Old 10-04-2009, 01:12 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 31
OS: vista


something clever and nasty on my laptop

Hello

I would like some assistance with fixing my laptop

Toshiba Satellite, Intel Centrino, Windows Vista - not sure if you need anything else. Everything was preloaded when I bought the laptop and I don't have a disk.

Firstly, I am unable to complete a scan and post it on here as requested in the how-to-post guide thing....maybe helping me to do that is the first step?

The laptop has a message that appears when it's logged on saying.....
Windows has encountered a critical problem and will restart automatically in one minute. Please save your work....

The laptop will then shut down and restart again and continue this cycle...reading up on the net (from the kids' PC) it said to change the date and time...so through safe mode I did this and I can now log in in normal mode but cannot do anything.....I can connect to the internet but a web page won't load..... I am unable to complete a scan as it will shut down half way through and then I am told access is denied and it won't load ... I have downloaded a number of freeware scanners (PC Doctor, Spybot) by using the PC and USB and loading them onto the laptop but I am unable to run them...I am also blocked from accessing folders like Users, My Documents, temp folders; it says I don't have administrator rights ???

Oh, a couple of names that have come up in the half scans are Downloader Win32/Renos.JT..... ZBLOT..... hijacker something. Not looking good for me ??

Let me know what I need to do so you can help me please?

Thanks
Hayley

Hi Again

Sorry, not trying to jump the queue, just that I was able to complete one of the two scans you required and thought I would add it to my post, but I can't edit the post so I need to reply to myself instead.... anyway it's attached for you, hopefully making things a little easier.

Thank You
Attached Files
File Type: zip ark.zip (2.4 KB, 4 views)

Last edited by Glaswegian; 10-06-2009 at 01:10 PM. Reason: Merged posts to preserve zero post count
hmk_32 is offline  
Old 10-07-2009, 05:58 PM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,621
OS: XP SP3


Re: something clever and nasty on my laptop

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please save this file to your desktop.
  • Go Start > Run and copy/paste the following command into the Run box and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please open it with Notepad and post the contents here.
------------------------------------------------------

Will dds run now? If not...

See if RSIT will run:
  • Download RSIT by random/random and Save it to your Desktop.
  • Double-click RSIT.exe to run the tool.
  • Click Continue at the disclaimer screen.
  • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
  • Please copy/paste the contents of log.txt in your next reply.
  • Please attach info.txt to your reply.
To attach a file to a reply, simply
  • Click the Manage Attachments button under Additional Options > Attach Files on the post composition page, and
  • Copy and Paste the following into the Upload File from your Computer box:
    C:\rsit\info.txt
  • Click Upload
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
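The Win32kDiag log requested above reports each reparse point as a "Found mount point :" line followed by a "Mount point destination :" line (the format is visible in the log posted later in this thread). The following triage script is an added example, not part of the thread or of the Win32kDiag tool: it pairs those lines, flags destinations that are not a normal `\??\` volume or drive path, flags directories whose name duplicates their parent's name, and collects the "Cannot access:" and "WARNING:" lines. The sample log is constructed in the same shape as the posted one, with one made-up benign entry for contrast.

```python
"""Triage a Win32kDiag-style log for anomalous NTFS mount points.

Added example, not part of the forum thread or of the Win32kDiag tool itself.
The line formats ("Found mount point : ...", "Mount point destination : ...",
"Cannot access: ...", "WARNING: ...") follow the log posted in the thread; the
sample log below is constructed, with one made-up benign entry for contrast.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the same shape as the posted log (not the real file).
SAMPLE_LOG = """\
Log file at : C:\\Users\\HAYLEY\\Desktop\\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\\Windows'...

Found mount point : C:\\Windows\\AppPatch\\Custom\\Custom

Mount point destination : \\Device\\__max++>\\^

Found mount point : C:\\Windows\\assembly\\temp\\temp

Mount point destination : \\Device\\__max++>\\^

Found mount point : C:\\Windows\\Data\\Mounted

Mount point destination : \\??\\Volume{12345678-0000-0000-0000-000000000000}\\

Cannot access: C:\\Windows\\System32\\cngaudit.dll
"""


@dataclass
class MountPoint:
    path: str
    destination: str
    reasons: list = field(default_factory=list)


@dataclass
class Triage:
    mount_points: list = field(default_factory=list)
    inaccessible: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def suspicious(self):
        return [m for m in self.mount_points if m.reasons]


def classify(path, destination):
    """Return the reasons an entry looks abnormal (empty list means benign)."""
    reasons = []
    # A volume mount point or junction created by the OS or an administrator
    # resolves to a \??\Volume{GUID}\ or \??\<drive>:\ path. A bare \Device\...
    # target with odd characters is not something Disk Management or mklink
    # would have produced.
    if not re.match(r"^\\\?\?\\", destination):
        reasons.append("destination is not a \\??\\ volume or drive path")
    # Every entry in the posted log is a directory whose name repeats its
    # parent's name (...\Custom\Custom): a naming pattern, not a Windows default.
    parts = [p for p in path.split("\\") if p]
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        reasons.append("directory name duplicates its parent's name")
    return reasons


def parse_win32kdiag(text):
    """Pair each 'Found mount point' line with its destination and classify it."""
    result = Triage()
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("WARNING:"):
            result.warnings.append(line[len("WARNING:"):].strip())
        elif line.startswith("Found mount point :"):
            pending = line.split(":", 1)[1].strip()
        elif line.startswith("Mount point destination :") and pending is not None:
            dest = line.split(":", 1)[1].strip()
            result.mount_points.append(MountPoint(pending, dest, classify(pending, dest)))
            pending = None
        elif line.startswith("Cannot access:"):
            result.inaccessible.append(line[len("Cannot access:"):].strip())
    return result


def destination_histogram(triage):
    """Count suspicious entries per destination: one target reused across
    dozens of system directories is the tell in the posted log."""
    return Counter(m.destination for m in triage.suspicious)


if __name__ == "__main__":
    t = parse_win32kdiag(SAMPLE_LOG)
    for w in t.warnings:
        print("warning:", w)
    for m in t.suspicious:
        print(f"SUSPICIOUS {m.path} -> {m.destination} ({'; '.join(m.reasons)})")
    for dest, n in destination_histogram(t).items():
        print(f"{n} suspicious mount point(s) resolve to {dest}")
    for f in t.inaccessible:
        print("could not read:", f)
```

Point it at a real Win32kDiag.txt by reading the file into `parse_win32kdiag`; the "Could not get backup privileges" warning and any "Cannot access" files are worth reporting alongside the mount points, since they show which system files the tool could not inspect.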
Old 10-07-2009, 06:35 PM   #3 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 31
OS: vista


Re: something clever and nasty on my laptop

Hi and thank you.

As requested:

Win32kDiag.txt
Running from: C:\Users\HAYLEY\Desktop\Win32kDiag.exe

Log file at : C:\Users\HAYLEY\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE209.tmp\ZAPE209.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF65E.tmp\ZAPF65E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF83.tmp\ZAPFF83.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\OEM\OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\000021091A0090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.6425\12.0.6425

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\RegisteredPackages\{3695EB93-6443-448D-8E2E-1F6F4FC79BC1}\{3695EB93-6443-448D-8E2E-1F6F4FC79BC1}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\RegisteredPackages\{89FDAB62-6F46-4C7E-A559-E00B9A0BACB6}\{89FDAB62-6F46-4C7E-A559-E00B9A0BACB6}

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\_avast4_\_avast4_

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\LocalMLS

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\Keys\Keys

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\Toscomp\Del_HD_HDMIAudio\amd64\amd64

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\Toscomp\Del_HD_HDMIAudio\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHS\PSA\PSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHS\PSL\PSL

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHS\PSM\PSM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\old\PSA\PSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\old\PSL\PSL

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\old\PSLB\PSLB

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\old\PSLC\PSLC

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\old\PSLD\PSLD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\old\PSLE\PSLE

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\old\PSM\PSM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\PSA\PSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\PSA_New\PSA_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\PSL_BC\PSL_BC

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\PSL_BC_New\PSL_BC_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\PSL_DE\PSL_DE

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\PSL_DE_New\PSL_DE_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\CHT\PSM\PSM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\old\PSLB\PSLB

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\old\PSLC\PSLC

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\old\PSLD\PSLD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\old\PSLE\PSLE

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\PSA\PSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\PSA_New\PSA_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\PSL_BC\PSL_BC

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\PSL_BC_New\PSL_BC_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\PSL_DE\PSL_DE

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\PSL_DE_New\PSL_DE_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\ENG\PSM\PSM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\old\PSA\PSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\old\PSLB\PSLB

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\old\PSLC\PSLC

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\old\PSLD\PSLD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\old\PSLE\PSLE

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\old\PSM\PSM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\PSA\PSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\PSA_New\PSA_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\PSL_BC\PSL_BC

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\PSL_BC_New\PSL_BC_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\PSL_DE\PSL_DE

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\PSL_DE_New\PSL_DE_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\FRN\PSM\PSM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\OLD\PSA\PSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\OLD\PSLB\PSLB

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\OLD\PSLC\PSLC

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\OLD\PSLD\PSLD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\OLD\PSLE\PSLE

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\OLD\PSM\PSM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\OLD\UserGuide\UserGuide

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\PSA\PSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\PSA_New\PSA_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\PSL_BC\PSL_BC

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\PSL_BC_New\PSL_BC_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\PSL_DE\PSL_DE

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\PSL_DE_New\PSL_DE_New

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Setup\SCRIPTS\UserGuide\KOR\PSM\PSM

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cngaudit.dll




I was able to run DDS.... I have attached both logs.

Regards
Hayley


DDS (Ver_09-09-29.01) - NTFSx86
Run by HAYLEY at 9:24:53.37 on Fri 20/07/2007
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.1915.648 [GMT 10:00]

AV: Windows Live OneCare *On-access scanning disabled* (Outdated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
SP: AntispywareBot *disabled* (Updated) {F4BBD724-6F67-4893-B303-9CFC9F0E159B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Live OneCare *disabled* (Outdated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
C:\Windows\system32\igfxext.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\dllhost.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
F:\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bigpond.com/
uSearch Page = hxxp://www.telstra.com/
uSearch Bar = hxxp://www.google.com/ie
uWindow Title = Telstra BigPond Home Internet Explorer
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHN&bmod=TSHN
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHN&bmod=TSHN
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = socks=
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4426.1630\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: trueads search enhancer: {f7da5488-3232-3730-cd42-4bf631b35e55} - c:\windows\system32\ehtotlxhrelqzbv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Search panel: {961541d8-f38e-837a-5fc2-b38ba6f56622} - c:\windows\system32\ehtotlxhrelqzbv.dll
uRun: [Sidebar]
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [BigPondWirelessBroadbandCM] "c:\program files\telstra\bigpond wireless broadband 2.0\BigPond_CM.exe" -tsr
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Advanced System Protector] "c:\program files\systweak\advanced system protector\ASP.exe" /autorun
mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\users\hayley\appdata\roaming\micros~1\windows\startm~1\programs\startup\is-rapjp.lnk - c:\users\hayley\desktop\virus removal tool123\is-rapjp\startup.exe
StartupFolder: c:\users\hayley\appdata\roaming\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office12\GROOVE.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Dream%20Day%20Wedding%20-%20Viva%20Las%20Vegas/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Baby%20Luv/Images/armhelper.ocx
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 is-EQHF8drv;is-EQHF8drv;c:\windows\system32\drivers\43365401.sys [2009-8-28 148496]
R1 is-RAPJPdrv;is-RAPJPdrv;c:\windows\system32\drivers\84491961.sys [2009-8-28 148496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2007-7-19 108289]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-3-22 24936]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2006-11-2 7168]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-7-25 7168]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\system32\drivers\HssDrv.sys [2009-7-2 33840]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\drivers\NETw5v32.sys [2008-7-12 3658752]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\toshiba\smartfacev\SmartFaceVWatchSrv.exe [2008-8-25 77824]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswMonFlt;aswMonFlt; [x]
RUnknown aswSP;aswSP; [x]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [2007-6-22 87424]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [2006-12-13 87040]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-7-2 25472]

=============== Created Last 30 ================

2007-07-20 09:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2007-07-19 23:41 4,096 a--sh--- C:\VSNAP.IDX
2007-07-19 22:30 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2007-07-19 22:30 <DIR> --d----- c:\programdata\Avira
2007-07-19 22:30 <DIR> --d----- c:\program files\Avira
2007-07-19 22:30 <DIR> --d----- c:\progra~2\Avira
2007-07-19 20:36 <DIR> --d----- c:\users\hayley\appdata\roaming\Symantec
2007-07-17 21:44 <DIR> --d----- c:\program files\common files\PC Tools
2007-07-17 21:43 <DIR> --d----- c:\program files\Spyware Doctor
2007-07-17 20:37 <DIR> --d----- c:\users\hayley\Office Genuine Advantage
2007-06-22 09:54 87,424 a------- c:\windows\system32\drivers\cmusbnet.sys

==================== Find3M ====================

2009-09-28 20:29 143,360 a------- c:\windows\inf\infstrng.dat
2009-09-28 20:29 51,200 a------- c:\windows\inf\infpub.dat
2009-09-28 20:28 86,016 a------- c:\windows\inf\infstor.dat
2009-04-21 14:06 103,720 a------- c:\users\hayley\GoToAssistDownloadHelper.exe
2008-11-26 12:31 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 12:43 174 a--sh--- c:\program files\desktop.ini
2007-07-20 09:23 13,860,896 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-07-20 00:57 267,112 a------- c:\windows\system32\xactengine2_9.dll
2007-07-19 23:41 148,580 a--sh--- c:\windows\system32\drivers\fidbox.idx
2007-07-19 18:14 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2007-07-19 18:14 1,358,192 a------- c:\windows\system32\D3DCompiler_35.dll
2007-07-19 18:14 444,776 a------- c:\windows\system32\d3dx10_35.dll
2007-06-20 20:46 266,088 a------- c:\windows\system32\xactengine2_8.dll
2007-05-17 13:26 185,776 a------- c:\windows\system32\SRSTSHD.dll
2007-05-16 16:45 3,497,832 a------- c:\windows\system32\d3dx9_34.dll
2007-05-16 16:45 1,124,720 a------- c:\windows\system32\D3DCompiler_34.dll
2007-05-16 16:45 443,752 a------- c:\windows\system32\d3dx10_34.dll
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 22:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 22:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 19:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 19:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 9:25:24.72 ===============
Attached Files
File Type: zip DDS.zip (5.7 KB, 2 views)
File Type: zip Attach.zip (8.1 KB, 3 views)

Last edited by chemist; 10-07-2009 at 06:50 PM.
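The DDS log above is the kind of listing a helper triages by eye: a BHO and an Explorer bar pointing at the same oddly named DLL in system32, and two R1 kernel drivers whose service names look like installer temp names and whose files are pure digits (the ComboFix run later in the thread does in fact remove that BHO and its uninstaller). As an added example, not part of the original thread and not DDS or ComboFix logic, the Python below parses a handful of lines copied in the shape of that log (a constructed sample, embedded inline) and applies three heuristics that are my assumptions, not any tool's rules: a machine-generated-looking file stem (all digits, or a long letters-only stem with very few vowels), a browser extension loaded straight from system32 rather than a vendor directory, and an `is-xxxxx` style service name on a kernel driver. The vowel-ratio threshold and the length cutoff are arbitrary choices for illustration. It checks none of the things a real triage also needs (Authenticode signature, hash lookup, on-disk timestamps), and a clean result from it proves nothing.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the DDS log posted above: a few of its lines,
# legitimate and suspicious, so the heuristics can be checked against known entries.
SAMPLE_LOG = r"""
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: trueads search enhancer: {f7da5488-3232-3730-cd42-4bf631b35e55} - c:\windows\system32\ehtotlxhrelqzbv.dll
EB: Search panel: {961541d8-f38e-837a-5fc2-b38ba6f56622} - c:\windows\system32\ehtotlxhrelqzbv.dll
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Persistence] c:\windows\system32\igfxpers.exe
R1 is-EQHF8drv;is-EQHF8drv;c:\windows\system32\drivers\43365401.sys [2009-8-28 148496]
R1 is-RAPJPdrv;is-RAPJPdrv;c:\windows\system32\drivers\84491961.sys [2009-8-28 148496]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-7-25 7168]
"""

# A drive-letter path up to the first loadable-module extension, then a delimiter.
# Entries written with %ProgramFiles% or a bare file name carry no drive letter and are skipped.
PATH_RE = re.compile(r'([a-z]:\\.+?\.(?:dll|exe|sys|ocx|scr))(?=[\s"\]/]|$)', re.IGNORECASE)
# Service/driver lines: start code (R0-R3, S0-S3, RUnknown), then "name;display;path".
DRIVER_RE = re.compile(r'(?:R\d|S\d|RUnknown)\s+([^;]+);')
VOWELS = set("aeiou")
SYSTEM32 = PureWindowsPath(r"c:\windows\system32")
BROWSER_KINDS = {"BHO", "TB", "EB"}


def looks_random(stem: str) -> bool:
    """Heuristic (assumption) for machine-generated file stems: all digits, or a long
    letters-only stem with hardly any vowels. Real product names are pronounceable."""
    if stem.isdigit():
        return True
    if stem.isalpha() and len(stem) >= 10:
        vowel_ratio = sum(c in VOWELS for c in stem.lower()) / len(stem)
        return vowel_ratio <= 0.25
    return False


def parse_line(line: str):
    """Return (kind, name, path) for the DDS line shapes in the sample, else None."""
    m = PATH_RE.search(line)
    if not m:
        return None
    path = m.group(1).lower()
    drv = DRIVER_RE.match(line)
    if drv:
        return ("driver", drv.group(1), path)
    head = line[:m.start()]
    kind, _, rest = head.partition(": ")
    if kind in BROWSER_KINDS:
        name = rest.split(": {")[0]          # "BHO: <name>: {clsid} - <path>"
    elif kind.endswith("Run"):
        name = rest.strip()[1:].split("]")[0]  # "mRun: [<name>] <path> <args>"
    else:
        name = rest.strip()
    return (kind, name, path)


def triage(log_text: str):
    """Parse every recognisable line and attach the list of heuristics it trips."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, name, path = parsed
        p = PureWindowsPath(path)
        reasons = []
        if looks_random(p.stem):
            reasons.append("random-looking file name")
        if kind in BROWSER_KINDS and p.parent == SYSTEM32:
            reasons.append("browser extension loaded straight from system32")
        if kind == "driver" and name.startswith("is-"):
            reasons.append("installer-style (is-xxxxx) service name on a kernel driver")
        findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return findings


def suspicious_paths(log_text: str):
    """Distinct paths with at least one tripped heuristic, sorted for stable output."""
    return sorted({f["path"] for f in triage(log_text) if f["reasons"]})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = " <-- " + "; ".join(f["reasons"]) if f["reasons"] else ""
        print(f"{f['kind']:7} {f['name']:28} {f['path']}{flag}")
```

Run against the sample, it flags `ehtotlxhrelqzbv.dll` once per rule it trips and both numeric `.sys` files, while the Google, Avira, Intel and Toshiba entries pass. The point of keeping the reasons per entry rather than a single score is that a helper can see which rule fired and discount it (a vendor that legitimately installs into system32, for instance) instead of trusting an opaque number.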
Old 10-07-2009, 07:03 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,621
OS: XP SP3


Re: something clever and nasty on my laptop

Hello, hmk_32. Set your date/time back correctly.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

It appears that you have two antivirus programs installed and running, Avira and Windows Live OneCare. While this may seem like better protection, they can actually conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Programs and Features in your Control Panel. I suggest uninstalling Windows Live OneCare.

------------------------------------------------------

Due to the restrictions on Vista, all tools should be started by Right-Click >>> Run As Administrator

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 10-07-2009, 07:22 PM   #5 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 31
OS: vista


Re: something clever and nasty on my laptop

I have changed the time and date back, but now the laptop gets the warning message on start-up and just closes down again?
Message received:
"Windows has encountered a critical problem and will restart automatically in one minute. Please save your work."

OneCare has been disabled as requested.

Regards,
Hayley
Old 10-07-2009, 07:50 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,621
OS: XP SP3


Re: something clever and nasty on my laptop

Hello again, hmk_32. Change the date/time back so you are able to boot into Normal Mode.

Quote:
OneCare has been disabled as requested.
You can't just disable one of them. You have to uninstall one of them.

------------------------------------------------------

Carry out the rest of the instructions.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE

Last edited by chemist; 10-07-2009 at 07:52 PM.
Old 10-07-2009, 08:42 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 31
OS: vista


Re: something clever and nasty on my laptop

Sorry, I was reading the post on how to disable antivirus while uninstalling OneCare - just a typo, it was uninstalled.

ComboFix log below:

ComboFix 09-10-06.04 - HAYLEY 08/10/2009 13:20.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.1915.964 [GMT 11:00]
Running from: c:\users\HAYLEY\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp25CA.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp29A.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp33E5.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp3C72.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp4509.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp4B3A.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp4F44.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp5099.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp5EE.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp5F13.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmp7C6.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpA1EC.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpA2BA.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpAEF6.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpB0FB.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpB85B.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpC3F5.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpDC6C.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpDE13.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpE20D.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpEDD5.tmp
c:\users\HAYLEY\AppData\Local\Microsoft\Windows\Temporary Internet Files\tmpF5BE.tmp
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\u_ehtotlxhrelqzbv.dll.exe

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-08 20:12 . 2008-02-29 07:11 988216 ----a-w- c:\windows\system32\winload.exe
2009-10-08 02:29 . 2009-10-08 02:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-30 12:08 . 2009-09-30 12:08 -------- d-----w- c:\windows\system32\EventProviders
2009-09-29 08:41 . 2009-05-12 06:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-29 06:18 . 2009-09-29 06:18 -------- d-----w- c:\programdata\Fugazo
2009-09-28 10:28 . 2009-09-28 10:28 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-09-28 08:42 . 2009-09-28 08:42 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-28 08:42 . 2009-09-28 08:42 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\SUPERAntiSpyware.com
2009-09-28 08:42 . 2007-07-19 23:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-27 01:01 . 2009-09-27 01:01 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\Sanna
2009-09-27 01:01 . 2009-09-27 01:01 -------- d-----w- c:\programdata\The Legend of Sanna - Rise of a Great Colony
2009-09-26 23:42 . 2009-09-26 23:42 -------- d-----w- c:\users\HAYLEY\AppData\Local\Astar Games
2009-09-26 23:41 . 2009-09-26 23:41 -------- d-----w- c:\windows\Paradise Beach
2009-09-19 04:11 . 2009-09-19 05:25 -------- d-----w- c:\programdata\FarmFrenzy3
2009-09-19 01:50 . 2009-09-19 01:50 -------- d-----w- c:\windows\Empire Builder - Ancient Egypt
2009-09-18 12:38 . 2009-09-18 12:38 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\Merscom
2009-09-18 12:38 . 2009-09-18 12:38 -------- d-----w- c:\programdata\Merscom
2009-09-11 09:32 . 2009-09-11 09:32 -------- d-----w- c:\windows\Be Richer
2009-09-10 06:40 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-10 06:40 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-10 06:40 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-10 06:40 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-10 06:40 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-10 06:40 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-10 06:40 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-10 06:40 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-10 06:40 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-10 06:40 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-10 06:39 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-10 06:39 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-10 06:39 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-10 06:39 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-10 06:38 . 2009-06-10 12:11 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-09 11:47 . 2009-09-09 11:47 -------- d-----w- c:\programdata\DivoGames
2009-09-09 11:45 . 2009-09-09 11:45 -------- d-----w- c:\windows\Be Rich
2009-09-09 10:25 . 2009-09-09 10:25 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\DivoGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 02:30 . 2009-08-27 15:00 183260 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-08 02:30 . 2009-08-27 15:00 15548448 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-08 01:15 . 2009-08-28 09:14 -------- d-----w- c:\program files\Alwil Software
2009-09-27 00:03 . 2009-07-31 13:55 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\Hide IP NG
2009-09-27 00:02 . 2009-08-24 11:17 -------- d-----w- c:\programdata\NCH Software
2009-09-26 23:56 . 2009-08-17 13:15 -------- d-----w- c:\programdata\Norton
2009-09-10 17:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-10 17:02 . 2009-04-05 08:12 -------- d-----w- c:\programdata\Microsoft Help
2009-09-03 09:35 . 2009-09-03 09:23 -------- d-----w- c:\programdata\game_fillup_v2_usa
2009-09-03 09:21 . 2009-08-30 00:16 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\MegaplexMadnessSummerBlockbuster
2009-08-28 12:39 . 2009-09-03 09:00 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-03 09:00 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 09:52 . 2009-08-28 09:52 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\fillup
2009-08-28 04:37 . 2009-04-05 07:48 1356 ----a-w- c:\users\HAYLEY\AppData\Local\d3d9caps.dat
2009-08-27 15:19 . 2009-08-27 15:19 -------- d-----w- c:\programdata\is-EQHF8
2009-08-27 14:45 . 2009-08-27 14:45 -------- d-----w- c:\programdata\is-RAPJP
2009-08-24 11:55 . 2009-08-24 11:55 -------- d-----w- c:\program files\Business Objects
2009-08-24 11:27 . 2009-04-05 08:18 -------- d-----w- c:\program files\Microsoft Small Business
2009-08-22 03:58 . 2009-08-22 03:58 -------- d-----w- c:\programdata\WinZip
2009-08-22 02:59 . 2009-08-22 02:59 -------- d-----w- c:\programdata\GoBit Games
2009-08-21 10:49 . 2009-08-21 10:49 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-08-21 08:56 . 2009-05-10 03:11 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\PlayFirst
2009-08-21 08:56 . 2009-05-10 03:11 -------- d-----w- c:\programdata\PlayFirst
2009-08-19 09:08 . 2009-08-19 09:08 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\GraveyardShift
2009-08-17 13:15 . 2009-08-17 13:15 -------- d-----w- c:\programdata\NortonInstaller
2009-08-17 12:54 . 2009-08-17 12:54 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\EzySoft
2009-08-15 10:42 . 2009-08-15 10:42 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\CasualForge
2009-08-15 10:42 . 2009-08-15 10:42 -------- d-----w- c:\programdata\CasualForge
2009-08-15 09:52 . 2009-08-15 09:52 -------- d-----w- c:\programdata\HipSoft
2009-08-15 08:39 . 2009-04-05 08:01 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\toshiba
2009-08-03 05:07 . 2009-08-03 05:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 05:07 . 2009-08-03 05:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 05:07 . 2009-08-03 05:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-28 06:33 . 2007-07-19 12:30 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-21 21:52 . 2009-07-29 10:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 10:56 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 10:56 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 10:56 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-13 09:13 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:00 . 2009-08-13 09:12 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-13 09:12 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-13 09:12 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-13 09:12 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-07 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-09-26 417792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-04-05 29744]
"BigPondWirelessBroadbandCM"="c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" [2008-05-07 2162688]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-19 2245984]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NDSTray.exe"="NDSTray.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-04-08 6037504]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-11-20 1826816]

c:\users\HAYLEY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
is-RAPJP.lnk - c:\users\HAYLEY\Desktop\Virus Removal Tool123\is-RAPJP\startup12.exe [2009-8-28 65536]
Microsoft Office Groove.lnk - c:\program files\Microsoft Office\Office12\GROOVE.EXE [2009-2-14 337264]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2009-9-28 6144]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-19 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BD41BE36-351F-47E0-B705-B13D01F85D36}"= UDP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{478D379D-30FA-44AA-86F2-DC38D8837D91}"= TCP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{E1E63877-89CA-45E8-B785-0E35B2EF16F3}"= UDP:c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe:BigPond Wireless Broadband 2.0
"{8F6CABFB-9679-4E81-97F7-75CB04034974}"= TCP:c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe:BigPond Wireless Broadband 2.0
"{2D862163-0A19-4D43-87AF-D7859E5473F1}"= UDP:c:\program files\TOSHIBA\Utilities\TACSPROP.exe:Accessibility
"{C55CC87E-F5D5-4AF4-8765-F794365810BB}"= TCP:c:\program files\TOSHIBA\Utilities\TACSPROP.exe:Accessibility
"{9EDACDFE-8CFA-4765-836C-4A5A70A4AB80}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{076E5AF5-43E7-43B5-B84D-76AD9C62C219}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{EAAC7BAE-62B0-4007-8181-E1A4D69E1056}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B263895D-DB23-46E7-9D35-828E008196EC}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BEA0A74F-DD6D-4E9A-86B9-EFC395C592D1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F23DEDC4-9449-44FA-BE1A-177C06D8563D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D48370A6-09E9-487E-BA3E-9FD877BAE504}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4474B371-DEED-4581-A167-35C9E0495EF7}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D810C8F8-98B5-49FE-8210-DAAB63B6D39E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{E3AD1E28-61BC-4823-94D8-332B8EDC5CAD}"= UDP:96:Express Invoice TCP/IP Port
"{41C6CA9C-89CC-4ACD-948E-CEAB8159A373}"= TCP:8000:Axon Virtual PBX RTP Incoming Audio (UDP)
"{70BB8CDD-B9C1-40AD-AD97-B0A7765B1507}"= TCP:8001:Axon Virtual PBX RTP Incoming Audio (UDP)
"{DE219340-C8D0-4DD3-819D-8008B3D44D66}"= TCP:8002:Axon Virtual PBX RTP Incoming Audio (UDP)
"{7994A1B5-C305-4C2A-B5B8-48C6530651A4}"= TCP:8003:Axon Virtual PBX RTP Incoming Audio (UDP)
"{889BAEF9-2E71-43CA-91C4-901A8E29AA16}"= TCP:8004:Axon Virtual PBX RTP Incoming Audio (UDP)
"{86222769-744C-450C-BAB5-2688119001DB}"= TCP:8005:Axon Virtual PBX RTP Incoming Audio (UDP)
"{537A200D-65D1-4EC0-8799-54ED93C222E9}"= TCP:8006:Axon Virtual PBX RTP Incoming Audio (UDP)
"{3D2129AB-9B30-4E06-9FA8-3843D3283293}"= TCP:8007:Axon Virtual PBX RTP Incoming Audio (UDP)
"{F8B4147D-55F3-4CF0-999E-861933A25FCE}"= TCP:8008:Axon Virtual PBX RTP Incoming Audio (UDP)
"{67BD11D7-29E7-4CC7-A173-4B2381D8BC42}"= TCP:8009:Axon Virtual PBX RTP Incoming Audio (UDP)
"{3CDF81A4-156B-49A8-A075-D355B225F092}"= UDP:81:Axon Virtual PBX TCP/IP Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 is-EQHF8drv;is-EQHF8drv;c:\windows\System32\drivers\43365401.sys [28/08/2009 02:19 148496]
R1 is-RAPJPdrv;is-RAPJPdrv;c:\windows\System32\drivers\84491961.sys [28/08/2009 01:44 148496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [19/07/2007 23:30 108289]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 18:50 30312]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [17/04/2008 18:19 40960]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\System32\dllhost.exe [2/11/2006 19:50 7168]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [3/12/2007 18:03 126976]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [25/07/2008 12:28 7168]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\System32\drivers\HssDrv.sys [2/07/2009 13:34 33840]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 23:31 29263712]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [12/07/2008 06:32 3658752]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [25/08/2008 10:58 77824]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [20/12/2007 18:13 1553896]
S2 OcHealthMon;Windows Live OneCare Health Monitor;"c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe" --> c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [?]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\System32\drivers\cmusbnet.sys [22/06/2007 10:54 87424]
S3 cmusbser;%CMUSBSER%;c:\windows\System32\drivers\cmusbser.sys [13/12/2006 19:31 87040]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\System32\drivers\tap0901.sys [2/07/2009 14:25 25472]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHN&bmod=TSHN
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = socks=
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{F7DA5488-3232-3730-CD42-4BF631B35E55} - c:\windows\system32\ehtotlxhrelqzbv.dll
HKCU-Run-Sidebar - (no file)
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-Run-Advanced System Protector - c:\program files\Systweak\Advanced System Protector\ASP.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
AddRemove-DABE FreeSales_is1 - c:\program files\DABE FreeSales\unins000.exe
AddRemove-{8CB57F46-E1CA-B134-9F7D-D38F37DBC549} - c:\windows\system32\u_ehtotlxhrelqzbv.dll.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 13:32
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\audiodg.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\msdtc.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-10-08 13:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-08 02:37

Pre-Run: 225,208,213,504 bytes free
Post-Run: 225,031,380,992 bytes free

305 --- E O F --- 2009-09-30 12:52
hmk_32 is offline  
Old 10-07-2009, 09:02 PM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,621
OS: XP SP3


Re: something clever and nasty on my laptop

Hello again, hmk_32. Please tell us how your system is behaving.

Please save this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc delete OcHealthMon

A DOS window will open and close again, this is normal.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\publicprofile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 16. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start (or My Computer) > Control Panel and double-click on Programs and Features and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop right-click on jre-6u16-windows-i586-p.exe and select Run as Administrator to install the newest version.
  • After the install is complete, go back to your Control Panel (using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u16-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Right-click ATF-Cleaner.exe and choose Run as Administrator to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista, you must open the Web browser via a right-click using the Run as Administrator command.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
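The `sc delete OcHealthMon` step above removes a service whose image ComboFix could not find on disk: in the log in post #7, both OcHealthMon and sdAuxService are printed with `--> ... [?]` instead of a timestamp and size. The Python below is an added example, not something from this thread or from ComboFix itself. It parses service lines in that shape, lists the entries whose file is missing, and produces the matching `sc delete` commands. Reading the leading R/S letter as running/stopped and the digit as the service start type is my understanding of ComboFix's convention; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the ComboFix service listing in post #7.
# All five lines are copied from that log; the two "[?]" lines are the services
# ComboFix reported without an image file on disk.
SAMPLE_SERVICES = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [19/07/2007 23:30 108289]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\System32\drivers\HssDrv.sys [2/07/2009 13:34 33840]
S2 OcHealthMon;Windows Live OneCare Health Monitor;"c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe" --> c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [?]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\System32\drivers\tap0901.sys [2/07/2009 14:25 25472]
"""

# Windows service start types as stored in the registry "Start" value.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}

# "<R|S><start> <name>;<display>;<image path> [<date> <time> <size>]", or "[?]"
# when ComboFix could not find the image file (assumed reading of the format).
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool          # R = running, S = stopped
    start_type: int
    image_path: str        # path ComboFix checked on disk, quotes stripped
    file_found: bool       # False when ComboFix printed "[?]"
    size: Optional[int]    # image size in bytes when the file was found


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service/driver line; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    image = m.group("image")
    # "declared --> resolved" appears when the registered path needed resolving;
    # the resolved form is the one ComboFix looked for on disk.
    if " --> " in image:
        image = image.split(" --> ", 1)[1]
    image = image.strip().strip('"')
    meta = m.group("meta").strip()
    found = meta != "?"
    size = int(meta.split()[-1]) if found else None
    return ServiceEntry(
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        image_path=image,
        file_found=found,
        size=size,
    )


def parse_services(text: str) -> List[ServiceEntry]:
    entries = [parse_service_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def orphaned_services(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Services whose registered image no longer exists on disk."""
    return [e for e in entries if not e.file_found]


def sc_delete_commands(entries: List[ServiceEntry]) -> List[str]:
    """The cleanup prescribed above for OcHealthMon, generated for each orphan."""
    return [f"sc delete {e.name}" for e in entries]


def describe(e: ServiceEntry) -> str:
    state = "running" if e.running else "stopped"
    start = START_TYPES.get(e.start_type, str(e.start_type))
    missing = "" if e.file_found else "  <-- image file missing"
    return f"{e.name:<24} {state:<8} start={start:<8} {e.image_path}{missing}"


if __name__ == "__main__":
    services = parse_services(SAMPLE_SERVICES)
    for svc in services:
        print(describe(svc))
    for cmd in sc_delete_commands(orphaned_services(services)):
        print(cmd)
```

An orphaned service entry is harmless on its own, but it is exactly the kind of remnant a removal tool leaves behind, and a stale auto-start entry is worth clearing so the log stays readable on the next run.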
Old 10-07-2009, 09:38 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 31
OS: vista


Re: something clever and nasty on my laptop

Hi
I have not made it past the first step yet....

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc delete OcHealthMon

I get an error message saying "illegal operation attempt on a registry key that has been marked for deletion"

- the overall system is moving forward - the laptop is now logging in with the correct date and time and not shutting down, but I am still unable to open a webpage or access a lot of folders, i.e. Documents and Settings

regards
Hayley
hmk_32 is offline  
Old 10-08-2009, 05:55 AM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,621
OS: XP SP3


Re: something clever and nasty on my laptop

Hello again, Hayley.

Go Start and type cmd in the Start Search box.

In the Results area, right-click cmd.exe and then click 'Run as Administrator'.

You will be prompted to type the password for an administrator account.

Click 'Continue' if you are the administrator or type the administrator password then click 'Continue'.

Type (or right-click Copy, then right-click Paste) the following bolded text into the command window and press 'Enter':

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

You should receive a 'Task is completed' message and a warning message that something could not be done. You can safely ignore this message.

If you are missing any user accounts when logging on, let me know.

------------------------------------------------------

Can you access your folders now? Can you open a webpage?

------------------------------------------------------
chemist is offline  
Old 10-08-2009, 06:34 AM   #11 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 31
OS: vista


Re: something clever and nasty on my laptop

hello,

user accounts are fine but I am still unable to load a web page and folders are still telling me access denied

I was able to run the below as requested earlier

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc delete OcHealthMon

would you like me to continue to follow those instructions?

Thanks
Hayley
hmk_32 is offline  
Old 10-08-2009, 07:19 AM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,621
OS: XP SP3


Re: something clever and nasty on my laptop

Did you receive the message 'Task is completed' when you entered the command in the command window?

Just to be sure, you cannot connect to the internet at all. Is that correct?
chemist is offline  
Old 10-08-2009, 07:36 AM   #13 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 31
OS: vista


Re: something clever and nasty on my laptop

The message I received is below

an extended error has occurred
the task has completed with an error
see log %windir%\security\logs\scesru.log for detail info

Yes, correct, I am unable to connect to the internet
hmk_32 is offline  
Old 10-08-2009, 09:44 AM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,621
OS: XP SP3


Re: something clever and nasty on my laptop

Hello again, Hayley.

Please download Junction.zip and Save it to your Desktop.

Click on the Junction.zip folder and extract it to its own folder on your Desktop.

Click on the Junction folder in the window that just opened.

Double-click peek.bat and allow it to run. It will take some time to complete, so please be patient and wait until it finishes.

A log will be produced at C:\log.txt. Please attach log.txt to your next reply.

------------------------------------------------------
chemist is offline  
Old 10-08-2009, 02:57 PM   #15 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 31
OS: vista


Re: something clever and nasty on my laptop

Hi Again,

It didn't work; the log that was created is below

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

No matching files were found.

Hayley
hmk_32 is offline  
Old 10-08-2009, 03:58 PM   #16 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,621
OS: XP SP3


Re: something clever and nasty on my laptop

Hello again, Hayley. Delete Win32kdiag.exe from your desktop. We're going to download a fresh copy.

Please save this file to your desktop.
  • Go Start > Run and copy/paste the following command into the Run box and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

  • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
  • Please open it with Notepad and post the contents here.
------------------------------------------------------
chemist is offline  
Old 10-08-2009, 04:55 PM   #17 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 31
OS: vista


Re: something clever and nasty on my laptop

Ok as requested the log is below:

Running from: C:\Users\HAYLEY\Desktop\win32kdiag.exe

Log file at : C:\Users\HAYLEY\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-10-08 23:19:52 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-10-08 13:31:26 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-10-08 23:19:46 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-10-08 23:19:46 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

[1] 2009-10-08 23:20:51 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl ()



Cannot access: C:\Windows\System32\WerFault.exe

Attempting to restore permissions of : C:\Windows\System32\WerFault.exe

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Found mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\Temp\PendingRenames\PendingRenames



Finished!
hmk_32 is offline  
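The Win32kDiag output above pairs each `Found mount point` line with a `Mount point destination`, and every destination in this log is the raw object `\Device\__max++>\^` rather than a volume path of the form `\??\C:\...` that a junction made with mklink or by Windows itself would carry. The log also opens with `WARNING: Could not get backup privileges!`, which means the permission resets it attempted may not have taken effect. As an added example, not part of this thread or of Win32kDiag, the Python below parses those pairs and flags reparse points whose target is not a volume path or whose directory reuses its parent's name (as with `Custom\Custom`), and records the privilege warning and the `Cannot access` entries. The sample log is constructed from the lines above plus one made-up benign junction (`C:\Windows\Example\Link`) for contrast.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the two "Custom"/"Globalization" mount points, the privilege
# warning and the WerFault.exe entry are copied from the Win32kDiag log above; the
# "Example\Link" junction is made up here as a benign contrast case.
SAMPLE_LOG = r"""
Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Example\Link

Mount point destination : \??\C:\Windows\Example\Target

Removing mount point : C:\Windows\Example\Link

Cannot access: C:\Windows\System32\WerFault.exe

Attempting to restore permissions of : C:\Windows\System32\WerFault.exe

Finished!
"""

FOUND_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
REMOVED_RE = re.compile(r"^Removing mount point\s*:\s*(.+?)\s*$")
DENIED_RE = re.compile(r"^Cannot access:\s*(.+?)\s*$")
NO_BACKUP_PRIV = "Could not get backup privileges"


@dataclass
class MountPoint:
    path: str                      # directory carrying the reparse point
    destination: Optional[str]     # where the reparse point redirects to
    removed: bool = False          # True once the tool reported removing it


@dataclass
class DiagReport:
    mount_points: List[MountPoint] = field(default_factory=list)
    inaccessible: List[str] = field(default_factory=list)
    backup_privilege: bool = True  # False if the tool could not take backup privilege


def parse_win32kdiag(text: str) -> DiagReport:
    """Pair each 'Found mount point' with its destination and removal lines."""
    report = DiagReport()
    current: Optional[MountPoint] = None
    for raw in text.splitlines():
        line = raw.strip()
        if NO_BACKUP_PRIV in line:
            report.backup_privilege = False
        elif (m := FOUND_RE.match(line)):
            current = MountPoint(path=m.group(1), destination=None)
            report.mount_points.append(current)
        elif (m := DEST_RE.match(line)) and current is not None:
            current.destination = m.group(1)
        elif (m := REMOVED_RE.match(line)) and current is not None:
            if m.group(1).lower() == current.path.lower():
                current.removed = True
        elif (m := DENIED_RE.match(line)):
            report.inaccessible.append(m.group(1))
    return report


def targets_volume_path(destination: Optional[str]) -> bool:
    """Junctions created with mklink or by Windows point at a \\??\\ volume path."""
    return destination is not None and destination.startswith("\\??\\")


def nested_same_name(path: str) -> bool:
    """True for '<dir>\\X\\X': a directory that reuses its parent's name."""
    base = ntpath.basename(path)
    parent = ntpath.basename(ntpath.dirname(path))
    return bool(base) and base.lower() == parent.lower()


def suspicious_mount_points(report: DiagReport) -> List[MountPoint]:
    """Reparse points redirecting to a raw device object, or nested under their own name."""
    return [
        mp for mp in report.mount_points
        if not targets_volume_path(mp.destination) or nested_same_name(mp.path)
    ]


if __name__ == "__main__":
    rep = parse_win32kdiag(SAMPLE_LOG)
    if not rep.backup_privilege:
        print("tool ran without backup privilege; permission resets may not have applied")
    for mp in suspicious_mount_points(rep):
        print(f"{mp.path} -> {mp.destination} (removed={mp.removed})")
    for f in rep.inaccessible:
        print(f"access denied: {f}")
```

Reading the log this way makes the two things a helper needs visible at once: which directories were redirected off the filesystem entirely, and whether the tool had the privilege it needed to fix the ACLs it found broken, which is why the next step in the thread is to re-run the earlier scan rather than assume the permissions were restored.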
Old 10-08-2009, 06:39 PM   #18 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,621
OS: XP SP3


Re: something clever and nasty on my laptop

Hello again, Hayley. I'm assuming there's no change in behavior? Are you able to access System Restore?

Please reboot your computer, disable Avira, and double-click ComboFix.exe to run it again. Post the log in your next reply.

------------------------------------------------------
chemist is offline  
Old 10-08-2009, 07:19 PM   #19 (permalink)
Registered User
 
Join Date: Oct 2009
Location: Australia
Posts: 31
OS: vista


Re: something clever and nasty on my laptop

Hi

No change in behavior; I have access to System Restore but it will not run.

New Combo log below :

ComboFix 09-10-06.04 - HAYLEY 09/10/2009 12:06.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.1915.915 [GMT 11:00]
Running from: c:\users\HAYLEY\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.

2009-10-09 01:13 . 2009-10-09 01:13 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-09 01:13 . 2009-10-09 01:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-08 20:12 . 2008-02-29 07:11 988216 ----a-w- c:\windows\system32\winload.exe
2009-10-08 02:37 . 2009-10-09 01:13 -------- d-----w- c:\users\HAYLEY\AppData\Local\temp
2009-09-30 12:08 . 2009-09-30 12:08 -------- d-----w- c:\windows\system32\EventProviders
2009-09-29 08:41 . 2009-05-12 06:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-29 06:18 . 2009-09-29 06:18 -------- d-----w- c:\programdata\Fugazo
2009-09-28 10:28 . 2009-09-28 10:28 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-09-28 08:42 . 2009-09-28 08:42 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-28 08:42 . 2009-09-28 08:42 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\SUPERAntiSpyware.com
2009-09-28 08:42 . 2007-07-19 23:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-27 01:01 . 2009-09-27 01:01 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\Sanna
2009-09-27 01:01 . 2009-09-27 01:01 -------- d-----w- c:\programdata\The Legend of Sanna - Rise of a Great Colony
2009-09-26 23:42 . 2009-09-26 23:42 -------- d-----w- c:\users\HAYLEY\AppData\Local\Astar Games
2009-09-26 23:41 . 2009-09-26 23:41 -------- d-----w- c:\windows\Paradise Beach
2009-09-19 04:11 . 2009-09-19 05:25 -------- d-----w- c:\programdata\FarmFrenzy3
2009-09-19 01:50 . 2009-09-19 01:50 -------- d-----w- c:\windows\Empire Builder - Ancient Egypt
2009-09-18 12:38 . 2009-09-18 12:38 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\Merscom
2009-09-18 12:38 . 2009-09-18 12:38 -------- d-----w- c:\programdata\Merscom
2009-09-11 09:32 . 2009-09-11 09:32 -------- d-----w- c:\windows\Be Richer
2009-09-10 06:40 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-10 06:40 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-10 06:40 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-10 06:40 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-10 06:40 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-10 06:40 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-10 06:40 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-10 06:40 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-10 06:40 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-10 06:40 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-10 06:39 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-10 06:39 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-10 06:39 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-10 06:39 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-10 06:38 . 2009-06-10 12:11 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-09 11:47 . 2009-09-09 11:47 -------- d-----w- c:\programdata\DivoGames
2009-09-09 11:45 . 2009-09-09 11:45 -------- d-----w- c:\windows\Be Rich
2009-09-09 10:25 . 2009-09-09 10:25 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\DivoGames

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 00:57 . 2009-08-27 15:00 188276 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-09 00:57 . 2009-08-27 15:00 16236576 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-08 20:51 . 2009-08-22 03:58 -------- d-----w- c:\programdata\WinZip
2009-10-08 01:15 . 2009-08-28 09:14 -------- d-----w- c:\program files\Alwil Software
2009-09-27 00:03 . 2009-07-31 13:55 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\Hide IP NG
2009-09-27 00:02 . 2009-08-24 11:17 -------- d-----w- c:\programdata\NCH Software
2009-09-26 23:56 . 2009-08-17 13:15 -------- d-----w- c:\programdata\Norton
2009-09-10 17:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-10 17:02 . 2009-04-05 08:12 -------- d-----w- c:\programdata\Microsoft Help
2009-09-03 09:35 . 2009-09-03 09:23 -------- d-----w- c:\programdata\game_fillup_v2_usa
2009-09-03 09:21 . 2009-08-30 00:16 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\MegaplexMadnessSummerBlockbuster
2009-08-28 12:39 . 2009-09-03 09:00 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-03 09:00 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 09:52 . 2009-08-28 09:52 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\fillup
2009-08-28 04:37 . 2009-04-05 07:48 1356 ----a-w- c:\users\HAYLEY\AppData\Local\d3d9caps.dat
2009-08-27 15:19 . 2009-08-27 15:19 -------- d-----w- c:\programdata\is-EQHF8
2009-08-27 14:45 . 2009-08-27 14:45 -------- d-----w- c:\programdata\is-RAPJP
2009-08-24 11:55 . 2009-08-24 11:55 -------- d-----w- c:\program files\Business Objects
2009-08-24 11:27 . 2009-04-05 08:18 -------- d-----w- c:\program files\Microsoft Small Business
2009-08-22 02:59 . 2009-08-22 02:59 -------- d-----w- c:\programdata\GoBit Games
2009-08-21 10:49 . 2009-08-21 10:49 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-08-21 08:56 . 2009-05-10 03:11 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\PlayFirst
2009-08-21 08:56 . 2009-05-10 03:11 -------- d-----w- c:\programdata\PlayFirst
2009-08-19 09:08 . 2009-08-19 09:08 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\GraveyardShift
2009-08-17 13:15 . 2009-08-17 13:15 -------- d-----w- c:\programdata\NortonInstaller
2009-08-17 12:54 . 2009-08-17 12:54 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\EzySoft
2009-08-15 10:42 . 2009-08-15 10:42 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\CasualForge
2009-08-15 10:42 . 2009-08-15 10:42 -------- d-----w- c:\programdata\CasualForge
2009-08-15 09:52 . 2009-08-15 09:52 -------- d-----w- c:\programdata\HipSoft
2009-08-15 08:39 . 2009-04-05 08:01 -------- d-----w- c:\users\HAYLEY\AppData\Roaming\toshiba
2009-08-03 05:07 . 2009-08-03 05:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 05:07 . 2009-08-03 05:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 05:07 . 2009-08-03 05:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-28 06:33 . 2007-07-19 12:30 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-21 21:52 . 2009-07-29 10:56 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 10:56 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 10:56 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 10:56 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-13 09:13 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:00 . 2009-08-13 09:12 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-13 09:12 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-13 09:12 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-13 09:12 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-08_02.32.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-10-09 01:02 48896 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-09 01:02 99812 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-11-26 01:57 . 2009-10-09 01:05 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-26 01:57 . 2009-10-08 02:32 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-26 01:57 . 2009-10-09 01:05 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-11-26 01:57 . 2009-10-08 02:32 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-06 03:35 . 2009-10-08 13:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-04-06 03:35 . 2009-09-29 03:38 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-04-06 03:35 . 2009-10-08 13:00 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-06 03:35 . 2009-09-29 03:38 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-06 03:35 . 2009-10-08 13:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-04-06 03:35 . 2009-09-29 03:38 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-06 03:16 . 2009-10-09 00:57 3350 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-04-05 07:49 . 2009-10-09 01:02 8828 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-416987787-933118678-1137448585-1000_UserData.bin
+ 2009-10-09 00:58 . 2009-10-09 00:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-09 00:58 . 2009-10-09 00:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-04-05 11:13 . 2009-10-09 00:55 637376 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2009-10-09 01:06 692996 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-09 01:06 140218 c:\windows\System32\perfc009.dat
+ 2008-11-26 01:57 . 2009-10-09 01:05 147456 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-26 01:57 . 2009-10-08 02:32 147456 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-06 03:16 . 2009-10-08 02:30 1082328 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-04-06 03:16 . 2009-10-09 00:57 1082328 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-07 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2008-01-21 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-09-26 417792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-04-05 29744]
"BigPondWirelessBroadbandCM"="c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe" [2008-05-07 2162688]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-19 2245984]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NDSTray.exe"="NDSTray.exe" [BU]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-04-08 6037504]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-11-20 1826816]

c:\users\HAYLEY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
is-RAPJP.lnk - c:\users\HAYLEY\Desktop\Virus Removal Tool123\is-RAPJP\startup12.exe [2009-8-28 65536]
Microsoft Office Groove.lnk - c:\program files\Microsoft Office\Office12\GROOVE.EXE [2009-2-14 337264]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{F3C1DE9E-5E16-4BA9-B854-7B53A45E3579}\Icon3E5562ED7.ico [2009-9-28 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BD41BE36-351F-47E0-B705-B13D01F85D36}"= UDP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{478D379D-30FA-44AA-86F2-DC38D8837D91}"= TCP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{E1E63877-89CA-45E8-B785-0E35B2EF16F3}"= UDP:c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe:BigPond Wireless Broadband 2.0
"{8F6CABFB-9679-4E81-97F7-75CB04034974}"= TCP:c:\program files\Telstra\BigPond Wireless Broadband 2.0\BigPond_CM.exe:BigPond Wireless Broadband 2.0
"{2D862163-0A19-4D43-87AF-D7859E5473F1}"= UDP:c:\program files\TOSHIBA\Utilities\TACSPROP.exe:Accessibility
"{C55CC87E-F5D5-4AF4-8765-F794365810BB}"= TCP:c:\program files\TOSHIBA\Utilities\TACSPROP.exe:Accessibility
"{9EDACDFE-8CFA-4765-836C-4A5A70A4AB80}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{076E5AF5-43E7-43B5-B84D-76AD9C62C219}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{EAAC7BAE-62B0-4007-8181-E1A4D69E1056}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{B263895D-DB23-46E7-9D35-828E008196EC}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BEA0A74F-DD6D-4E9A-86B9-EFC395C592D1}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F23DEDC4-9449-44FA-BE1A-177C06D8563D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D48370A6-09E9-487E-BA3E-9FD877BAE504}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4474B371-DEED-4581-A167-35C9E0495EF7}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{D810C8F8-98B5-49FE-8210-DAAB63B6D39E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{E3AD1E28-61BC-4823-94D8-332B8EDC5CAD}"= UDP:96:Express Invoice TCP/IP Port
"{41C6CA9C-89CC-4ACD-948E-CEAB8159A373}"= TCP:8000:Axon Virtual PBX RTP Incoming Audio (UDP)
"{70BB8CDD-B9C1-40AD-AD97-B0A7765B1507}"= TCP:8001:Axon Virtual PBX RTP Incoming Audio (UDP)
"{DE219340-C8D0-4DD3-819D-8008B3D44D66}"= TCP:8002:Axon Virtual PBX RTP Incoming Audio (UDP)
"{7994A1B5-C305-4C2A-B5B8-48C6530651A4}"= TCP:8003:Axon Virtual PBX RTP Incoming Audio (UDP)
"{889BAEF9-2E71-43CA-91C4-901A8E29AA16}"= TCP:8004:Axon Virtual PBX RTP Incoming Audio (UDP)
"{86222769-744C-450C-BAB5-2688119001DB}"= TCP:8005:Axon Virtual PBX RTP Incoming Audio (UDP)
"{537A200D-65D1-4EC0-8799-54ED93C222E9}"= TCP:8006:Axon Virtual PBX RTP Incoming Audio (UDP)
"{3D2129AB-9B30-4E06-9FA8-3843D3283293}"= TCP:8007:Axon Virtual PBX RTP Incoming Audio (UDP)
"{F8B4147D-55F3-4CF0-999E-861933A25FCE}"= TCP:8008:Axon Virtual PBX RTP Incoming Audio (UDP)
"{67BD11D7-29E7-4CC7-A173-4B2381D8BC42}"= TCP:8009:Axon Virtual PBX RTP Incoming Audio (UDP)
"{3CDF81A4-156B-49A8-A075-D355B225F092}"= UDP:81:Axon Virtual PBX TCP/IP Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 is-EQHF8drv;is-EQHF8drv;c:\windows\System32\drivers\43365401.sys [28/08/2009 02:19 148496]
R1 is-RAPJPdrv;is-RAPJPdrv;c:\windows\System32\drivers\84491961.sys [28/08/2009 01:44 148496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [19/07/2007 23:30 108289]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [11/01/2008 18:50 30312]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [17/04/2008 18:19 40960]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\System32\dllhost.exe [2/11/2006 19:50 7168]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [3/12/2007 18:03 126976]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [25/07/2008 12:28 7168]
R3 HssDrv;Hotspot Shield Helper Miniport;c:\windows\System32\drivers\HssDrv.sys [2/07/2009 13:34 33840]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 23:31 29263712]
R3 NETw5v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\System32\drivers\NETw5v32.sys [12/07/2008 06:32 3658752]
R3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\TOSHIBA\SmartFaceV\SmartFaceVWatchSrv.exe [25/08/2008 10:58 77824]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [20/12/2007 18:13 1553896]
S2 OcHealthMon;Windows Live OneCare Health Monitor;"c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe" --> c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [?]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\System32\drivers\cmusbnet.sys [22/06/2007 10:54 87424]
S3 cmusbser;%CMUSBSER%;c:\windows\System32\drivers\cmusbser.sys [13/12/2006 19:31 87040]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\System32\drivers\tap0901.sys [2/07/2009 14:25 25472]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bigpond.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHN&bmod=TSHN
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = socks=
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-09 12:13
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP00000060EEE7A9A9E0498B1B 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-09 12:15
ComboFix-quarantined-files.txt 2009-10-09 01:15
ComboFix2.txt 2009-10-08 02:37

Pre-Run: 226,784,874,496 bytes free
Post-Run: 226,766,954,496 bytes free

270 --- E O F --- 2009-09-30 12:52
hmk_32 is offline  
Old 10-09-2009, 09:45 AM   #20
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,621
OS: XP SP3


Re: something clever and nasty on my laptop

Hello again, Hayley. Please describe what happens when you try to open a webpage. Any error messages? What does IE do or say?

Click on the Junction folder again.

Double-click peek.bat and allow it to run.

A log will be produced at C:\log.txt. Please attach log.txt to your next reply.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  