-20 14:48 . 2009-08-20 14:48 -------- d-sh--w- c:\documents and settings\SmithPJ\PrivacIE
2009-08-20 14:35 . 2009-08-20 14:35 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-20 14:35 . 2009-08-20 14:35 -------- d-sh--w- c:\documents and settings\SmithPJ\IETldCache
2009-08-20 14:16 . 2009-08-20 14:19 -------- dc-h--w- c:\windows\ie8
2009-08-19 19:20 . 2009-08-19 20:36 -------- d-----w- c:\program files\Shared
2009-08-06 22:06 . 2009-08-06 22:06 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\Malwarebytes
2009-08-06 22:06 . 2009-08-06 22:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-06 21:22 . 2009-08-06 21:22 19466 ----a-w- c:\documents and settings\SmithPJ\Local Settings\Application Data\uhidabexa.dat
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-08-26 23:30 . 2007-10-23 20:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-25 21:19 . 2006-09-05 13:52 -------- d-----w- c:\program files\Symantec
2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-25 21:19 . 2006-09-05 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-24 18:29 . 2007-10-03 17:52 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\.purple
2009-08-06 21:22 . 2009-08-06 21:22 13954 ----a-w- c:\documents and settings\All Users\Application Data\qyfiwoqoc.dat
2009-08-06 20:48 . 2009-07-07 01:43 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\HPAppData
2009-08-05 16:05 . 2009-07-09 19:43 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\Meeting Center
2009-07-23 12:50 . 2009-07-23 12:49 -------- d-----w- c:\program files\iTunes
2009-07-23 12:50 . 2009-07-23 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-23 12:49 . 2009-07-23 12:49 -------- d-----w- c:\program files\iPod
2009-07-23 12:49 . 2008-11-04 05:08 -------- d-----w- c:\program files\Common Files\Apple
2009-07-23 12:46 . 2009-07-23 12:46 -------- d-----w- c:\program files\QuickTime
2009-07-23 12:44 . 2008-11-04 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-23 12:41 . 2009-07-23 12:41 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-16 12:30 . 2009-07-15 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-16 12:30 . 2009-07-15 12:49 -------- d-----w- c:\program files\NOS
2009-07-09 19:43 . 2009-07-09 19:43 -------- d-----w- c:\program files\Meeting Center
2009-07-09 16:16 . 2009-07-23 12:43 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-07-09 16:16 . 2008-11-04 05:09 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-07-08 01:18 . 2009-07-08 01:18 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\ieSpell
2009-07-08 01:18 . 2009-07-08 01:18 -------- d-----w- c:\program files\ieSpell
2009-07-07 02:04 . 2009-07-07 00:55 186633 ----a-w- c:\windows\hpwins23.dat
2009-07-07 01:21 . 2007-12-11 16:13 394624 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-07 01:20 . 2009-07-07 01:20 -------- d-----w- c:\documents and settings\SmithPJ\Application Data\HP
2009-07-07 01:18 . 2009-07-07 01:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-07-07 01:13 . 2009-07-07 01:00 -------- d-----w- c:\program files\HP
2009-07-07 01:13 . 2008-02-08 17:20 -------- d-----w- c:\program files\Hewlett-Packard
2009-07-07 01:13 . 2009-07-07 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-07-07 01:12 . 2009-07-07 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-07-07 01:02 . 2009-07-07 01:02 -------- d-----w- c:\program files\Common Files\HP
2004-08-04 12:00 . 2006-09-05 16:03 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-20 68856] "MeetingLauncher"="c:\program files\Meeting Center\Modules\Launcher\mcLauncher.exe" [2009-06-25 456000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472] "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-03-27 136768] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "configmsi"="rmdir" [X] "supportdir"="rmdir" [X] "TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify] 2006-06-19 07:06 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify] 2004-12-16 23:33 24672 ----a-w- c:\windows\system32\ckpNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2] 2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows 
nt\currentversion\winlogon\notify\tphotkey] 2005-12-01 01:16 24576 ----a-w- c:\windows\system32\tphklock.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-34194\Scripts\Logon\0\0] "Script"=PerotLogon.bat [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2373621041-469255773-220526481-63435\Scripts\Logon\0\0] "Script"=PerotLogon.bat [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk backup=c:\windows\pss\officejet 6100.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\marimba\\tuner\\lib\\jre\\bin\\java.exe"= "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SERVICE.EXE"= "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"= "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"= "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"= "c:\\Program 
Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"= "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "8888:TCP"= 8888:TCP:CMS "7717:TCP"= 7717:TCP:MARIMBA (TCP 7717) "7717:UDP"= 7717:UDP:MARIMBA (UDP 7717) "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "3389:UDP"= 3389:UDP:Remote Desktop (UDP) R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [9/5/2006 4:15 PM 85760] R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [9/5/2006 4:15 PM 4736] R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [9/7/2006 1:54 PM 4442] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/26/2009 6:59 PM 232720] R2 RemoteClientManagementServiceProvider;Remote Client Management Service Provider;c:\program files\marimba\tuner\Tuner.exe [3/31/2006 3:54 PM 36953] R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [11/13/2007 3:07 PM 17456] R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [11/13/2007 3:07 PM 670128] R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [11/13/2007 3:07 PM 2041904] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/26/2009 6:59 PM 19096] S3 OMVA;VPN-1 
SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [11/13/2007 3:07 PM 14924] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34] 2008-06-11 c:\windows\Tasks\PMTask.job - c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-09-07 06:13] . - - - - ORPHANS REMOVED - - - - WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file) HKCU-Run-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE Notify-NavLogon - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com mStart Page = hxxp://www.google.com mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = https://train.ps.net/ uInternet Settings,ProxyServer = internet.ps.net:80 uInternet Settings,ProxyOverride = *.ps.net;*.local uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM Trusted Zone: marimba.com\www Trusted Zone: perotsystems.com Trusted Zone: ps.net Trusted Zone: ps.net\*.crm Trusted Zone: ps.net\crm Trusted Zone: ps.net\fusion 
Trusted Zone: ps.net\inizio2 Trusted Zone: ps.net\projecttest Trusted Zone: ps.net\psctx1 Trusted Zone: ps.net\ptcprint Trusted Zone: ps.net\train DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-27 21:39 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(804) c:\windows\system32\Ati2evxx.dll c:\windows\system32\tphklock.dll c:\program files\Lenovo\AwayTask\AwayNotify.dll - - - - - - - > 'explorer.exe'(3264) c:\windows\system32\PROCHLP.DLL c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\system32\ibmpmsvc.exe c:\windows\system32\ati2evxx.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\windows\system32\IPSSVC.EXE c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\McAfee\Common Framework\FrameworkService.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe c:\program files\Lenovo\System Update\SUService.exe c:\windows\system32\TPHDEXLG.exe c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe c:\program files\McAfee\Common Framework\naPrdMgr.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\windows\system32\ati2evxx.exe c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe c:\program files\McAfee\Common Framework\Mctray.exe c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe c:\program files\marimba\tuner\lib\minituner.exe . ************************************************************************** . Completion time: 2009-08-28 21:43 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-28 01:43 Pre-Run: 53,846,712,320 bytes free Post-Run: 53,761,376,256 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 289 --- E O F --- 2009-01-09 14:16
  7. Hey there! ok - here goes.. Avenger log is below and combofix didn't run - message "Windows cannot open program because it's been prevented by software restriction policy. blah blah" I'm no longer in safe mode.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Aug 27 21:03:11 2009

21:03:11: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\system32\dllcache\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
  8. Sorry 'bout that! I need my laptop for work and I'm getting killed. Anyway - ComboFix didn't work - it ran for a second and then nothing.
