First off, I've read Kevin's thread and the others. I have followed all those instructions, yet mbam stops after 25 seconds.
I'm running Windows XP on a Compaq laptop.

I've also tried running mbam from the command prompt; I get access denied.

I've killed svchasts.exe through tsmgr and admin tools. I renamed the Windows Police Pro program folder and deleted it. After a restart I kill svchasts.exe, and under admin it is disabled.
I've uninstalled mbam and reinstalled it, to no avail. All anti-virus programs are hijacked.

It seems that mbam will solve the problem, but I am unable to get it to run.

Any help will be greatly appreciated as we have no Windows disk or recovery drive.



If you like, this is an old tool that I wrote some time ago; if you can get it to run, it may give us a better picture of what is going on.
This is strictly a "run at your own risk" proposition:

Download PKBOO.zip and EXTRACT the PKBOO Folder to your C:\ Drive

Open a command prompt with Command.com

TYPE C:\PKBOO\PKBOO.bat ENTER

It should run for a few seconds and then pop up with a log. Please post that for us.

I will try to check back Monday Evening as time permits.

Best Luck :)
PP


Here's the log.

###############################################
#                                             #
# *** PeekabooXP v1.2.7 ©  by PhilliePhan *** #
#                                             #
###############################################


PLEASE NOTE THAT MOST (if not ALL) OF THE ITEMS BELOW ARE  NOT  BADDIES!
PLEASE CONSULT A KNOWLEDGEABLE PERSON BEFORE TAKING ANY ACTION.


______________________________________________________________________________________________________



Microsoft Windows XP [Version 5.1.2600]
Mon 08/31/2009
01:50 AM


PeekabooXP is running from C:\PKBOO


ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rachel\Application Data
CLASSPATH=.;C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=QAPMOC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rachel
LOGONSERVER=\\QAPMOC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0a00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\j2re1.4.2\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Rachel\LOCALS~1\Temp
TMP=C:\DOCUME~1\Rachel\LOCALS~1\Temp
USERDOMAIN=QAPMOC
USERNAME=Rachel
USERPROFILE=C:\Documents and Settings\Rachel
windir=C:\WINDOWS


______________________________________________________________________________________________________


** RUNNING PROCESSES **


PROCESS            PID PRIO     PATH
smss.exe             540 Normal   C:\WINDOWS\System32\smss.exe
csrss.exe            604 Normal   C:\WINDOWS\system32\csrss.exe
winlogon.exe         628 High     C:\WINDOWS\system32\winlogon.exe
services.exe         680 Normal   C:\WINDOWS\system32\services.exe
lsass.exe            692 Normal   C:\WINDOWS\system32\lsass.exe
svchost.exe          868 Normal   C:\WINDOWS\system32\svchost.exe
svchost.exe          980 Normal   C:\WINDOWS\system32\svchost.exe
svchost.exe         1084 Normal   C:\WINDOWS\System32\svchost.exe
acs.exe             1192 Normal   C:\WINDOWS\System32\acs.exe
svchost.exe         1360 Normal   C:\WINDOWS\System32\svchost.exe
svchost.exe         1448 Normal   C:\WINDOWS\System32\svchost.exe
spoolsv.exe         1652 Normal   C:\WINDOWS\system32\spoolsv.exe
svchost.exe         1840 Normal   C:\WINDOWS\System32\svchost.exe
AppleMobileDeviceService.exe     1872 Normal   C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
Ati2evxx.exe        1896 Normal   C:\WINDOWS\System32\Ati2evxx.exe
mDNSResponder.exe     1984 Normal   C:\Program Files\Bonjour\mDNSResponder.exe
HPConfig.exe         280 Normal   C:\WINDOWS\system32\HPConfig.exe
HPWirelessMgr.exe      332 Normal   C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
McSACore.exe         412 Normal   C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
mcmscsvc.exe         528 Normal   C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
mcnasvc.exe          912 Normal   c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
mcproxy.exe         1080 Normal   c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
mcshield.exe        1252 High     C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
MPFSrv.exe          1496 Normal   C:\Program Files\McAfee\MPF\MPFSrv.exe
svchost.exe         1744 Normal   C:\WINDOWS\System32\svchost.exe
MsPMSPSv.exe        2128 Normal   C:\WINDOWS\System32\MsPMSPSv.exe
mcagent.exe         3060 Normal   c:\PROGRA~1\mcafee.com\agent\mcagent.exe
Explorer.exe        3532 Normal   C:\WINDOWS\Explorer.exe
svchost.exe         3712 Normal   C:\WINDOWS\System32\svchost.exe
carpserv.exe         748 Normal   C:\WINDOWS\system32\carpserv.exe
DrgToDsc.exe        2832 Normal   C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
SynTPEnh.exe        3496 Normal   C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
atiptaxx.exe         832 Normal   C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
SynTPLpr.exe        3276 Normal   C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
OxiTray.exe         3956 Normal   C:\Program Files\Oxigen\bin\OxiTray.exe
Oxigen.exe          4052 Normal   C:\Program Files\Oxigen\bin\Oxigen.exe
SweetIM.exe          192 Normal   C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
AirPlus.exe         2056 Normal   C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
braviax.exe         1332 Normal   C:\WINDOWS\system32\braviax.exe
Reg.exe             3232 Normal   C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe
FirePod.exe         4012 Normal   C:\Program Files\PreSonus\1394AudioDriver_FirePod\FirePod.exe
GoogleToolbarNotifier.exe     2100 Normal   C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
iTunesHelper.exe     3360 Normal   C:\Program Files\iTunes\iTunesHelper.exe
winampa.exe          904 Normal   C:\Program Files\Winamp\winampa.exe
iPodService.exe     2844 Normal   C:\Program Files\iPod\bin\iPodService.exe
mcsysmon.exe        2624 Normal   C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
cmd.exe             2336 Normal   C:\WINDOWS\system32\cmd.exe
ntvdm.exe           2208 Normal   C:\WINDOWS\system32\ntvdm.exe
pv.exe              1788 Normal   C:\PKBOO\pv.exe


______________________________________________________________________________________________________


** SELECT RUN KEYS **


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"ATIModeChange"="Ati2mdxx.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"Display Settings"="C:\\Program Files\\HPQ\\Notebook Utilities\\hptasks.exe /s"
"QT4HPOT"="C:\\Program Files\\HPQ\\One-Touch\\OneTouch.EXE"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"Workflow"="D:\\Workflow.exe"
"SweetIM"="C:\\Program Files\\Macrogaming\\SweetIM\\SweetIM.exe"
"OxigenClientAdmin"="\"C:\\Program Files\\Oxigen\\bin\\Oxigen.exe\""
"OxigenTrayIcon"="C:\\Program Files\\Oxigen\\bin\\OxiTray.exe"
"Google IME Autoupdater"="\"C:\\Program Files\\Google\\Google Pinyin\\GooglePinyinDaemon.exe\""
"WinampAgent"="\"C:\\Program Files\\Winamp\\winampa.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"mcagent_exe"="\"C:\\Program Files\\McAfee.com\\Agent\\mcagent.exe\" /runkey"
"McENUI"="C:\\PROGRA~1\\McAfee\\MHN\\McENUI.exe /hide"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"braviax"="C:\\WINDOWS\\system32\\braviax.exe"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"vamanipetu"="Rundll32.exe \"C:\\WINDOWS\\system32\\nepimari.dll\",s"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


---------------------------------------------------------------------


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]


---------------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WhenUSave"="\"C:\\Program Files\\Save\\Save.exe\""
"SweetIM"="C:\\Program Files\\Macrogaming\\SweetIM\\SweetIM.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"braviax"="C:\\WINDOWS\\system32\\braviax.exe"
"DelayShred"="c:\\PROGRA~1\\mcafee\\mshr\\ShrCL.EXE /P7 /q C:\\DOCUME~1\\Rachel\\LOCALS~1\\TEMPOR~1\\Content.IE5\\7S7JRGNA\\GOOGLE~1.SH!"



______________________________________________________________________________________________________


** Browser Helper Objects **


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3cf1638a-499b-4985-b05b-940e200c870b}]



______________________________________________________________________________________________________


** SYSTEM.INI **


; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON


______________________________________________________________________________________________________


** UNINSTALL LIST **


(Please note that Many Microsoft Updates and Hotfixes have been filtered from this list)


"Adobe Flash Player 10 ActiveX"
"Adobe Flash Player 10 Plugin"
"Adobe Reader 7.0.8"
"Adobe Shockwave Player 11.5"
"Apple Mobile Device Support"
"Apple Software Update"
"ASIO4ALL"
"ATI Control Panel"
"ATI Display Driver"
"Bonjour"
"CCleaner (remove only)"
"CCScore"
"Collab"
"Conexant 56K ACLink Modem"
"Conexant AC-Link Audio"
"D-Link AirPlus G Wireless Adapter "
"DP8381x 10/100 PCI Network Adapter Driver"
"Easy CD & DVD Creator 6"
"ESSBrwr"
"ESSCDBK"
"ESScore"
"ESSgui"
"ESSini"
"ESSPCD"
"ESSPDock"
"ESSSONIC"
"ESSTOOLS"
"essvatgt"
"fflink"
"FL Studio 7"
"Google Pinyin IME"
"Google Updater"
"HP Wireless LAN Driver"
"HP WLAN 54g W450 Network Adapter"
"IL Download Manager"
"InterVideo WinDVD"
"iPod for Windows 2005-09-06"
"iPod for Windows 2005-09-06"
"iTunes"
"Java 2 Runtime Environment, SE v1.4.2"
"Jockey"
"kgcbaby"
"kgcbase"
"kgchday"
"kgchlwn"
"kgcinvt"
"kgckids"
"kgcmove"
"kgcvday"
"Kodak EasyShare software"
"LiveReg (Symantec Corporation)"
"Macrogaming SweetIM 1.2a"
"Macromedia Shockwave Player"
"McAfee SecurityCenter"
"Microsoft .NET Framework 1.1"
"Microsoft .NET Framework 1.1"
"Microsoft .NET Framework 2.0 Service Pack 2"
"Microsoft .NET Framework 3.0 Service Pack 2"
"Microsoft .NET Framework 3.5 SP1"
"Microsoft .NET Framework 3.5 SP1"
"Microsoft Compression Client Pack 1.0 for Windows XP"
"Microsoft Internationalized Domain Names Mitigation APIs"
"Microsoft National Language Support Downlevel APIs"
"Microsoft Office Professional Edition 2003"
"Microsoft Silverlight"
"Microsoft User-Mode Driver Framework Feature Pack 1.0"
"Mozilla Firefox (3.5.2)"
"MPlayer for Windows (Full Package)"
"Native Instruments Guitar Rig v1.1.2"
"netbrdg"
"Notebook Utilities"
"OfotoXMI"
"One-Touch Buttons"
"Oxigen Client v5.00.0000"
"PC Antispyware 2010"
"Pitch Fix Trial"
"PreSonus 1394 Audio Driver v2.46 (FirePod)"
"QuickTime"
"Replay Converter 2.8"
"Replay Media Catcher"
"Replay Media Splitter  1.6.903"
"Replay Video Capture"
"SFR"
"SHASTA"
"skin0001"
"SKINXSDK"
"SopCast 3.0.3"
"staticcr"
"Steinberg Cubase SX v2.2.0.33"
"Stream Torrent 1.0"
"Symantec KB-DocID:2003093015493306"
"Synaptics Pointing Device Driver"
"T-RackS Plug-in"
"tooltips"
"TVAnts 1.0"
"TVUPlayer 2.4.7.2"
"UUSee ýúý†¬_¯—'­ø 4.8.2.4"
"UUSee IoA‡æ‡EO [4.8.204.15]"
"Veetle TV 0.9.15"
"VLC media player 0.9.8a"
"VPRINTOL"
"WebFldrs XP"
"Winamp"
"Windows Genuine Advantage v1.3.0254.0"
"Windows Imaging Component"
"Windows Internet Explorer 7"
"Windows Internet Explorer 8"
"Windows Media Format 11 runtime"
"Windows Media Format 11 runtime"
"Windows Media Player 11"
"Windows Media Player 11"
"Windows XP Service Pack 2"
"WinRAR archiver"
"WIRELESS"
"Zoran Video Camera Drivers V1.0"
______________________________________________________________________________________________________


** RECENTLY ADDED FILES **


2009-08-31      AD...                    "C:\PKBOO"
2009-08-31      A.SH.   704,643,072      "C:\pagefile.sys"
2009-08-31      A.SH.   468,242,432      "C:\hiberfil.sys"
2009-08-31      A.SH.        16,384      "C:\WINDOWS\system32\config\systemprofile\IETldCache\index.dat"
2009-08-31      A.S..         2,048      "C:\WINDOWS\bootstat.dat"
2009-08-31      A..H.             6      "C:\WINDOWS\Tasks\SA.DAT"
2009-08-31      A....     5,799,936      "C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA"
2009-08-31      A....        32,768      "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat"
2009-08-31      A....        32,768      "C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat"
2009-08-31      A....        32,768      "C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat"
2009-08-31      .D...                    "C:\Program Files\CCleaner"
2009-08-31      .D...                    "C:\PKBTEMP"
2009-08-30      A.SH.           211      "C:\boot.ini"
2009-08-30      A..H.     4,841,690      "C:\Documents and Settings\Rachel\Local Settings\Application Data\IconCache.db"
2009-08-30      A....       488,960      "C:\WINDOWS\system32\dddesot.dll"
2009-08-30      A....       440,320      "C:\WINDOWS\system32\desote.exe"
2009-08-30      A....       336,272      "C:\WINDOWS\Prefetch\Layout.ini"
2009-08-30      A....       191,111      "C:\WINDOWS\system32\wisdstr.exe"
2009-08-30      A....       163,840      "C:\WINDOWS\svchasts.exe"
2009-08-30      A....        76,288      "C:\WINDOWS\system32\~.exe"
2009-08-30      A....        18,630      "C:\Documents and Settings\Rachel\Local Settings\Application Data\ezilemad.dl"
2009-08-30      A....        18,310      "C:\Documents and Settings\Rachel\Application Data\ysemoton.dat"
2009-08-30      A....        16,964      "C:\WINDOWS\fixozepy.vbs"
2009-08-30      A....        16,890      "C:\Documents and Settings\All Users\Application Data\esacomub.inf"
2009-08-30      A....        16,669      "C:\Documents and Settings\All Users\Application Data\icyw.dat"
2009-08-30      A....        15,056      "C:\Documents and Settings\Rachel\Local Settings\Application Data\ygoky.lib"
2009-08-30      A....        14,629      "C:\Documents and Settings\Rachel\Application Data\cywac._sy"
2009-08-30      A....        14,412      "C:\Documents and Settings\Rachel\Local Settings\Application Data\aryqiborip.dl"
2009-08-30      A....        12,955      "C:\WINDOWS\system32\aluzivo.exe"
2009-08-30      A....        12,264      "C:\Program Files\Common Files\pijihyb.com"
2009-08-30      A....        11,264      "C:\WINDOWS\system32\braviax.exe"
2009-08-30      A....        10,035      "C:\Documents and Settings\Rachel\Local Settings\Application Data\pekesor._sy"
2009-08-30      A....           613      "C:\WINDOWS\win.ini"
2009-08-30      A....           227      "C:\WINDOWS\system.ini"
2009-08-30      A....            58      "C:\WINDOWS\ppp4.dat"
2009-08-30      A....            36      "C:\WINDOWS\system32\sysnet.dat"
2009-08-30      A....             4      "C:\WINDOWS\system32\bincd32.dat"
2009-08-30      A....             3      "C:\WINDOWS\ppp3.dat"
2009-08-30      A....             0      "C:\1478131342"
2009-08-30      .D...                    "C:\Documents and Settings\Rachel\Application Data\Mozilla"
2009-08-24      A....        69,632      "C:\Documents and Settings\Rachel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini"
2009-08-22      .D...                    "C:\Program Files\TVUPlayer"
2009-08-22      .D...                    "C:\Documents and Settings\All Users\Application Data\TVU Networks"
2009-08-19      .D...                    "C:\Program Files\MPlayer for Windows"
2009-08-19      .D...                    "C:\Program Files\Common Files\NSV"
2009-08-18      A....           778      "C:\split.log"
2009-08-14      A....       737,280      "C:\WINDOWS\iun6002.exe"
2009-08-14      .D...                    "C:\REPSPL"
2009-08-12      A...R       794,624      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe"
2009-08-12      A...R       593,920      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe"
2009-08-12      A...R       409,600      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe"
2009-08-12      A...R       286,720      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe"
2009-08-12      A...R       249,856      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe"
2009-08-12      A...R       135,168      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe"
2009-08-12      A...R        61,440      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe"
2009-08-12      A...R        27,136      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe"
2009-08-12      A...R        23,040      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe"
2009-08-12      A...R        12,288      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe"
2009-08-12      A...R        11,264      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe"
2009-08-12      A...R         4,096      "C:\WINDOWS\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe"
2009-08-09      A....        74,424      "C:\Documents and Settings\Rachel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT"
2009-08-08      A....       447,488      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\5c028c3d8db6c0f0277673ea4a2d89fb\UIAutomationClient.ni.dll"
2009-08-08      A....       444,596      "C:\WINDOWS\system32\perfh009.dat"
2009-08-08      A....       442,368      "C:\WINDOWS\assembly\GAC_MSIL\System.Data.Services\3.5.0.0__b77a5c561934e089\System.Data.Services.dll"
2009-08-08      A....       430,080      "C:\WINDOWS\assembly\GAC_MSIL\System.IdentityModel\3.0.0.0__b77a5c561934e089\System.IdentityModel.dll"
2009-08-08      A....       425,984      "C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll"
2009-08-08      A....       410,112      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\12629e2f3e315459bee67cbbaac85cb2\ComSvcConfig.ni.exe"
2009-08-08      A....       401,408      "C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll"
2009-08-08      A....       400,896      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\c338a470b14851ce5987bb0f0869c310\System.Xml.Linq.ni.dll"
2009-08-08      A....       397,312      "C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework.Luna\3.0.0.0__31bf3856ad364e35\PresentationFramework.Luna.dll"
2009-08-08      A....       397,312      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.dll"
2009-08-08      A....       386,560      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\1820d6a012fc0e16c3e1d29d973cd2d0\Microsoft.Transactions.Bridge.Dtc.ni.dll"
2009-08-08      A....       385,024      "C:\WINDOWS\assembly\GAC_MSIL\UIAutomationClientsideProviders\3.0.0.0__31bf3856ad364e35\UIAutomationClientsideProviders.dll"
2009-08-08      A....       381,440      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IO.Log\7c367a96b10d626ec8cbf8149272d845\System.IO.Log.ni.dll"
2009-08-08      A....       372,736      "C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll"
2009-08-08      A....       372,736      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll"
2009-08-08      A....       368,640      "C:\WINDOWS\assembly\GAC_32\System.Printing\3.0.0.0__31bf3856ad364e35\System.Printing.dll"
2009-08-08      A....       368,128      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\59a67874d8d8475faa5be1d993083d12\PresentationFramework.Aero.ni.dll"
2009-08-08      A....       366,080      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMSvcHost\045dd501b7257b1cc26083538ae69045\SMSvcHost.ni.exe"
2009-08-08      A....       354,816      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1cf3acad6553d6c59df576794f4e8bd6\System.Data.Services.Design.ni.dll"
2009-08-08      A....       348,160      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll"
2009-08-08      A....       335,872      "C:\WINDOWS\assembly\GAC_MSIL\System.Web.Extensions.Design\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.Design.dll"
2009-08-08      A....       330,752      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management.I#\1d3fbbd23ce1e8637ef4f40a8d23cd32\System.Management.Instrumentation.ni.dll"
2009-08-08      A....       328,704      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\79c29ac85dd57dd485ab60118ac292ff\System.Web.Entity.ni.dll"
2009-08-08      A....       321,536      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WsatConfig\2ef5bc3a2edd7570bb23886a4f32294a\WsatConfig.ni.exe"
2009-08-08      A....       320,512      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\10a0c9707876fc1f65e64b811a28b020\ServiceModelReg.ni.exe"
2009-08-08      A....       311,296      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\bfd6e16d8c3589cd2bd3f8d46f0a5402\System.Runtime.Serialization.Formatters.Soap.ni.dll"
2009-08-08      A....       303,104      "C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll"
2009-08-08      A....       301,056      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\d3d65e34fa60f0b6c72ca0d12ec89933\System.Web.Entity.Design.ni.dll"
2009-08-08      A....       294,912      "C:\WINDOWS\assembly\GAC_MSIL\System.Data.Services.Client\3.5.0.0__b77a5c561934e089\System.Data.Services.Client.dll"
2009-08-08      A....       286,720      "C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll"
2009-08-08      A....       280,064      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\4267bd908175603006c6c90bb5d900c7\System.EnterpriseServices.Wrapper.dll"
2009-08-08      A....       261,632      "C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll"
2009-08-08      A....       258,048      "C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll"
2009-08-08      A....       258,048      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2c980c9a5051d723c6ec2a78a3d0e2b3\PresentationFramework.Royale.ni.dll"
2009-08-08      A....       258,048      "C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll"
2009-08-08      A....       258,048      "C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll"
2009-08-08      A....       258,048      "C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll"
2009-08-08      A....       256,000      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\9790551187e294b4ed3aaa1c221891c7\SMDiagnostics.ni.dll"
2009-08-08      A....       240,128      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\6a818099f0386e2356ae94f886a2196f\WindowsFormsIntegration.ni.dll"
2009-08-08      A....       233,472      "C:\WINDOWS\assembly\GAC_MSIL\System.Net\3.5.0.0__b03f5f7f11d50a3a\System.Net.dll"
2009-08-08      A....       229,376      "C:\WINDOWS\assembly\GAC_MSIL\System.Web.DynamicData\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.dll"
2009-08-08      A....       229,376      "C:\WINDOWS\assembly\GAC_MSIL\System.Data.Entity.Design\3.5.0.0__b77a5c561934e089\System.Data.Entity.Design.dll"
2009-08-08      A....       224,768      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\f475294d8c7dc2dd4febeef27bc0417e\PresentationFramework.Classic.ni.dll"
2009-08-08      A....       222,720      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\9b321ebf67587237f576df6104a32588\Microsoft.Build.Conversion.v3.5.ni.dll"
2009-08-08      A....       220,672      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\9bea05938bee3555c5aa8763d89a68f9\CustomMarshalers.ni.dll"
2009-08-08      A....       212,992      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\ea3366939280c1715f1c620e33ee3c8a\System.ServiceProcess.ni.dll"
2009-08-08      A....       212,992      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\68e71147704ef0d34d9a4bece7767fc5\System.IdentityModel.Selectors.ni.dll"
2009-08-08      A....       208,384      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\18bbe2b6717e7f1d1dd672526e9889ee\System.Drawing.Design.ni.dll"
2009-08-08      A....       202,240      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\6ee255220d90dcbe80c990e443051cc5\System.Web.RegularExpressions.ni.dll"
2009-08-08      A....       196,608      "C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework.Aero\3.0.0.0__31bf3856ad364e35\PresentationFramework.Aero.dll"
2009-08-08      A....       188,416      "C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll"
2009-08-08      A....       187,904      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\a6d9503962d47c722231c1478f180695\UIAutomationTypes.ni.dll"
2009-08-08      A....       175,104      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4217124db1ea5de5f1a1f3eea75e8d32\Microsoft.Build.Utilities.v3.5.ni.dll"
2009-08-08      A....       167,936      "C:\WINDOWS\assembly\GAC_MSIL\UIAutomationClient\3.0.0.0__31bf3856ad364e35\UIAutomationClient.dll"
2009-08-08      A....       163,840      "C:\WINDOWS\assembly\GAC_MSIL\System.AddIn\3.5.0.0__b77a5c561934e089\System.AddIn.dll"
2009-08-08      A....       163,840      "C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework.Royale\3.0.0.0__31bf3856ad364e35\PresentationFramework.Royale.dll"
2009-08-08      A....       163,840      "C:\WINDOWS\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll"
2009-08-08      A....       144,384      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\55b9eff9e23359faed4351386c062238\Microsoft.Build.Utilities.ni.dll"
2009-08-08      A....       143,360      "C:\WINDOWS\assembly\GAC_MSIL\System.Management.Instrumentation\3.5.0.0__b77a5c561934e089\System.Management.Instrumentation.dll"
2009-08-08      A....       141,312      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\00ec08741a765c707bd9169346064a81\System.Web.Abstractions.ni.dll"
2009-08-08      A....       141,312      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\de514e484e49b04b016949d57ffac03e\System.Configuration.Install.ni.dll"
2009-08-08      A....       139,264      "C:\WINDOWS\assembly\GAC_MSIL\System.Xml.Linq\3.5.0.0__b77a5c561934e089\System.Xml.Linq.dll"
2009-08-08      A....       139,264      "C:\WINDOWS\assembly\GAC_MSIL\System.Web.Entity\3.5.0.0__b77a5c561934e089\System.Web.Entity.dll"
2009-08-08      A....       139,264      "C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework.Classic\3.0.0.0__31bf3856ad364e35\PresentationFramework.Classic.dll"
2009-08-08      A....       135,680      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\1db495ff00bbd14df4af6680c4de0653\System.Data.DataSetExtensions.ni.dll"
2009-08-08      A....       133,632      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\MSBuild\6d38e317128608bc4516ea46ab94590e\MSBuild.ni.exe"
2009-08-08      A....       131,072      "C:\WINDOWS\assembly\GAC_MSIL\System.Web.Entity.Design\3.5.0.0__b77a5c561934e089\System.Web.Entity.Design.dll"
2009-08-08      A....       131,072      "C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll"
2009-08-08      A....       131,072      "C:\WINDOWS\assembly\GAC_MSIL\System.IO.Log\3.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll"
2009-08-08      A....       129,536      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\bb77ea11f46ab438b2b7ed7c180011a1\System.Web.Routing.ni.dll"
2009-08-08      A....       126,976      "C:\WINDOWS\assembly\GAC_MSIL\System.IdentityModel.Selectors\3.0.0.0__b77a5c561934e089\System.IdentityModel.Selectors.dll"
2009-08-08      A....       114,688      "C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll"
2009-08-08      A....       114,688      "C:\WINDOWS\assembly\GAC_MSIL\System.Data.Services.Design\3.5.0.0__b77a5c561934e089\System.Data.Services.Design.dll"
2009-08-08      A....       113,664      "C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll"
2009-08-08      A....       113,664      "C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll"
2009-08-08      A....       110,592      "C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll"
2009-08-08      A....       110,592      "C:\WINDOWS\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\SMdiagnostics.dll"
2009-08-08      A....       110,592      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll"
2009-08-08      A....       106,496      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Conversion.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Conversion.v3.5.dll"
2009-08-08      A....        98,304      "C:\WINDOWS\assembly\GAC_MSIL\UIAutomationTypes\3.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll"
2009-08-08      A....        94,208      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\532438e2acfcadc469a4d468c51f8451\System.ComponentModel.DataAnnotations.ni.dll"
2009-08-08      A....        94,208      "C:\WINDOWS\assembly\GAC_MSIL\WindowsFormsIntegration\3.0.0.0__31bf3856ad364e35\WindowsFormsIntegration.dll"
2009-08-08      A....        94,208      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities.v3.5\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v3.5.dll"
2009-08-08      A....        82,944      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\597b20e1b053d6a510cfe033c07a63e6\System.AddIn.Contract.ni.dll"
2009-08-08      A....        81,920      "C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll"
2009-08-08      A....        81,920      "C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll"
2009-08-08      A....        77,824      "C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll"
2009-08-08      A....        77,824      "C:\WINDOWS\assembly\GAC_MSIL\System.Web.Abstractions\3.5.0.0__31bf3856ad364e35\System.Web.Abstractions.dll"
2009-08-08      A....        77,824      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll"
2009-08-08      A....        77,824      "C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll"
2009-08-08      A....        74,752      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\28343d470d992f169ca0e7cdb3cc3117\Microsoft.Build.Framework.ni.dll"
2009-08-08      A....        73,728      "C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel.Install\3.0.0.0__b77a5c561934e089\System.ServiceModel.Install.dll"
2009-08-08      A....        72,306      "C:\WINDOWS\system32\perfc009.dat"
2009-08-08      A....        72,192      "C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll"
2009-08-08      A....        69,120      "C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll"
2009-08-08      A....        65,024      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e9aba2eab90d647356f65e66053da02b\Microsoft.Build.Framework.ni.dll"
2009-08-08      A....        61,440      "C:\WINDOWS\assembly\GAC_MSIL\System.Web.Routing\3.5.0.0__31bf3856ad364e35\System.Web.Routing.dll"
2009-08-08      A....        60,928      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\a715aa442ef87ae99b3ade185599249d\UIAutomationProvider.ni.dll"
2009-08-08      A....        57,344      "C:\WINDOWS\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\3.5.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll"
2009-08-08      A....        55,296      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\790cf1edb17ee41b59be62ecbd59613b\Microsoft.Vsa.ni.dll"
2009-08-08      A....        53,248      "C:\WINDOWS\assembly\GAC_MSIL\System.Data.DataSetExtensions\3.5.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll"
2009-08-08      A....        47,104      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\2d7408a0232f2e2efd0d7adf5dfa733a\PresentationFontCache.ni.exe"
2009-08-08      A....        46,104      "C:\WINDOWS\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe"
2009-08-08      A....        45,056      "C:\WINDOWS\assembly\GAC_MSIL\System.AddIn.Contract\2.0.0.0__b03f5f7f11d50a3a\System.AddIn.Contract.dll"
2009-08-08      A....        41,984      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC.STLCLR\1.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.STLCLR.dll"
2009-08-08      A....        40,960      "C:\WINDOWS\assembly\GAC_MSIL\UIAutomationProvider\3.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll"
2009-08-08      A....        39,424      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\c8fd2d9233f8ea3031fb16f697635231\PresentationCFFRasterizer.ni.dll"
2009-08-08      A....        37,888      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\423f794d1f4ed6e120fbb02e436491cb\System.Windows.Presentation.ni.dll"
2009-08-08      A....        36,864      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\19ca1747c1ea18a3b639b302bca8df93\System.Web.DynamicData.Design.ni.dll"
2009-08-08      A....        36,864      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll"
2009-08-08      A....        36,864      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll"
2009-08-08      A....        32,768      "C:\WINDOWS\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll"
2009-08-08      A....        32,768      "C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel.WasHosting\3.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll"
2009-08-08      A....        32,768      "C:\WINDOWS\assembly\GAC_MSIL\PresentationCFFRasterizer\3.0.0.0__31bf3856ad364e35\PresentationCFFRasterizer.dll"
2009-08-08      A....        32,768      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll"
2009-08-08      A....        28,672      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll"
2009-08-08      A....        25,600      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\11eb4f6606ba01e5128805759121ea6c\Accessibility.ni.dll"
2009-08-08      A....        14,336      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\f4e38208e88cb4cc314a1d6543b9fcc6\dfsvc.ni.exe"
2009-08-08      A....        13,312      "C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll"
2009-08-08      A....        12,800      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll"
2009-08-08      A....        12,288      "C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Presentation\3.5.0.0__b77a5c561934e089\System.Windows.Presentation.dll"
2009-08-08      A....        10,752      "C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll"
2009-08-08      A....         8,192      "C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll"
2009-08-08      A....         8,192      "C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll"
2009-08-08      A....         7,168      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll"
2009-08-08      A....         6,656      "C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll"
2009-08-08      A....         5,632      "C:\WINDOWS\assembly\GAC_MSIL\Sentinel.v3.5Client\3.5.0.0__b03f5f7f11d50a3a\Sentinel.v3.5Client.dll"
2009-08-08      A....         5,632      "C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll"
2009-08-08      .D...                    "C:\Program Files\Reference Assemblies"
2009-08-08      .D...                    "C:\Program Files\MSXML 6.0"
2009-08-08      .D...                    "C:\Program Files\MSBuild"
2009-08-08      .D...                    "C:\Program Files\Microsoft Silverlight"
2009-08-08      .D...                    "C:\a6934de93bf88e0a3bce6630233dd5"
2009-08-08      ...HR             0      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index8a.dat"
2009-08-08      ...HR             0      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index89.dat"
2009-08-08      ...HR             0      "C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index33.dat"
2009-08-05      A..H.        56,972      "C:\WINDOWS\system32\mlfcache.dat"
2009-08-05      A....       204,800      "C:\WINDOWS\system32\mswebdvd.dll"
2009-08-05      A....       204,800      "C:\WINDOWS\$hf_mig$\KB973815\SP3QFE\mswebdvd.dll"
2009-08-05      A....       204,800      "C:\WINDOWS\$hf_mig$\KB973815\SP3GDR\mswebdvd.dll"
2009-08-05      A....       204,800      "C:\WINDOWS\$hf_mig$\KB973815\SP2QFE\mswebdvd.dll"
2009-08-05      .....       204,800      "C:\WINDOWS\system32\dllcache\mswebdvd.dll"


______________________________________________________________________________________________________


** LISTING SERVICES **


SERVICE_NAME: ACS
BINARY_PATH_NAME   : C:\WINDOWS\System32\acs.exe
SERVICE_NAME: Apple Mobile Device
BINARY_PATH_NAME   : "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
SERVICE_NAME: Ati HotKey Poller
BINARY_PATH_NAME   : C:\WINDOWS\System32\Ati2evxx.exe
SERVICE_NAME: AudioSrv
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: BITS
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: Bonjour Service
BINARY_PATH_NAME   : "C:\Program Files\Bonjour\mDNSResponder.exe"
SERVICE_NAME: Browser
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: CryptSvc
BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
SERVICE_NAME: DcomLaunch
BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost -k DcomLaunch
SERVICE_NAME: Dhcp
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: Dnscache
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k NetworkService
SERVICE_NAME: ERSvc
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: Eventlog
BINARY_PATH_NAME   : C:\WINDOWS\system32\services.exe
SERVICE_NAME: EventSystem
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: helpsvc
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: HPConfig
BINARY_PATH_NAME   : C:\WINDOWS\system32\HPConfig.exe
SERVICE_NAME: HPWirelessMgr
BINARY_PATH_NAME   : C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
SERVICE_NAME: HTTPFilter
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
SERVICE_NAME: iPod Service
BINARY_PATH_NAME   : "C:\Program Files\iPod\bin\iPodService.exe"
SERVICE_NAME: lanmanserver
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: lanmanworkstation
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: LmHosts
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService
SERVICE_NAME: McAfee SiteAdvisor Service
BINARY_PATH_NAME   : "C:\Program Files\McAfee\SiteAdvisor\McSACore.exe"
SERVICE_NAME: mcmscsvc
BINARY_PATH_NAME   : C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
SERVICE_NAME: McNASvc
BINARY_PATH_NAME   : "c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe"
SERVICE_NAME: McProxy
BINARY_PATH_NAME   : c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
SERVICE_NAME: McShield
BINARY_PATH_NAME   : C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
SERVICE_NAME: McSysmon
BINARY_PATH_NAME   : C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
SERVICE_NAME: MpfService
BINARY_PATH_NAME   : "C:\Program Files\McAfee\MPF\MPFSrv.exe"
SERVICE_NAME: Netman
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: Nla
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: PlugPlay
BINARY_PATH_NAME   : C:\WINDOWS\system32\services.exe
SERVICE_NAME: PolicyAgent
BINARY_PATH_NAME   : C:\WINDOWS\System32\lsass.exe
SERVICE_NAME: ProtectedStorage
BINARY_PATH_NAME   : C:\WINDOWS\system32\lsass.exe
SERVICE_NAME: RasMan
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: RpcSs
BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost -k rpcss
SERVICE_NAME: SamSs
BINARY_PATH_NAME   : C:\WINDOWS\system32\lsass.exe
SERVICE_NAME: Schedule
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: seclogon
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: SENS
BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
SERVICE_NAME: SharedAccess
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: ShellHWDetection
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: Spooler
BINARY_PATH_NAME   : C:\WINDOWS\system32\spoolsv.exe
SERVICE_NAME: srservice
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: SSDPSRV
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService
SERVICE_NAME: stisvc
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k imgsvc
SERVICE_NAME: TapiSrv
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: TermService
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost -k DComLaunch
SERVICE_NAME: Themes
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: TrkWks
BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
SERVICE_NAME: W32Time
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: WebClient
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k LocalService
SERVICE_NAME: winmgmt
BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
SERVICE_NAME: WMDM PMSP Service
BINARY_PATH_NAME   : C:\WINDOWS\System32\MsPMSPSv.exe
SERVICE_NAME: wscsvc
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
SERVICE_NAME: WZCSVC
BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs


______________________________________________________________________________________________________
** LISTING DRIVERS **


SERVICE_NAME: ACPI
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\ACPI.sys
SERVICE_NAME: ACPIEC
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\ACPIEC.sys
SERVICE_NAME: AFD
BINARY_PATH_NAME   : \SystemRoot\System32\drivers\afd.sys
SERVICE_NAME: AliIde
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\aliide.sys
SERVICE_NAME: AmdK7
BINARY_PATH_NAME   : System32\DRIVERS\amdk7.sys
SERVICE_NAME: atapi
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\atapi.sys
SERVICE_NAME: ati2mtag
BINARY_PATH_NAME   : System32\DRIVERS\ati2mtag.sys
SERVICE_NAME: audstub
BINARY_PATH_NAME   : System32\DRIVERS\audstub.sys
SERVICE_NAME: Beep
BINARY_PATH_NAME   :
SERVICE_NAME: caboagp
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\atisgkaf.sys
SERVICE_NAME: CALIAUD
BINARY_PATH_NAME   : system32\drivers\caliaud.sys
SERVICE_NAME: CALIHALA
BINARY_PATH_NAME   : system32\drivers\calihal.sys
SERVICE_NAME: Cdr4_xp
BINARY_PATH_NAME   :
SERVICE_NAME: Cdralw2k
BINARY_PATH_NAME   :
SERVICE_NAME: Cdrom
BINARY_PATH_NAME   : System32\DRIVERS\cdrom.sys
SERVICE_NAME: cdudf_xp
BINARY_PATH_NAME   :
SERVICE_NAME: CmBatt
BINARY_PATH_NAME   : System32\DRIVERS\CmBatt.sys
SERVICE_NAME: Compbatt
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\compbatt.sys
SERVICE_NAME: Disk
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\disk.sys
SERVICE_NAME: DP83815
BINARY_PATH_NAME   : System32\DRIVERS\DP83815.SYS
SERVICE_NAME: eeCtrl
BINARY_PATH_NAME   : \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
SERVICE_NAME: Fdc
BINARY_PATH_NAME   : System32\DRIVERS\fdc.sys
SERVICE_NAME: Fips
BINARY_PATH_NAME   :
SERVICE_NAME: FltMgr
BINARY_PATH_NAME   : \SystemRoot\system32\drivers\fltmgr.sys
SERVICE_NAME: Ftdisk
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\ftdisk.sys
SERVICE_NAME: GEARAspiWDM
BINARY_PATH_NAME   : SYSTEM32\DRIVERS\GEARAspiWDM.sys
SERVICE_NAME: Gpc
BINARY_PATH_NAME   : System32\DRIVERS\msgpc.sys
SERVICE_NAME: HPCI
BINARY_PATH_NAME   : System32\DRIVERS\hpci.sys
SERVICE_NAME: HSFHWALI
BINARY_PATH_NAME   : System32\DRIVERS\HSFHWALI.sys
SERVICE_NAME: HSF_DP
BINARY_PATH_NAME   : System32\DRIVERS\HSF_DP.sys
SERVICE_NAME: HTTP
BINARY_PATH_NAME   : System32\Drivers\HTTP.sys
SERVICE_NAME: i8042prt
BINARY_PATH_NAME   : System32\DRIVERS\i8042prt.sys
SERVICE_NAME: Imapi
BINARY_PATH_NAME   : System32\DRIVERS\imapi.sys
SERVICE_NAME: IpFilterDriver
BINARY_PATH_NAME   : System32\DRIVERS\ipfltdrv.sys
SERVICE_NAME: IpNat
BINARY_PATH_NAME   : System32\DRIVERS\ipnat.sys
SERVICE_NAME: IPSec
BINARY_PATH_NAME   : System32\DRIVERS\ipsec.sys
SERVICE_NAME: isapnp
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\isapnp.sys
SERVICE_NAME: Kbdclass
BINARY_PATH_NAME   : System32\DRIVERS\kbdclass.sys
SERVICE_NAME: KSecDD
BINARY_PATH_NAME   :
SERVICE_NAME: MDC8021X
BINARY_PATH_NAME   : System32\DRIVERS\mdc8021x.sys
SERVICE_NAME: mdmxsdk
BINARY_PATH_NAME   : System32\DRIVERS\mdmxsdk.sys
SERVICE_NAME: mfeavfk
BINARY_PATH_NAME   : system32\drivers\mfeavfk.sys
SERVICE_NAME: mfebopk
BINARY_PATH_NAME   : system32\drivers\mfebopk.sys
SERVICE_NAME: mfehidk
BINARY_PATH_NAME   : system32\drivers\mfehidk.sys
SERVICE_NAME: mfesmfk
BINARY_PATH_NAME   : system32\drivers\mfesmfk.sys
SERVICE_NAME: mmc_2K
BINARY_PATH_NAME   :
SERVICE_NAME: mnmdd
BINARY_PATH_NAME   :
SERVICE_NAME: Modem
BINARY_PATH_NAME   :
SERVICE_NAME: MODEMCSA
BINARY_PATH_NAME   : system32\drivers\MODEMCSA.sys
SERVICE_NAME: Mouclass
BINARY_PATH_NAME   : System32\DRIVERS\mouclass.sys
SERVICE_NAME: MountMgr
BINARY_PATH_NAME   :
SERVICE_NAME: MPFP
BINARY_PATH_NAME   : System32\Drivers\Mpfp.sys
SERVICE_NAME: MRxDAV
BINARY_PATH_NAME   : System32\DRIVERS\mrxdav.sys
SERVICE_NAME: MRxSmb
BINARY_PATH_NAME   : System32\DRIVERS\mrxsmb.sys
SERVICE_NAME: Msfs
BINARY_PATH_NAME   :
SERVICE_NAME: mssmbios
BINARY_PATH_NAME   : System32\DRIVERS\mssmbios.sys
SERVICE_NAME: Mup
BINARY_PATH_NAME   :
SERVICE_NAME: NDIS
BINARY_PATH_NAME   :
SERVICE_NAME: NdisTapi
BINARY_PATH_NAME   : System32\DRIVERS\ndistapi.sys
SERVICE_NAME: Ndisuio
BINARY_PATH_NAME   : System32\DRIVERS\ndisuio.sys
SERVICE_NAME: NdisWan
BINARY_PATH_NAME   : System32\DRIVERS\ndiswan.sys
SERVICE_NAME: NDProxy
BINARY_PATH_NAME   :
SERVICE_NAME: NetBIOS
BINARY_PATH_NAME   : System32\DRIVERS\netbios.sys
SERVICE_NAME: NetBT
BINARY_PATH_NAME   : System32\DRIVERS\netbt.sys
SERVICE_NAME: Npfs
BINARY_PATH_NAME   :
SERVICE_NAME: Ntfs
BINARY_PATH_NAME   :
SERVICE_NAME: Null
BINARY_PATH_NAME   :
SERVICE_NAME: ohci1394
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\ohci1394.sys
SERVICE_NAME: Parport
BINARY_PATH_NAME   : System32\DRIVERS\parport.sys
SERVICE_NAME: PartMgr
BINARY_PATH_NAME   :
SERVICE_NAME: ParVdm
BINARY_PATH_NAME   :
SERVICE_NAME: PCI
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\pci.sys
SERVICE_NAME: Pcmcia
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\pcmcia.sys
SERVICE_NAME: pfc
BINARY_PATH_NAME   : system32\drivers\pfc.sys
SERVICE_NAME: PptpMiniport
BINARY_PATH_NAME   : System32\DRIVERS\raspptp.sys
SERVICE_NAME: PSched
BINARY_PATH_NAME   : System32\DRIVERS\psched.sys
SERVICE_NAME: Ptilink
BINARY_PATH_NAME   : System32\DRIVERS\ptilink.sys
SERVICE_NAME: pwd_2k
BINARY_PATH_NAME   :
SERVICE_NAME: PxHelp20
BINARY_PATH_NAME   : \SystemRoot\System32\Drivers\PxHelp20.sys
SERVICE_NAME: RasAcd
BINARY_PATH_NAME   : System32\DRIVERS\rasacd.sys
SERVICE_NAME: Rasl2tp
BINARY_PATH_NAME   : System32\DRIVERS\rasl2tp.sys
SERVICE_NAME: RasPppoe
BINARY_PATH_NAME   : System32\DRIVERS\raspppoe.sys
SERVICE_NAME: Raspti
BINARY_PATH_NAME   : System32\DRIVERS\raspti.sys
SERVICE_NAME: Rdbss
BINARY_PATH_NAME   : System32\DRIVERS\rdbss.sys
SERVICE_NAME: RDPCDD
BINARY_PATH_NAME   : System32\DRIVERS\RDPCDD.sys
SERVICE_NAME: redbook
BINARY_PATH_NAME   : System32\DRIVERS\redbook.sys
SERVICE_NAME: SbcpHid
BINARY_PATH_NAME   : \??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
SERVICE_NAME: serenum
BINARY_PATH_NAME   : System32\DRIVERS\serenum.sys
SERVICE_NAME: Serial
BINARY_PATH_NAME   : System32\DRIVERS\serial.sys
SERVICE_NAME: sr
BINARY_PATH_NAME   : \SystemRoot\System32\DRIVERS\sr.sys
SERVICE_NAME: Srv
BINARY_PATH_NAME   : System32\DRIVERS\srv.sys
SERVICE_NAME: StreamDispatcher
BINARY_PATH_NAME   : System32\DRIVERS\strmdisp.sys
SERVICE_NAME: swenum
BINARY_PATH_NAME   : System32\DRIVERS\swenum.sys
SERVICE_NAME: symlcbrd
BINARY_PATH_NAME   : \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
SERVICE_NAME: SynTP
BINARY_PATH_NAME   : System32\DRIVERS\SynTP.sys
SERVICE_NAME: sysaudio
BINARY_PATH_NAME   : system32\drivers\sysaudio.sys
SERVICE_NAME: Tcpip
BINARY_PATH_NAME   : System32\DRIVERS\tcpip.sys
SERVICE_NAME: TermDD
BINARY_PATH_NAME   : System32\DRIVERS\termdd.sys
SERVICE_NAME: UdfReadr_xp
BINARY_PATH_NAME   :
SERVICE_NAME: Udfs
BINARY_PATH_NAME   :
SERVICE_NAME: Update
BINARY_PATH_NAME   : System32\DRIVERS\update.sys
SERVICE_NAME: usbhub
BINARY_PATH_NAME   : System32\DRIVERS\usbhub.sys
SERVICE_NAME: usbohci
BINARY_PATH_NAME   : System32\DRIVERS\usbohci.sys
SERVICE_NAME: VgaSave
BINARY_PATH_NAME   : \SystemRoot\System32\drivers\vga.sys
SERVICE_NAME: VolSnap
BINARY_PATH_NAME   :
SERVICE_NAME: Wanarp
BINARY_PATH_NAME   : System32\DRIVERS\wanarp.sys
SERVICE_NAME: wdmaud
BINARY_PATH_NAME   : system32\drivers\wdmaud.sys
SERVICE_NAME: winachsf
BINARY_PATH_NAME   : System32\DRIVERS\HSF_CNXT.sys


______________________________________________________________________________________________________


** SCHEDULED TASKS **


HR     C:\WINDOWS\tasks\desktop.ini
A          C:\WINDOWS\tasks\Google Software Updater.job
A          C:\WINDOWS\tasks\McDefragTask.job
A          C:\WINDOWS\tasks\McQcTask.job
A   H      C:\WINDOWS\tasks\SA.DAT


[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'Google Software Updater.job'
[TRACE] Printing all job properties


ApplicationName:    'C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe'
Parameters:         'scheduled_start'
WorkingDirectory:   ''
Comment:            'Google Updater keeps your Google software up to date. If Google Updater Service is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work.'
Creator:            'SYSTEM'
Priority:           NORMAL
MaxRunTime:         INFINITE
IdleWait:           10
IdleDeadline:       60
MostRecentRun:      00/00/0000  0:00:00
NextRun:            08/31/2009 13:17:00
StartError:         SCHED_S_TASK_HAS_NOT_RUN
ExitCode:           0
Status:             SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone          = 0
Suspend                 = 0
StartOnlyIfIdle         = 0
KillOnIdleEnd           = 0
RestartOnIdleResume     = 0
DontStartIfOnBatteries  = 0
KillIfGoingOnBatteries  = 0
RunOnlyIfLoggedOn       = 0
SystemRequired          = 0
Hidden                  = 0
TaskFlags:          0


2 Triggers


Trigger 0:
Type:            Daily
DaysInterval:    1
StartDate:       08/31/2009
EndDate:         00/00/0000
StartTime:       13:17
MinutesDuration: 144000
MinutesInterval: 0
Flags:
HasEndDate      = 0
KillAtDuration  = 0
Disabled        = 0


Trigger 1:
Type:            Once
StartDate:       09/01/2009
EndDate:         00/00/0000
StartTime:       00:44
MinutesDuration: 144000
MinutesInterval: 20
Flags:
HasEndDate      = 0
KillAtDuration  = 0
Disabled        = 0



[TRACE] Activating job 'McDefragTask.job'
[TRACE] Printing all job properties


ApplicationName:    'c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
Parameters:         '"C:\WINDOWS\system32\defrag.exe" C: -f'
WorkingDirectory:   ''
Comment:            'Disk Defragmenter'
Creator:            'Rachel'
Priority:           NORMAL
MaxRunTime:         259200000 (3d  0:00:00)
IdleWait:           10
IdleDeadline:       60
MostRecentRun:      07/15/2009  1:00:00
NextRun:            09/15/2009  1:00:00
StartError:         S_OK
ExitCode:           0xc000013a
Status:             SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone          = 0
Suspend                 = 0
StartOnlyIfIdle         = 0
KillOnIdleEnd           = 0
RestartOnIdleResume     = 0
DontStartIfOnBatteries  = 0
KillIfGoingOnBatteries  = 0
RunOnlyIfLoggedOn       = 1
SystemRequired          = 0
Hidden                  = 0
TaskFlags:          0


1 Trigger


Trigger 0:
Type:            MonthlyDate
Days:            15
Months:          JanFebMarAprMayJunJulAugSepOctNovDec
StartDate:       06/23/2009
EndDate:         00/00/0000
StartTime:       01:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate      = 0
KillAtDuration  = 0
Disabled        = 0



[TRACE] Activating job 'McQcTask.job'
[TRACE] Printing all job properties


ApplicationName:    'c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
Parameters:         '14 0'
WorkingDirectory:   'c:\PROGRA~1\mcafee\mqc'
Comment:            'McAfee McAfee QuickClean'
Creator:            'Rachel'
Priority:           NORMAL
MaxRunTime:         259200000 (3d  0:00:00)
IdleWait:           10
IdleDeadline:       60
MostRecentRun:      08/01/2009  0:59:59
NextRun:            09/01/2009  1:00:00
StartError:         S_OK
ExitCode:           0
Status:             SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone          = 0
Suspend                 = 0
StartOnlyIfIdle         = 0
KillOnIdleEnd           = 0
RestartOnIdleResume     = 0
DontStartIfOnBatteries  = 0
KillIfGoingOnBatteries  = 0
RunOnlyIfLoggedOn       = 1
SystemRequired          = 0
Hidden                  = 0
TaskFlags:          0


1 Trigger


Trigger 0:
Type:            MonthlyDate
Days:            1
Months:          JanFebMarAprMayJunJulAugSepOctNovDec
StartDate:       06/23/2009
EndDate:         00/00/0000
StartTime:       01:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate      = 0
KillAtDuration  = 0
Disabled        = 0


______________________________________________________________________________________________________


** SHARED TASK SCHEDULER REGISTRY ITEMS **


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



______________________________________________________________________________________________________


** STARTUP ITEMS DISABLED VIA MSCONFIG **


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000000
"services"=dword:00000000
"startup"=dword:00000002



______________________________________________________________________________________________________


** CHECKING SELECT POLICIES KEYS **


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceClassicControlPanel"=dword:00000001



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001



[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001


______________________________________________________________________________________________________


** CHECKING WINLOGON NOTIFY **
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\. . . . .]
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
WgaLogon
WgaLogon
wlballoon


______________________________________________________________________________________________________


** SSODL **


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"



______________________________________________________________________________________________________


** EXE KEYS **


[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"


[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@="{098f2470-bae0-11cd-b579-08002b30bfeb}"



[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"


[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"


[HKEY_CLASSES_ROOT\exefile\shell]


[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"


[HKEY_CLASSES_ROOT\exefile\shell\runas]


[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"


[HKEY_CLASSES_ROOT\exefile\shellex]


[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"


[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]


[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@="{86F19A00-42A0-1069-A2E9-08002B30309D}"


[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"


[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}]
@=""



######################################################################################################



PeekabooXP v1.2.7 ©  by PhilliePhan (2006-2009)

Edited by Nick Evan: Fixed formatting

0

I apologize for the length of that sucker! I never got around to fixing that.....

There is a good deal of malware showing that we can remove. I am sure crunchie and the other volunteers can see it and can show you what needs to be deleted.

I will definitely be gone until Monday Night EST, but will check back then.

Cheers :)
PP

0

Hi Sisaly,

Here is a fix you can try. Again, it is a "Use at your own Risk!" proposition:

-- Download the attached KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive.

Use command.com to get a command prompt

TYPE C:\KILLBAD\KILLBAD.bat ENTER

It should run quickly.


-- Now, try to run MBA-M.

Let me know if you run into any problems.

*** To any others reading this post: This fix was specifically made for Sisaly. IT MAY OR MAY NOT WORK FOR YOU. IT MAY RESTORE SOME FUNCTION TO YOUR COMPY, BUT YOU RUN IT AT YOUR OWN RISK.....
'Course your compy's pretty borked already, or you wouldn't be reading this . . . . .


Best Luck :)
PP

0

OK, installed KILLBAD to C: drive and ran cmd. Got a bunch of strings saying could not find specified file, could not find several exes. Went ahead and tried mbam and still get the start up and preparing for scan, then after 25 seconds it crashes. (And I get all kinds of desots on start up. But then that's not new. Checked tskmgr and admin and could not see anything, but I need a break, I think I'm tired and missing stuff.)

Then my desktop changed to some red letters that say...

"Warning! Your're (sic) in Danger...blah blah..."

PhilliePhan, you're very awesome for writing something for my system, but it's not working (could be user error, it's late). Will try again later as it is 4:30 am and I need to call it a night. Will be back later to try again and check back. I'm very worn out now.

Again, thank you for trying to help.

0

One idea that may be worth a shot. Open up your "My Computer" and do a search for mbam.exe. Once located, right click on it and select rename. Rename it to helpme.exe then try running it.

0

I tried renaming mbam in normal and safe mode and I get the Access Denied error message.

Phillie, when I'm using cmd to run KILLBAD, I can't get rid of C:\Documents and Settings\Username\_

I can't backspace to get rid of it and when I hit enter it's still like that instead of C:_
I'm assuming that is why I can't get KILLBAD to run properly.

*continues to pull hair out*

0

> I tried renaming mbam in normal and safe mode and I get the Access Denied error message.
>
> Phillie, when I'm using cmd to run KILLBAD, I can't get rid of C:\Documents and Settings\Username\_
>
> I can't backspace to get rid of it and when I hit enter it's still like that instead of C:_
> I'm assuming that is why I can't get KILLBAD to run properly.
>
> *continues to pull hair out*

That shouldn't be an issue - type cd c:\ enter to change it back. That doesn't matter when you type the whole path to the tool...

Let's try this:

First, Rename mbam.exe to zappa.com
See if it will run.
If so, please have it remove all that it finds and post the log for us.


If it does not run, you can try the following, but it is strictly a "Run At Your Own Risk!" proposition:

* Download KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive
* Use START > RUN >Command.com to get a command prompt

* TYPE C:\KILLBAD\KILLBAD.bat ENTER

* If the tool is able to run, a log should eventually pop up in notepad.
Please post that for us.

Then, try running MBA-M again.

I'll try to check back as time permits.

Best Luck :)
PP

0

Phillie, I can't rename mbam. See my last post.

KILLBAD won't run even when typed in as you posted. It lists many lines of Cannot find specified file...no log report. :(

0

> Phillie, I can't rename mbam. See my last post.
>
> KILLBAD won't run even when typed in as you posted. It lists many lines of Cannot find specified file...no log report. :(

Sorry - it didn't register.

Did you download the new KILLBAD I linked in my last post? It is a different tool - just used the same name.

You'll need to delete the old one first.

-- What happens when you navigate to the new C:\KILLBAD folder and DoubleClick on KILLBAD.bat?

PP :)

0

All right Phillie, I ran the new KILLBAD and it can't find the specified files, like svchasts and others because I have deleted them, I assume. Looking at Kevin's mbam log I have deleted any file he had that was in my system.
After running KB, Notepad opened but is empty.
mbam crashes after asking to scan and now I'm locked out of the mbam directory.

Good god! This sucker is evil I tell you.

0

> Good god! This sucker is evil I tell you.

Something is not right - if notepad opened with a blank log. I'll have to have another look at the darn thing. I very easily could have made a mistake - doing ten things at once here.... :)

-- Did it run when you DoubleClicked the .bat file or did you use command.com for command prompt?
-- Are you comfortable digging around the registry? We need to change this:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"

To This:
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

Basically, we want to remove only the part in bold (the C:\\WINDOWS\\system32\\desote.exe part in front of "%1"):
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"

The thing is, I don't think regedit will run for you. The tool I wrote should have done this automatically - I need to re-check it.

It seems you've killed all the processes, so fixing the registry value ought to work, if we can do it....

Hang in there:)

-- Hey, did we try System Restore? That might be an option:
Open a command prompt with command.com

Type %systemroot%\system32\restore\rstrui.exe ENTER

See what happens.

I've got to cut out for a bit to get something to eat - Will try to check back tonight.

PP :)
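A worked check for the hijack PhilliePhan describes, added here as an example (it is not KILLBAD or any other tool from this thread): it parses a .reg-style dump such as the ** EXE KEYS ** section of the PeekabooXP log, reports any program-launch handler whose value is no longer the stock "%1" %*, names the binary that has been put in front of every launch, and emits the .reg text that restores the stock value. The input format ([Key] headers followed by @="data" lines) is assumed from the log above; SAMPLE_DUMP and CLEAN_DUMP are constructed from the values posted in this thread.

```python
"""
Added example (not KILLBAD or any tool from this thread): find a hijacked
exefile/comfile/batfile handler in a .reg-style dump and build the .reg fix.

Assumed input: [Key] header lines followed by @="data" lines, as printed in
the ** EXE KEYS ** section of the PeekabooXP log.  SAMPLE_DUMP / CLEAN_DUMP
are constructed from values posted in this thread.
"""
import ntpath

# Stock handlers on Windows XP.  An .exe is launched through exefile, a .com
# through comfile, a .bat through batfile; a rogue only has to replace the
# exefile value to sit in front of every program the user starts.
STOCK_HANDLERS = {
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
}

SAMPLE_DUMP = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desote.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''

CLEAN_DUMP = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def unescape_reg_string(data):
    r"""Turn a quoted .reg value ("C:\\x \"%1\"") into the string Windows sees."""
    if not (data.startswith('"') and data.endswith('"')):
        return data  # dword:/hex: values are left untouched
    body, out, i = data[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])  # \\ -> \   and   \" -> "
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def parse_reg_dump(text):
    """Return {key: {value_name: data}} for a .reg-style dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name] = unescape_reg_string(data)
    return keys


def find_hijacked_handlers(dump_text):
    """[(key, actual_command, expected_command)] for each stock handler that changed."""
    keys = parse_reg_dump(dump_text)
    hits = []
    for key, expected in STOCK_HANDLERS.items():
        actual = keys.get(key, {}).get("@")
        if actual is not None and actual != expected:
            hits.append((key, actual, expected))
    return hits


def proxy_binary(command):
    r"""The program inserted in front of "%1", e.g. C:\WINDOWS\system32\desote.exe."""
    return command.split(' "%1"', 1)[0].strip().strip('"')


def reg_fix_text(hits):
    """REGEDIT4 text that puts each hijacked handler back (apply with: regedit /s fix.reg)."""
    lines = ["REGEDIT4", ""]
    for key, _actual, expected in hits:
        lines += ["[%s]" % key, '@="%s"' % expected.replace('"', '\\"'), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_hijacked_handlers(SAMPLE_DUMP)
    for key, actual, expected in found:
        print("HIJACKED %s" % key)
        print("  every launch goes through: %s" % ntpath.basename(proxy_binary(actual)))
        print("  stock value: %s" % expected)
    print(reg_fix_text(found))
```

Two practical notes. First, the rename-to-.com trick PP suggests works because a .com file is resolved through the comfile key, not exefile, so a renamed copy sidesteps the hijack unless comfile was changed as well; that is why comfile is in STOCK_HANDLERS. Second, regedit.exe and reg.exe are themselves .exe files and would be proxied on a box in this state, so the generated .reg has to be applied from something that still launches (for example a copy of regedit.exe renamed to regedit.com, the same trick again).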

0

I tried system restore, nada.
I double clicked the .bat.

0

> I tried system restore, nada.
> I double clicked the .bat.

OK - The problem with the KILLBAD was PhilliePhan Error!
Not a big error, though and the registry should have been fixed....

Try this one:

KILLBAD.zip

This one should pop up with the right log. Let's see what it says.

PP :)

0

Okay . . . . I've managed to get somewhat up to speed, LOL!

Turns out that this particular baddie is extremely nasty, and I don't mean the obvious stuff. It has all sorts of rootkit components involved and is a real pain to clean.

Our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.
However, if you'd like to give cleaning this a shot, we can try to get combofix to run.

See if you can get this tool to run:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to. If it doesn't run, try renaming it to Win32kDiag.com

-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP
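What a helper is looking for once that Win32kDiag log comes back, as an added example that is neither Win32kDiag's own code nor part of this thread: a parser for the two record shapes the tool prints (the same shapes that appear in the log Sisaly posts later), flagging reparse points whose target lies outside the normal \??\ namespace and inaccessible system files whose in-place copy has lost its version information while backup copies of the same file still carry it. SAMPLE_LOG is constructed from lines of that log; the record layout is assumed from it.

```python
"""
Added example (not Win32kDiag's code, not from this thread): triage a
Win32kDiag log.  Assumed record shapes, taken from the log posted in this
thread:

    Found mount point       : <directory>
    Mount point destination : <target>

    Cannot access: <file>
    [1] <date> <time> <size> <path> (<company>)

SAMPLE_LOG is constructed from lines of that log.
"""
import ntpath
import re

SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...

Found mount point       : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2003-03-31 14:00:00 703488 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()
[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
NOACCESS_RE = re.compile(r"^Cannot access:\s*(.+?)\s*$")
COPY_RE = re.compile(r"^\[\d+\]\s+(\S+ \S+)\s+(\d+)\s+(.+?)\s+\((.*)\)\s*$")


def parse_win32kdiag(text):
    """Return ([(directory, target)], {file: [{"when","size","path","company"}]})."""
    mounts, blocked = [], {}
    pending_dir = current_file = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            pending_dir = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending_dir:
            mounts.append((pending_dir, m.group(1)))
            pending_dir = None
            continue
        m = NOACCESS_RE.match(line)
        if m:
            current_file = m.group(1)
            blocked[current_file] = []
            continue
        m = COPY_RE.match(line)
        if m and current_file:
            blocked[current_file].append({"when": m.group(1), "size": int(m.group(2)),
                                          "path": m.group(3), "company": m.group(4)})
    return mounts, blocked


def suspicious_mounts(mounts):
    r"""Reparse points whose target is not in the \??\ namespace.

    A mounted volume points at \??\Volume{GUID}\ and a junction at \??\C:\path.
    A target like \Device\__max++>\^ names a device object no file-system
    volume uses, so opens under that directory are redirected to whatever
    driver registered that device, or fail outright."""
    out = []
    for directory, target in mounts:
        if not target.startswith("\\??\\"):
            parent = ntpath.basename(ntpath.dirname(directory))
            out.append({"dir": directory, "target": target,
                        "named_after_parent": ntpath.basename(directory) == parent})
    return out


def suspicious_blocked_files(blocked):
    """Inaccessible files whose in-place copy has no version-info company while
    other copies of the same name do.  Same size as a clean copy but no version
    block is consistent with an in-place patch; confirm by hashing against the
    clean same-size copy, which is also the replacement candidate."""
    out = []
    for path, copies in blocked.items():
        live = [c for c in copies if c["path"].lower() == path.lower()]
        others = [c for c in copies if c["path"].lower() != path.lower()]
        if live and not live[0]["company"] and any(c["company"] for c in others):
            out.append({"file": path, "size": live[0]["size"],
                        "clean_copies_same_size": [c["path"] for c in others
                                                   if c["company"] and c["size"] == live[0]["size"]]})
    return out


if __name__ == "__main__":
    mounts, blocked = parse_win32kdiag(SAMPLE_LOG)
    for hit in suspicious_mounts(mounts):
        print("REPARSE  %(dir)s -> %(target)s (named after parent dir: %(named_after_parent)s)" % hit)
    for hit in suspicious_blocked_files(blocked):
        print("PATCHED? %(file)s, %(size)d bytes; clean same-size copies: %(clean_copies_same_size)s" % hit)
```

The "named_after_parent" flag records something visible throughout the real log: every flagged reparse point is a subdirectory carrying its parent's own name (addins\addins, BATCH\BATCH), which is a cheap way to tell these apart from junctions an administrator created. The WARNING: Could not get backup privileges! line at the top of the real log matters too, since without SeBackupPrivilege the tool cannot read past restrictive ACLs and will under-report.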

0

> Good luck, greetings from Germany
> Morganfield

Thanks, but that is not an option just yet - poster cannot get MBA-M to run.

Hopefully, after Sisaly gets me the Win32kDiag log, we can change that.

PP:)

Edited by mike_2000_17: Fixed formatting

0

Wow Phil, you are a trooper.
I got KILLBAD and Win32kDiag to run. Here are the logs.

                    ** EXE KEY INFECTED? **                     


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"



        SEARCHING KNOWN FILES                   

Looking for windows Police Pro.exe                  

No matches found.

Looking for dddesot.dll                     

No matches found.

Looking for wisdstr.exe                         

C:\WINDOWS\SYSTEM32\
   wisdstr.exe    Tue Sep  1 2009   5:39:36p  A....        191,159   186.68 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  191,159 bytes    186.68 K

Looking for desote.exe                      

No matches found.

Looking for svchasts.exe                        

No matches found.

Looking for ppp4.dat                        

No matches found.

Looking for sysnet.dat                      

No matches found.

Looking for bincd32.dat                     

No matches found.

Looking for ppp3.dat                        

No matches found.

Looking for desot.exe                       

No matches found.

Looking for wispex.html                     

No matches found.

Looking for qcfbc.wbg                       

No matches found.

Looking for windows Police Pro.exe                  

No matches found.

Looking for svchast.exe                     

No matches found.

Looking for dbsinit.exe                     

No matches found.


File/Folder: C:\WINDOWS\Program Files\Windows Police Pro\windows Police Pro.exe does not exist


File/Folder: C:\WINDOWS\system32\dddesot.dll does not exist

File: "C:\WINDOWS\system32\wisdstr.exe"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"

File/Folder: C:\WINDOWS\system32\wincom32.ini does not exist


File/Folder: C:\WINDOWS\system32\desote.exe does not exist


File/Folder: C:\WINDOWS\svchasts.exe does not exist


File/Folder: C:\WINDOWS\ppp4.dat does not exist


File/Folder: C:\WINDOWS\system32\sysnet.dat does not exist


File/Folder: C:\WINDOWS\system32\bincd32.dat does not exist


File/Folder: C:\WINDOWS\ppp3.dat does not exist


File/Folder: C:\WINDOWS\system32\desot.exe does not exist


File/Folder: C:\WINDOWS\system32\wispex.html does not exist


File/Folder: C:\WINDOWS\qcfbc.wbg does not exist


File/Folder: C:\WINDOWS\svchast.exe does not exist


File/Folder: C:\WINDOWS\Program Files\Windows Police Pro\tmp\dbsinit.exe does not exist


Looking for windows Police Pro.exe                  

No matches found.
     Successfully Removed!              

Looking for dddesot.dll                     

No matches found.
     Successfully Removed!              

Looking for wisdstr.exe                         

No matches found.
     Successfully Removed!              

Looking for desote.exe                      

No matches found.
     Successfully Removed!              

Looking for svchasts.exe                        

No matches found.
     Successfully Removed!              

Looking for ppp4.dat                        

No matches found.
     Successfully Removed!              

Looking for sysnet.dat                      

No matches found.
     Successfully Removed!              

Looking for bincd32.dat                     

No matches found.
     Successfully Removed!              

Looking for ppp3.dat                        

No matches found.
     Successfully Removed!              

Looking for desot.exe                       

No matches found.
     Successfully Removed!              

Looking for wispex.html                     

No matches found.
     Successfully Removed!              

Looking for qcfbc.wbg                       

No matches found.
     Successfully Removed!              

Looking for svchast.exe                     

No matches found.
     Successfully Removed!              

Looking for dbsinit.exe                     

No matches found.
     Successfully Removed!              



                    ** EXE KEY STILL INFECTED? **                   


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


_________________________




Log file is located at: C:\Documents and Settings\Rachel\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point       : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\ZAP103.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A5.tmp\ZAP1A5.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28E.tmp\ZAP28E.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B8.tmp\ZAP2B8.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\AU_Temp\AU_Temp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2003-03-31 14:00:00 703488 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe ()

[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\helpsvc.exe (Microsoft Corporation)



Found mount point       : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msft

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2003-03-31 14:00:00 49152 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll (Microsoft Corporation)

[1] 2004-08-04 02:56:42 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-04 02:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point       : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\Macromed\update\update

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\i386

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\DriverFiles

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\spool\drivers\IA64\IA64

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\wbem\Logs\Logs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Cookies\Cookies

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\cs\cs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\da\da

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\de\de

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\el\el

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en\en

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en-gb\en-gb

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\es\es

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fi\fi

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fr\fr

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\HTML\HTML

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\it\it

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ja\ja

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ko\ko

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\nl\nl

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\no\no

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pl\pl

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pt-br\pt-br

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ru\ru

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\sv\sv

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\th\th

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\tr\tr

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-cn\zh-cn

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-tw\zh-tw

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\cs\cs

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\da\da

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\de\de

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\el\el

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en\en

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en-gb\en-gb

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\es\es

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fi\fi

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fr\fr

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\HTML\HTML

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\it\it

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ja\ja

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ko\ko

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\nl\nl

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\no\no

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pl\pl

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pt-br\pt-br

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ru\ru

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\sv\sv

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\th\th

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\tr\tr

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-cn\zh-cn

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-tw\zh-tw

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\GUM15.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\History\History.IE5\History.IE5

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\slu19b.tmp\slu19b.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\slu3b4d.tmp\slu3b4d.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\slu6539.tmp\slu6539.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\slu7f0.tmp\slu7f0.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\slu832.tmp\slu832.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\slufae.tmp\slufae.tmp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\StandardInstall_1-5-0\WorkFlow\WorkFlow

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\11BQ7CMK\11BQ7CMK

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\31TUIS5O\31TUIS5O

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\43UFA0R8\43UFA0R8

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4F5IJOXB\4F5IJOXB

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6EQ7NVYF\6EQ7NVYF

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7GE5RVL2\7GE5RVL2

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9MBJ2F4V\9MBJ2F4V

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\H6FM75Z5\H6FM75Z5

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K1GSDJK0\K1GSDJK0

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QKMOJ1WP\QKMOJ1WP

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R4YPFEHN\R4YPFEHN

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YETQBD7F\YETQBD7F

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\WMD\WMD

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\Temp\WMFA\WMFA

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\WinSxS\InstallTemp\51836\51836

Mount point destination : \Device\__max++>\^



Finished!


0

Wow Phil, you are a trooper.
I got KILLBAD and win32kdiag to run. Here are the logs.

The stuff that is hard to kill is more fun for us Forum volunteers :)

Please Download The Avenger v2 by Swandog46
http://swandog46.geekstogo.com/avenger.zip

-- Extract Avenger.exe from the ZIP to your Desktop
-- Highlight the complete text in bold below and copy it using Ctrl+C or RightClick > Copy :


Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


-- Now, DoubleClick avenger.exe on your desktop to run it
-- Read the Warning Prompt and press OK
-- Paste the script you just copied into the textbox , using Ctrl+V or RightClick > Paste
-- Press Execute
-- Answer YES to the confirmation prompts and allow your computer to reboot.
In some cases, The Avenger will reboot your machine a second time. No worries.
-- After reboot, The Avenger should open a log – please post that for me.


NEXT:

Click START > RUN and then Copy&Paste the following into the command field: "%userprofile%\desktop\win32kdiag.exe" -f -r

That should produce a log, as well. Please post it for me.

Let me know if you ran into any difficulties along the way with these instructions and we'll go from there.

-- Check and see if MBA-M will run now and, if it does, do a Full Scan and have it remove what it finds and post that log too...

Best Luck :)
PP
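An added example, not part of the thread and not code from PKBOO, Win32kDiag or The Avenger: a small Python triage script that does what a helper reads by eye in the log above. It assumes the one-record-per-line layout the PKBOO log uses, pulls out every junction whose destination contains the `__max++` device name seen in the log, and applies two heuristics of my own to the "Cannot access" file listing: a copy with an empty company string, or one that shares its timestamp with other copies but not their size, is flagged as tampered, and a differently named file whose size and timestamp match the ServicePackFiles copy is reported as the place to restore from. The sample log is a constructed excerpt of the records quoted above.

```python
"""Triage of a PKBOO / Win32kDiag style log (added example, not the tools' code).
Reports junctions that resolve to one odd device name, a system DLL whose live
copy differs from every service-pack copy, and a likely clean copy to restore."""
import re
from dataclasses import dataclass

# Record layouts as they appear in the posted log, one record per line.
MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
FILE_RE = re.compile(
    r"^\[(\d)\]\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\d+)\s+(.+?)\s+\((.*)\)\s*$"
)

# Constructed excerpt: records copied from the PKBOO log quoted in the thread.
SAMPLE_LOG = r"""
Found mount point       : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point       : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2003-03-31 14:00:00 49152 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 02:56:42 55808 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 19:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll (Microsoft Corporation)
[1] 2004-08-04 02:56:42 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-04 02:56:42 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Finished!
"""


@dataclass
class FileCopy:
    path: str
    date: str
    time: str
    size: int
    company: str


def parse_log(text):
    """Return (junctions, file_copies). A junction is a (source, destination) pair
    built from a 'Found mount point' line and the next 'Mount point destination'."""
    mounts, files = [], []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = DEST_RE.match(line)
        if m and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(FileCopy(path=m.group(5), date=m.group(2), time=m.group(3),
                                  size=int(m.group(4)), company=m.group(6).strip()))
    return mounts, files


def junctions_to(mounts, marker):
    """Junction sources whose destination contains marker."""
    return [src for src, dest in mounts if marker in dest]


def tampered_copies(files):
    """Heuristic (mine, not the tool's): a copy with no company string in its
    version resource, or one that shares a timestamp with other copies but a
    size none of them has, looks like a file patched in place with its original
    timestamp put back."""
    flagged = []
    for c in files:
        twins = [o for o in files if o is not c and (o.date, o.time) == (c.date, c.time)]
        size_mismatch = bool(twins) and all(o.size != c.size for o in twins)
        if not c.company or size_mismatch:
            flagged.append(c)
    return flagged


def restore_candidates(files, tampered):
    """Files that are plausible originals: same size and timestamp as a copy under
    ServicePackFiles, company string present, and not a backup copy themselves."""
    refs = [f for f in files if "\\ServicePackFiles\\" in f.path]
    out = []
    for f in files:
        if f in tampered or f in refs or not f.company:
            continue
        if any((r.date, r.time, r.size) == (f.date, f.time, f.size) for r in refs):
            out.append(f)
    return out


def triage(text, marker="__max++"):
    mounts, files = parse_log(text)
    bad = tampered_copies(files)
    return {
        "junctions": junctions_to(mounts, marker),
        "tampered": [f.path for f in bad],
        "restore_from": [f.path for f in restore_candidates(files, bad)],
    }


if __name__ == "__main__":
    for key, paths in triage(SAMPLE_LOG).items():
        print(key)
        for p in paths:
            print("   ", p)
```

On the excerpt this reports the two junctions, flags only `C:\WINDOWS\system32\eventlog.dll` (blank company, 61952 bytes where every other copy with that timestamp is 55808) and names `C:\WINDOWS\system32\logevent.dll` as the copy that matches the service-pack file, which is exactly the pair the Avenger script above moves. It only handles the line-per-record layout; the run-together Win32kDiag paste later in the thread would need the records split first.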

0

Phil, I did exactly as stated and when I run Execute (after copy/paste) on avenger I get this...

Invalid script Error: A valid script must begin with a command directive. Aborting execution!


I'm going bald.

0

Phil, I did exactly as stated and when I run Execute (after copy/paste) on avenger I get this...

Invalid script Error: A valid script must begin with a command directive. Aborting execution!

Copy and paste everything in red, including "Files to move:".

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll


Try again and see if that works and then do the rest.

PP :)

0

Oops, my bad. Got it now...

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Completed script processing.

*******************

Finished! Terminate.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue Sep 01 18:37:37 2009

18:37:37: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Tue Sep 01 18:38:50 2009

18:38:50: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

0

All right, got the next log. Tried mbam; it tried to update and got a blue screen crash.


Log file is located at: C:\Documents and Settings\Rachel\Desktop\Win32kDiag.txt

Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Found mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB941644\KB941644

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\addins\addins

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\ZAP103.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\ZAP103.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A5.tmp\ZAP1A5.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1A5.tmp\ZAP1A5.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28E.tmp\ZAP28E.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP28E.tmp\ZAP28E.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B8.tmp\ZAP2B8.tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2B8.tmp\ZAP2B8.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\AU_Temp\AU_Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\AU_Temp\AU_Temp

Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ime\imejp\applets\applets
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\java\classes\classes
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\Minidump\Minidump
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Minidump\Minidump

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\PCHealth\ERRORREP\UserDumps\UserDumps
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\ERRORREP\UserDumps\UserDumps

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH

Cannot access: C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe
Attempting to restore permissions of : C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe

[1] 2003-03-31 14:00:00 703488 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpsvc.exe (Microsoft Corporation)
[1] 2004-08-04 02:56:50 743936 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
[1] 2008-04-13 19:12:21 744448 C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\helpsvc.exe (Microsoft Corporation)

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System\News\News

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\System_OEM\System_OEM

Found mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\security\logs\logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\security\logs\logs

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\146ae5e7b51a37f45e0e5cf03d0d5e3c\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\10\10

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msft
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\52\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msft
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\60\msft\msft

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\backup\asms\70\70

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\system32\1025\1025
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1025\1025

Found mount point : C:\WINDOWS\system32\1028\1028
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1028\1028

Found mount point : C:\WINDOWS\system32\1031\1031
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1031\1031

Found mount point : C:\WINDOWS\system32\1037\1037
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1037\1037

Found mount point : C:\WINDOWS\system32\1041\1041
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1041\1041

Found mount point : C:\WINDOWS\system32\1042\1042
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1042\1042

Found mount point : C:\WINDOWS\system32\1054\1054
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\1054\1054

Found mount point : C:\WINDOWS\system32\2052\2052
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\2052\2052

Found mount point : C:\WINDOWS\system32\3076\3076
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3076\3076

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Found mount point : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\TempDir\TempDir

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Found mount point : C:\WINDOWS\system32\dhcp\dhcp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\dhcp\dhcp

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Found mount point : C:\WINDOWS\system32\export\export
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Found mount point : C:\WINDOWS\system32\Macromed\update\update
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\Macromed\update\update

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\i386
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\i386
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\DriverFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\DriverFiles

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\DriverFiles
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\DriverFiles

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\spool\drivers\IA64\IA64

Found mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\spool\drivers\W32ALPHA\W32ALPHA

Found mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\spool\drivers\WIN40\WIN40

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Found mount point : C:\WINDOWS\system32\wbem\Logs\Logs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\Logs\Logs

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\xircom\xircom
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Temp\Cookies\Cookies
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\Cookies\Cookies

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\cs\cs
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\cs\cs

Found mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\da\da
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\da\da

Found mount point :
C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\de\deMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\de\deFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\el\elMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\el\elFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en\enMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en\enFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en-gb\en-gbMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\en-gb\en-gbFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\es\esMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\es\esFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fi\fiMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fi\fiFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fr\frMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\fr\frFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\HTML\HTMLMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\HTML\HTMLFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\it\itMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\it\itFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ja\jaMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ja\jaFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ko\koMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ko\koFound mount point : 
C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\nl\nlMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\nl\nlFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\no\noMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\no\noFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pl\plMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pl\plFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pt-br\pt-brMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\pt-br\pt-brFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ru\ruMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\ru\ruFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\sv\svMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\sv\svFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\th\thMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\th\thFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\tr\trMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\tr\trFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-cn\zh-cnMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-cn\zh-cnFound mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-tw\zh-twMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gis2b78e4\2.4.1399.3742\zh-tw\zh-twFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\cs\csMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\cs\csFound mount point : 
C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\da\daMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\da\daFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\de\deMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\de\deFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\el\elMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\el\elFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en\enMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en\enFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en-gb\en-gbMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\en-gb\en-gbFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\es\esMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\es\esFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fi\fiMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fi\fiFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fr\frMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\fr\frFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\HTML\HTMLMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\HTML\HTMLFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\it\itMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\it\itFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ja\jaMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ja\jaFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ko\koMount 
point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ko\koFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\nl\nlMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\nl\nlFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\no\noMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\no\noFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pl\plMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pl\plFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pt-br\pt-brMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\pt-br\pt-brFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ru\ruMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\ru\ruFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\sv\svMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\sv\svFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\th\thMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\th\thFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\tr\trMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\tr\trFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-cn\zh-cnMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-cn\zh-cnFound mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-tw\zh-twMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\gisd91f0\2.4.1536.6592\zh-tw\zh-twFound mount point : C:\WINDOWS\Temp\GUM15.tmp\CrashReports\CrashReportsMount point destination : 
\Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\GUM15.tmp\CrashReports\CrashReportsFound mount point : C:\WINDOWS\Temp\History\History.IE5\History.IE5Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\History\History.IE5\History.IE5Found mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisorMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\SiteAdvisor\SiteAdvisorFound mount point : C:\WINDOWS\Temp\slu19b.tmp\slu19b.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slu19b.tmp\slu19b.tmpFound mount point : C:\WINDOWS\Temp\slu3b4d.tmp\slu3b4d.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slu3b4d.tmp\slu3b4d.tmpFound mount point : C:\WINDOWS\Temp\slu6539.tmp\slu6539.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slu6539.tmp\slu6539.tmpFound mount point : C:\WINDOWS\Temp\slu7f0.tmp\slu7f0.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slu7f0.tmp\slu7f0.tmpFound mount point : C:\WINDOWS\Temp\slu832.tmp\slu832.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slu832.tmp\slu832.tmpFound mount point : C:\WINDOWS\Temp\slufae.tmp\slufae.tmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\slufae.tmp\slufae.tmpFound mount point : C:\WINDOWS\Temp\StandardInstall_1-5-0\WorkFlow\WorkFlowMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\StandardInstall_1-5-0\WorkFlow\WorkFlowFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\11BQ7CMK\11BQ7CMKMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\11BQ7CMK\11BQ7CMKFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\31TUIS5O\31TUIS5OMount point destination : \Device\__max++>\^Removing mount point : 
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\31TUIS5O\31TUIS5OFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\43UFA0R8\43UFA0R8Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\43UFA0R8\43UFA0R8Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4F5IJOXB\4F5IJOXBMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\4F5IJOXB\4F5IJOXBFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6EQ7NVYF\6EQ7NVYFMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\6EQ7NVYF\6EQ7NVYFFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7GE5RVL2\7GE5RVL2Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\7GE5RVL2\7GE5RVL2Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9MBJ2F4V\9MBJ2F4VMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\9MBJ2F4V\9MBJ2F4VFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\H6FM75Z5\H6FM75Z5Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\H6FM75Z5\H6FM75Z5Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K1GSDJK0\K1GSDJK0Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K1GSDJK0\K1GSDJK0Found mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QKMOJ1WP\QKMOJ1WPMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\QKMOJ1WP\QKMOJ1WPFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R4YPFEHN\R4YPFEHNMount point destination 
: \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R4YPFEHN\R4YPFEHNFound mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YETQBD7F\YETQBD7FMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\YETQBD7F\YETQBD7FFound mount point : C:\WINDOWS\Temp\WMD\WMDMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\WMD\WMDFound mount point : C:\WINDOWS\Temp\WMFA\WMFAMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\Temp\WMFA\WMFAFound mount point : C:\WINDOWS\WinSxS\InstallTemp\51836\51836Mount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\51836\51836Finished!

1

Ok - If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.malwarebytes.org/forums/index.php?showtopic=22723

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Bunnyfix.exe and then download it to your desktop as that and follow the instructions in the linky to run it and post the log.

PP :)

0

Running now.....

All right . . . Now we are cooking with gas . . . or something like that.

I am calling it a night - My eyes are killing me + have some actual paying work to do.

Post the combofix log for me and I'll have a look at it first chance I get.

Cheers :)
PP
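An added example, not PhilliePhan's tool and not part of ComboFix: a small triage pass over the "Reg Loading Points" section of a ComboFix log, flagging the tampering patterns a helper looks for first (Security Center monitoring switched off, Windows Firewall disabled, Run values that load a bare DLL, and one DLL registered under several autostart points). The sample lines are constructed in ComboFix's REGEDIT4-style format and reuse values from the log in this thread; the category names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in ComboFix "Reg Loading Points" format; the values mirror
# the log posted in this thread, but this block is an added example, not ComboFix output.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"vamanipetu"="c:\windows\system32\ririzaki.dll" [2009-06-01 49152]
"midalolis"="c:\windows\system32\huverego.dll" [2009-09-01 88576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{c3ee902a-027d-4d77-829b-1697267ddd6c}"= "c:\windows\system32\huverego.dll" [2009-09-01 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"metotozon"= {c3ee902a-027d-4d77-829b-1697267ddd6c} - c:\windows\system32\huverego.dll [2009-09-01 88576]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "name"=value  (also "name"= value)
DLL_RE = re.compile(r'([a-z]:\\[^"\[]*?\.dll)', re.IGNORECASE)


def parse_reg_points(text):
    """Return (key, value_name, raw_value) for every value line under a [key] header."""
    key = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2)))
    return entries


def triage(text):
    """Return a list of (category, detail) findings for the tampering patterns above."""
    findings = []
    dll_loadpoints = defaultdict(set)  # dll path -> set of load-point key names
    for key, name, value in parse_reg_points(text):
        k, n, v = key.lower(), name.lower(), value.lower()
        leaf = key.rsplit("\\", 1)[-1]
        # Security Center told to stop watching an AV/firewall product, or to hide update nags
        if "security center" in k and n == "disablemonitoring" and v.endswith("1"):
            findings.append(("security_center_monitoring_off", leaf))
        if "security center" in k and n == "updatesdisablenotify" and v.endswith("1"):
            findings.append(("update_notifications_off", name))
        # Windows Firewall policy switched off for the standard profile
        if "firewallpolicy" in k and n == "enablefirewall" and v.startswith("0"):
            findings.append(("windows_firewall_off", leaf))
        m = DLL_RE.search(value)
        if m:
            dll = m.group(1).lower()
            # A Run value normally launches an .exe; a bare DLL path is a loader pattern
            if k.endswith("\\run"):
                findings.append(("dll_in_run_key", f"{name} -> {dll}"))
            dll_loadpoints[dll].add(leaf.lower())
    # The same DLL hooked into several autostart mechanisms is worth a close look
    for dll, points in dll_loadpoints.items():
        if len(points) > 1:
            findings.append(("dll_in_multiple_loadpoints", f"{dll}: {', '.join(sorted(points))}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32s} {detail}")
```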

0

All right Phil!

Here we go....


ComboFix 09-09-01.04 - Rachel 09/01/2009 19:56.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.200 [GMT -5:00]
Running from: c:\documents and settings\Rachel\Desktop\Bunnyfix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\15977394
c:\documents and settings\All Users\Application Data\15977394\15977394
c:\documents and settings\All Users\Application Data\15977394\15977394.exe
c:\documents and settings\All Users\Application Data\15977394\pc15977394ins
c:\documents and settings\All Users\Application Data\esacomub.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Rachel\Cookies\josi.pif
c:\recycler\NPROTECT
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Fonts\HELSM___.TTF
c:\windows\Fonts\INK2METR.TTF
c:\windows\Fonts\OPUSM___.TTF
c:\windows\Installer\18c019.msp
c:\windows\Installer\20a96.msi
c:\windows\patch.exe
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\dahovibo.dll
c:\windows\system32\delejome.dll
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\drivers\kbiwkmmetjimqx.sys
c:\windows\system32\hatakuvu.dll
c:\windows\system32\kbiwkmbvsmrril.dll
c:\windows\system32\kbiwkmjklypdur.dll
c:\windows\system32\kbiwkmldyiuwyr.dat
c:\windows\system32\kbiwkmxvakcdpq.dat
c:\windows\system32\lolapeva.dll
c:\windows\system32\mdm.exe
c:\windows\system32\naluwota.dll
c:\windows\system32\nepusenu.dll
c:\windows\system32\simejufa.dll
c:\windows\system32\tapi.nfo
c:\windows\system32\terovozo.dll
c:\windows\system32\tuviloko.exe
c:\windows\system32\volosejo.dll
c:\windows\system32\vovugesi.dll
c:\windows\system32\wisdstr.exe
c:\windows\system32\yavayusa.dll

----- BITS: Possible infected sites -----

hxxp://82.98.231.97
c:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100
-------\Service_kbiwkmbqvmttap


((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-09-02 00:19 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-02 00:19 . 2009-09-02 00:19 -------- d-----w- C:\ILU
2009-09-02 00:19 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-01 22:43 . 2009-09-01 22:43 -------- d---a-w- C:\KILLBAD
2009-09-01 02:48 . 2009-09-01 12:21 -------- d-----w- C:\suckmydick
2009-09-01 00:43 . 2009-09-01 00:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-09-01 00:35 . 2009-09-01 00:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-01 00:18 . 2009-09-01 00:18 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-08-31 06:48 . 2009-08-31 06:48 -------- d---a-w- C:\PKBOO
2009-08-31 05:55 . 2009-08-31 05:55 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-31 05:25 . 2009-08-31 05:25 -------- d-----w- c:\program files\CCleaner
2009-08-31 03:49 . 2009-08-31 03:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-31 03:07 . 2009-08-31 03:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-31 02:36 . 2009-08-31 02:36 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-23 00:13 . 2009-08-23 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2009-08-23 00:12 . 2009-08-23 00:13 -------- d-----w- c:\program files\TVUPlayer
2009-08-20 00:49 . 2009-08-20 00:49 -------- d-----w- c:\documents and settings\Rachel\fontconfig
2009-08-20 00:41 . 2009-08-31 05:00 -------- d-----w- c:\program files\MPlayer for Windows
2009-08-20 00:12 . 2009-08-20 00:12 -------- d-----w- c:\program files\Common Files\NSV
2009-08-15 01:23 . 2009-08-15 01:24 -------- d-----w- C:\REPSPL
2009-08-12 02:14 . 2009-08-12 02:15 5519752 ----a-w- c:\documents and settings\Rachel\Application Data\TVU networks\TVU AutoUpgrade\TVUPlayer2.4.7.2.exe
2009-08-11 23:55 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-08 12:02 . 2009-08-08 12:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-08 08:14 . 2009-08-08 08:14 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-08 08:13 . 2009-08-08 08:13 -------- d-----w- c:\program files\MSBuild
2009-08-08 08:13 . 2009-08-08 08:13 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 08:11 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-08 08:11 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-08 08:11 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-08 08:11 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-08 08:11 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-08 08:11 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-08 08:11 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-08 08:11 . 2009-08-08 08:12 -------- d-----w- C:\a6934de93bf88e0a3bce6630233dd5
2009-08-08 08:02 . 2009-08-08 08:02 -------- d-----w- c:\program files\MSXML 6.0
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 08:01 . 2009-08-05 08:01 56972 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 22:41 . 2009-06-24 01:05 -------- d-----w- c:\program files\McAfee
2009-09-01 22:36 . 2009-06-01 22:35 88576 --sha-w- c:\windows\system32\huverego.dll
2009-09-01 12:56 . 2009-06-01 12:56 49152 --sha-w- c:\windows\system32\ziperame.dll
2009-09-01 06:16 . 2007-12-01 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-31 06:55 . 2009-05-31 06:55 209408 --sha-w- c:\windows\system32\luliwedo.dll
2009-08-31 06:55 . 2009-05-31 06:55 209408 --sha-w- c:\windows\system32\wimavapa.dll
2009-08-31 03:31 . 2009-06-28 02:44 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-31 02:23 . 2009-08-31 02:23 16669 ----a-w- c:\documents and settings\All Users\Application Data\icyw.dat
2009-08-29 22:13 . 2009-06-24 01:27 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-15 01:23 . 2009-07-12 13:20 737280 ----a-w- c:\windows\iun6002.exe
2009-08-14 12:33 . 2008-12-27 03:14 -------- d-----w- c:\documents and settings\Rachel\Application Data\uTorrent
2009-08-09 09:20 . 2005-11-18 06:46 74424 ----a-w- c:\documents and settings\Rachel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2003-03-31 19:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-28 03:09 . 2006-02-24 20:09 -------- d-----w- c:\documents and settings\Rachel\Application Data\Apple Computer
2009-07-27 23:35 . 2009-07-27 23:34 -------- d-----w- c:\program files\iTunes
2009-07-27 23:34 . 2006-10-04 16:16 -------- d-----w- c:\program files\iPod
2009-07-27 23:33 . 2007-10-22 19:48 -------- d-----w- c:\program files\Common Files\Apple
2009-07-27 23:13 . 2009-07-27 23:13 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-21 00:31 . 2008-12-13 19:37 -------- d-----w- c:\program files\Veetle
2009-07-20 09:04 . 2009-07-20 09:00 -------- d-----w- c:\program files\Image-Line
2009-07-20 09:04 . 2009-07-20 09:04 -------- d-----w- c:\program files\ASIO4ALL v2
2009-07-17 18:55 . 2003-03-31 19:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 10:00 . 2009-01-31 13:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-14 04:43 . 2004-08-04 07:56 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 07:46 . 2007-12-01 06:27 -------- d-----w- c:\program files\Google
2009-07-13 07:45 . 2006-06-02 20:06 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-12 13:19 . 2009-07-12 13:19 -------- d-----w- c:\program files\Replay Converter
2009-07-03 17:09 . 2005-06-18 05:49 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-30 00:14 . 2009-06-30 00:14 0 ----a-w- c:\windows\nsreg.dat
2009-06-25 08:44 . 2005-06-15 17:50 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2003-03-31 19:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2003-03-31 19:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2003-03-31 19:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2003-03-31 19:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2003-03-31 19:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 00:01 . 2009-06-25 00:01 127872 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\uninstall.exe
2009-06-25 00:01 . 2009-06-16 06:35 4183416 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\plugins\npqmp071503000010.dll
2009-06-25 00:00 . 2009-06-25 00:00 1686272 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\MoveMediaPlayerWin_071503000010.exe
2009-06-22 11:34 . 2003-03-31 19:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2003-03-31 19:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2003-03-31 19:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 06:35 . 2009-06-16 06:35 97144 ----a-w- c:\documents and settings\Rachel\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-12 15:06 . 2009-06-12 15:06 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\BindBins.exe
2009-06-12 15:06 . 2009-06-12 15:06 30720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\netfw.exe
2009-06-12 15:05 . 2009-06-12 15:05 23510720 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\fwork\dotnetfx.exe
2009-06-12 15:05 . 2009-06-12 15:05 1179648 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_adafe\EasyShrx.Dll
2009-06-12 15:05 . 2009-06-12 15:05 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.8.20.2.dll
2009-06-12 11:50 . 2003-03-31 19:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2003-03-31 19:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2003-03-31 19:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2005-11-16 18:40 655872 ----a-w- c:\windows\system32\mstscax.dll
2007-03-09 07:12 . 2007-03-09 07:12 27648 --sha-w- c:\windows\system32\AVSredirect.dll
2009-06-01 12:56 . 2009-06-01 12:56 49152 --sha-w- c:\windows\system32\guderasa.dll
2009-06-01 12:56 . 2009-06-01 12:56 49152 --sha-w- c:\windows\system32\ririzaki.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SweetIM"="c:\program files\Macrogaming\SweetIM\SweetIM.exe" [2006-01-02 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-06-25 335872]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"Display Settings"="c:\program files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 45056]
"QT4HPOT"="c:\program files\HPQ\One-Touch\OneTouch.EXE" [2003-10-03 106496]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 868352]
"SweetIM"="c:\program files\Macrogaming\SweetIM\SweetIM.exe" [2006-01-02 40960]
"OxigenClientAdmin"="c:\program files\Oxigen\bin\Oxigen.exe" [2007-06-23 887264]
"OxigenTrayIcon"="c:\program files\Oxigen\bin\OxiTray.exe" [2007-06-23 557536]
"Google IME Autoupdater"="c:\program files\Google\Google Pinyin\GooglePinyinDaemon.exe" [2008-10-17 308720]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-05-01 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-04-09 1176808]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"vamanipetu"="c:\windows\system32\ririzaki.dll" [2009-06-01 49152]
"midalolis"="c:\windows\system32\huverego.dll" [2009-09-01 88576]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
D-Link AirPlus G Wireless Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe [2005-11-17 782412]
D-Link REG Utility.lnk - c:\program files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe [2005-11-17 24576]
FirePod Control Panel.lnk - c:\program files\PreSonus\1394AudioDriver_FirePod\FirePod.exe [2008-12-2 1126400]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-5-10 282624]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{c3ee902a-027d-4d77-829b-1697267ddd6c}"= "c:\windows\system32\huverego.dll" [2009-09-01 88576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"metotozon"= {c3ee902a-027d-4d77-829b-1697267ddd6c} - c:\windows\system32\huverego.dll [2009-09-01 88576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HPQ\\Notebook Utilities\\HPWirelessCfg.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Oxigen\\bin\\OxiProc.exe"=
"c:\\Program Files\\uusee\\UUSeePlayer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\explorer.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/23/2009 8:11 PM 203280]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [11/16/2005 1:53 PM 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [11/16/2005 1:53 PM 244608]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [7/16/2003 9:01 PM 28280]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 W35UND;IS89C35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\drivers\W35UND.SYS [9/12/2006 5:18 PM 117632]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-01 23:47]

2009-07-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 13:57]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-24 13:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{19c97a07-5c6d-464d-8765-8d59d54aa792} - c:\windows\system32\nepusenu.dll
HKLM-Run-CPM5b294dbd - c:\windows\system32\lolapeva.dll
SafeBoot-mfehidk
SafeBoot-mferkdk
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Rachel\Application Data\Mozilla\Firefox\Profiles\0bpq0kpp.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Rachel\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 20:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?7?7?0??????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbiwkmbqvmttap]
"imagepath"="\systemroot\system32\drivers\kbiwkmmetjimqx.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbiwkmbqvmttap]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmmetjimqx.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
c:\program files\Macrogaming\SweetIM\mgAdaptersProxy.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ririzaki.dll
c:\windows\system32\huverego.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\HPConfig.exe
c:\program files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\windows\system32\MsPMSPSv.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-02 20:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-02 01:29

Pre-Run: 14,684,491,776 bytes free
Post-Run: 14,734,770,176 bytes free

346 --- E O F --- 2009-08-27 08:01
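
The log above is the kind of thing a responder ends up reading by hand: pseudo-random DLL names in system32 sitting under Run, SharedTaskScheduler and ShellServiceObjectDelayLoad, Security Center monitoring and the Windows Firewall switched off in the registry, a locked service key whose driver also has a random name, and the same two DLLs loaded into explorer.exe. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses those sections from a constructed excerpt of the posted log and flags them. The heuristics (which keys count as autorun points, which values count as a protection downgrade, how many hits make "multi-point persistence") are this example's assumptions, not ComboFix rules.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix code).
The four heuristics are this example's own assumptions, chosen to match
the indicators visible in the log above."""
import re
from collections import defaultdict

# Constructed sample: excerpts of the log posted above, blank lines removed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"vamanipetu"="c:\windows\system32\ririzaki.dll" [2009-06-01 49152]
"midalolis"="c:\windows\system32\huverego.dll" [2009-09-01 88576]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{c3ee902a-027d-4d77-829b-1697267ddd6c}"= "c:\windows\system32\huverego.dll" [2009-09-01 88576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"metotozon"= {c3ee902a-027d-4d77-829b-1697267ddd6c} - c:\windows\system32\huverego.dll [2009-09-01 88576]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\kbiwkmbqvmttap]
@DACL=(02 0000)
"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmmetjimqx.sys"
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1348)
c:\windows\system32\WININET.dll
c:\windows\system32\ririzaki.dll
c:\windows\system32\huverego.dll
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')           # "name"= data
PATH_RE = re.compile(r'([a-z]:\\[^\[\]"]+?\.(?:dll|exe|sys))', re.I)
SECTION_RE = re.compile(r'^-{3,}\s*(.+?)\s*-{3,}$')        # ---- Title ----
PROC_RE = re.compile(r"^- - .*> '([^']+)'\((\d+)\)$")      # > 'explorer.exe'(1348)
# persistence points (assumed list) whose target should never be a bare DLL
AUTORUN_KEYS = ('\\run', 'sharedtaskscheduler', 'shellserviceobjectdelayload')
# (key fragment, value name, data prefix) that switch protection off
DOWNGRADES = [('security center', 'disablemonitoring', 'dword:00000001'),
              ('security center', 'updatesdisablenotify', 'dword:00000001'),
              ('firewallpolicy', 'enablefirewall', '0')]


def parse(text):
    """Return (registry values, DLLs loaded per process, locked key names)."""
    entries, loaded, locked = [], defaultdict(list), set()
    key = section = proc = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                      # a new "---- Title ----" section resets state
            section, key, proc = m.group(1).upper(), None, None
            continue
        m = PROC_RE.match(line)
        if m:
            proc = m.group(1).lower()
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if section == 'LOCKED REGISTRY KEYS':
                locked.add(key)
            continue
        if proc and section and section.startswith('DLLS LOADED'):
            loaded[proc].append(line.lower())   # module path under a process
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(2)))
    return entries, loaded, locked


def triage(text):
    """Return human-readable findings for the log text."""
    entries, loaded, locked = parse(text)
    findings, seen_at = [], defaultdict(set)   # module path -> persistence keys
    for key, name, data in entries:
        lkey, lname, ldata = key.lower(), name.lower(), data.lower()
        m = PATH_RE.search(data)
        path = m.group(1).lower() if m else None
        if path:
            seen_at[path].add(key)
            # 1. autorun point whose target is a DLL in system32
            if path.endswith('.dll') and '\\system32\\' in path \
                    and lkey.endswith(AUTORUN_KEYS):
                findings.append(f'autorun DLL: {name} -> {path} ({key})')
        # 2. Security Center / firewall switched off
        for frag, vname, prefix in DOWNGRADES:
            if frag in lkey and lname == vname and ldata.startswith(prefix):
                findings.append(f'security downgrade: {key}\\{name} = {data}')
        # 3. a driver registered under a key ComboFix could not open
        if key in locked and lname == 'imagepath':
            findings.append(f'locked service key: {key} -> {data}')
    # 4. same module at several persistence points and/or inside explorer.exe
    for path, keys in seen_at.items():
        hits = len(keys) + (path in loaded.get('explorer.exe', []))
        if hits >= 2:
            findings.append(f'multi-point persistence ({hits}): {path}')
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the excerpt it reports the two Vundo-style DLLs at four autorun points, the two protection downgrades, the locked kbiwkmbqvmttap service with its driver, and huverego.dll at four places versus ririzaki.dll at two, while the benign QuickTime entry produces nothing. The value of the last heuristic is that a single Run entry is easy to dismiss; the same module turning up under Run, SharedTaskScheduler, SSODL and in the shell's address space is not.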

0

PHIL.... MBAM IS SCANNING!

In the first 10 seconds it found 6 infected objects, now it's at 13.

That ComboFix did the trick.

I uninstalled MBAM, ran CCleaner, and reinstalled and updated. It's running great.
Go baby GO!!!
