
steveg45 (Members, 5 posts)

Everything posted by steveg45

  1. I removed the Kaspersky trial from Add/Remove Programs when it bombed out from the rootkit. I guess it didn't uninstall properly. When I got the popup from ComboFix that Kaspersky was active, I checked all processes. I did not see anything Kaspersky related. Before the second run of ComboFix, I manually deleted the Kaspersky folder from Program Files. Then I tried a couple of reg cleaners that didn't detect Kaspersky. Do you know a good registry clean utility? I manually removed Kaspersky folders in the registry using Find Next. I guess I missed some.

     C:\_registry, C:\_new tech, C:\_new downloads: yes, I created those folders.

     Here are the logs. winstart did nothing except open winstart.txt in Notepad, which was blank. Does it take a long time?

     Attached: processes.doc
  2. Couldn't read the attachment. ComboFix log:
  3. negster, thanks for your help. I have all the logs. Just to let you know, I tried several antispyware and rootkit removal tools that were all closed and rendered useless. I don't know why I expected a different result, for one of them to work. You will see these in the ComboFix log. I tried Ad-Aware, Spybot, UnHackMe (which has RegRun and Partizan), Sanity, RootkitBuster, RootkitRevealer and F-Secure Easy Clean. I guess that is the definition of stupidity, doing the same thing over and over again and expecting different results, and normally I'm not that stupid. OK, enough BS. Here are the logs:

     ComboFix attached: combofix.txt
  4. Here it is. Log file is located at: C:\Documents and Settings\Steve\Desktop\Win32kDiag.txt
C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\RealMediaSDK\RealMediaSDK Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\RealMediaSDK\RealMediaSDK Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Links\Links Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Enterprise\Enterprise Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Custom Buttons\Enterprise\Enterprise Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\dictionaries\dictionaries Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\dictionaries\dictionaries Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\exceptions\exceptions Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\FastSearch\exceptions\exceptions Found mount point : 
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent Found mount point : C:\WINDOWS\system32\dhcp\dhcp Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\dhcp\dhcp Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn Found mount point : C:\WINDOWS\system32\DRVSTORE\DRVSTORE Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\DRVSTORE\DRVSTORE Cannot access: C:\WINDOWS\system32\eventlog.dll Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll [1] 2004-08-03 23:56:44 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation) [1] 2004-08-03 23:56:44 61952 C:\WINDOWS\system32\eventlog.dll () [2] 2004-08-03 23:56:44 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation) Found mount point : C:\WINDOWS\system32\export\export Mount point destination : \Device\__max++>\^ Removing mount 
point : C:\WINDOWS\system32\export\export Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup\Startup Found mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\IEAK Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\MICROSOFT\IEAK\IEAK Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logoff\Logoff Found mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\GroupPolicy\User\Scripts\Logon\Logon Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF Found mount point : 
C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg Found mount point : C:\WINDOWS\system32\oobe\sample\sample Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\oobe\sample\sample Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp Found mount point : C:\WINDOWS\system32\wins\wins Mount point destination : 
\Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\wins\wins Found mount point : C:\WINDOWS\system32\xircom\xircom Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\system32\xircom\xircom Found mount point : C:\WINDOWS\Temp\KAV6Upgrade\KAV6Upgrade Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\Temp\KAV6Upgrade\KAV6Upgrade Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Mount point destination : \Device\__max++>\^ Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Finished!
  5. I have a rootkit I cannot remove. It closes all antispyware, antivirus and removal tools (except Symantec AV). I am running Windows XP, IE and Google Chrome. I had Symantec AV Corp 9.0. Ran Kaspersky online scan. Tried installing Kaspersky trial version; it closed down after a few seconds. Had to remove SAV 9 to install Kaspersky. Installed SAV 10. It is running now.

SAV found: downloader trojan horse backdoor.tidserv

Kaspersky found:
svchost.exe\CC9A46E0.x86.dll/svchost.exe\CC9A46E0.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 4
globalroot\Device\__max++>\CC9A46E0.x86.dll/globalroot\Device\__max++>\CC9A46E0.x86.dll Infected: Trojan-Spy.Win32.Agent.azpj 14

I was able to delete a.exe, b.exe and geyek* files that were threats, but they came back.

090609.html
savscreenshot.doc