  9. Hey thanks for the quick response. Here is the output

Log file is located at: C:\Documents and Settings\SmithPJ\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143
Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP474.tmp\ZAP474.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP474.tmp\ZAP474.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D.tmp\ZAP9D.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D.tmp\ZAP9D.tmp
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9F.tmp\ZAP9F.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9F.tmp\ZAP9F.tmp
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp
Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config
Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Found mount point : C:\WINDOWS\CSC\d1\d1
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d1\d1
Found mount point : C:\WINDOWS\CSC\d2\d2
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d2\d2
Found mount point : C:\WINDOWS\CSC\d3\d3
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d3\d3
Found mount point : C:\WINDOWS\CSC\d4\d4
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d4\d4
Found mount point : C:\WINDOWS\CSC\d5\d5
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d5\d5
Found mount point : C:\WINDOWS\CSC\d6\d6
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d6\d6
Found mount point : C:\WINDOWS\CSC\d7\d7
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d7\d7
Found mount point : C:\WINDOWS\CSC\d8\d8
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\CSC\d8\d8
Found mount point : C:\WINDOWS\ftpcache\ftpcache
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ftpcache\ftpcache
Found mount point : C:\WINDOWS\I386\WIN9XMIG\MSNEXPLR\MSNEXPLR
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\I386\WIN9XMIG\MSNEXPLR\MSNEXPLR
Found mount point : C:\WINDOWS\ime\chsime\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\chsime\applets\applets
Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets
Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets
Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98
Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets
Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Found mount point : C:\WINDOWS\ime\shared\res\res
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\shared\res\res
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022
Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920
Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes
Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo
Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System\DFS\DFS
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System_OEM\System_OEM
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\HelpFiles\HelpFiles
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System\DFS\DFS
Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System_OEM\System_OEM
Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM
Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp
Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\security\logs\logs
Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs
Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1025\1025
Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1028\1028
Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1037\1037
Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1041\1041
Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1042\1042
Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1054\1054
Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\2052\2052
Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3076\3076
Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1409082233-2052111302-725345543-500\S-1-5-21-1409082233-2052111302-725345543-500
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1409082233-2052111302-725345543-500\S-1-5-21-1409082233-2052111302-725345543-500
Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2373621041-469255773-220526481-34194\S-1-5-21-2373621041-469255773-220526481-34194
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2373621041-469255773-220526481-34194\S-1-5-21-2373621041-469255773-220526481-34194
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Apple Computer\iTunes\iTunes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Apple Computer\iTunes\iTunes
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{96D91804-E578-4594-B2BA-7ED0D9B99693}\{96D91804-E578-4594-B2BA-7ED0D9B99693}
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{96D91804-E578-4594-B2BA-7ED0D9B99693}\{96D91804-E578-4594-B2BA-7ED0D9B99693}
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intel\Wireless\Wireless
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intel\Wireless\Wireless
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\DPEPVQVE\DPEPVQVE
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\DPEPVQVE\DPEPVQVE
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ext
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ext
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\file
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\file
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\tmp\tmp
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\tmp\tmp
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\tmp\si\si
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\tmp\si\si
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ThinkVantage\Client Security\Client Security
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ThinkVantage\Client Security\Client Security
Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp
Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Access Connections\Received Files\Received Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Access Connections\Received Files\Received Files
Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\4NS54DUP\4NS54DUP
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\4NS54DUP\4NS54DUP
Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\OVCDEDKN\OVCDEDKN
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\OVCDEDKN\OVCDEDKN
Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SBSXURGH\SBSXURGH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SBSXURGH\SBSXURGH
Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\dhcp\dhcp
Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Cannot access: C:\WINDOWS\system32\eventlog.dll
Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 08:00:00 63488 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\export\export
Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup
Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\User
Found mount point :
C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\DswMedia\DswMedia Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\DswMedia\DswMedia Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\Prefs\Prefs Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\Prefs\Prefs Found mount point : C:\WINDOWS\system32\Macromed\update\update Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\Macromed\update\update Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw Mount 
point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg Found mount point : C:\WINDOWS\system32\oobe\sample\sample Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\oobe\sample\sample Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad Found mount point : C:\WINDOWS\system32\wbem\mof\good\good Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\wbem\mof\good\good Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp Found mount point : C:\WINDOWS\system32\WinFox\WinFox Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\WinFox\WinFox Found mount point : C:\WINDOWS\system32\wins\wins Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\wins\wins Found mount point : C:\WINDOWS\system32\xircom\xircom Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\xircom\xircom Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM 
Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Finished!
