
Infected Computer won't run anti-virus programs [Solved]


  • This topic is locked

#1
StephenYu

StephenYu

    New Member

  • Member
  • Pip
  • 5 posts
I believe my computer is infected with a virus and it won't let me run any anti-virus programs. When I try to run MalwareBytes, it terminates after about 3 seconds of scanning. I am unable to uninstall MalwareBytes as well. I am running Vista Home Premium in safe mode right now. I did a search on my computer and deleted all the files created after the infection. Before, I was unable to run taskmgr or regedit, but I have since fixed that problem. I have already followed the steps in the Malware and Spyware Cleaning Guide. Please help me get rid of the virus ): Thanks!

1. I am unable to run or uninstall MalwareBytes
2. I am unable to create a system restore point
3. The rootkit detection and OTL logs are attached

Attached File  RootRepeal_report_09_16_09__12_44_35_.txt   636bytes   102 downloads
Attached File  OTL.Txt   66.9KB   204 downloads
Attached File  Extras.Txt   55.97KB   613 downloads

Edited by StephenYu, 16 September 2009 - 01:57 PM.

  • 0


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there

OK, let's start to kill it. Please follow these steps in order.

@echo off
REM Copy the known-good Microsoft cngaudit.dll out of the WinSxS component store
REM to the root of C:, where the Avenger script below can pick it up.
copy C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll c:\
exit

First you will need to create the batch fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.bat

This will create a batch file.

Then run fix.bat by double-clicking it. You may see a black box appear; this is normal.

THEN

Click on Start->Run, copy-paste the following command into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


NEXT


1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to move:
c:\cngaudit.dll | C:\Windows\System32\cngaudit.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

FINALLY

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a OTL log so we can continue cleaning the system.

  • 0

#3
StephenYu

StephenYu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you for your quick reply!

Win32kdiag.txt

Running from: C:\Users\Admin\Desktop\win32kdiag.exe

Log file at : C:\Users\Admin\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\AppPatch\Custom\Custom

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2DF2.tmp\ZAP2DF2.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP81A.tmp\ZAP81A.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE752.tmp\ZAPE752.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPED79.tmp\ZAPED79.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPED79.tmp\ZAPED79.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEEF0.tmp\ZAPEEF0.tmp

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF24A.tmp\ZAPF24A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPF24A.tmp\ZAPF24A.tmp

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\temp\temp

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\assembly\tmp\tmp

Found mount point : C:\Windows\ehome\CreateDisc\style\style

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ehome\CreateDisc\style\style

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Globalization\Globalization

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Help\Corporate\Corporate

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109510090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\authman\authman

Found mount point : C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Minidump\Minidump

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\nap\configuration\configuration

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Panther\setup.exe\setup.exe

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PIF\PIF

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\PLA\Templates\Templates

Found mount point : C:\Windows\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Registration\CRMLog\CRMLog

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SchCache\SchCache

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\logs\logs

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\security\templates\templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Temporary Internet Files

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Media Center Programs\Media Center Programs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\v2.0.50727.312

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\v2.0.50727.312

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\Cookies

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Found mount point : C:\Windows\SolidWorks\SolidWorks

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\SolidWorks\SolidWorks

Found mount point : C:\Windows\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\Sun\Java\Deployment\Deployment

Found mount point : C:\Windows\System32\0409\0409

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\0409\0409

Found mount point : C:\Windows\System32\Branding\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Branding\en-US\en-US

Found mount point : C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}

Cannot access: C:\Windows\System32\cngaudit.dll

Attempting to restore permissions of : C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 02:46:03 62464 C:\Windows\System32\cngaudit.dll ()

[2] 2006-11-02 02:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2006-11-02 02:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)



Found mount point : C:\Windows\System32\com\dmp\dmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\com\dmp\dmp

Found mount point : C:\Windows\System32\config\Journal\Journal

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\Journal\Journal

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\Recovery

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\Recovery

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\Groove\System\System

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\Groove\System\System

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\Groove\User\User

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\Groove\User\User

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\Virtualized

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\Virtualized

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Hewlett-Packard\HP Software UI\cee\cee

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Hewlett-Packard\HP Software UI\cee\cee

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\3V5PT54K\3V5PT54K

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\3V5PT54K\3V5PT54K

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\IECompatCache

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\IECompatCache

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\Low\Low

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\Low\Low

Found mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\Low

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\Low

Found mount point : C:\Windows\System32\DriverStore\Temp\{bcbbfbb9-c2fd-4845-a1bd-29d876ff905d}\{bcbbfbb9-c2fd-4845-a1bd-29d876ff905d}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\DriverStore\Temp\{bcbbfbb9-c2fd-4845-a1bd-29d876ff905d}\{bcbbfbb9-c2fd-4845-a1bd-29d876ff905d}

Found mount point : C:\Windows\System32\GroupPolicyUsers\GroupPolicyUsers

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\GroupPolicyUsers\GroupPolicyUsers

Found mount point : C:\Windows\System32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\inetsrv\inetsrv

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Found mount point : C:\Windows\System32\MUI\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\MUI\dispspec\dispspec

Found mount point : C:\Windows\System32\setup\en-US\en-US

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\setup\en-US\en-US

Found mount point : C:\Windows\System32\SMI\Manifests\Manifests

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\SMI\Manifests\Manifests

Found mount point : C:\Windows\System32\spool\drivers\IA64\IA64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\drivers\IA64\IA64

Found mount point : C:\Windows\System32\spool\drivers\w32x86\3\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\drivers\w32x86\3\temp\temp

Found mount point : C:\Windows\System32\spool\drivers\x64\x64

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\drivers\x64\x64

Found mount point : C:\Windows\System32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\PRINTERS\PRINTERS

Found mount point : C:\Windows\System32\spool\SERVERS\STEPHEN\STEPHEN

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\SERVERS\STEPHEN\STEPHEN

Found mount point : C:\Windows\System32\spool\SERVERS\WINSTON-PC\WINSTON-PC

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\spool\SERVERS\WINSTON-PC\WINSTON-PC

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\SyncCenter

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\SyncCenter

Found mount point : C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar\WindowsCalendar

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar\WindowsCalendar

Found mount point : C:\Windows\System32\wbem\MOF\bad\bad

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\wbem\MOF\bad\bad

Found mount point : C:\Windows\System32\wbem\MOF\good\good

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\wbem\MOF\good\good

Found mount point : C:\Windows\System32\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}

Found mount point : C:\Windows\System32\WDI\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\WDI\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}\{ecfb03d1-58ee-4cc7-a1b5-9bc6febcb915}

Cannot access: C:\Windows\System32\WerFault.exe

Attempting to restore permissions of : C:\Windows\System32\WerFault.exe

Found mount point : C:\Windows\System32\winevt\TraceFormat\TraceFormat

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\System32\winevt\TraceFormat\TraceFormat

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\tracing\tracing

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\Windows\winsxs\InstallTemp\InstallTemp



Finished!



Avenger.txt

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Wed Sep 16 13:45:16 2009

13:45:15: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Wed Sep 16 13:45:30 2009

13:45:30: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Wed Sep 16 13:46:08 2009

13:46:08: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\cngaudit.dll|C:\Windows\System32\cngaudit.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.



Right before combofix.exe rebooted my computer, an error came up. I could not catch what it said nor did I have time to "press OK to terminate this application".

At the end of combo-fix.exe, this log appeared.

ComboFix 09-09-14.02 - Admin 09/16/2009 13:53.1.2 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2999 [GMT -7:00]
Running from: F:\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1061942412-1823489271-1393647071-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-4235296297-4181994746-4189477521-500
C:\cleanup.exe
c:\windows\system32\drivers\OCA_LOG.TXT
c:\windows\SYSTEM32\haligogu.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\nsprs.dll
c:\windows\SYSTEM32\pukayane.dll
c:\windows\SYSTEM32\refayuze.dll
c:\windows\SYSTEM32\sefofele.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\ygsuhdf83id.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-16 21:00 . 2009-09-16 21:02 -------- d-----w- c:\users\Admin\AppData\Local\temp
2009-09-16 20:46 . 2009-09-16 20:46 574 ----a-w- C:\cleanup.bat
2009-09-16 20:46 . 2009-09-16 20:46 135168 ----a-w- C:\zip.exe
2009-09-16 19:37 . 2009-09-16 19:37 -------- d-----w- c:\program files\ERUNT
2009-09-16 18:56 . 2009-09-16 19:00 -------- d-----w- c:\program files\Spybot2
2009-09-16 18:31 . 2009-09-16 19:00 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-16 18:31 . 2009-09-16 18:38 -------- d-----w- c:\program files\Spybot
2009-09-16 18:30 . 2009-09-16 18:30 -------- d-----w- c:\program files\Includes
2009-09-16 08:59 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-16 08:59 . 2009-09-16 18:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 08:59 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 03:52 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-25 02:46 . 2009-09-12 07:07 -------- d-----w- c:\program files\Heroes of Newerth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 11:46 . 2009-07-29 07:07 -------- d-----w- c:\users\Admin\AppData\Roaming\vlc
2009-09-16 11:38 . 2007-09-20 05:36 1356 ----a-w- c:\users\Admin\AppData\Local\d3d9caps.dat
2009-09-16 09:31 . 2009-07-28 09:01 -------- d-----w- c:\program files\Microsoft Windows Feedback Panel
2009-09-16 09:31 . 2008-06-26 02:14 -------- d-----w- c:\programdata\WFP
2009-09-16 09:31 . 2007-09-11 19:18 -------- d-----w- c:\programdata\NVIDIA
2009-09-15 18:46 . 2007-09-11 18:59 94936 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-15 08:13 . 2008-07-10 00:33 -------- d-----w- c:\program files\SolidWorks
2009-09-14 15:55 . 2009-07-03 07:22 -------- d-----w- c:\users\Guest\AppData\Roaming\vlc
2009-09-12 20:45 . 2008-01-06 05:47 -------- d-----w- c:\program files\Common Files\Logishrd
2009-09-08 20:39 . 2008-01-06 05:32 -------- d-----w- c:\users\Admin\AppData\Roaming\Nero
2009-09-08 20:30 . 2008-01-06 05:30 -------- d-----w- c:\program files\Common Files\Nero
2009-09-08 20:29 . 2008-01-06 05:30 -------- d-----w- c:\program files\Nero
2009-09-08 20:28 . 2008-01-06 05:30 -------- d-----w- c:\programdata\Nero
2009-08-09 08:06 . 2007-12-21 08:25 -------- d-----w- c:\users\Admin\AppData\Roaming\U3
2009-08-06 18:08 . 2009-08-06 18:08 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
2009-08-06 18:08 . 2009-08-06 18:08 -------- d-----w- c:\programdata\Malwarebytes
2009-08-06 15:47 . 2008-06-17 22:17 107016 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-04 08:47 . 2009-08-04 08:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-04 08:37 . 2007-10-25 08:21 -------- d-----w- c:\program files\WC3Banlist
2009-08-04 08:36 . 2007-06-08 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-03 02:32 . 2007-09-20 06:02 -------- d-----w- c:\program files\Warcraft III
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-07-31 01:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-31 01:09 . 2008-08-13 23:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 01:06 . 2007-09-23 03:52 -------- d-----w- c:\programdata\Microsoft Help
2009-07-31 01:04 . 2007-06-08 15:32 -------- d-----w- c:\program files\Microsoft Works
2009-07-24 03:39 . 2009-07-24 03:39 93 ----a-w- c:\users\Admin\AppData\Local\fusioncache.dat
2009-07-21 21:52 . 2009-07-31 01:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-31 01:00 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-31 01:00 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-31 01:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-19 08:13 . 2009-07-19 08:13 -------- d-----w- c:\users\Admin\AppData\Roaming\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-07-17 13:54 . 2009-08-30 03:50 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-30 03:50 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-30 03:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-30 03:50 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-30 03:50 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 21:37 . 2009-08-07 01:36 66056 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_HelperSvc.exe
2009-07-14 21:37 . 2009-08-07 01:36 32456 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-07-14 21:37 . 2009-08-07 01:36 242272 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe
2009-07-14 21:37 . 2009-08-07 01:36 22848 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-07-14 21:37 . 2009-08-07 01:36 18776 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-06-30 21:26 . 2009-06-30 21:22 1915520 ----a-w- c:\users\Guest\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2007-09-11 21:24 . 2007-09-11 21:24 22 --sha-w- c:\windows\SMINST\HPCD.sys
2009-06-16 12:41 . 2009-06-16 12:41 2713 --sh--w- c:\windows\System32\dasakebe.exe
2009-04-14 08:09 . 2009-04-14 08:09 848 --sha-w- c:\windows\System32\KGyGaAvL.sys
2009-06-16 08:35 . 2009-06-16 08:35 49152 --sha-w- c:\windows\System32\lutokujo.dll
2009-06-16 08:35 . 2009-06-16 08:35 49152 --sha-w- c:\windows\System32\wukahuro.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 92704]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-25 4702208]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Mouse and Keyboard Settings.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-23 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\WfpRescover\wfprescover.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WFPUser.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WFPUser.lnk
backup=c:\windows\pss\WFPUser.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"VistaSp2"=hex(b):74,32,b9,f3,80,11,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{54A45CBD-8D84-4EDC-BEC8-62B9E5985BFA}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections
"{0784761A-E1A2-486E-8D9C-B1E863B8A10E}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{A3D7F7AC-36A4-4D45-AFCE-E0177A9BC060}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E93AE87D-76BF-4B3E-8735-3C4566B78EAB}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E236F62F-DD1B-454E-9D3B-BA6F963B15EA}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{88652854-FF22-4D2D-8912-7253A7A33944}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3BE6EBAC-0D80-4DBE-8AA5-2109389A0380}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4B2F6E24-1698-4BB9-BB28-4EF7188052D3}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"TCP Query User{5169CE20-2540-4DD1-AF42-374EDF07B588}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{2DF9410E-9D0F-4FDB-98C0-81C94BEF4652}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{8D911C71-A8B3-4322-AED8-34C5F1454A2D}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C9F9A0F3-E2AC-478D-B000-4A7DE1EAD4CC}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3060D9C1-0184-415F-9BC7-66FB87E4A09E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E666B6AC-7D13-4AFD-BDCD-802DD4AA5A20}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5DF87D88-914D-4F91-BE39-026CF57C7AFB}"= UDP:25901:BitComet 25901 TCP
"{A45BB9F8-FC48-4F69-A71B-209A86FB531C}"= TCP:25901:BitComet 25901 UDP
"{B1BF435B-C0F0-4372-9B36-A05B85E0F522}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{590228EC-782B-4199-8721-8E881CA7940E}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{6262EFBD-E435-46CC-A086-ECDD74A79C1B}"= UDP:25901:BitComet 25901 TCP
"{BCD7C386-C612-4C57-898F-308DBB92A6CE}"= TCP:25901:BitComet 25901 UDP
"{14E844FE-A113-4817-B7C2-A5FEFFF8DFB4}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{A075DB20-294C-4367-B380-5748937A8647}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{13405024-6972-458F-8318-DAD16E7EDDC1}"= UDP:8395:League of Legends Launcher
"{CC0B6D01-1E1C-4E8D-9653-150940BBE6B7}"= TCP:8395:League of Legends Launcher
"{2025FCDA-5CFC-49CE-B904-8F8142E1CA8D}"= UDP:c:\riot games\League of Legends\Air\LolClient.exe:League of Legends Lobby
"{78503524-7292-4A44-8987-2DE49A25E789}"= TCP:c:\riot games\League of Legends\Air\LolClient.exe:League of Legends Lobby
"{680191BA-EBEB-4B8E-8948-C1D2DFDF7567}"= UDP:c:\riot games\League of Legends\Game\League of Legends.exe:League of Legends Game Client
"{C433AD45-63CF-4F29-8B65-9F040D6A4C8F}"= TCP:c:\riot games\League of Legends\Game\League of Legends.exe:League of Legends Game Client
"{37F64FFF-5711-4411-B943-B49ED5E15A86}"= UDP:8396:League of Legends Launcher
"{C19E2739-E04E-4C8C-AAAE-6915F14F379D}"= TCP:8396:League of Legends Launcher
"{116DD32F-304F-42AE-B489-ED9087C2ADE1}"= UDP:8397:League of Legends Launcher
"{A40CF8AD-4023-43F2-9338-2656F766D6DD}"= TCP:8397:League of Legends Launcher
"{38CFBB17-D87E-4B9F-A72D-CBFE701FFEDA}"= UDP:8398:League of Legends Launcher
"{DF4BF06B-816E-4EEB-A2FC-C775EB201595}"= TCP:8398:League of Legends Launcher
"{B466ACE2-2925-4515-A08D-F1F6AEEC05EE}"= UDP:8399:League of Legends Launcher
"{BD5DACB7-844A-452E-A9AB-71F82705E00A}"= TCP:8399:League of Legends Launcher
"{4120B4DE-72E6-4A37-AA5D-F0DC978C1A98}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe:TurbineMessageService
"{0A5EB31A-9732-4387-8D82-05FF39BB1C74}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe:TurbineMessageService
"{5C08F94F-B5DC-4D56-8FA5-4C6919D320C4}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{640788E3-7CF4-4CAA-BEED-5CB3DEC98C9E}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{25552A7A-19F5-47E8-9BDC-EF9D7E7766FD}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{BE5DF06A-5F06-4B93-A456-90648F9CEC1F}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{489C7B77-5C6E-4F01-BDB3-E538D2DE5C7F}"= UDP:c:\windows\System32\wininit.exe:wininit
"{C2D7F6E2-B070-4BDD-94DF-D32CAE1990C7}"= TCP:c:\windows\System32\wininit.exe:wininit
"{87B79004-29C9-4136-8040-A7EBBE4BAD8D}"= UDP:c:\windows\System32\wininit.exe:wininit
"{2D5947B0-B2D3-410D-9B0B-1D96E91984A9}"= TCP:c:\windows\System32\wininit.exe:wininit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

S2 wfpservice;Windows Feedback Panel Background Service;c:\program files\Microsoft Windows Feedback Panel\WFPService.EXE [7/9/2009 3:36 AM 248080]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [11/6/2007 1:22 PM 34064]
S3 PRSUSB;Sony Reader;c:\windows\System32\drivers\PRSUSB.sys [11/21/2006 5:52 PM 18944]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\winhelper.dll
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.7/TSWeb.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{BA603215-23F2-42AD-F4E4-00AAC39CAA53} - c:\windows\system32\ygsuhdf83id.dll
HKLM-Run-letomoyana - haligogu.dll
HKLM-RunOnce-Cleanup - C:\cleanup.exe
HKLM-RunOnce-<NO NAME> - (no file)
SharedTaskScheduler-{BA603215-23F2-42AD-F4E4-00AAC39CAA53} - c:\windows\system32\ygsuhdf83id.dll



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-511701214-598833928-2956610662-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:54,72,5e,f3,c7,a9,bb,7c,ed,c1,43,9d,ea,b2,07,f8,12,1a,c9,a2,34,3a,b3,
02,28,ba,6e,b4,84,a4,8d,21,cd,75,fe,70,4f,af,db,dc,4f,d9,c4,0d,e7,41,62,9b,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-511701214-598833928-2956610662-1000\Software\SecuROM\License information*]
"datasecu"=hex:64,b9,a1,70,c2,5c,7a,30,45,89,c2,88,05,04,6e,98,38,8a,98,a8,97,
69,49,3c,46,4b,ac,eb,af,ed,15,a2,11,6e,0a,f4,42,6e,0f,54,4e,46,55,7c,d6,88,\
"rkeysecu"=hex:9b,54,29,a0,89,4e,30,e7,db,26,85,97,ff,5f,2a,fa

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\HelpPane.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-09-16 14:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-16 21:05

Pre-Run: 116,836,712,448 bytes free
Post-Run: 116,500,144,128 bytes free

289 --- E O F --- 2009-08-30 03:52


When I try to run OTL.exe again, I get the message:
"Illegal operation attempted on a registry key that has been marked for deletion"

I am also unable to open .txt files on the infected machine. I forgot to mention that I have disconnected the infected system from the internet and am currently shuttling programs to and from another computer via USB. I ran combo-fix.exe from the USB which might have caused some complications. Thanks again for your help! I really appreciate it.
  • 0
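Beyond the random-named DLLs it deleted, the ComboFix log above records settings that matter to whoever has to trust this machine afterwards: Security Center monitoring disabled and its AV and firewall status overridden, EnableFirewall set to 0 in every firewall profile, UAC (EnableLUA) off, an AppInit_DLLs entry, and a Winsock LSP pointing at winhelper.dll, one of the files ComboFix removed. As an added example that is not part of this thread and not ComboFix's own code, the Python script below reads the registry section of a ComboFix-style log and flags values like these. The sample text is a constructed excerpt modelled on the log above; the watch-list and the benign values it expects are the example's own assumptions. A flagged entry is a prompt to identify the file or restore the setting, not proof of infection on its own.

```python
"""Added example (not from the thread or from ComboFix itself): a small
checker that walks the registry section of a ComboFix-style log and flags
the settings a defender would want explained before trusting the machine.
The sample below is a constructed excerpt modelled on the log posted above."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape ComboFix prints them.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\WfpRescover\wfprescover.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

LSP: c:\windows\system32\winhelper.dll
"""


@dataclass
class Finding:
    key: str      # registry key the value sits under (or "LSP")
    name: str     # value name
    value: str    # normalised value
    reason: str   # why a defender should look at it


# Value name (lower-cased) -> (set of benign values, explanation).
# This watch-list is the example's own assumption; anything outside the
# benign set becomes a Finding.
WATCHED_VALUES = {
    "enablelua": ({"1"}, "UAC is disabled"),
    "enablefirewall": ({"1"}, "Windows Firewall is off for this profile"),
    "disablemonitoring": ({"0"}, "Security Center monitoring is disabled"),
    "antivirusoverride": ({"0"}, "Security Center AV status is overridden"),
    "firewalloverride": ({"0"}, "Security Center firewall status is overridden"),
    "updatesdisablenotify": ({"0"}, "Windows Update notifications are suppressed"),
    "appinit_dlls": ({""}, "AppInit_DLLs loads this DLL into every process that loads user32"),
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
LSP_RE = re.compile(r"^LSP:\s*(?P<path>\S.*)$")


def normalise(raw: str) -> str:
    """Reduce ComboFix's value spellings to a plain string:
    '0 (0x0)' -> '0', 'dword:00000001' -> '1', paths unchanged."""
    raw = raw.strip()
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return m.group(1)
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return str(int(m.group(1), 16))
    return raw.strip('"')


def scan_reg_section(text: str) -> list[Finding]:
    """Walk the log line by line, remembering the current [key], and
    emit a Finding for each watched value outside its benign set."""
    findings: list[Finding] = []
    current_key = ""
    for line in text.splitlines():
        line = line.rstrip()
        if (m := KEY_RE.match(line)):
            current_key = m.group("key")
        elif (m := LSP_RE.match(line)):
            # A Winsock LSP sits in the path of all socket traffic, so any
            # DLL registered here has to be accounted for.
            findings.append(Finding("LSP", "LSP", m.group("path"),
                                    "Winsock LSP installed; identify the DLL"))
        elif (m := VALUE_RE.match(line)):
            name = m.group("name")
            value = normalise(m.group("raw"))
            watched = WATCHED_VALUES.get(name.lower())
            if watched and value not in watched[0]:
                findings.append(Finding(current_key, name, value, watched[1]))
    return findings


if __name__ == "__main__":
    for f in scan_reg_section(SAMPLE_LOG):
        print(f"{f.reason}: {f.name}={f.value!r} under {f.key}")
```

To use it on a real run, pass the contents of the saved Combofix.txt to scan_reg_section. The point of the check is that the removal tools in this thread delete files; the disabled firewall profiles and Security Center overrides they leave behind still have to be put back by hand once the machine is clean.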

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
No problem, we will see what happens after this. Let me know your symptoms on completion of this.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\System32\dasakebe.exe
c:\windows\System32\lutokujo.dll
c:\windows\System32\wukahuro.dll

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .

I will now try a slightly different programme

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - File Associations
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#5
StephenYu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I was unable to load the script via dragging and dropping because of the same error. I manually rebooted to see if that would fix the problem. (My computer was set using msconfig to always boot in Minimal Safe Mode. From now on I will run all programs from the desktop, not the flash drive.) After rebooting, dragging and dropping the script worked and combo-fix ran. Combo-fix has requested that I connect to the internet before pressing OK. I cannot connect to the internet in Safe Mode because the network drivers appear to be disabled. I left this dialogue open.

Combo-fix.txt

ComboFix 09-09-14.02 - Admin 09/16/2009 14:29.2.2 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.3112 [GMT -7:00]
Running from: c:\users\Admin\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Admin\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\windows\System32\dasakebe.exe"
"c:\windows\System32\lutokujo.dll"
"c:\windows\System32\wukahuro.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\dasakebe.exe
c:\windows\System32\lutokujo.dll
c:\windows\System32\wukahuro.dll

.
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.

2009-09-16 21:36 . 2009-09-16 21:36 -------- d-----w- c:\users\Admin\AppData\Local\temp
2009-09-16 21:36 . 2009-09-16 21:36 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-16 21:36 . 2009-09-16 21:36 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-09-16 21:36 . 2009-09-16 21:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-16 20:46 . 2009-09-16 20:46 574 ----a-w- C:\cleanup.bat
2009-09-16 20:46 . 2009-09-16 20:46 135168 ----a-w- C:\zip.exe
2009-09-16 19:37 . 2009-09-16 19:37 -------- d-----w- c:\program files\ERUNT
2009-09-16 18:56 . 2009-09-16 19:00 -------- d-----w- c:\program files\Spybot2
2009-09-16 18:31 . 2009-09-16 19:00 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-16 18:31 . 2009-09-16 18:38 -------- d-----w- c:\program files\Spybot
2009-09-16 18:30 . 2009-09-16 18:30 -------- d-----w- c:\program files\Includes
2009-09-16 08:59 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-16 08:59 . 2009-09-16 18:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-16 08:59 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-30 03:52 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-25 02:46 . 2009-09-12 07:07 -------- d-----w- c:\program files\Heroes of Newerth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 11:46 . 2009-07-29 07:07 -------- d-----w- c:\users\Admin\AppData\Roaming\vlc
2009-09-16 11:38 . 2007-09-20 05:36 1356 ----a-w- c:\users\Admin\AppData\Local\d3d9caps.dat
2009-09-16 09:31 . 2009-07-28 09:01 -------- d-----w- c:\program files\Microsoft Windows Feedback Panel
2009-09-16 09:31 . 2008-06-26 02:14 -------- d-----w- c:\programdata\WFP
2009-09-16 09:31 . 2007-09-11 19:18 -------- d-----w- c:\programdata\NVIDIA
2009-09-15 18:46 . 2007-09-11 18:59 94936 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-15 08:13 . 2008-07-10 00:33 -------- d-----w- c:\program files\SolidWorks
2009-09-14 15:55 . 2009-07-03 07:22 -------- d-----w- c:\users\Guest\AppData\Roaming\vlc
2009-09-12 20:45 . 2008-01-06 05:47 -------- d-----w- c:\program files\Common Files\Logishrd
2009-09-08 20:39 . 2008-01-06 05:32 -------- d-----w- c:\users\Admin\AppData\Roaming\Nero
2009-09-08 20:30 . 2008-01-06 05:30 -------- d-----w- c:\program files\Common Files\Nero
2009-09-08 20:29 . 2008-01-06 05:30 -------- d-----w- c:\program files\Nero
2009-09-08 20:28 . 2008-01-06 05:30 -------- d-----w- c:\programdata\Nero
2009-08-09 08:06 . 2007-12-21 08:25 -------- d-----w- c:\users\Admin\AppData\Roaming\U3
2009-08-06 18:08 . 2009-08-06 18:08 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
2009-08-06 18:08 . 2009-08-06 18:08 -------- d-----w- c:\programdata\Malwarebytes
2009-08-06 15:47 . 2008-06-17 22:17 107016 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-04 08:47 . 2009-08-04 08:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-04 08:37 . 2007-10-25 08:21 -------- d-----w- c:\program files\WC3Banlist
2009-08-04 08:36 . 2007-06-08 15:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-03 02:32 . 2007-09-20 06:02 -------- d-----w- c:\program files\Warcraft III
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-07-31 01:42 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-07-31 01:42 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-31 01:09 . 2008-08-13 23:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-31 01:06 . 2007-09-23 03:52 -------- d-----w- c:\programdata\Microsoft Help
2009-07-31 01:04 . 2007-06-08 15:32 -------- d-----w- c:\program files\Microsoft Works
2009-07-24 03:39 . 2009-07-24 03:39 93 ----a-w- c:\users\Admin\AppData\Local\fusioncache.dat
2009-07-21 21:52 . 2009-07-31 01:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-31 01:00 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-31 01:00 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-31 01:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-19 08:13 . 2009-07-19 08:13 -------- d-----w- c:\users\Admin\AppData\Roaming\LolClient.F24C99354F615F3BAB18AE7B93E3F9B9E8784FA6.1
2009-07-17 13:54 . 2009-08-30 03:50 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-30 03:50 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-30 03:50 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-30 03:50 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-30 03:50 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 21:37 . 2009-08-07 01:36 66056 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlus_HelperSvc.exe
2009-07-14 21:37 . 2009-08-07 01:36 32456 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-07-14 21:37 . 2009-08-07 01:36 242272 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe.exe
2009-07-14 21:37 . 2009-08-07 01:36 22848 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-07-14 21:37 . 2009-08-07 01:36 18776 ----a-w- c:\users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\23ne4ct2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-06-30 21:26 . 2009-06-30 21:22 1915520 ----a-w- c:\users\Guest\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2007-09-11 21:24 . 2007-09-11 21:24 22 --sha-w- c:\windows\SMINST\HPCD.sys
2009-04-14 08:09 . 2009-04-14 08:09 848 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-16_21.02.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 10:33 . 2009-09-16 21:34 633102 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-16 20:57 633102 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-16 21:34 116660 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-09-16 20:57 116660 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 92704]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-10-25 4702208]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Mouse and Keyboard Settings.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-23 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\WfpRescover\wfprescover.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WFPUser.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WFPUser.lnk
backup=c:\windows\pss\WFPUser.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"VistaSp2"=hex(b):74,32,b9,f3,80,11,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{54A45CBD-8D84-4EDC-BEC8-62B9E5985BFA}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections
"{0784761A-E1A2-486E-8D9C-B1E863B8A10E}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections
"{A3D7F7AC-36A4-4D45-AFCE-E0177A9BC060}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E93AE87D-76BF-4B3E-8735-3C4566B78EAB}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E236F62F-DD1B-454E-9D3B-BA6F963B15EA}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{88652854-FF22-4D2D-8912-7253A7A33944}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{3BE6EBAC-0D80-4DBE-8AA5-2109389A0380}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4B2F6E24-1698-4BB9-BB28-4EF7188052D3}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"TCP Query User{5169CE20-2540-4DD1-AF42-374EDF07B588}c:\\program files\\warcraft iii\\war3.exe"= UDP:c:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{2DF9410E-9D0F-4FDB-98C0-81C94BEF4652}c:\\program files\\warcraft iii\\war3.exe"= TCP:c:\program files\warcraft iii\war3.exe:Warcraft III
"{8D911C71-A8B3-4322-AED8-34C5F1454A2D}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{C9F9A0F3-E2AC-478D-B000-4A7DE1EAD4CC}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3060D9C1-0184-415F-9BC7-66FB87E4A09E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E666B6AC-7D13-4AFD-BDCD-802DD4AA5A20}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5DF87D88-914D-4F91-BE39-026CF57C7AFB}"= UDP:25901:BitComet 25901 TCP
"{A45BB9F8-FC48-4F69-A71B-209A86FB531C}"= TCP:25901:BitComet 25901 UDP
"{B1BF435B-C0F0-4372-9B36-A05B85E0F522}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{590228EC-782B-4199-8721-8E881CA7940E}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{6262EFBD-E435-46CC-A086-ECDD74A79C1B}"= UDP:25901:BitComet 25901 TCP
"{BCD7C386-C612-4C57-898F-308DBB92A6CE}"= TCP:25901:BitComet 25901 UDP
"{14E844FE-A113-4817-B7C2-A5FEFFF8DFB4}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{A075DB20-294C-4367-B380-5748937A8647}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{13405024-6972-458F-8318-DAD16E7EDDC1}"= UDP:8395:League of Legends Launcher
"{CC0B6D01-1E1C-4E8D-9653-150940BBE6B7}"= TCP:8395:League of Legends Launcher
"{2025FCDA-5CFC-49CE-B904-8F8142E1CA8D}"= UDP:c:\riot games\League of Legends\Air\LolClient.exe:League of Legends Lobby
"{78503524-7292-4A44-8987-2DE49A25E789}"= TCP:c:\riot games\League of Legends\Air\LolClient.exe:League of Legends Lobby
"{680191BA-EBEB-4B8E-8948-C1D2DFDF7567}"= UDP:c:\riot games\League of Legends\Game\League of Legends.exe:League of Legends Game Client
"{C433AD45-63CF-4F29-8B65-9F040D6A4C8F}"= TCP:c:\riot games\League of Legends\Game\League of Legends.exe:League of Legends Game Client
"{37F64FFF-5711-4411-B943-B49ED5E15A86}"= UDP:8396:League of Legends Launcher
"{C19E2739-E04E-4C8C-AAAE-6915F14F379D}"= TCP:8396:League of Legends Launcher
"{116DD32F-304F-42AE-B489-ED9087C2ADE1}"= UDP:8397:League of Legends Launcher
"{A40CF8AD-4023-43F2-9338-2656F766D6DD}"= TCP:8397:League of Legends Launcher
"{38CFBB17-D87E-4B9F-A72D-CBFE701FFEDA}"= UDP:8398:League of Legends Launcher
"{DF4BF06B-816E-4EEB-A2FC-C775EB201595}"= TCP:8398:League of Legends Launcher
"{B466ACE2-2925-4515-A08D-F1F6AEEC05EE}"= UDP:8399:League of Legends Launcher
"{BD5DACB7-844A-452E-A9AB-71F82705E00A}"= TCP:8399:League of Legends Launcher
"{4120B4DE-72E6-4A37-AA5D-F0DC978C1A98}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe:TurbineMessageService
"{0A5EB31A-9732-4387-8D82-05FF39BB1C74}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe:TurbineMessageService
"{5C08F94F-B5DC-4D56-8FA5-4C6919D320C4}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{640788E3-7CF4-4CAA-BEED-5CB3DEC98C9E}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{25552A7A-19F5-47E8-9BDC-EF9D7E7766FD}"= UDP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{BE5DF06A-5F06-4B93-A456-90648F9CEC1F}"= TCP:c:\program files\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe:TurbineNetworkService
"{489C7B77-5C6E-4F01-BDB3-E538D2DE5C7F}"= UDP:c:\windows\System32\wininit.exe:wininit
"{C2D7F6E2-B070-4BDD-94DF-D32CAE1990C7}"= TCP:c:\windows\System32\wininit.exe:wininit
"{87B79004-29C9-4136-8040-A7EBBE4BAD8D}"= UDP:c:\windows\System32\wininit.exe:wininit
"{2D5947B0-B2D3-410D-9B0B-1D96E91984A9}"= TCP:c:\windows\System32\wininit.exe:wininit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

S2 wfpservice;Windows Feedback Panel Background Service;c:\program files\Microsoft Windows Feedback Panel\WFPService.EXE [7/9/2009 3:36 AM 248080]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [11/6/2007 1:22 PM 34064]
S3 PRSUSB;Sony Reader;c:\windows\System32\drivers\PRSUSB.sys [11/21/2006 5:52 PM 18944]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\winhelper.dll
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.7/TSWeb.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-16 14:36
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-511701214-598833928-2956610662-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:54,72,5e,f3,c7,a9,bb,7c,ed,c1,43,9d,ea,b2,07,f8,12,1a,c9,a2,34,3a,b3,
02,28,ba,6e,b4,84,a4,8d,21,cd,75,fe,70,4f,af,db,dc,4f,d9,c4,0d,e7,41,62,9b,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-511701214-598833928-2956610662-1000\Software\SecuROM\License information*]
"datasecu"=hex:64,b9,a1,70,c2,5c,7a,30,45,89,c2,88,05,04,6e,98,38,8a,98,a8,97,
69,49,3c,46,4b,ac,eb,af,ed,15,a2,11,6e,0a,f4,42,6e,0f,54,4e,46,55,7c,d6,88,\
"rkeysecu"=hex:9b,54,29,a0,89,4e,30,e7,db,26,85,97,ff,5f,2a,fa

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-09-16 14:37
ComboFix-quarantined-files.txt 2009-09-16 21:37
ComboFix2.txt 2009-09-16 21:06

Pre-Run: 116,569,800,704 bytes free
Post-Run: 116,438,888,448 bytes free

278 --- E O F --- 2009-08-30 03:52


Combo-Fix did not reboot my computer. Since your next instruction requires that I close all other programs, including combo-fix, I have not completed that step yet. What is my next step? I appreciate your amazingly fast replies.


Edit: I just pressed OK on the file submission prompt and it told me to upload it later.

Upon running OTS, an error appears:

Access violation at address 0053A9E5 in module 'OTS.exe'. Read of address 00000000.


I rebooted and tried to run OTS again.

Attached File  OTS.Txt   138.34KB   362 downloads

Edit: Since your reply is taking a little longer than usual :) , I went ahead and uninstalled + reinstalled MalwareBytes (it works!) and ran a quick scan and a full system scan. Logs are below.
Attached File  mbam_log_2009_09_16__15_40_02_.txt   979bytes   104 downloads
Attached File  mbam_log_2009_09_16__17_40_35_.txt   1.01KB   174 downloads

Edited by StephenYu, 16 September 2009 - 06:52 PM.

  • 0
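The "Reg Loading Points" section of the ComboFix log above is the part worth reading closely: it shows UAC switched off (EnableLUA = 0), the Windows Firewall disabled for the Domain, Public and Standard profiles, Security Center monitoring and update notifications suppressed, an AppInit_DLLs entry and a Winsock LSP. The script below is an added example, not part of the original thread and not code from ComboFix, OTS or any tool mentioned here. It parses a constructed excerpt copied from the posted log and flags those settings so they can be reviewed. A flag is a review item, not a verdict: the AppInit DLL's directory name suggests it belongs to the Windows Feedback Panel also listed in the log, and nothing in the thread says which entries were malicious.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed excerpt: lines copied from the "Reg Loading Points" and
# "Supplementary Scan" sections of the ComboFix log posted above, plus one
# ordinary Run entry to show that unremarkable values are left alone.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13580832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\WfpRescover\wfprescover.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"VistaSp2"=hex(b):74,32,b9,f3,80,11,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

LSP: c:\windows\system32\winhelper.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Security Center values that, when set to 1, stop Windows from warning the
# user that antivirus, the firewall or updates are off.
SECURITY_CENTER_FLAGS = ("DisableMonitoring", "AntiVirusOverride",
                         "FirewallOverride", "UpdatesDisableNotify")

Value = Union[int, str]


def parse_value(raw: str) -> Value:
    """Normalise the value forms ComboFix prints: '0 (0x0)', 'dword:00000001', or a plain string."""
    raw = raw.strip()
    m = re.match(r"^(-?\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    return raw


def parse_log(text: str) -> Tuple[Dict[str, Dict[str, Value]], List[str]]:
    """Return {registry key: {value name: value}} plus the list of LSP DLL paths."""
    keys: Dict[str, Dict[str, Value]] = {}
    lsps: List[str] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("LSP:"):
            lsps.append(line[4:].strip())
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = parse_value(m.group(2))
    return keys, lsps


def find_weakened_settings(text: str) -> List[Tuple[str, str]]:
    """Flag settings that weaken the host's defences. Each hit is (indicator, detail): a review item, not a verdict."""
    keys, lsps = parse_log(text)
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if k.endswith("policies\\system") and values.get("EnableLUA") == 0:
            findings.append(("UAC_DISABLED", key))
        if "firewallpolicy\\" in k and values.get("EnableFirewall") == 0:
            findings.append(("FIREWALL_OFF", leaf))
        if k.endswith("currentversion\\windows") and values.get("AppInit_DLLs"):
            # Any DLL listed here is loaded into every process that links user32.dll.
            findings.append(("APPINIT_DLL", str(values["AppInit_DLLs"])))
        if "security center" in k:
            for name in SECURITY_CENTER_FLAGS:
                if values.get(name) == 1:
                    findings.append(("SECURITY_CENTER_SUPPRESSED", leaf + "\\" + name))
    for dll in lsps:
        # A Winsock LSP sits in the network path of every socket-using program.
        findings.append(("WINSOCK_LSP", dll))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_weakened_settings(SAMPLE_LOG):
        print(f"{indicator:28} {detail}")
```

Run against the full log the same rules would also pick up the two per-product DisableMonitoring keys under Monitoring\SymantecAntiVirus and Monitoring\SymantecFirewall. The point of keeping the output as (indicator, path) pairs rather than a yes/no is that each hit maps to a concrete thing to re-enable or look up after the cleanup: UAC and the three firewall profiles can be switched back on directly, while an unfamiliar AppInit or LSP DLL needs its publisher and signature checked before it is removed.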

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That looks a lot better - could you run this fix and then go to normal mode and let me know how your computer is running :)

My time zone is GMT

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY -> hukudube -> C:\Windows\System32\hukudube
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#7
StephenYu

    New Member

  • Topic Starter
  • Member
  • 5 posts
Hi Essexboy, thanks again for the reply. Everything is working much better now! While you were out, I also ran CCleaner for temp files and registry.

Here is the OTS fix log.

OTS Fix log

All Processes Killed
[Files/Folders - Modified Within 30 Days]
C:\Windows\System32\hukudube moved successfully.
[Empty Temp Folders]


User: Admin
->Temp folder emptied: 343128 bytes
->Temporary Internet Files folder emptied: 517667 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 89492481 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\Windows\temp\TMP00000040939E0471999114D6 scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\TMP000000423702BC4CF6345EF3 scheduled to be deleted on reboot.
Windows Temp folder emptied: 527128 bytes
RecycleBin emptied: 2526 bytes

Total Files Cleaned = 86.67 mb

< End of fix log >
OTS by OldTimer - Version 3.0.12.1 fix logfile created on 09172009_020613

Files\Folders moved on Reboot...
C:\Windows\temp\TMP00000040939E0471999114D6 moved successfully.
C:\Windows\temp\TMP000000423702BC4CF6345EF3 moved successfully.

Registry entries deleted on Reboot...


Even after two reboots, when I try to run an OTS scan with those 5 boxes checked, I get the following error:

Access violation at address 0053A9E5 in module 'OTS.exe'. Read of address 00000000


Also, when I boot in normal mode, Windows prompts me for a product key. Entering the Vista Home Premium product key on the tower sticker has no effect. I talked at great length to HP tech support and the technician recommended that I do a full system recovery. Any ideas?

One more thing, I installed and tried to uninstall Spybot Search & Destroy while I had the virus. The virus wouldn't let me run or uninstall the program. I manually deleted the program's folder, all except spybot.exe. Before, the file did not even show up even when I am viewing hidden files. Now it shows up but I am still unable to delete it because it is in use. I cannot figure out what is still using it. Thank you for your help.

Edited by StephenYu, 17 September 2009 - 03:39 AM.

  • 0

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, for the programmes that don't want to play, please do the following

Download this programme

Drag each of the exe files that you are unable to run into Inherit.exe.

Then wait for it to say "OK"

Do this for all the programmes that do not want to run; drag the exe file itself, not the shortcut.

Download the Jellybean key finder and determine if both IDs are the same

Let me know of any further problems before I remove my tools :)
  • 0

#9
StephenYu

    New Member

  • Topic Starter
  • Member
  • 5 posts
Wow! Your inherit.exe program really did the trick. I was able to delete the spybotsd.exe file that was always in use. I downloaded the jellybean key finder and the key it finds does not match up with the sticker key on my case. Neither of them work to validate Windows. I've been searching Google for an answer to my key problem but no luck so far. I've been searching:

This copy of windows is not activated. Click here to activate windows now.

0xC004E003 error

My windows does not have a countdown period until I have to activate it either, so other than periodic annoying messages, it appears to be working fine. I really appreciate your help in removing that pesky virus from my system :) . Is there anything else I need to do?

I'd like to show my appreciation by making a donation and I noticed that you have a PayPal link on your signature. Could you confirm that the donation either goes to you or toward the operation of this site? Thanks again!

Edited by StephenYu, 17 September 2009 - 10:37 PM.

  • 0

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi, the error may be corrected by initiating a Windows update; let me know if it does, otherwise I will investigate further :)

:) Any donations come directly to me.

I will remove my tools now and if you could then let me know of the update result

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove, along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 15.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u15-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u15-windows-i586-p.exe and select "Run as an Administrator.")


VISTA
To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done

SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)
  • 0

#11
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





