
Topic: Can't find virus


    dften (Topic Starter)

    Can't find virus
    « on: August 20, 2010, 08:16:24 PM »
    I have a home computer running Windows XP, with auto updates on, so service packs should be up to date.


    I've been fighting this virus for a few weeks now and I am on the verge of formatting the C: drive.
    I've got a virus that tries to pop up windows at random times, whether I have a browser running or not. Most of the time it doesn't show a window; it just pulls focus or minimizes whatever you are doing. Sometimes it shows an ad, but the links don't work.
        I have downloaded and run several virus programs including:

         Avira (running at the time of infection)
        AVG
        Avast
        Microsoft Security Essentials
        ESET
        Spybot Search and Destroy
        Malwarebytes
        Super Anti Spyware
        Comodo Fire Wall
        Another firewall recommended on this site I don't remember the name.
       
         None of these has detected the problem.

    One thing that I found interesting is that AVG will not install or uninstall without telling me that a conflicting program needs to be closed before it can continue. The program listed is "http://ad.seeknet2.com/goad/!aff_ID=***** - Microsoft Internet Explorer" (the ****'s represent a number that changes and seems to be different every time I see it).
       
    I am having two other issues with the computer which may or may not be related.
    Virus programs were crashing and auto-rebooting the computer due to a problem with the Idechndr storage driver, no longer supported by Intel. This seems to come and go; lately scans have been running all the way through.
    What has been happening lately is random "blue screen" crashes when I am using the computer, and about half the time it fails to reboot without crashing and starting over.

       Any advice would be appreciated.

    Following is a current HijackThis log.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:06:03 PM, on 8/20/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\vssvc.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\System32\dllhost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
    O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [Apploader] C:\Program Files\Gateway\HPA\pshell.exe 10000
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-21-854245398-1450960922-839522115-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Cassie')
    O4 - HKUS\S-1-5-21-854245398-1450960922-839522115-1006\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup (User 'Cassie')
    O4 - HKUS\S-1-5-21-854245398-1450960922-839522115-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Kathy')
    O4 - HKUS\S-1-5-21-854245398-1450960922-839522115-1007\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Kathy')
    O4 - S-1-5-21-854245398-1450960922-839522115-1006 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Cassie')
    O4 - S-1-5-21-854245398-1450960922-839522115-1006 User Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Cassie')
    O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/World%20Mosaics/Images/stg_drm.ocx
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280595189343
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} -
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
    O16 - DPF: {BF17C411-9ADA-4C73-B12C-BD814BDE187F} -
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/World%20Mosaics/Images/armhelper.ocx
    O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} -
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: vtUomklK - vtUomklK.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console - WildGames\GameConsoleService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

    --
    End of file - 8314 bytes
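The window AVG names as the "conflicting program" is an Internet Explorer window whose title is the ad URL itself, which is what IE shows when a page has no title; most of the time it stays hidden and only steals focus. The first thing to establish on such a machine is which process owns that window, because a hidden IE window belonging to something other than iexplore.exe points straight at the infection. The following is an added example, not code from the thread: it enumerates top-level windows with user32.EnumWindows (Windows only, no extra modules) and triages any whose title is a URL plus the IE suffix. The affiliate ID in the sample data is made up, since the poster masked it, and the other sample titles and PIDs are constructed.

```python
"""Find hidden Internet Explorer windows whose title is a URL (like the
ad.seeknet2.com one AVG reported) and map each one to the owning process."""
import re
import sys
from urllib.parse import urlsplit

# IE 6/7/8 title forms: "<title or URL> - Microsoft Internet Explorer" / "... - Windows Internet Explorer"
IE_TITLE = re.compile(r"^(?P<url>\S+) - (?:Microsoft |Windows )?Internet Explorer$")


def parse_ie_title(title):
    """Return (url, host) when the title is a URL-titled IE window, else None."""
    m = IE_TITLE.match(title.strip())
    if not m:
        return None
    url = m.group("url")
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    if "." not in host:
        return None  # a one-word page title such as "Google", not a URL
    return url, host


def triage_windows(windows, trusted_hosts=()):
    """windows: iterable of (hwnd, pid, visible, title). Returns the URL-titled IE
    windows whose host is not trusted, hidden ones first, each with its owning PID."""
    findings = []
    for hwnd, pid, visible, title in windows:
        parsed = parse_ie_title(title)
        if parsed is None:
            continue
        url, host = parsed
        if host in trusted_hosts:
            continue
        findings.append({"hwnd": hwnd, "pid": pid, "visible": bool(visible), "host": host, "url": url})
    findings.sort(key=lambda f: (f["visible"], f["pid"]))
    return findings


def enumerate_windows():
    """Windows only: every top-level window as (hwnd, pid, visible, title), hidden ones included."""
    if sys.platform != "win32":
        raise OSError("EnumWindows is only available on Windows")
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.windll.user32
    EnumWindowsProc = ctypes.WINFUNCTYPE(ctypes.c_bool, wintypes.HWND, wintypes.LPARAM)
    found = []

    def callback(hwnd, _lparam):
        length = user32.GetWindowTextLengthW(hwnd)
        buf = ctypes.create_unicode_buffer(length + 1)
        user32.GetWindowTextW(hwnd, buf, length + 1)
        pid = wintypes.DWORD()
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        found.append((hwnd, pid.value, bool(user32.IsWindowVisible(hwnd)), buf.value))
        return True

    user32.EnumWindows(EnumWindowsProc(callback), 0)
    return found


# Constructed sample standing in for EnumWindows output on the poster's machine;
# the aff_ID value is invented (the post masks it).
SAMPLE_WINDOWS = [
    (0x10010, 1432, True, "Program Manager"),
    (0x2003A, 2210, True, "Can't find virus - Windows Internet Explorer"),
    (0x3012C, 3876, False, "http://ad.seeknet2.com/goad/!aff_ID=12345 - Microsoft Internet Explorer"),
    (0x400E8, 2210, True, "http://www.google.com/ - Windows Internet Explorer"),
]

if __name__ == "__main__":
    windows = enumerate_windows() if sys.platform == "win32" else SAMPLE_WINDOWS
    for f in triage_windows(windows, trusted_hosts={"www.google.com"}):
        print(f"pid={f['pid']:<6} hidden={str(not f['visible']):<5} {f['url']}")
```

On the real machine the PID printed for the hidden window is the lead: if it is not an iexplore.exe process, that process is hosting the browser control, and its image path is what to look at before anything else.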

    Allan (Moderator)

      dften (Topic Starter)

      Re: Can't find virus
      « Reply #2 on: August 25, 2010, 06:13:10 PM »
      I was a good boy; I went through all the steps in that link before posting for help, except for the program at the bottom that checks the HijackThis log. Since my first post I have found my way through that to the best of my ability, and my problem remains.

          Anyone have any advice for me?

      SuperDave (Malware Removal Specialist)
      Re: Can't find virus
      « Reply #3 on: August 26, 2010, 04:47:41 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      Open HijackThis and select Do a system scan only

      Place a check mark next to the following entries: (if there)

      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O20 - Winlogon Notify: vtUomklK - vtUomklK.dll (file missing)
      O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)


      Important: Close all open windows except for HijackThis and then click Fix checked.

      Once completed, exit HijackThis.

      ****************************************
      Please download ComboFix from BleepingComputer.com

      Alternate link: GeeksToGo.com

      Alternate link: Forospyware.com

      Rename ComboFix.exe to commy.exe before you save it to your Desktop
      • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
      • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


      Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


      • Click on Yes, to continue scanning for malware.
      • When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.
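The three entries Dave picks out of the first post's log share one property: each is a load point (a BHO CLSID, a Winlogon Notify package, a service) whose target file HijackThis could not find. An orphaned Winlogon Notify entry with a meaningless DLL name is the classic leftover of a partially removed infection, and orphaned load points are safe to remove precisely because nothing is there to load. The following is an added example, not the thread's or HijackThis's own code: a small parser that pulls those "(no file)" / "(file missing)" entries out of a log and also lists O16 ActiveX entries that resolved to neither a name nor a download URL, which are worth looking up rather than ticking blindly. The sample input is an excerpt of the log posted above.

```python
"""Triage a HijackThis log for orphaned entries: load points whose target file
no longer exists. Those are what a helper ticks in 'Fix checked'."""
import re

ENTRY = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
MISSING = re.compile(r"\((?:no file|file missing)\)\s*$")
UNRESOLVED_DPF = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\} -\s*$")
SECTION_NAMES = {
    "O2": "Browser Helper Object",
    "O4": "Run key / Startup folder",
    "O9": "IE extra button or Tools item",
    "O16": "ActiveX download (DPF)",
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O23": "Service",
}


def parse_entries(log_text):
    """Yield (code, body) for each HijackThis entry line; the process list and headers are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def orphaned_entries(log_text):
    """Entries whose referenced file HijackThis could not find: safe to remove, and the
    typical leftover of a partially removed infection (e.g. a Winlogon Notify DLL that is gone)."""
    return [
        {"code": code, "section": SECTION_NAMES.get(code, "other"), "line": f"{code} - {body}"}
        for code, body in parse_entries(log_text)
        if MISSING.search(body)
    ]


def unresolved_activex(log_text):
    """O16 entries showing a CLSID but neither a control name nor a download URL.
    Not a fix candidate by itself; the CLSID has to be looked up before deciding."""
    return [f"{code} - {body}" for code, body in parse_entries(log_text)
            if code == "O16" and UNRESOLVED_DPF.match(body)]


def fix_list(log_text):
    """The lines to tick under 'Do a system scan only' -> 'Fix checked'."""
    return [hit["line"] for hit in orphaned_entries(log_text)]


# Sample input: an excerpt of the log posted in this thread, limited to the relevant entries.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1280595189343
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: vtUomklK - vtUomklK.dll (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
"""

if __name__ == "__main__":
    for line in fix_list(SAMPLE_LOG):
        print("FIX   ", line)
    for line in unresolved_activex(SAMPLE_LOG):
        print("LOOKUP", line)
```

Run against the full log from the first post, `fix_list` returns exactly the three lines Dave asks to have checked; an entry whose file is present (the AVG and PCTEL lines above) is deliberately not on the list, because a present file needs a judgement call, not a pattern match.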

        dften (Topic Starter)

        Re: Can't find virus
        « Reply #4 on: August 27, 2010, 11:39:45 PM »
        I think that did it. I believe I saw a notice that ComboFix found issues in the boot sector, and so far so good as far as the virus popups go since it finished.

           Here is the log.

            ComboFix 10-08-26.04 - Doug Tennant 08/27/2010   8:17.1.1 - x86
        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2039.1667 [GMT -7:00]
        Running from: c:\documents and settings\Doug Tennant\desktop\commy.exe
        Command switches used :: /stepdel
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\documents and settings\Cassie\Application Data\.#
        c:\documents and settings\Doug Tennant\Application Data\.#
        c:\documents and settings\Cassie\Application Data\.#\MBX@8C0@3841A0.###
        c:\documents and settings\Cassie\Application Data\.#\MBX@8C0@3841D0.###
        c:\documents and settings\Cassie\Application Data\.#\MBX@8C0@384200.###
        c:\documents and settings\Cassie\Application Data\.#\MBX@D0C@3841A0.###
        c:\documents and settings\Cassie\Application Data\.#\MBX@D0C@3841D0.###
        c:\documents and settings\Cassie\Application Data\.#\MBX@D0C@384200.###
        c:\documents and settings\Doug Tennant\Application Data\.#\MBX@D3C@3841A0.###
        c:\documents and settings\Doug Tennant\Application Data\.#\MBX@D3C@3841D0.###
        c:\documents and settings\Doug Tennant\Application Data\.#\MBX@D3C@384200.###
        c:\documents and settings\Doug Tennant\Application Data\.#\MBX@F2C@3841A0.###
        c:\documents and settings\Doug Tennant\Application Data\.#\MBX@F2C@3841D0.###
        c:\documents and settings\Doug Tennant\Application Data\.#\MBX@F2C@384200.###
        C:\khq
        c:\program files\Internet Explorer\SET86.tmp
        c:\program files\Internet Explorer\SET87.tmp
        c:\program files\Internet Explorer\SET88.tmp

        .
        \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
        .
        \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
        .
        (((((((((((((((((((((((((   Files Created from 2010-07-27 to 2010-08-27  )))))))))))))))))))))))))))))))
        .

        2010-08-24 02:38 . 2010-08-24 02:40   --------   d-----w-   c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
        2010-08-21 22:12 . 2010-08-22 22:05   --------   d-----w-   c:\documents and settings\All Users\Application Data\NOS
        2010-08-18 05:33 . 2010-08-18 05:33   --------   d-----w-   c:\documents and settings\Kathy\Application Data\Trusteer
        2010-08-16 00:23 . 2010-08-16 00:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\Comodo Downloader
        2010-08-15 06:40 . 2010-08-15 22:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\clp
        2010-08-08 05:40 . 2010-07-18 12:47   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Trusteer
        2010-08-07 18:23 . 2010-08-07 18:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\Carbonite
        2010-08-07 02:29 . 2010-08-07 02:29   --------   d-----w-   c:\documents and settings\Doug Tennant\Application Data\DeviceDoctorSoftware
        2010-08-07 01:23 . 2010-08-07 01:23   --------   d-----w-   c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
        2010-08-05 01:43 . 2010-08-05 01:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
        2010-08-03 12:00 . 2010-08-15 23:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
        2010-08-01 20:47 . 2010-08-01 20:47   --------   d-----w-   c:\documents and settings\Cassie\Application Data\Malwarebytes
        2010-08-01 20:24 . 2010-08-01 20:24   --------   d-----w-   c:\documents and settings\Cassie\Application Data\freshgames
        2010-07-31 15:56 . 2010-07-31 15:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\Driver Whiz
        2010-07-30 08:39 . 2010-07-31 15:51   --------   d-----w-   c:\documents and settings\LocalService\Application Data\Yahoo!
        2010-07-29 02:54 . 2010-07-29 02:54   --------   d-----w-   c:\documents and settings\Cassie\Application Data\Trusteer

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-08-27 04:47 . 2010-08-19 04:47   0   ----a-w-   c:\documents and settings\Doug Tennant\Local Settings\Application Data\prvlcl.dat
        2010-08-27 04:40 . 2008-09-17 02:27   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
        2010-08-26 15:25 . 2008-09-17 04:52   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
        2010-08-25 04:15 . 2010-08-22 21:57   166928   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
        2010-08-24 02:48 . 2008-09-18 03:53   --------   d-----w-   c:\documents and settings\Cassie\Application Data\Apple Computer
        2010-08-24 02:44 . 2008-09-17 02:52   --------   d-----w-   c:\documents and settings\Doug Tennant\Application Data\Apple Computer
        2010-08-24 02:40 . 2010-08-24 02:38   --------   d-----w-   c:\program files\iTunes
        2010-08-24 02:38 . 2010-08-24 02:38   --------   d-----w-   c:\program files\iPod
        2010-08-24 02:38 . 2008-09-17 02:48   --------   d-----w-   c:\program files\Common Files\Apple
        2010-08-24 02:35 . 2010-08-24 02:33   --------   d-----w-   c:\program files\QuickTime
        2010-08-24 02:25 . 2010-08-24 02:25   --------   d-----w-   c:\program files\Bonjour
        2010-08-24 02:19 . 2008-09-17 02:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
        2010-08-23 05:42 . 2010-08-23 05:42   --------   d-----w-   c:\program files\CCleaner
        2010-08-22 22:43 . 2008-09-18 06:34   --------   d-----w-   c:\documents and settings\Doug Tennant\Application Data\gtk-2.0
        2010-08-21 22:21 . 2010-08-21 22:18   --------   d-----w-   c:\program files\Common Files\Adobe
        2010-08-21 22:15 . 2010-08-21 22:15   --------   d-----w-   c:\program files\Common Files\Adobe AIR
        2010-08-21 01:50 . 2008-10-06 18:10   --------   d-----w-   c:\program files\Yahoo!
        2010-08-21 01:49 . 2009-02-14 04:36   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
        2010-08-21 01:48 . 2008-10-11 21:15   --------   d-----w-   c:\documents and settings\Doug Tennant\Application Data\Yahoo!
        2010-08-19 04:54 . 2010-08-19 04:54   --------   d-----w-   c:\program files\ESET
        2010-08-18 05:30 . 2010-08-18 05:30   --------   d-----w-   c:\program files\My Tribe
        2010-08-16 07:12 . 2010-08-16 07:11   --------   d-----w-   c:\program files\Ranch Rush 2 - Sara's Island Experiment
        2010-08-16 00:27 . 2009-02-08 16:14   --------   d-----w-   c:\program files\COMODO
        2010-08-15 17:35 . 2009-01-23 02:31   --------   d-----w-   c:\program files\Wonderland Adventures
        2010-08-13 09:48 . 2010-08-13 09:48   --------   d-----w-   c:\program files\Trend Micro
        2010-08-11 10:17 . 2010-08-07 01:24   --------   d-----w-   c:\program files\Microsoft Silverlight
        2010-08-08 18:45 . 2010-08-07 01:25   --------   d-----w-   c:\program files\Microsoft
        2010-08-08 18:42 . 2010-08-07 18:16   --------   d-----w-   c:\program files\MozyHome
        2010-08-08 18:37 . 2009-08-24 05:25   --------   d-----w-   c:\program files\Easy Duplicate Finder
        2010-08-08 05:42 . 2010-05-02 07:04   --------   d-----w-   c:\program files\Canasis
        2010-08-07 18:23 . 2010-08-07 18:23   --------   d-----w-   c:\program files\Carbonite
        2010-08-07 16:44 . 2009-03-19 01:19   --------   d--h--w-   c:\program files\InstallShield Installation Information
        2010-08-05 01:43 . 2010-08-05 01:43   --------   d-----w-   c:\program files\Alwil Software
        2010-08-04 05:17 . 2010-03-19 14:25   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-08-04 04:48 . 2008-09-18 06:12   --------   d-----w-   c:\program files\Common Files\Java
        2010-08-04 04:47 . 2008-09-18 06:12   --------   d-----w-   c:\program files\Java
        2010-08-03 13:48 . 2009-08-24 04:57   --------   d-----w-   c:\program files\Free Offers from Freeze.com
        2010-08-03 12:05 . 2010-08-03 12:00   --------   d-----w-   c:\program files\Spybot - Search & Destroy
        2010-08-02 06:11 . 2010-08-02 06:11   --------   d-----w-   c:\program files\AVG
        2010-08-01 07:47 . 2009-09-05 23:48   --------   d-----w-   c:\program files\Google
        2010-07-31 16:56 . 2010-07-31 16:56   --------   d-----w-   c:\program files\Microsoft CAPICOM 2.1.0.2
        2010-07-29 03:09 . 2010-07-28 15:04   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Yahoo!
        2010-07-26 06:48 . 2009-02-08 16:57   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-07-26 06:40 . 2010-07-26 06:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\BigFishGamesCache
        2010-07-26 06:38 . 2010-07-26 06:37   --------   d-----w-   c:\program files\bfgclient
        2010-07-25 04:47 . 2009-04-13 05:44   --------   d-----w-   c:\program files\Ice Cream Craze - Tycoon Takeover
        2010-07-21 05:27 . 2008-09-18 06:13   --------   d-----w-   c:\documents and settings\Doug Tennant\Application Data\LimeWire
        2010-07-18 21:02 . 2010-05-23 22:43   --------   d-----w-   c:\documents and settings\Doug Tennant\Application Data\freshgames
        2010-07-18 21:02 . 2009-01-24 01:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\FreshGames
        2010-07-17 12:00 . 2010-08-04 04:47   423656   ----a-w-   c:\windows\system32\deployJava1.dll
        2010-07-16 09:05 . 2009-08-03 00:03   --------   d-----w-   c:\program files\Full Tilt Poker
        2010-07-16 00:54 . 2008-10-06 20:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Sandlot Games
        2010-07-16 00:51 . 2010-07-16 00:49   --------   d-----w-   c:\program files\Cake Mania - Lights, Camera, Action
        2010-07-15 05:11 . 2008-12-19 03:23   --------   d-----w-   c:\program files\Fireworks Extravaganza
        2010-06-30 12:31 . 2003-04-15 13:00   149504   ----a-w-   c:\windows\system32\schannel.dll
        2010-06-24 12:10 . 2003-04-15 13:00   667136   ------w-   c:\windows\system32\wininet.dll
        2010-06-23 13:44 . 2003-04-15 13:00   1851904   ----a-w-   c:\windows\system32\win32k.sys
        2010-06-21 15:27 . 2003-04-15 13:00   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
        2010-06-17 14:03 . 2003-04-15 13:00   80384   ----a-w-   c:\windows\system32\iccvid.dll
        2010-06-14 07:41 . 2003-04-15 13:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
        2010-06-04 18:55 . 2010-06-04 18:55   229312   ----a-w-   c:\windows\system32\drivers\cmdGuard.sys
        2010-06-02 02:00 . 2010-06-02 02:00   278288   ----a-w-   c:\windows\system32\guard32.dll
        2010-06-02 02:00 . 2010-06-02 02:00   25240   ----a-w-   c:\windows\system32\drivers\cmdhlp.sys
        2010-06-02 02:00 . 2010-06-02 02:00   15464   ----a-w-   c:\windows\system32\drivers\cmderd.sys
        2010-06-01 17:37 . 2010-08-12 14:40   221568   ------w-   c:\windows\system32\MpSigStub.exe
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
        @="{95A27763-F62A-4114-9072-E81D87DE3B68}"
        [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
        2010-06-29 00:33   668816   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
        @="{E300CD91-100F-4E67-9AF3-1384A6124015}"
        [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
        2010-06-29 00:33   668816   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
        @="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
        [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
        2010-06-29 00:33   668816   ----a-r-   c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
        "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
        "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-23 155648]
        "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-23 126976]
        "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2010-06-29 900240]

        c:\documents and settings\Doug Tennant\Start Menu\Programs\Startup\
        OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

        c:\documents and settings\Cassie\Start Menu\Programs\Startup\
        OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-11-11 20:36   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "DisableNotifications"= 1 (0x1)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\MostFun\\Bin\\MostFun.exe"=
        "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
        "c:\\Program Files\\LimeWire\\LimeWire.exe"=
        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
        "c:\\Program Files\\iTunes\\iTunes.exe"=
        "c:\\Program Files\\Messenger\\msmsgs.exe"=

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
        "1900:UDP"= 1900:UDP:@xpsp2res.dll,-22007
        "2869:TCP"= 2869:TCP:@xpsp2res.dll,-22008

        R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [7/1/2010 12:07 PM 59240]
        R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [7/1/2010 12:07 PM 166632]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/15/2009 5:17 PM 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 5:17 PM 67656]
        R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [7/1/2010 12:07 PM 840936]
        S3 AVFSFilter;AVFSFilter;c:\windows\system32\DRIVERS\avfsfilter.sys --> c:\windows\system32\DRIVERS\avfsfilter.sys [?]
        S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
        S3 cpuz133;cpuz133;\??\c:\docume~1\DOUGTE~1\LOCALS~1\Temp\cpuz133\cpuz133_x32.sys --> c:\docume~1\DOUGTE~1\LOCALS~1\Temp\cpuz133\cpuz133_x32.sys [?]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 5:17 PM 12872]
        .
        Contents of the 'Scheduled Tasks' folder

        2010-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.google.com/
        uInternet Settings,ProxyOverride = *.local
        uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
        DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
        DPF: Microsoft XML Parser for Java
        DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
        DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260}
        FF - ProfilePath - c:\documents and settings\Doug Tennant\Application Data\Mozilla\Firefox\Profiles\79f9hx51.default\
        FF - prefs.js: browser.search.selectedEngine - Yahoo!
        FF - prefs.js: browser.startup.homepage - www.google.com
        FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

        ---- FIREFOX POLICIES ----
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type",                  5);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
        c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
        .
        - - - - ORPHANS REMOVED - - - -

        WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
        WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
        HKCU-Run-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
        HKLM-Run-COMODO Internet Security - c:\program files\COMODO\COMODO Internet Security\cfp.exe
        ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
        AddRemove-BFG-Cake Mania - Lights, Camera, Action - c:\program files\Cake Mania - Lights
        AddRemove-Yahoo! Messenger - c:\progra~1\Yahoo!\MESSEN~1\UNWISE.EXE
        AddRemove-Yahoo! Search Defender - c:\progra~1\Yahoo!\SEARCH~1\UNINST~1.EXE
        AddRemove-Yahoo! Software Update - c:\progra~1\Yahoo!\SOFTWA~1\UNINST~1.EXE



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-08-27 08:52
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
        @Denied: (2) (LocalSystem)
        "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
           d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7e,cf,7e,e4,12,82,a0,44,8d,45,3f,\
        "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
           d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7e,cf,7e,e4,12,82,a0,44,8d,45,3f,\

        [HKEY_USERS\S-1-5-21-854245398-1450960922-839522115-1006\Software\Zango\Common]
        @DACL=(02 0000)

        [HKEY_USERS\S-1-5-21-854245398-1450960922-839522115-1006\Software\Zango\HostOI]
        @DACL=(02 0000)

        [HKEY_USERS\S-1-5-21-854245398-1450960922-839522115-1006\Software\Zango\HostOL]
        @DACL=(02 0000)

        [HKEY_USERS\S-1-5-21-854245398-1450960922-839522115-1006\Software\Zango\Time]
        @DACL=(02 0000)

        [HKEY_USERS\S-1-5-21-854245398-1450960922-839522115-1006\Software\Zango\Zango]
        @DACL=(02 0000)

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
        @Denied: (A 2) (Everyone)
        @="FlashBroker"
        "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
        "Enabled"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
        @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

        [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
        @Denied: (A 2) (Everyone)
        @="IFlashBroker4"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
        @="{00020424-0000-0000-C000-000000000046}"

        [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
        @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
        "Version"="1.0"
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(464)
        c:\program files\SUPERAntiSpyware\SASWINLO.DLL

        - - - - - - - > 'explorer.exe'(6080)
        c:\program files\Trusteer\Rapport\bin\rooksbas.dll
        c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files\Bonjour\mDNSResponder.exe
        c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
        c:\program files\Java\jre6\bin\jqs.exe
        c:\windows\system32\pctspk.exe
        c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
        c:\windows\system32\wscntfy.exe
        c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
        c:\program files\OpenOffice.org 3\program\soffice.exe
        c:\program files\OpenOffice.org 3\program\soffice.bin
        c:\windows\System32\vssvc.exe
        c:\windows\System32\dllhost.exe
        c:\windows\System32\dllhost.exe
        c:\windows\System32\msdtc.exe
        .
        **************************************************************************
        .
        Completion time: 2010-08-27  09:06:57 - machine was rebooted
        ComboFix-quarantined-files.txt  2010-08-27 16:06

        Pre-Run: 2,229,399,552 bytes free
        Post-Run: 5,975,461,888 bytes free

        WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

        - - End Of File - - B910BC4274B69131E8D2C2D775A6DE61

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Can't find virus
        « Reply #5 on: August 28, 2010, 05:30:40 PM »
        Please go to Jotti's malware scan
        (If more than one file needs to be scanned, they must be done separately and a link posted for each one)

        * Copy the file path in the below Code box:

        Code:
        c:\documents and settings\Doug Tennant\Local Settings\Application Data\prvlcl.dat

        * At the upload site, click once inside the window next to Browse.
        * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
        * Next click Submit file
        * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
        * This will perform a scan across multiple different virus scanning engines.
        * Important: Wait for all of the scanning engines to complete.
        * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

        ***************************************
        P2P - I see you have P2P software installed on your machine (LimeWire). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

        Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

        I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
        *******************************************
        * Download the following tool: RootRepeal - Rootkit Detector
        * Direct download link is here: RootRepeal.zip

        * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
        * Click this link to see a list of such programs and how to disable them.

        * Extract the program file to a new folder such as C:\RootRepeal
        * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
        * Select ALL of the checkboxes and then click OK and it will start scanning your system.
        * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
        * When done, click on Save Report
        * Save it to the same location where you ran it from, such as C:\RootRepeal
        * Save it as rootrepeal.txt
        * Then open that log and select all and copy/paste it back on your next reply please.
        * Close RootRepeal.
        Windows 8 and Windows 10 dual boot with two SSD's
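When the RootRepeal report comes back, the "Hidden/Locked Files" section is the part worth reading first. Two things help when reading it: a path of the form file.exe:{GUID} is NTFS alternate data stream syntax (host file, colon, stream name), not a separate file, and an entry that is "Invisible to the Windows API!" on a plain file is the cross-view discrepancy the tool exists to find, because RootRepeal saw it on disk while Windows denies it exists. The script below is an added example, not part of this thread or of RootRepeal: it parses that section, splits each entry into host file and stream name, counts entries per status, groups streams per host file, and ranks an invisible plain file above everything else. The report text embedded in it is constructed for the example (including the hidden.sys entry); point it at a saved rootrepeal.txt for real use.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of RootRepeal's "Hidden/Locked Files" section.
# Every path here is made up for the example; nothing is copied from a real scan.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2010/08/31 09:33
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xABEFF000   Size: 49152   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\\Program Files\\ExampleGames\\Game1\\Game1.exe:{11111111-2222-3333-4444-555555555555}
Status: Visible to the Windows API, but not on disk.

Path: C:\\System Volume Information\\_restore{AAAA}\\RP1\\A0000001.exe:{11111111-2222-3333-4444-555555555555}
Status: Visible to the Windows API, but not on disk.

Path: C:\\Documents and Settings\\User\\Local Settings\\Application Data\\ExampleGames\\cache\\MD5-abc.kac:{66666666-7777-8888-9999-000000000000}
Status: Invisible to the Windows API!

Path: C:\\Documents and Settings\\User\\Local Settings\\Application Data\\ExampleGames\\cache\\Game1.exe
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\hidden.sys
Status: Invisible to the Windows API!
"""


@dataclass(frozen=True)
class Entry:
    host: str               # file path with any ":stream" suffix removed
    stream: Optional[str]   # NTFS alternate data stream name, or None for a plain file
    status: str             # RootRepeal's status text, verbatim

    @property
    def is_ads(self) -> bool:
        return self.stream is not None

    @property
    def in_restore_point(self) -> bool:
        # System Restore keeps copies of changed files; a stream seen there is
        # usually the same stream as on the live file, copied along with it.
        return "\\system volume information\\" in self.host.lower()


_DRIVE = re.compile(r"^([A-Za-z]:)(.*)$")


def split_stream(path: str) -> Tuple[str, Optional[str]]:
    """Split 'C:\\dir\\file.exe:name' into ('C:\\dir\\file.exe', 'name').
    A Windows path has exactly one colon (after the drive letter), so any
    further colon introduces an alternate data stream name."""
    m = _DRIVE.match(path)
    if not m:
        return path, None
    drive, rest = m.groups()
    host, sep, stream = rest.partition(":")
    return drive + host, (stream if sep else None)


def parse_hidden_files(report: str) -> List[Entry]:
    """Return the Path/Status pairs under 'Hidden/Locked Files'.
    Lines are stripped first so a report pasted with forum indentation parses too."""
    lines = [ln.strip() for ln in report.splitlines()]
    try:
        start = lines.index("Hidden/Locked Files") + 2   # skip the dashed underline
    except ValueError:
        return []
    entries: List[Entry] = []
    pending: Optional[str] = None
    for line in lines[start:]:
        if re.fullmatch(r"-{5,}", line):        # underline of the next section
            break
        if line.startswith("Path: "):
            pending = line[len("Path: "):]
        elif line.startswith("Status: ") and pending is not None:
            host, stream = split_stream(pending)
            entries.append(Entry(host, stream, line[len("Status: "):]))
            pending = None
    return entries


def triage(entries: List[Entry]) -> Dict[str, object]:
    """Summarise the section: counts per status, streams grouped by host file,
    and two ranked lists. 'priority' is invisible plain files outside restore
    points (the classic hidden-file signature); 'secondary' is invisible streams."""
    by_status = Counter(e.status for e in entries)
    streams: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.is_ads:
            streams[e.host].append(e.stream)
    invisible = [e for e in entries if e.status.startswith("Invisible")]
    return {
        "by_status": dict(by_status),
        "streams_per_host": dict(streams),
        "priority": [e for e in invisible if not e.is_ads and not e.in_restore_point],
        "secondary": [e for e in invisible if e.is_ads],
    }


if __name__ == "__main__":
    # Usage: python rootrepeal_triage.py  (or read a saved rootrepeal.txt instead)
    result = triage(parse_hidden_files(SAMPLE_REPORT))
    for status, n in result["by_status"].items():
        print(f"{n:3d}  {status}")
    for e in result["priority"]:
        print("LOOK FIRST:", e.host)
    for host, names in result["streams_per_host"].items():
        print(f"{host} carries {len(names)} stream(s): {', '.join(names)}")
```

The ranking is deliberately conservative: a GUID-named stream on a known game executable, or its copy in a restore point, is listed but not promoted, while a plain file that Windows cannot see is printed first so it is the one you submit for scanning.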

        dften

          Topic Starter


          Greenhorn

          Re: Can't find virus
          « Reply #6 on: August 31, 2010, 11:10:27 AM »

               As of this post, I still have not had any complaints about my computer operation. The popup windows have stopped and the crashes have ended. It now reboots cleanly every time as well.

               Thank you so very much for your time and knowledge to help me resolve this problem.

                The Jotti's scan failed; the file prvlcl.dat exists but is empty.

               Following is the rootrepeal log.
                 Thank you again.


          ROOTREPEAL (c) AD, 2007-2009
          ==================================================
          Scan Start Time:      2010/08/31 09:33
          Program Version:      Version 1.3.5.0
          Windows Version:      Windows XP SP3
          ==================================================

          Drivers
          -------------------
          Name: dump_atapi.sys
          Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
          Address: 0xAFA34000   Size: 98304   File Visible: No   Signed: -
          Status: -

          Name: dump_WMILIB.SYS
          Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
          Address: 0xF79E1000   Size: 8192   File Visible: No   Signed: -
          Status: -

          Name: rootrepeal.sys
          Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
          Address: 0xABEFF000   Size: 49152   File Visible: No   Signed: -
          Status: -

          Hidden/Locked Files
          -------------------
          Path: C:\Program Files\Yahoo! Games\Cake Mania 3\CakeMania3.exe:{DA8C0C61-F373-B99D-1FBA-B3730E61923D}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\Yahoo! Games\Diner Dash Seasonal Snack Pack\Diner Dash - Seasonal Snack Pack.exe:{90EA4EC0-A3AB-2159-1957-E47CC2A8B116}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\AliceGreenfingers\AliceGreenfingers.exe:{8BACC0FF-4D89-EC16-1108-637774987FCE}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\BeachPartyCraze\Beach Party Craze.exe:{FA05C3B9-AF1A-BDD5-49FB-4E3156B34A36}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\BigCityAdventureSanF\BigCityAdventureSF.exe:{C2F9F485-701F-16C4-DF0B-89094EFECFC8}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\BigKahunaReef\Big Kahuna Reef.exe:{65AA585D-F08B-074D-C06C-07247957A489}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\CoyotesTaleFireWater\Coyote's Tale - Fire and Water.exe:{A5A8F366-F13E-B2D3-0B56-8690C98543ED}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\DinerDash\Diner Dash.exe:{C8E7BCA3-9F68-C6AA-9D96-63E96C001CD2}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\DinerDash2\DINERD~1.EXE:{FCC2F2A2-704C-E965-1284-262EB7006E42}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\DreamChronicles\dream.exe:{E24C313D-3CDC-029E-4A71-D8A0D27FE112}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\FlowerShopBigCityBre\FlowerShop.exe:{E81A557E-DB90-875F-7148-ED546F67E219}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\GrannyInParadise\granny_download.exe:{FCB7B8B9-F576-2539-3F07-AEA9D711DDFA}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\MyExoticFarm\My Exotic Farm.exe:{EFB26D89-845D-2C30-617B-BC29625B4C65}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\MyFarm\MYFARM~1.EXE:{CA52DFF7-F3CA-0203-7593-97BC9324E53E}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\NatalieBrooksTheTrea\NatalieBrooksAndTheTreasuresOfTheLostKingdom.exe:{F78BD1E5-5461-2D13-23E0-B62E57FCCED0}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\PartyDown\Party Down.exe:{F4648391-C1D2-AEBD-D87C-6D1350852E82}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\SuperGranny3\SuperGranny3.exe:{F2F2123E-285A-FBC9-36B2-56E514542C48}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\SuperGranny4\SuperGranny4.exe:{975FE163-E625-A450-00D7-CE1DCAE734F1}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Program Files\MostFun\VirtualFarm\VirtualFarm.exe:{D726743A-B154-BD5D-1103-8E7A0FA5EEC7}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\System Volume Information\_restore{85DD7ABB-CB94-4C30-AC1E-15836A6C3899}\RP709\A0183141.exe:{DA8C0C61-F373-B99D-1FBA-B3730E61923D}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\System Volume Information\_restore{85DD7ABB-CB94-4C30-AC1E-15836A6C3899}\RP710\A0183174.exe:{DA8C0C61-F373-B99D-1FBA-B3730E61923D}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\System Volume Information\_restore{85DD7ABB-CB94-4C30-AC1E-15836A6C3899}\RP711\A0185307.exe:{DA8C0C61-F373-B99D-1FBA-B3730E61923D}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\System Volume Information\_restore{85DD7ABB-CB94-4C30-AC1E-15836A6C3899}\RP713\A0185376.exe:{DA8C0C61-F373-B99D-1FBA-B3730E61923D}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\System Volume Information\_restore{85DD7ABB-CB94-4C30-AC1E-15836A6C3899}\RP714\A0185460.exe:{DA8C0C61-F373-B99D-1FBA-B3730E61923D}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\System Volume Information\_restore{85DD7ABB-CB94-4C30-AC1E-15836A6C3899}\RP730\A0196262.exe:{A5A8F366-F13E-B2D3-0B56-8690C98543ED}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\MD5-03~2.KAC:{AEF97B55-0071-69E5-3FAE-EAE59CE90463}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\CakeMania.exe
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\MD5-141654fd5a54b3f196659f251e84ac29.kac:{1FC243EA-D060-1DCA-6D5F-EFE20E5357A9}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\MD5-141654fd5a54b3f196659f251e84ac29.kac:{263456DE-A2DC-8529-4724-2B4B54D7F062}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\MD5-141654fd5a54b3f196659f251e84ac29.kac:{9746B0B0-2FF2-AFDB-BC65-2A5275AEE51F}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\Poker3.exe
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\MD5-245e6745d8edbd289a27ced476b75306.kac:{5013EE1C-94DF-E951-CF33-EE34CBB8A32A}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\MD5-245e6745d8edbd289a27ced476b75306.kac:{7E3DBB60-530F-4807-82BA-46CB8AC007DD}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\MD5-245e6745d8edbd289a27ced476b75306.kac:{9F4BE79B-2C0E-9836-F8D0-54449CCA2E4C}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\NeoDesk_PokerSuperstarsIII.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\AliceGreenfingers.exe
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\MD5-ce300d20e5a67bd83db68508382c40b0.kac:{0A1362C8-DC47-C67A-E472-CB38AE68D8B9}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\MD5-ce300d20e5a67bd83db68508382c40b0.kac:{32B54FBB-6F35-F4CE-ECB1-75542EF8B8EE}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\MD5-ce300d20e5a67bd83db68508382c40b0.kac:{E953C340-4021-7A97-1D13-6EC647A9FB7A}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\dx7h.dll
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\NeoDesk_AliceGreenfingers.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\NeoEdge.Toast.Agent.dll
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\logo.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\NeoEdge.Toast.Services.dll
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\buy.swf
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\NeoEdge.Toast.Services.Agent.dll
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\mainmenu.swf
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\NeoEdge.Toast.dll
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\NeoDesk_BurgerIsland.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\KAC\NeoDesk_CAKEMANIA.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\NeoDesk_Plantasia.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_0.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\NeoDesk_ChessmasterChallenge.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\NeoDesk_SubwayScramble.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\bg_title.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_2.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\screensaver.exe
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_4.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_3.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_1_one_side.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\FireFlower_final.exe
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-58~1:{A9D0971D-00A9-D159-807B-C448B81CB050}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\main_menu.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\Labyrinth_map.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\NeoDesk_Lumen.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\NeoDesk.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_4_one_side.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\subwayscramble.exe
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-bfe8cdefa2e8e76f6b8a852586362295:{16AC9B92-DD70-FE91-5063-768001A06F4F}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-bfe8cdefa2e8e76f6b8a852586362295:{35889F0B-44AD-2A98-C778-02466259AE8E}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-bfe8cdefa2e8e76f6b8a852586362295:{790F86DE-D69E-52B3-26E6-A09034D8BDBE}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\NeoDesk_Numericon.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\Lumen.exe
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-38139b747b52ca1a6dcafa312421e388:{42696B1D-A4FE-19A4-55BF-8D7E66A6F1F4}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-38139b747b52ca1a6dcafa312421e388:{82D2A3E5-C8BF-10FE-368C-30E5167AE1A0}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-38139b747b52ca1a6dcafa312421e388:{A6DBE0C0-540D-E8FE-3FFF-4C3A9E206DB0}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\NeoDesk_FireFlower.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\TheKing.exe
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_2_one_side.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\NeoEdge.CustomInstallActions.CleanUpDirectory.dll
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-5D~2:{D145C9C2-A0CC-BC8A-31D3-AB1D19E6A077}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\NeoEdge.Services.Agent.WebServices.slp
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_1.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\global_map.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\chess.exe
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-96e803f11798283e20ebbf909dce3895:{37159234-61D0-D75C-E2F6-EF009D0BA960}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-96e803f11798283e20ebbf909dce3895:{B8421251-E8EA-A1EA-D5D2-7F2B19310CEA}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\MD5-96e803f11798283e20ebbf909dce3895:{BB957AB4-8AD3-8914-04E1-81D16F7C6DAE}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_5_one_side.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_0_one_side.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_3_one_side.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NAC\background_5.jpg
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_AliceGreenfingers\AliceGreenfingers.exe:{EA0FC4EC-08CE-2C25-A3A7-8DBDFD792781}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_BurgerIsland\MD5-03~2.KAC
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_BurgerIsland\BRBPreProcessed.js:{01236EA5-7868-37E3-77DF-E52B6FB8BA09}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_BurgerIsland\BRBPreProcessed.js:{08371451-0FFA-FEC8-A0BD-F5A4DB309C54}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_BurgerIsland\BRBPreProcessed.js:{70B926FB-8D8A-651C-281A-AEB08AA7B0E3}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_CAKEMANIA\CakeMania.exe:{B0E32714-8328-1726-1559-5DFF8ED3DF88}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_ChessmasterChallenge\chess.exe:{E0B7777B-5AA2-A5A1-510A-777B708E58E3}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_Lumen\Lumen.exe:{B1EACDC7-CDE6-7362-2957-668FA6361C67}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_Numericon\MD5-58~1
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_Numericon\numericon.log:{0508AD15-B60B-C8D3-6789-F4DFB4EDEB69}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_Numericon\numericon.log:{2890E61E-5654-2371-2A90-41E6C3CCDB8B}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_Numericon\numericon.log:{75FFCD3F-41B0-F147-98CA-CFCA6956692E}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_Plantasia\MD5-5D~2
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_Plantasia\playfirst_logo.jpg:{3AAC7C5B-641D-0D98-46D7-CAB550CF8B14}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_Plantasia\playfirst_logo.jpg:{443EEB83-83F0-7A98-683E-63176126C8C3}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_Plantasia\playfirst_logo.jpg:{BB79A83F-CF53-C094-941D-D402F2F4D1C9}
          Status: Invisible to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_PokerSuperstarsIII\Poker3.exe:{A2368D0A-75B7-3698-3F14-125C612E7BEA}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Application Data\MostFun\RuntimeState\{e634145e-a3b3-40c0-96be-a7d25867d156}\NeoDesk_SubwayScramble\subwayscramble.exe:{F2B40FBE-2905-BC69-D706-282A4B8C0DBA}
          Status: Visible to the Windows API, but not on disk.

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Apps\2.0\08AKZ821.CWC\0TXXZQDK.5K0\manifests\clickonce_bootstrap.exe.cdf-ms
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Apps\2.0\08AKZ821.CWC\0TXXZQDK.5K0\manifests\clickonce_bootstrap.exe.manifest
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Apps\2.0\08AKZ821.CWC\0TXXZQDK.5K0\manifests\Microsoft.DirectX.cdf-ms
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Apps\2.0\08AKZ821.CWC\0TXXZQDK.5K0\manifests\Microsoft.DirectX.manifest
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Apps\2.0\08AKZ821.CWC\0TXXZQDK.5K0\manifests\Microsoft.DirectX.DirectSound.cdf-ms
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Apps\2.0\08AKZ821.CWC\0TXXZQDK.5K0\manifests\Microsoft.DirectX.DirectSound.manifest
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Apps\2.0\08AKZ821.CWC\0TXXZQDK.5K0\manifests\WorkoutGenSD.exe.cdf-ms
          Status: Locked to the Windows API!

          Path: C:\Documents and Settings\Doug Tennant\Local Settings\Apps\2.0\08AKZ821.CWC\0TXXZQDK.5K0\manifests\WorkoutGenSD.exe.manifest
          Status: Locked to the Windows API!

          SSDT
          -------------------
          #: 019   Function Name: NtAssignProcessToJobObject
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2ce26

          #: 037   Function Name: NtCreateFile
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2d704

          #: 041   Function Name: NtCreateKey
          Status: Hooked by "<unknown>" at address 0xf7a971fe

          #: 053   Function Name: NtCreateThread
          Status: Hooked by "<unknown>" at address 0xf7a971f4

          #: 062   Function Name: NtDeleteFile
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2d864

          #: 063   Function Name: NtDeleteKey
          Status: Hooked by "<unknown>" at address 0xf7a97203

          #: 065   Function Name: NtDeleteValueKey
          Status: Hooked by "<unknown>" at address 0xf7a9720d

          #: 098   Function Name: NtLoadKey
          Status: Hooked by "<unknown>" at address 0xf7a97212

          #: 116   Function Name: NtOpenFile
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2d7c8

          #: 122   Function Name: NtOpenProcess
          Status: Hooked by "<unknown>" at address 0xf7a971e0

          #: 128   Function Name: NtOpenThread
          Status: Hooked by "<unknown>" at address 0xf7a971e5

          #: 137   Function Name: NtProtectVirtualMemory
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2d28e

          #: 177   Function Name: NtQueryValueKey
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb31190

          #: 192   Function Name: NtRenameKey
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb310fa

          #: 193   Function Name: NtReplaceKey
          Status: Hooked by "<unknown>" at address 0xf7a9721c

          #: 204   Function Name: NtRestoreKey
          Status: Hooked by "<unknown>" at address 0xf7a97217

          #: 213   Function Name: NtSetContextThread
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2cdcc

          #: 224   Function Name: NtSetInformationFile
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2d8c4

          #: 247   Function Name: NtSetValueKey
          Status: Hooked by "<unknown>" at address 0xf7a97208

          #: 254   Function Name: NtSuspendThread
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2cd68

          #: 257   Function Name: NtTerminateProcess
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2ccbc

          #: 258   Function Name: NtTerminateThread
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2cd04

          Shadow SSDT
          -------------------
          #: 007   Function Name: NtGdiAlphaBlend
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb33650

          #: 013   Function Name: NtGdiBitBlt
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb334e2

          #: 227   Function Name: NtGdiMaskBlt
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb3358a

          #: 237   Function Name: NtGdiPlgBlt
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb335d8

          #: 292   Function Name: NtGdiStretchBlt
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb33530

          #: 298   Function Name: NtGdiTransparentBlt
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb33614

          #: 378   Function Name: NtUserFindWindowEx
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2dbec

          #: 477   Function Name: NtUserPrintWindow
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb3368c

          #: 483   Function Name: NtUserQueryWindow
          Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xafb2db60

          ==EOF==
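
As an added example (not part of the thread and not RootRepeal's own code), a small Python parser for the SSDT / Shadow SSDT sections of a RootRepeal log in the layout shown above. It groups hooks by the module that owns them, pulls out the entries RootRepeal could only attribute to "<unknown>", and reports the address range each module's hooks occupy; the embedded sample is a constructed excerpt copied from that layout, not the full log.

```python
import re
from collections import defaultdict

# Constructed sample in the RootRepeal SSDT / Shadow SSDT layout (a handful of
# entries copied from the log above, not the complete log).
SAMPLE_LOG = """\
SSDT
-------------------
#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\\Program Files\\Trusteer\\Rapport\\bin\\RapportPG.sys" at address 0xafb2d704

#: 041   Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7a971fe

#: 122   Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7a971e0

Shadow SSDT
-------------------
#: 013   Function Name: NtGdiBitBlt
Status: Hooked by "C:\\Program Files\\Trusteer\\Rapport\\bin\\RapportPG.sys" at address 0xafb334e2

==EOF==
"""

HEADER_RE = re.compile(r'^\s*#:\s*(\d+)\s+Function Name:\s*(\S+)\s*$')
STATUS_RE = re.compile(r'^\s*Status:\s*Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)\s*$')


def parse_hooks(text):
    """Return one dict per hooked syscall, tagged with the table it sat under."""
    hooks, table = [], None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped in ("SSDT", "Shadow SSDT"):
            table = stripped          # section header: remember which table follows
            continue
        head = HEADER_RE.match(line)
        if not head or i + 1 >= len(lines):
            continue
        status = STATUS_RE.match(lines[i + 1])   # the "Status:" line pairs with "#:"
        if not status:
            continue
        hooks.append({
            "table": table,
            "index": int(head.group(1)),
            "function": head.group(2),
            "module": status.group(1),
            "address": int(status.group(2), 16),
        })
    return hooks


def hooks_by_module(hooks):
    """Map each hooking module to the list of syscalls it hooks, in log order."""
    groups = defaultdict(list)
    for h in hooks:
        groups[h["module"]].append(h["function"])
    return dict(groups)


def unattributed_hooks(hooks):
    """Hooks RootRepeal could not map to a loaded driver; a known product such as
    Rapport resolves to its .sys path, so these are the ones to examine first."""
    return [h for h in hooks if h["module"] == "<unknown>"]


def address_span(hooks):
    """Lowest and highest hook address per module. Unattributed hooks packed into
    one small range usually belong to a single hidden driver's dispatch table."""
    spans = {}
    for h in hooks:
        lo, hi = spans.get(h["module"], (h["address"], h["address"]))
        spans[h["module"]] = (min(lo, h["address"]), max(hi, h["address"]))
    return spans


if __name__ == "__main__":
    found = parse_hooks(SAMPLE_LOG)
    for module, funcs in hooks_by_module(found).items():
        lo, hi = address_span(found)[module]
        print(f"{module}: {len(funcs)} hooks in 0x{lo:08x}..0x{hi:08x}")
    for h in unattributed_hooks(found):
        print(f"  unattributed {h['table']} #{h['index']:03d} {h['function']}")
```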

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Can't find virus
          « Reply #7 on: August 31, 2010, 01:22:03 PM »
          I'd like to scan your machine with ESET OnlineScan

          • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
          ESET OnlineScan
          • Click the button.
          • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          • Click on to download the ESET Smart Installer. Save it to your desktop.
          • Double click on the icon on your desktop.
          • Check
          • Click the button.
          • Accept any security warnings from your browser.
          • Check
          • Push the Start button.
          • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
          • When the scan completes, push
          • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
          • Push the button.
          • Push
          A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

          Windows 8 and Windows 10 dual boot with two SSD's

          dften

            Topic Starter


            Greenhorn

            Re: Can't find virus
            « Reply #8 on: September 01, 2010, 02:06:23 AM »

                I got and ran Eset as directed and the scan came up clean. No threats found, no files fixed.

            SuperDave

            Re: Can't find virus
            « Reply #9 on: September 02, 2010, 07:14:23 PM »
            That sounds good. If there are no other issues, it's time for some cleanup.

            * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
            * Now type commy /uninstall in the runbox
            * Make sure there's a space between commy and /Uninstall
            * Then hit Enter

            * The above procedure will:
            * Delete the following:
            * ComboFix and its associated files and folders.
            * Reset the clock settings.
            * Hide file extensions, if required.
            * Hide System/Hidden files, if required.
            * Set a new, clean Restore Point.
            ******************************
            Download OTC by OldTimer and save it to your desktop.

            1. Double-click OTC to run it.
            2. Click the CleanUp! button.
            3. Select Yes when the "Begin cleanup Process?" prompt appears.
            4. If you are prompted to Reboot during the cleanup, select Yes
            5. OTC should delete itself once it finishes, if not delete it yourself.

            *******************************
            Clean out your temporary internet files and temp files.

            Download TFC by OldTimer to your desktop.

            Double-click TFC.exe to run it.

            Note: If you are running on Vista, right-click on the file and choose Run As Administrator

            TFC will close all programs when run, so make sure you have saved all your work before you begin.

            * Click the Start button to begin the cleaning process.
            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
            * Please let TFC run uninterrupted until it is finished.

            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

            ******************************
            Use the Secunia Software Inspector to check for out of date software.

            • Click Start Now

            • Check the box next to Enable thorough system inspection.

            • Click Start

            • Allow the scan to finish and scroll down to see if any updates are needed.
            • Update anything listed.
            ----------

            Go to Microsoft Windows Update and get all critical updates.

            ----------

            I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

            SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * Using SpywareBlaster to protect your computer from Spyware and Malware
            * If you don't know what ActiveX controls are, see here

            Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

            Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
            Safe Surfing!