  10. Hi all, Well - I'm in safe mode.. This fake virus program has me at my end. I've tried everything on the stickies, posts of similar issues and nothing is working. Attached is my Win32KDiag.txt - I must have downloaded and tried to run combofix, MBAM etc 5 times to no avail. I'm running XP professional. Any help would be appreciated.
Log file is located at: C:\Documents and Settings\SmithPJ\Desktop\Win32kDiag.txt WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\addins\addins Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP474.tmp\ZAP474.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9D.tmp\ZAP9D.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9F.tmp\ZAP9F.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\temp\temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\assembly\tmp\tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Config\Config Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d1\d1 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d2\d2 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d3\d3 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d4\d4 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d5\d5 Mount point destination 
: \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d6\d6 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d7\d7 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\CSC\d8\d8 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ftpcache\ftpcache Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\I386\WIN9XMIG\MSNEXPLR\MSNEXPLR Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\chsime\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imejp\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imejp98\imejp98 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\ime\shared\res\res Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\17400AB28230347339DBAF1833357A38\3.1.21022\3.1.21022 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\1F3B805BA42A0C233B0158879691FE82\2.1.21022\2.1.21022 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\java\classes\classes Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\java\trustlib\trustlib Mount point destination : \Device\__max++>\^ Found mount point : 
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\msapps\msinfo\msinfo Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\HelpFiles\HelpFiles Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System\DFS\DFS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0407\System_OEM\System_OEM Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\HelpFiles\HelpFiles Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System\DFS\DFS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\Professional_32_0413\System_OEM\System_OEM Mount point destination : \Device\__max++>\^ Found mount point : 
C:\WINDOWS\pchealth\helpctr\System\DFS\DFS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\security\logs\logs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1025\1025 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1028\1028 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1037\1037 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1041\1041 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1042\1042 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\1054\1054 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\2052\2052 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\3076\3076 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-1409082233-2052111302-725345543-500\S-1-5-21-1409082233-2052111302-725345543-500 Mount point destination : 
\Device\__max++>\^ Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-2373621041-469255773-220526481-34194\S-1-5-21-2373621041-469255773-220526481-34194 Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Apple Computer\iTunes\iTunes Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{96D91804-E578-4594-B2BA-7ED0D9B99693}\{96D91804-E578-4594-B2BA-7ED0D9B99693} Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intel\Wireless\Wireless Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\DPEPVQVE\DPEPVQVE Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\AddIns\AddIns Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Word\STARTUP\STARTUP Mount point destination : \Device\__max++>\^ 
Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ext Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\file Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\tmp\tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\tmp\tmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\ext\ext Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\security\security Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\tmp\si\si Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\ThinkVantage\Client Security\Client Security Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\Access Connections\Received Files\Received Files Mount point destination : 
\Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\4NS54DUP\4NS54DUP Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\OVCDEDKN\OVCDEDKN Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\config\systemprofile\UserData\SBSXURGH\SBSXURGH Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\dhcp\dhcp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn Mount point destination : \Device\__max++>\^ Cannot access: C:\WINDOWS\system32\eventlog.dll [1] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation) [1] 2004-08-04 08:00:00 63488 C:\WINDOWS\system32\eventlog.dll () [2] 2004-08-04 08:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation) Found mount point : C:\WINDOWS\system32\export\export Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT Mount point destination : \Device\__max++>\^ Found mount point : 
C:\WINDOWS\system32\inetsrv\inetsrv Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\DswMedia\DswMedia Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\Macromed\Shockwave 8\Prefs\Prefs Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\Macromed\update\update Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\oobe\sample\sample Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\spool\drivers\w32x86\3\temp\temp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\mof\good\good Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\WinFox\WinFox Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\system32\wins\wins Mount point destination : 
\Device\__max++>\^ Found mount point : C:\WINDOWS\system32\xircom\xircom Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\Temp\hsperfdata_SYSTEM\hsperfdata_SYSTEM Mount point destination : \Device\__max++>\^ Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Mount point destination : \Device\__max++>\^ Finished!