Infections I haven't been able to remove



On a side-note, in the last 2-3 days I have been able to turn on Windows Defender again, which I have not been able to do for weeks. I still cannot turn on my Firewall nor MSE. Nor am I allowed to uninstall MSE so as to install it again. It keeps giving me that message about needing a bogus filter rollup file to install the program and sends me off to download a file for XP, not Vista.


Bingo. You rock.

ComboFix 12-03-09.05 - Owner 03/15/2012 15:25:53.1.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1349 [GMT -7:00]

Running from: c:\users\Owner\Desktop\combofix.exe

Command switches used :: /nombr

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

- REDUCED FUNCTIONALITY MODE -

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\System Check.lnk

c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Check\Uninstall System Check.lnk

c:\windows\system32\dds_trash_log.cmd

.

.

((((((((((((((((((((((((( Files Created from 2012-02-15 to 2012-03-15 )))))))))))))))))))))))))))))))

.

.

2012-03-15 22:27 . 2012-03-15 22:33 -------- d-----w- c:\users\Owner\AppData\Local\temp

2012-03-15 22:27 . 2012-03-15 22:27 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-03-14 04:38 . 2012-03-14 04:38 -------- d-----w- C:\ieexplore

2012-03-13 18:22 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-03-13 18:22 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-03-13 18:22 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll

2012-03-13 18:22 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2012-03-13 18:22 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2012-03-13 18:22 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll

2012-03-13 18:22 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2012-03-13 04:10 . 2012-03-13 04:10 -------- d--h--w- c:\windows\PIF

2012-03-07 21:52 . 2012-03-07 21:52 2923248 ----a-w- c:\users\Owner\WindowsXP-KB914882-x86-ENU.exe

2012-03-06 01:52 . 2012-03-06 01:51 389024 ----a-w- c:\windows\unhide.exe

2012-03-06 00:04 . 2012-03-06 00:03 607260 ------r- c:\program files\dds.scr

2012-02-15 14:22 . 2011-12-14 03:32 141112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll

2012-02-15 14:22 . 2011-12-14 02:54 194048 ----a-w- c:\program files\Internet Explorer\IEShims.dll

2012-02-15 14:22 . 2011-12-14 02:59 678912 ----a-w- c:\program files\Internet Explorer\iedvtool.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-13 18:50 . 2011-05-17 08:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-03-01 21:34 . 2012-03-13 19:29 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5950FDF1-C830-42C9-9E49-871C801BDDE0}\mpengine.dll

2012-02-23 17:18 . 2010-01-31 09:43 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-02-02 15:16 . 2012-03-13 18:22 2044416 ----a-w- c:\windows\system32\win32k.sys

2012-01-09 15:54 . 2012-03-13 18:22 613376 ----a-w- c:\windows\system32\rdpencom.dll

2011-12-26 18:31 . 2011-12-26 18:31 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3A8C709D-6A03-4C35-9BA8-D019E8894430}\offreg.dll

2011-12-19 16:27 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-12-19 16:27 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-10-01 2295080]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 729088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-12-19 296056]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2007-9-19 282624]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

U81xbus

hpdskflt

LwUsbHid

mi-raysat_3dsMax2008_32

cpqdmi

sdcoreservice

WaveFDE

btwavdt

usbio

abiosdsk

update

roxmediadb

forcewarewebinterface

db2ntsecserver

houdinilicenseserver

ypcservice

cdudf_xp

symmpi

mqdmbus

Wtcls2k

netcfgsvr

NetTcpActivator

bwmservice

CDRPDACC

tosrfusb

w810bus

mail2ec

alerter

lxcf_device

acmservice

Spsmqvsm

dmprimer

WcesComm

pcx1unic

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\shell\AutoRun\command - E:\Autorun.exe

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bab5aa97-8580-11df-8545-001a73ca750c}]

\shell\AutoRun\command - F:\VZAccess_Manager.exe /z detect

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5db9a4c-1513-11e0-9571-001a73ca750c}]

\shell\AutoRun\command - F:\VZAccess_Manager.exe /z detect

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5db9a52-1513-11e0-9571-001a73ca750c}]

\shell\AutoRun\command - G:\VZAccess_Manager.exe /z detect

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-23 c:\windows\Tasks\HPCeeScheduleForOwner.job

- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-08-04 21:23]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

TCP: DhcpNameServer = 192.168.1.254

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

HKU-Default-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe

HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe

SafeBoot-MsMpSvc

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-15 15:31

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2b,6f,

36,3f,a7,59,09,d5,8b,53,ec,9e,f5,e0,78

"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,

02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7

"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,

57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b

"{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}"=hex:51,66,7a,6c,4c,1d,38,12,70,56,ea,

6c,23,4a,8a,0d,e5,b9,08,84,2f,34,02,aa

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{03C1C47F-0538-4645-8372-D3109B9FC636}"=hex:51,66,7a,6c,4c,1d,38,12,11,c7,d2,

07,0a,4b,2b,03,fc,64,90,50,9e,c1,82,22

"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,

fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17

"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,

b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:da,fd,33,c1,1e,bc,cc,01

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,6a,24,96,a5,f9,aa,47,8b,65,f0,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,6a,24,96,a5,f9,aa,47,8b,65,f0,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(2868)

c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\WLANExt.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

c:\windows\system32\locator.exe

c:\program files\Viewpoint\Common\ViewpointService.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files\Spybot - Search & Destroy\SDWinSec.exe

c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe

c:\windows\System32\rundll32.exe

c:\program files\Windows Media Player\wmpnscfg.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

c:\program files\SYNAPTICS\SYNTP\SYNTPHELPER.EXE

c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE

c:\program files\Hewlett-Packard\Shared\HpqToaster.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

c:\windows\servicing\TrustedInstaller.exe

.

**************************************************************************

.

Completion time: 2012-03-15 15:41:50 - machine was rebooted

ComboFix-quarantined-files.txt 2012-03-15 22:39

.

Pre-Run: 79,000,879,104 bytes free

Post-Run: 78,929,362,944 bytes free

.

- - End Of File - - C4D5A0969DE7D800A41EAD17850BCFF1


No dice. The route you had me take did say "limited functionality" when I ran the scan. It deleted some files. But I've tried ComboFix multiple times in regular mode and safe mode. It gives me the pop ups of RootkitZeroAccess is detected and wait for some moments. But nothing happens. It just eventually freezes my pc.


Let's see if this will run.

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.


Hmmm...doesn't look like anything turned up.

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-03-16 19:11:00

Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9160821AS rev.3.BHE

Running: f2uhbhyo.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kgloapow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Just going to mention one other thing, since you instructed me to run GMER on only my C drive. I have a D drive that is about 6.6 GB of HP Recovery. And also, a Local F drive was created a little while back, but I don't recall what program required it to be made. It says it has .03 GB used, although when you open it, it says the folder is empty. I assume the .03 GB is simply for formatting. When I opened it, it had a $Recycle Bin folder (empty) in it, which I deleted.

I don't think these two drives contain the problem, but I'm certainly not an expert so I am mentioning them to you.


Start -> Run (if you're using Vista/7, press and hold the Windows key on your keyboard and then press R to access Run):

type diskmgmt.msc

Click "OK"

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screenshot of the Disk Management window and attach the screenshot to your reply. You can take a screenshot by pressing the PrintScreen/PrtScrn button located somewhere at the top of your keyboard and using Paste in the Paint program to paste the copied screenshot.

==========================


I'm not sure about that F partition or all those NetSvcs.

Download OTL to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Custom Scan box paste this in:
    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and include them in your next post.

Please include the following in your next post:

  • OTL and Extras logs

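The helper above asks for OTL's netsvcs output because the ComboFix log lists dozens of names under "Svchost - NetSvcs". One way to triage such a list, as an added example that is not part of this thread and is not code from ComboFix or OTL, is to cross-reference the ComboFix NetSvcs block with OTL's "SRV - (name) -- path" lines and flag every name whose service entry is either absent from OTL or marked "File not found". The sample log lines below are constructed from the two formats shown in this thread; the regular expressions, function names and the assumption that a lone "." or the next bracketed key closes the ComboFix block are my own.

```python
"""Cross-reference ComboFix 'Svchost - NetSvcs' names against OTL service lines.

Added example (not from the forum thread, ComboFix or OTL). Parses the two log
formats as they appear in the thread and reports NetSvcs entries that point at
nothing on disk, which is the question the helper raised.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a fragment of a ComboFix 'Reg Loading Points' section.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
U81xbus
hpdskflt
NetTcpActivator
abiosdsk
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - E:\Autorun.exe
"""

# Constructed sample: OTL 'Win32 Services (SafeList)' lines. 'abiosdsk' is
# deliberately absent so the "no SRV entry at all" path is exercised.
OTL_SAMPLE = r"""
========== Win32 Services (SafeList) ==========
SRV - (U81xbus) -- %systemroot%\system32\vsapint.dll File not found
SRV - (hpdskflt) -- %systemroot%\system32\basic2.dll File not found
SRV - (NetTcpActivator) -- \.\globalroot\C:\Windows\system32\svchost.exe File not found
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
"""

# Assumed formats: the NetSvcs block header ends in '\Svchost - NetSvcs';
# an OTL service line is 'SRV - (name) -- path [File not found | (Company)]'.
NETSVCS_HEADER_RE = re.compile(r"\\Svchost - NetSvcs\s*$", re.IGNORECASE)
SRV_LINE_RE = re.compile(r"^SRV - \((?P<name>[^)]+)\)(?: [^-]*)? -- (?P<rest>.*)$")
MISSING_MARKER = "File not found"


@dataclass
class ServiceEntry:
    name: str
    path: str
    found: bool  # False when OTL appended 'File not found'


def parse_combofix_netsvcs(text: str) -> List[str]:
    """Return the service names ComboFix lists under 'Svchost - NetSvcs'.

    ComboFix prints one name per line; a lone '.' or the next bracketed
    registry key ends the block.
    """
    names: List[str] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = bool(NETSVCS_HEADER_RE.search(line))
            continue
        if line == "." or line.startswith("["):
            break
        if line:
            names.append(line)
    return names


def parse_otl_services(text: str) -> Dict[str, ServiceEntry]:
    """Index OTL 'SRV -' lines by lower-cased service name."""
    entries: Dict[str, ServiceEntry] = {}
    for raw in text.splitlines():
        m = SRV_LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        missing = rest.endswith(MISSING_MARKER)
        path = rest[: -len(MISSING_MARKER)].rstrip() if missing else rest
        entries[m.group("name").lower()] = ServiceEntry(m.group("name"), path, not missing)
    return entries


def orphaned_netsvcs(combofix_text: str, otl_text: str) -> List[str]:
    """NetSvcs names whose OTL service entry is absent or 'File not found'."""
    services = parse_otl_services(otl_text)
    flagged = []
    for name in parse_combofix_netsvcs(combofix_text):
        entry = services.get(name.lower())
        if entry is None or not entry.found:
            flagged.append(name)
    return sorted(flagged, key=str.lower)


if __name__ == "__main__":
    services = parse_otl_services(OTL_SAMPLE)
    for name in orphaned_netsvcs(COMBOFIX_SAMPLE, OTL_SAMPLE):
        entry = services.get(name.lower())
        detail = entry.path if entry else "no SRV entry in OTL output"
        print(f"{name:20s} {detail}")
```

Names this flags are review candidates, not proof of infection: a service registration whose binary is gone is also what a sloppy uninstall leaves behind, so each hit still needs a look at the registry key and, where a file exists, at its signer.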

Ok, had a surprise last night. I ran mbam, as I'm doing often, no infections detected. Also ran Spybot SD, which I had not run for a few days, and removed some things. Then noticed things were different.

I checked to see if I could turn on my Firewall, it was already on. At least it's telling me it's on. There was a time when it wasn't on, but would tell me it was on. As far as I can tell, I do believe it is operating now. Although for the life of me, I can't figure out why it all of a sudden now is working.

Secondly, I was still missing some items on my Start up Menu, like Control Panel, Help and Support, Pictures, Music, etc.... I thought they were just left over hiddens from my battles with the infections. Previously, when I would start up in regular mode, the infection would start hiding all my stuff. I ran unhide two or three times a couple of weeks ago as I would go back and forth from safe to reg mode. I'd been intending to run the unhide again when I had time to sit here and monitor it to get those items back. But as I mentioned, they appeared out of nowhere. I cannot be positive that these changes happened after running Mbam and Spybot, cause I was not paying attention. They may have been restored prior.

Perhaps the hidden things are just the pc gradually discovering things on its own and restoring them as I start using old programs more and more. I dunno. The Firewall coming back has me puzzled though.

OTL Results:

OTL logfile created on: 3/20/2012 7:29:26 PM - Run 1

OTL by OldTimer - Version 3.2.39.1 Folder = G:\

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.94 Gb Total Physical Memory | 0.61 Gb Available Physical Memory | 31.28% Memory free

4.50 Gb Paging File | 1.79 Gb Available in Paging File | 39.83% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 140.62 Gb Total Space | 77.28 Gb Free Space | 54.95% Space Free | Partition Type: NTFS

Drive D: | 7.36 Gb Total Space | 0.74 Gb Free Space | 10.00% Space Free | Partition Type: NTFS

Drive F: | 1.07 Gb Total Space | 1.04 Gb Free Space | 96.98% Space Free | Partition Type: NTFS

Drive G: | 3.80 Gb Total Space | 3.79 Gb Free Space | 99.79% Space Free | Partition Type: FAT32

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - G:\OTL.exe (OldTimer Tools)

PRC - C:\Windows\System32\Macromed\Flash\FlashUtil11g_ActiveX.exe (Adobe Systems, Inc.)

PRC - C:\Program Files\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)

PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

PRC - C:\Windows\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)

PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)

PRC - C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe (ScanSoft, Inc.)

========== Modules (No Company Name) ==========

MOD - C:\Program Files\Adobe\Reader 8.0\Reader\ViewerPS.dll ()

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\ASL.dll ()

MOD - C:\Program Files\HP\QuickPlay\Kernel\TV\CLTinyDB.dll ()

MOD - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapEngine.dll ()

MOD - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSchMgr.dll ()

MOD - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvcps.dll ()

========== Win32 Services (SafeList) ==========

SRV - (ypcservice) -- %systemroot%\system32\mrvw245.dll File not found

SRV - (Wtcls2k) -- %systemroot%\system32\cpqrcmc.dll File not found

SRV - (WcesComm) -- %systemroot%\system32\iam.dll File not found

SRV - (WaveFDE) -- %systemroot%\system32\pdlnemap.dll File not found

SRV - (w810bus) -- %systemroot%\system32\sthda.dll File not found

SRV - (usbio) -- %systemroot%\system32\WUSB54Gv4SVC.dll File not found

SRV - (update) -- %systemroot%\system32\RadProbe.dll File not found

SRV - (U81xbus) -- %systemroot%\system32\vsapint.dll File not found

SRV - (tosrfusb) -- %systemroot%\system32\pdlndqll.dll File not found

SRV - (symmpi) -- %systemroot%\system32\mcredirector.dll File not found

SRV - (Spsmqvsm) -- %systemroot%\system32\PAC7302.dll File not found

SRV - (sdcoreservice) -- %systemroot%\system32\areschatserver.dll File not found

SRV - (SBSDWSCService) -- C:\Program Files\Spybot File not found

SRV - (roxmediadb) -- %systemroot%\system32\flpydisk.dll File not found

SRV - (pcx1unic) -- %systemroot%\system32\Nmea.dll File not found

SRV - (NetTcpActivator) -- \.\globalroot\C:\Windows\system32\svchost.exe File not found

SRV - (netcfgsvr) -- \.\globalroot\C:\Windows\system32\svchost.exe File not found

SRV - (mqdmbus) -- %systemroot%\system32\nv4.dll File not found

SRV - (mi-raysat_3dsMax2008_32) -- %systemroot%\system32\mi-raysat_3dsmax8.dll File not found

SRV - (mail2ec) -- %systemroot%\system32\bb-run.dll File not found

SRV - (lxcf_device) -- %systemroot%\system32\netrcacm.dll File not found

SRV - (LwUsbHid) -- %systemroot%\system32\vhidmini.dll File not found

SRV - (hpdskflt) -- %systemroot%\system32\basic2.dll File not found

SRV - (houdinilicenseserver) -- \.\globalroot\C:\Windows\system32\svchost.exe File not found

SRV - (forcewarewebinterface) -- %systemroot%\system32\TPPWRIF.dll File not found

SRV - (dmprimer) -- %systemroot%\system32\FreeTdi.dll File not found

SRV - (db2ntsecserver) -- %systemroot%\system32\lxbu_device.dll File not found

SRV - (cpqdmi) -- %systemroot%\system32\avgio.dll File not found

SRV - (cdudf_xp) -- %systemroot%\system32\radclock.dll File not found

SRV - (CDRPDACC) -- %systemroot%\system32\SlNtHal.dll File not found

SRV - (bwmservice) -- %systemroot%\system32\hclinetd.dll File not found

SRV - (btwavdt) -- %systemroot%\system32\se58mdm.dll File not found

SRV - (acmservice) -- %systemroot%\system32\DellAMBrokerService.dll File not found

SRV - (abiosdsk) -- %systemroot%\system32\diskperf.dll File not found

SRV - (NisSrv) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)

SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

========== Driver Services (SafeList) ==========

DRV - (pgjpxip) -- System32\drivers\wucwo.sys File not found

DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found

DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found

DRV - (nirt) -- System32\drivers\voctbbry.sys File not found

DRV - (MpKslfeeef98d) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F814F7FC-9794-40B4-82B5-31C885B0CFE4}\MpKslfeeef98d.sys File not found

DRV - (MpKslcfdd02b5) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63944471-EB60-4FC0-B4DF-C82C4BB7CD18}\MpKslcfdd02b5.sys File not found

DRV - (MpKsl87a4b570) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63944471-EB60-4FC0-B4DF-C82C4BB7CD18}\MpKsl87a4b570.sys File not found

DRV - (MpKsl7822d4ae) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4A683FD5-BF58-43C0-9297-A737121C30AF}\MpKsl7822d4ae.sys File not found

DRV - (MpKsl60112352) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2ABA641D-25A7-4764-89C7-381D2C4D11B8}\MpKsl60112352.sys File not found

DRV - (MpKsl5699652f) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5489BF18-738E-4984-84E6-4905A03FB040}\MpKsl5699652f.sys File not found

DRV - (MpKsl3aff7631) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{50D9AB1C-A2F8-4E13-9C73-29450A54A765}\MpKsl3aff7631.sys File not found

DRV - (MpKsl0cba7c5d) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8285B75C-890B-4747-8165-26CF0DFF5395}\MpKsl0cba7c5d.sys File not found

DRV - (MpKsl0b5bfdbb) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{077FF1BE-D17E-421B-9CEC-F748555BE244}\MpKsl0b5bfdbb.sys File not found

DRV - (MpKsl0aef8e47) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1D179CC0-5036-43F4-B9AC-2EEEAE774FD9}\MpKsl0aef8e47.sys File not found

DRV - (MpKsl06f78e51) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{50D9AB1C-A2F8-4E13-9C73-29450A54A765}\MpKsl06f78e51.sys File not found

DRV - (kgloapow) -- C:\Users\Owner\AppData\Local\Temp\kgloapow.sys File not found

DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found

DRV - (garee) -- System32\drivers\uamddits.sys File not found

DRV - (eslvbdj) -- System32\drivers\jucfh.sys File not found

DRV - (catchme) -- C:\ComboFix\catchme.sys File not found

DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found

DRV - (HBtnKey) -- C:\Windows\System32\drivers\CPQBttn.sys (Hewlett-Packard Company)

DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)

DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)

DRV - (ZTEusbser6k) -- C:\Windows\System32\drivers\ZTEusbser6k.sys (ZTE Incorporated)

DRV - (ZTEusbnmeaext) -- C:\Windows\System32\drivers\ZTEusbnmeaext.sys (ZTE Incorporated)

DRV - (ZTEusbnmea) -- C:\Windows\System32\drivers\ZTEusbnmea.sys (ZTE Incorporated)

DRV - (ZTEusbmdm6k) -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys (ZTE Incorporated)

DRV - (ZTEusbgps) -- C:\Windows\System32\drivers\ZTEusbgps.sys (ZTE Incorporated)

DRV - (massfilter) -- C:\Windows\System32\drivers\massfilter.sys (MBB Incorporated)

DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)

DRV - (RMCAST) RMCAST (Pgm) -- C:\Windows\System32\drivers\rmcast.sys (Microsoft Corporation)

DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)

DRV - (NWUSBCDFIL) -- C:\Windows\System32\drivers\NwUsbCdFil.sys (Novatel Wireless Inc.)

DRV - (NWADI) -- C:\Windows\System32\drivers\NWADIenum.sys (Novatel Wireless Inc)

DRV - (NWUSBPort2) -- C:\Windows\System32\drivers\nwusbser2.sys (Novatel Wireless Inc.)

DRV - (NWUSBPort) -- C:\Windows\System32\drivers\nwusbser.sys (Novatel Wireless Inc.)

DRV - (NWUSBModem) -- C:\Windows\System32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)

DRV - (CnxtHdAudService) -- C:\Windows\System32\drivers\CHDRT32.sys (Conexant Systems Inc.)

DRV - (HdAudAddService) -- C:\Windows\System32\drivers\CHDART.sys (Conexant Systems Inc.)

DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)

DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)

DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)

DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)

DRV - (WinPhlash) -- C:\SwSetup\SP42853\SWinFlash\PhlashNT.sys ()

DRV - (eabfiltr) -- C:\Windows\System32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)

DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

IE - HKLM\..\SearchScopes,DefaultScope = {8E8176CF-3C72-4F29-B0AF-5E670D763FBD}

IE - HKLM\..\SearchScopes\{037039D8-8C53-43CC-95BE-198556E66531}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

IE - HKLM\..\SearchScopes\{8E8176CF-3C72-4F29-B0AF-5E670D763FBD}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

IE - HKLM\..\SearchScopes\{E4A7BA5D-1FCA-4261-85CA-307FC5471A6D}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKCU\..\SearchScopes,DefaultScope = {8E8176CF-3C72-4F29-B0AF-5E670D763FBD}

IE - HKCU\..\SearchScopes\{037039D8-8C53-43CC-95BE-198556E66531}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

IE - HKCU\..\SearchScopes\{8E8176CF-3C72-4F29-B0AF-5E670D763FBD}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

IE - HKCU\..\SearchScopes\{E4A7BA5D-1FCA-4261-85CA-307FC5471A6D}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/12/19 09:28:06 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2012/03/16 00:31:56 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()

O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)

O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [OPSE reminder] C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)

O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3C4C231C-BD71-4AC7-A165-5023550969D3}: DhcpNameServer = 192.168.1.254

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/08/04 04:08:39 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O32 - AutoRun File - [2005/09/11 08:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]

O33 - MountPoints2\{bab5aa97-8580-11df-8545-001a73ca750c}\Shell - "" = AutoRun

O33 - MountPoints2\{bab5aa97-8580-11df-8545-001a73ca750c}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect

O33 - MountPoints2\{c5db9a4c-1513-11e0-9571-001a73ca750c}\Shell - "" = AutoRun

O33 - MountPoints2\{c5db9a4c-1513-11e0-9571-001a73ca750c}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect

O33 - MountPoints2\{c5db9a52-1513-11e0-9571-001a73ca750c}\Shell - "" = AutoRun

O33 - MountPoints2\{c5db9a52-1513-11e0-9571-001a73ca750c}\Shell\AutoRun\command - "" = G:\VZAccess_Manager.exe /z detect

O33 - MountPoints2\E\Shell - "" = AutoRun

O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\Autorun.exe

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found

NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)

NetSvcs: Nla - File not found

NetSvcs: Ntmssvc - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: SRService - File not found

NetSvcs: U81xbus - %systemroot%\system32\vsapint.dll File not found

NetSvcs: hpdskflt - %systemroot%\system32\basic2.dll File not found

NetSvcs: LwUsbHid - %systemroot%\system32\vhidmini.dll File not found

NetSvcs: mi-raysat_3dsMax2008_32 - %systemroot%\system32\mi-raysat_3dsmax8.dll File not found

NetSvcs: cpqdmi - %systemroot%\system32\avgio.dll File not found

NetSvcs: sdcoreservice - %systemroot%\system32\areschatserver.dll File not found

NetSvcs: WaveFDE - %systemroot%\system32\pdlnemap.dll File not found

NetSvcs: btwavdt - %systemroot%\system32\se58mdm.dll File not found

NetSvcs: usbio - %systemroot%\system32\WUSB54Gv4SVC.dll File not found

NetSvcs: abiosdsk - %systemroot%\system32\diskperf.dll File not found

NetSvcs: update - %systemroot%\system32\RadProbe.dll File not found

NetSvcs: roxmediadb - %systemroot%\system32\flpydisk.dll File not found

NetSvcs: forcewarewebinterface - %systemroot%\system32\TPPWRIF.dll File not found

NetSvcs: db2ntsecserver - %systemroot%\system32\lxbu_device.dll File not found

NetSvcs: houdinilicenseserver - \.\globalroot\C:\Windows\system32\svchost.exe File not found

NetSvcs: ypcservice - %systemroot%\system32\mrvw245.dll File not found

NetSvcs: cdudf_xp - %systemroot%\system32\radclock.dll File not found

NetSvcs: symmpi - %systemroot%\system32\mcredirector.dll File not found

NetSvcs: mqdmbus - %systemroot%\system32\nv4.dll File not found

NetSvcs: Wtcls2k - %systemroot%\system32\cpqrcmc.dll File not found

NetSvcs: netcfgsvr - \.\globalroot\C:\Windows\system32\svchost.exe File not found

NetSvcs: NetTcpActivator - \.\globalroot\C:\Windows\system32\svchost.exe File not found

NetSvcs: bwmservice - %systemroot%\system32\hclinetd.dll File not found

NetSvcs: CDRPDACC - %systemroot%\system32\SlNtHal.dll File not found

NetSvcs: tosrfusb - %systemroot%\system32\pdlndqll.dll File not found

NetSvcs: w810bus - %systemroot%\system32\sthda.dll File not found

NetSvcs: mail2ec - %systemroot%\system32\bb-run.dll File not found

NetSvcs: alerter - File not found

NetSvcs: lxcf_device - %systemroot%\system32\netrcacm.dll File not found

NetSvcs: acmservice - %systemroot%\system32\DellAMBrokerService.dll File not found

NetSvcs: Spsmqvsm - %systemroot%\system32\PAC7302.dll File not found

NetSvcs: dmprimer - %systemroot%\system32\FreeTdi.dll File not found

NetSvcs: WcesComm - %systemroot%\system32\iam.dll File not found

NetSvcs: pcx1unic - %systemroot%\system32\Nmea.dll File not found

NetSvcs: WmdmPmSp - File not found

NetSvcs: LogonHours - File not found

NetSvcs: PCAudit - File not found

NetSvcs: helpsvc - File not found

NetSvcs: uploadmgr - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)

Drivers32: msacm.l3codecp - File not found

Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)

Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT

Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/03/16 00:50:20 | 000,000,000 | --SD | C] -- C:\ComboFix

[2012/03/16 00:39:35 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2012/03/16 00:39:34 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\temp

[2012/03/16 00:32:25 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2012/03/13 21:38:19 | 000,000,000 | ---D | C] -- C:\ieexplore

[2012/03/12 21:10:39 | 000,000,000 | -H-D | C] -- C:\Windows\PIF

[2012/03/08 00:29:58 | 004,432,147 | R--- | C] (Swearware) -- C:\Users\Owner\Desktop\ComboFix.exe

[2012/03/08 00:08:12 | 000,607,260 | ---- | C] (Swearware) -- C:\Users\Owner\Desktop\dds.com

[2012/03/07 14:52:05 | 002,923,248 | ---- | C] (Microsoft Corporation) -- C:\Users\Owner\WindowsXP-KB914882-x86-ENU.exe

[2012/03/06 20:02:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2012/03/06 20:02:01 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2012/03/06 20:02:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2012/03/06 20:01:56 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2012/03/06 17:18:09 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/03/05 18:52:57 | 000,389,024 | ---- | C] (Bleeping Computer, LLC) -- C:\Windows\unhide.exe

[2012/03/05 17:04:11 | 000,607,260 | R--- | C] (Swearware) -- C:\Program Files\dds.scr

[2012/02/28 17:13:21 | 000,000,000 | ---D | C] -- C:\Users\Owner\Documents\Trading

[2012/02/26 16:22:31 | 000,000,000 | ---D | C] -- C:\Users\Owner\Documents\BW

[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

[1 C:\Users\Owner\Documents\*.tmp files -> C:\Users\Owner\Documents\*.tmp -> ]

[1 C:\Users\Owner\Desktop\*.tmp files -> C:\Users\Owner\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/20 19:25:23 | 000,003,296 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2012/03/20 19:25:23 | 000,003,296 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2012/03/20 19:04:48 | 000,002,229 | ---- | M] () -- C:\Windows\epplauncher.mif

[2012/03/19 17:58:43 | 000,089,448 | ---- | M] () -- C:\Users\Owner\Desktop\DiskMgmt screen shot.png

[2012/03/16 14:49:45 | 000,631,762 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2012/03/16 14:49:45 | 000,114,930 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2012/03/16 01:30:25 | 000,000,258 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini

[2012/03/16 01:25:05 | 000,031,871 | ---- | M] () -- C:\ProgramData\nvModes.001

[2012/03/16 01:25:02 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/03/16 00:31:56 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2012/03/15 18:10:41 | 000,007,620 | ---- | M] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat

[2012/03/15 10:48:02 | 000,031,871 | ---- | M] () -- C:\ProgramData\nvModes.dat

[2012/03/14 17:36:18 | 000,026,785 | ---- | M] () -- C:\logfile

[2012/03/13 11:42:52 | 000,441,704 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2012/03/13 11:28:26 | 000,000,129 | ---- | M] () -- C:\Windows\System32\MRT.INI

[2012/03/12 23:42:59 | 000,000,112 | ---- | M] () -- C:\ProgramData\1VjM2R.dat

[2012/03/12 03:38:38 | 000,000,001 | ---- | M] () -- C:\ProgramData\2jFf5J64.exe_.b

[2012/03/12 03:38:38 | 000,000,001 | ---- | M] () -- C:\ProgramData\2jFf5J64.exe.b

[2012/03/11 20:36:03 | 000,000,667 | ---- | M] () -- C:\Windows\winpoint.ini

[2012/03/09 19:00:23 | 004,432,147 | R--- | M] (Swearware) -- C:\Users\Owner\Desktop\ComboFix.exe

[2012/03/08 22:17:52 | 000,000,809 | ---- | M] () -- C:\Users\Owner\Documents\15.gif

[2012/03/08 00:08:04 | 000,607,260 | ---- | M] (Swearware) -- C:\Users\Owner\Desktop\dds.com

[2012/03/06 17:03:00 | 000,000,456 | ---- | M] () -- C:\ProgramData\JGLCtmoyv2sFma

[2012/03/06 17:02:40 | 000,000,288 | ---- | M] () -- C:\ProgramData\~JGLCtmoyv2sFma

[2012/03/06 17:02:40 | 000,000,200 | ---- | M] () -- C:\ProgramData\~JGLCtmoyv2sFmar

[2012/03/05 18:51:47 | 000,389,024 | ---- | M] (Bleeping Computer, LLC) -- C:\Windows\unhide.exe

[2012/03/05 17:03:59 | 000,607,260 | R--- | M] (Swearware) -- C:\Program Files\dds.scr

[2012/03/04 18:18:27 | 000,000,629 | ---- | M] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk

[2012/02/28 11:32:14 | 003,670,019 | ---- | M] () -- C:\Users\Owner\Desktop\Introduction%20to%20Flag-Trading_FT.pdf

[2012/02/27 19:07:00 | 000,199,680 | ---- | M] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/02/23 04:18:48 | 000,000,322 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForOwner.job

[2012/02/22 10:41:48 | 000,002,153 | ---- | M] () -- C:\Windows\System32\requestBody.xml

[2012/02/22 10:41:48 | 000,000,858 | ---- | M] () -- C:\Windows\System32\request.gzip

[2012/02/22 10:41:47 | 000,003,121 | ---- | M] () -- C:\Windows\System32\responseBody.xml

[2012/02/22 05:05:19 | 044,827,091 | ---- | M] () -- C:\Users\Owner\Desktop\01-elevate-1-29-12.mp3

[2012/02/22 04:50:27 | 023,111,416 | ---- | M] () -- C:\Users\Owner\Desktop\2--his-touch-in-your-situation.mp3

[2012/02/22 04:43:43 | 024,799,366 | ---- | M] () -- C:\Users\Owner\Desktop\1--his-touch-in-your-situation.mp3

[2012/02/22 04:35:16 | 033,293,341 | ---- | M] () -- C:\Users\Owner\Desktop\6--understanding-the-end.mp3

[2012/02/21 04:18:15 | 000,184,250 | ---- | M] () -- C:\Users\Owner\Desktop\FUTURESINDUSTRYlawpaperKurtisWard.pdf

[2012/02/21 01:50:10 | 000,002,633 | ---- | M] () -- C:\Users\Owner\Desktop\Microsoft Office Outlook 2003.lnk

[2012/02/20 15:15:14 | 000,000,938 | ---- | M] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk

[2012/02/20 15:06:01 | 000,000,058 | ---- | M] () -- C:\Windows\mchguid.ini

[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

[1 C:\Users\Owner\Documents\*.tmp files -> C:\Users\Owner\Documents\*.tmp -> ]

[1 C:\Users\Owner\Desktop\*.tmp files -> C:\Users\Owner\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/19 17:58:43 | 000,089,448 | ---- | C] () -- C:\Users\Owner\Desktop\DiskMgmt screen shot.png

[2012/03/13 11:28:26 | 000,000,129 | ---- | C] () -- C:\Windows\System32\MRT.INI

[2012/03/12 03:38:38 | 000,000,001 | ---- | C] () -- C:\ProgramData\2jFf5J64.exe_.b

[2012/03/12 03:38:38 | 000,000,001 | ---- | C] () -- C:\ProgramData\2jFf5J64.exe.b

[2012/03/08 22:17:35 | 000,000,809 | ---- | C] () -- C:\Users\Owner\Documents\15.gif

[2012/03/06 20:02:01 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2012/03/06 20:02:01 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2012/03/06 20:02:01 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2012/03/06 20:02:01 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2012/03/06 18:03:55 | 000,000,859 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk

[2012/03/06 18:03:55 | 000,000,659 | ---- | C] () -- C:\Users\Public\Desktop\Manual CanoScan LiDE 60.lnk

[2012/03/05 19:58:06 | 000,001,568 | ---- | C] () -- C:\Users\Public\Desktop\PowerChurch Plus Version 10.lnk

[2012/03/05 19:58:06 | 000,001,153 | ---- | C] () -- C:\Users\Public\Desktop\VZAccess Manager.lnk

[2012/03/05 19:58:06 | 000,000,847 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk

[2012/03/05 19:58:05 | 000,002,070 | ---- | C] () -- C:\Users\Public\Desktop\iP1700 On-screen Manual.lnk

[2012/03/05 19:58:05 | 000,001,975 | ---- | C] () -- C:\Users\Public\Desktop\Kodak EasyShare.lnk

[2012/03/05 19:58:05 | 000,001,965 | ---- | C] () -- C:\Users\Public\Desktop\HP Help and Support.lnk

[2012/03/05 19:58:05 | 000,001,887 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk

[2012/03/05 19:58:05 | 000,001,860 | ---- | C] () -- C:\Users\Public\Desktop\Movie Magic Screenwriter.lnk

[2012/03/05 19:58:05 | 000,001,803 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk

[2012/03/05 19:58:05 | 000,001,768 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Movie Maker.lnk

[2012/03/05 19:58:05 | 000,001,737 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk

[2012/03/05 19:58:05 | 000,001,400 | ---- | C] () -- C:\Users\Public\Desktop\Point.lnk

[2012/03/05 19:58:05 | 000,001,227 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Photo Gallery.lnk

[2012/03/05 19:58:05 | 000,001,158 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Movie Maker.lnk

[2012/03/05 19:58:05 | 000,001,079 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk

[2012/03/05 19:58:05 | 000,000,963 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\EasyWorship 2007.lnk

[2012/03/05 19:58:05 | 000,000,948 | ---- | C] () -- C:\Users\Public\Desktop\Easy-PhotoPrint.lnk

[2012/03/05 19:58:05 | 000,000,938 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk

[2012/03/05 19:58:05 | 000,000,938 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk

[2012/03/05 19:58:05 | 000,000,915 | ---- | C] () -- C:\Users\Public\Desktop\Canon iP1700 User Registration.LNK

[2012/03/05 19:58:05 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\My Printer.lnk

[2012/03/05 19:58:05 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2012/03/05 19:58:05 | 000,000,777 | ---- | C] () -- C:\Users\Public\Desktop\CanoScan Toolbox 4.9.lnk

[2012/03/05 19:58:05 | 000,000,258 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk

[2012/03/05 19:58:05 | 000,000,240 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk

[2012/03/05 19:58:05 | 000,000,162 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\The Mary Miracle Part II.url

[2012/03/05 19:58:05 | 000,000,104 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\The Internet - Shortcut.lnk

[2012/03/05 19:58:04 | 000,002,001 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

[2012/03/05 19:58:04 | 000,001,764 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Calendar.lnk

[2012/03/05 19:58:04 | 000,001,757 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Defender.lnk

[2012/03/05 19:58:04 | 000,001,165 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VZAccess Manager.lnk

[2012/03/05 19:58:03 | 000,001,769 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickPlay Manager.lnk

[2012/03/05 19:58:03 | 000,001,728 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickPlay.lnk

[2012/03/05 19:58:01 | 000,001,789 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works Task Launcher.lnk

[2012/03/05 19:58:00 | 000,001,881 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2003.lnk

[2012/03/05 19:58:00 | 000,001,808 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk

[2012/03/05 19:57:56 | 000,001,630 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk

[2012/03/05 19:57:55 | 000,002,097 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Home movies made easy!.lnk

[2012/03/05 19:57:53 | 000,002,425 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 8.lnk

[2012/03/05 19:57:53 | 000,001,830 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk

[2012/03/05 16:19:29 | 000,000,200 | ---- | C] () -- C:\ProgramData\~JGLCtmoyv2sFmar

[2012/03/05 16:19:28 | 000,000,288 | ---- | C] () -- C:\ProgramData\~JGLCtmoyv2sFma

[2012/03/04 20:14:01 | 000,000,629 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk

[2012/03/04 18:18:21 | 000,000,456 | ---- | C] () -- C:\ProgramData\JGLCtmoyv2sFma

[2012/02/28 11:32:08 | 003,670,019 | ---- | C] () -- C:\Users\Owner\Desktop\Introduction%20to%20Flag-Trading_FT.pdf

[2012/02/22 10:42:30 | 000,000,322 | ---- | C] () -- C:\Windows\tasks\HPCeeScheduleForOwner.job

[2012/02/22 04:51:45 | 044,827,091 | ---- | C] () -- C:\Users\Owner\Desktop\01-elevate-1-29-12.mp3

[2012/02/22 04:44:02 | 023,111,416 | ---- | C] () -- C:\Users\Owner\Desktop\2--his-touch-in-your-situation.mp3

[2012/02/22 04:37:28 | 024,799,366 | ---- | C] () -- C:\Users\Owner\Desktop\1--his-touch-in-your-situation.mp3

[2012/02/22 04:27:36 | 033,293,341 | ---- | C] () -- C:\Users\Owner\Desktop\6--understanding-the-end.mp3

[2012/02/21 04:18:15 | 000,184,250 | ---- | C] () -- C:\Users\Owner\Desktop\FUTURESINDUSTRYlawpaperKurtisWard.pdf

[2012/02/20 15:06:01 | 000,000,058 | ---- | C] () -- C:\Windows\mchguid.ini

[2012/01/29 19:26:19 | 000,000,027 | ---- | C] () -- C:\Windows\SmAudio.INI

[2011/12/26 23:36:04 | 000,011,188 | -HS- | C] () -- C:\Users\Owner\AppData\Local\m5klyyaimx332xcj

[2011/12/26 23:36:04 | 000,011,188 | -HS- | C] () -- C:\ProgramData\m5klyyaimx332xcj

[2011/12/26 20:06:28 | 000,010,742 | -HS- | C] () -- C:\Users\Owner\AppData\Local\33tc3173v44sqee43uclq23c54s20c2j

[2011/12/26 20:06:28 | 000,010,742 | -HS- | C] () -- C:\ProgramData\33tc3173v44sqee43uclq23c54s20c2j

[2011/12/16 08:50:54 | 000,000,112 | ---- | C] () -- C:\ProgramData\1VjM2R.dat

[2011/12/14 01:24:54 | 000,012,836 | -HS- | C] () -- C:\Users\Owner\AppData\Local\502843u1s876d065e433s4int3x4

[2011/12/14 01:24:54 | 000,012,836 | -HS- | C] () -- C:\ProgramData\502843u1s876d065e433s4int3x4

[2011/12/13 05:13:29 | 000,000,290 | ---- | C] () -- C:\Windows\wininit.ini

[2011/09/15 01:11:16 | 001,048,576 | ---- | C] () -- C:\Windows\System32\syndata.bin

[2011/04/21 15:04:19 | 000,000,160 | ---- | C] () -- C:\ProgramData\~43900680

[2011/04/21 15:04:19 | 000,000,128 | ---- | C] () -- C:\ProgramData\~43900680r

[2011/04/21 15:04:10 | 000,000,392 | ---- | C] () -- C:\ProgramData\43900680

[2011/01/23 22:33:24 | 000,033,236 | ---- | C] () -- C:\Windows\System32\uninst_KOAIR.exe

[2011/01/15 14:28:01 | 000,000,532 | ---- | C] () -- C:\Windows\MAXLINK.INI

[2010/12/30 19:35:02 | 000,000,093 | ---- | C] () -- C:\Users\Owner\AppData\Local\fusioncache.dat

[2010/12/30 19:34:52 | 000,003,679 | ---- | C] () -- C:\Windows\GrAddrBk.ini

[2010/12/30 19:34:52 | 000,000,995 | ---- | C] () -- C:\Windows\GRACE.INI

[2010/12/30 19:34:52 | 000,000,053 | ---- | C] () -- C:\Windows\PRSRVDLL.INI

[2010/12/30 19:34:50 | 000,010,875 | ---- | C] () -- C:\Windows\ESOA.INI

[2010/12/30 19:33:27 | 000,000,667 | ---- | C] () -- C:\Windows\winpoint.ini

[2010/10/16 22:51:24 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat

[2010/06/28 11:07:16 | 000,000,000 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\wklnhst.dat

========== LOP Check ==========

[2008/02/15 22:07:51 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\acccore

[2011/01/16 23:34:38 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Canon

[2011/01/24 01:49:29 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\FinalTorrent

[2012/02/12 16:39:23 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\PeerNetworking

[2011/01/15 14:28:15 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\ScanSoft

[2010/12/31 13:18:09 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Smith Micro

[2008/04/02 18:52:28 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Softouch

[2010/06/28 11:21:32 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Template

[2010/12/31 01:53:36 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\Uniblue

[2012/03/16 00:29:37 | 000,032,656 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >

[2007/08/04 04:08:39 | 000,000,074 | ---- | M] () -- C:\autoexec.bat

[2009/04/10 23:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr

[2006/09/18 14:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys

[2011/12/13 05:30:39 | 000,000,000 | RHS- | M] () -- C:\IO.SYS

[2008/02/15 22:07:23 | 000,000,429 | ---- | M] () -- C:\IPH.PH

[2012/03/14 17:36:18 | 000,026,785 | ---- | M] () -- C:\logfile

[2011/12/13 05:30:39 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS

[2012/03/19 17:48:45 | 2811,834,368 | -HS- | M] () -- C:\pagefile.sys

[2012/03/14 18:37:08 | 000,156,482 | ---- | M] () -- C:\TDSSKiller.2.7.20.0_14.03.2012_18.00.53_log.txt

[2008/09/09 16:30:53 | 000,000,146 | ---- | M] () -- C:\YServer.txt

< %systemroot%\Fonts\*.com >

[2006/11/02 05:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont

[2006/11/02 05:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont

[2006/11/02 05:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont

[2010/02/03 14:26:56 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >

[2006/09/18 14:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

[2006/09/12 21:00:00 | 000,027,136 | ---- | M] (CANON INC.) -- C:\Windows\system32\spool\prtprocs\w32x86\CNMPD7W.DLL

[2008/03/31 21:00:00 | 000,027,136 | ---- | M] (CANON INC.) -- C:\Windows\system32\spool\prtprocs\w32x86\CNMPD9H.DLL

[2006/09/12 21:00:00 | 000,069,632 | ---- | M] (CANON INC.) -- C:\Windows\system32\spool\prtprocs\w32x86\CNMPP7W.DLL

[2008/03/31 21:00:00 | 000,069,632 | ---- | M] (CANON INC.) -- C:\Windows\system32\spool\prtprocs\w32x86\CNMPP9H.DLL

[2006/11/02 05:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\jnwppr.dll

[2006/11/02 02:46:11 | 000,089,600 | ---- | M] (Lexmark International Inc.) -- C:\Windows\system32\spool\prtprocs\w32x86\LMPRTPRC.DLL

[2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\mdippr.dll

[2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\system32\spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

[2010/11/10 02:28:46 | 000,301,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

[2012/03/05 17:03:59 | 000,607,260 | R--- | M] (Swearware) -- C:\Program Files\dds.scr

[2009/02/22 22:56:40 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >

[2006/11/02 03:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV

[2006/11/02 03:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV

[2006/11/02 03:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV

[2006/11/02 03:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV

[2006/11/02 03:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >

[2011/04/10 10:50:10 | 000,000,286 | -HS- | M] () -- C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

[2010/12/27 23:26:33 | 000,000,162 | ---- | M] () -- C:\Users\Owner\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\The Mary Miracle Part II.url

< %USERPROFILE%\Desktop\*.exe >

[2012/03/09 19:00:23 | 004,432,147 | R--- | M] (Swearware) -- C:\Users\Owner\Desktop\ComboFix.exe

[2011/10/02 20:59:12 | 000,347,920 | ---- | M] (Microsoft Corporation) -- C:\Users\Owner\Desktop\MicrosoftFixit.WinSecurity.Run.exe

[2011/12/27 10:57:15 | 002,923,248 | ---- | M] (Microsoft Corporation) -- C:\Users\Owner\Desktop\WindowsXP-KB914882-x86-ENU.exe

[1 C:\Users\Owner\Desktop\*.tmp files -> C:\Users\Owner\Desktop\*.tmp -> ]

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

[2012/03/07 14:52:18 | 002,923,248 | ---- | M] (Microsoft Corporation) -- C:\Users\Owner\WindowsXP-KB914882-x86-ENU.exe

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >

[2007/12/14 04:33:03 | 000,000,402 | -HS- | M] () -- C:\Users\Owner\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

[2012/03/12 03:38:38 | 000,000,001 | ---- | M] () -- C:\ProgramData\2jFf5J64.exe.b

[2012/03/12 03:38:38 | 000,000,001 | ---- | M] () -- C:\ProgramData\2jFf5J64.exe_.b

[2011/12/26 20:08:42 | 000,010,742 | -HS- | M] () -- C:\ProgramData\33tc3173v44sqee43uclq23c54s20c2j

[2011/04/21 15:17:15 | 000,000,392 | ---- | M] () -- C:\ProgramData\43900680

[2011/12/14 11:26:34 | 000,012,836 | -HS- | M] () -- C:\ProgramData\502843u1s876d065e433s4int3x4

[2007/12/08 04:43:01 | 000,001,321 | ---- | M] () -- C:\ProgramData\hpzinstall.log

[2012/03/06 17:03:00 | 000,000,456 | ---- | M] () -- C:\ProgramData\JGLCtmoyv2sFma

[2011/12/27 01:37:00 | 000,011,188 | -HS- | M] () -- C:\ProgramData\m5klyyaimx332xcj

[2012/03/16 01:25:05 | 000,031,871 | ---- | M] () -- C:\ProgramData\nvModes.001

[2011/04/21 15:13:56 | 000,000,160 | ---- | M] () -- C:\ProgramData\~43900680

[2011/04/21 15:13:56 | 000,000,128 | ---- | M] () -- C:\ProgramData\~43900680r

[2012/03/06 17:02:40 | 000,000,288 | ---- | M] () -- C:\ProgramData\~JGLCtmoyv2sFma

[2012/03/06 17:02:40 | 000,000,200 | ---- | M] () -- C:\ProgramData\~JGLCtmoyv2sFmar

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-03-20 18:39:01

< >

< End of report >

Extras Results:

OTL Extras logfile created on: 3/20/2012 7:29:26 PM - Run 1

OTL by OldTimer - Version 3.2.39.1 Folder = G:\

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.94 Gb Total Physical Memory | 0.61 Gb Available Physical Memory | 31.28% Memory free

4.50 Gb Paging File | 1.79 Gb Available in Paging File | 39.83% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 140.62 Gb Total Space | 77.28 Gb Free Space | 54.95% Space Free | Partition Type: NTFS

Drive D: | 7.36 Gb Total Space | 0.74 Gb Free Space | 10.00% Space Free | Partition Type: NTFS

Drive F: | 1.07 Gb Total Space | 1.04 Gb Free Space | 96.98% Space Free | Partition Type: NTFS

Drive G: | 3.80 Gb Total Space | 3.79 Gb Free Space | 99.79% Space Free | Partition Type: FAT32

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: Current user | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"FirewallDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = Reg Error: Unknown registry data type -- File not found

"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink -- (EarthLink, Inc.)

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{012DFC99-5194-4CF5-AEC1-82959254C8C7}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |

"{104EFEBD-D056-40F0-B45A-B73A1F8497D3}" = rport=445 | protocol=6 | dir=out | app=system |

"{1E7E0A0E-E3EC-4CD9-AD3A-77BF43B1AD01}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |

"{2C18969A-C5E7-439F-8125-241B78B7E713}" = rport=137 | protocol=17 | dir=out | app=system |

"{32FE6CDE-88D4-453B-9260-EC7AE2CFD86F}" = rport=138 | protocol=17 | dir=out | app=system |

"{35497F86-E489-4C76-84F4-4C2867FCE2AB}" = lport=138 | protocol=17 | dir=in | app=system |

"{437D35B9-CBEB-4B68-B845-9817F691E342}" = lport=445 | protocol=6 | dir=in | app=system |

"{6257DF1B-43BA-4E57-A532-341FA84CD380}" = rport=139 | protocol=6 | dir=out | app=system |

"{66C37144-CEAB-4C1A-A9FA-2551A231DBFC}" = lport=2869 | protocol=6 | dir=in | app=system |

"{6B0C6DC3-D1F1-433A-A2E6-D6C5948C9891}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

"{7E832CC0-F75D-4530-8B75-B174E303450C}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |

"{DAC6396E-DB59-4B89-B869-4DEDDAF13073}" = lport=137 | protocol=17 | dir=in | app=system |

"{E6164572-AC2D-442D-9446-BEF82CD078D5}" = lport=139 | protocol=6 | dir=in | app=system |

"{F4822A79-E344-49D0-8CD3-071315A0393D}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{05F6F3EF-B25C-4001-8372-FE26E6D1B328}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{0924373D-6E91-423E-9613-9B77E0173C9A}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |

"{097692B9-4521-4D1A-9F3E-8E0F924DCDB0}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{2B68C296-5B3C-4B68-BB67-5BE62E3CDF8D}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |

"{493A8D0B-03AE-4E2D-B1D6-629EA8CD5D3D}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

"{4FFA4E9C-B46D-471C-A6C9-AB9B9E2C770B}" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |

"{5C9AA018-9046-47BF-A9F4-340494562E15}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |

"{62DAD364-9054-4450-8B64-1E97F59A49D1}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{6B76B961-7BC3-47C4-B12A-42CF381A1E0A}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{71D16E70-1D0C-4445-B3AD-5897F0189A2F}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |

"{72882C92-1DE2-44E0-94B8-FD472A2A1CF3}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |

"{7DF37EC0-6A0A-4918-B3AD-15B189C2E2EC}" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yserver.exe |

"{87A0D74F-F719-4D0B-9A9D-EDC91DA7E7E8}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{9507442A-9BF7-41B3-8C29-A7AAAC5769F5}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{A4883429-F78B-4C68-8F5E-2809A19E95B2}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |

"{A5F7077A-4F2A-45C2-B5FC-306669BB474B}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |

"{A68F1CC1-D6FB-4CB4-BF96-818D25742BA4}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |

"{A80F8CCD-CC64-438D-9452-8C6B4DE6FB9B}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{BF676154-EA80-4DEE-AD26-CB231B0F9F51}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |

"{C45F953C-C973-4D47-9B6F-8E3786D5C7A2}" = protocol=6 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{DC0FC365-581A-4047-BF5D-A68318C9D674}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |

"{DDB79537-BE1B-49D8-9E35-865252F6818E}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"{E88CFA62-4F3F-4800-A8C3-023F1E655F30}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |

"{EDF143D6-A936-48E1-98FC-A496E21AA438}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |

"{F16E450A-EFAD-4F24-858F-BD32E55CDFB9}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

"{F238082B-3978-480D-B122-CF2A1C1231A2}" = protocol=17 | dir=in | app=c:\program files\earthlink totalaccess\taskpanl.exe |

"{F2C2A900-F73A-444D-8366-C2028B08F3FE}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |

"{F7AEB929-B161-486C-A9FA-3C0F2CEC721D}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |

"TCP Query User{4EE022DA-74B7-46C0-BA66-FB407DA3A744}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=6 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |

"UDP Query User{25400511-8C73-4B97-9E2E-C9A1893E4871}C:\program files\yahoo!\messenger\yahoomessenger.exe" = protocol=17 | dir=in | app=c:\program files\yahoo!\messenger\yahoomessenger.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support

"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools

"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware

"{073F22CE-9A5B-4A40-A604-C7270AC6BF34}" = ESSSONIC

"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer

"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer

"{0BFC200F-C45D-4271-AF34-4CA969225DEB}" = muvee autoProducer 6.0

"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data

"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1700" = Canon iP1700

"{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}" = Roxio Creator EasyArchive

"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime

"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD

"{18A5DFF2-8A95-49F3-873F-743CB5549F3D}" = Canon ScanGear Starter

"{192A3445-56FC-47B3-B706-17D599E3B630}" = CalyxLoanBridge11

"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker

"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions

"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant

"{23B72D50-1C7E-491C-8086-9E060051D316}" = Manual CanoScan LiDE 60

"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library

"{26A24AE4-039D-4CA4-87B4-2F83216025FF}" = Java 6 Update 25

"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1

"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt

"{2D8A75A0-6097-41EC-AE41-AB5505DC3384}" = Movie Magic Screenwriter

"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine

"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery

"{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}" = Roxio MyDVD Basic v9

"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.20 B1

"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery

"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Roxio Activation Module

"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile

"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support

"{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend

"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore

"{432C3720-37BF-4BD7-8E49-F38E090246D0}" = CR2

"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg

"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 3.6

"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform

"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001

"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client

"{54C8FE84-89C4-40E8-976C-439EB0729BD6}" = CardRd81

"{54F7A791-38DE-4439-AB3F-B3F7DDA89C75}" = ESU for Microsoft Vista

"{5C5BB2C4-54F9-4A17-8845-090C7BEC232C}" = ZTE USB Drivers

"{5CD4F991-BA3E-4EC4-A7A1-EFB61F4D7291}" = Setup

"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI

"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA

"{613F2884-08BD-4561-9934-111D80A2F30B}" = VZAccess Manager

"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy

"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant

"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr

"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites

"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3

"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library

"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE

"{68CC54AC-EFE5-4CE4-81F8-BE0C834E2D86}" = Mobile Broadband Generic Drivers

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack

"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works

"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime

"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0

"{81063354-9060-42B2-A000-1EBE96778AA9}" = iTunes

"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio

"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync

"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5

"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS

"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update

"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT

"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)

"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui

"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003

"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL

"{A0AF08BA-3630-4505-BFB2-A41F3837B0D0}" = SFR2

"{A2C82F57-F312-4525-A19C-40E228E09939}" = Setup

"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements

"{AC76BA86-7AD7-1033-7B44-A83000000003}" = Adobe Reader 8.3.1

"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK

"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI

"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore

"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9

"{CA9BCD4D-B782-4637-8F1F-F9A328D3C244}" = CanoScan Toolbox Ver4.9

"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}" = HP Wireless Assistant

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library

"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform

"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software

"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common

"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform

"{D9B4D7EE-481C-4C36-86AB-A8F7417725FF}" = LightScribe 1.6.43.1

"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR

"{DDFD9BA2-8E26-4E49-92AE-882424DAB1BC}" = HP User Guides 0057

"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10

"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips

"{F05E2B98-DA04-4FFA-8D08-DA218E6A2B47}" = Point

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}" = kgcbase

"{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}" = Microsoft WSE 2.0 SP3 Runtime

"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5

"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK

"{F7F3B252-E772-48AA-93EB-7964BC326067}" = MSCU for Microsoft Vista

"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS

"{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}" = HP Active Support Library 32 bit components

"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock

"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials

"{FEE70C30-BAE5-4F0E-B1DF-202436C66953}_is1" = EasyWorship 2007

"7-Zip" = 7-Zip 9.20

"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites

"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"AIM_6" = AIM 6

"Canon iP1700 User Registration" = Canon iP1700 User Registration

"CanonMyPrinter" = Canon My Printer

"CNXT_AUDIO_HDA" = Conexant HD Audio

"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_5045&SUBSYS_103C30B7" = HDAUDIO Soft Data Fax Modem with SmartCP

"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint

"Easy-WebPrint" = Easy-WebPrint

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"InstallShield_{2D8A75A0-6097-41EC-AE41-AB5505DC3384}" = Movie Magic Screenwriter

"KOAIR - 증명서 발급 시스템" = KOAIR - 증명서 발급 시스템 (Certificate Issuance System)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile

"Microsoft Security Client" = Microsoft Security Essentials

"NVIDIA Drivers" = NVIDIA Drivers

"PowerChurch Plus 10.4" = PowerChurch Plus 10.4

"PowerChurch Plus Version 10 Runtime Files" = PowerChurch Plus Version 10 Runtime Files

"RealPlayer 15.0" = RealPlayer

"SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.6

"SmartAudio" = SmartAudio

"SynTPDeinstKey" = Synaptics Pointing Device Driver

"ViewpointMediaPlayer" = Viewpoint Media Player

"VLC media player" = VLC media player 1.1.11

"WinLiveSuite" = Windows Live Essentials

"Yahoo! Messenger" = Yahoo! Messenger

"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 3/14/2012 12:41:20 AM | Computer Name = Owner-PC | Source = EventSystem | ID = 4609

Description =

Error - 3/14/2012 12:52:52 AM | Computer Name = Owner-PC | Source = VSS | ID = 18

Description =

Error - 3/14/2012 12:52:52 AM | Computer Name = Owner-PC | Source = VSS | ID = 8193

Description =

Error - 3/14/2012 12:52:52 AM | Computer Name = Owner-PC | Source = System Restore | ID = 8193

Description =

Error - 3/14/2012 9:41:16 PM | Computer Name = Owner-PC | Source = Microsoft Security Client Setup | ID = 100

Description = HRESULT:0x8004FF56 Description:Cannot complete the Security Essentials

installation. The Security Essentials Installation Wizard is missing a filter manager

rollup package needed to complete the installation. To continue installing Security

Essentials, you must first download the required package. <a>Download required

package.</a> Error code:0x8004FF56.

Error - 3/15/2012 8:58:00 PM | Computer Name = Owner-PC | Source = EventSystem | ID = 4609

Description =

Error - 3/15/2012 9:20:16 PM | Computer Name = Owner-PC | Source = EventSystem | ID = 4609

Description =

Error - 3/15/2012 10:27:46 PM | Computer Name = Owner-PC | Source = Application Error | ID = 1000

Description = Faulting application Explorer.EXE, version 6.0.6002.18005, time stamp

0x49e01da5, faulting module MSONSEXT.DLL, version 11.0.6715.60, time stamp 0x43306199,

exception code 0xc0000005, fault offset 0x00052bd7, process id 0xc24, application

start time 0x01cd031c4549abd1.

Error - 3/16/2012 5:57:22 PM | Computer Name = Owner-PC | Source = Perflib | ID = 1010

Description =

Error - 3/20/2012 10:04:49 PM | Computer Name = Owner-PC | Source = Microsoft Security Client Setup | ID = 100

Description = HRESULT:0x8004FF56 Description:Cannot complete the Security Essentials

installation. The Security Essentials Installation Wizard is missing a filter manager

rollup package needed to complete the installation. To continue installing Security

Essentials, you must first download the required package. <a>Download required

package.</a> Error code:0x8004FF56.

[ Media Center Events ]

Error - 5/3/2008 6:01:11 AM | Computer Name = Owner-PC | Source = MCUpdate | ID = 0

Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed

due to an abandoned mutex.'.

Error - 10/28/2010 8:07:44 PM | Computer Name = Owner-PC | Source = MCUpdate | ID = 0

Description = Failed to wait on MCUpdate mutex with exception: 'The wait completed

due to an abandoned mutex.'.

[ OSession Events ]

Error - 3/22/2011 5:23:22 PM | Computer Name = Owner-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 0, Application Name: Microsoft Office Word, Application Version:

12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 26

seconds with 0 seconds of active time. This session ended with a crash.

Error - 12/16/2011 5:12:57 PM | Computer Name = Owner-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:

12.0.6654.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 6

seconds with 0 seconds of active time. This session ended with a crash.

Error - 12/19/2011 11:42:24 PM | Computer Name = Owner-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application

Version: 12.0.6600.1000, Microsoft Office Version: 12.0.6612.1000. This session

lasted 5 seconds with 0 seconds of active time. This session ended with a crash.

Error - 12/20/2011 4:40:04 PM | Computer Name = Owner-PC | Source = Microsoft Office 12 Sessions | ID = 7001

Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application

Version: 12.0.6600.1000, Microsoft Office Version: 12.0.6612.1000. This session

lasted 4 seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]

Error - 3/16/2012 4:25:14 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7023

Description =

Error - 3/16/2012 4:25:14 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7023

Description =

Error - 3/16/2012 4:25:14 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7026

Description =

Error - 3/16/2012 4:25:59 AM | Computer Name = Owner-PC | Source = Ntfs | ID = 262199

Description = The file system structure on the disk is corrupt and unusable. Please

run the chkdsk utility on the volume .

Error - 3/16/2012 4:46:09 AM | Computer Name = Owner-PC | Source = Ntfs | ID = 262199

Description = The file system structure on the disk is corrupt and unusable. Please

run the chkdsk utility on the volume .

Error - 3/16/2012 5:54:59 PM | Computer Name = Owner-PC | Source = Ntfs | ID = 262199

Description = The file system structure on the disk is corrupt and unusable. Please

run the chkdsk utility on the volume .

Error - 3/19/2012 8:56:38 PM | Computer Name = Owner-PC | Source = DCOM | ID = 10005

Description =

Error - 3/19/2012 8:56:38 PM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7001

Description =

Error - 3/20/2012 10:20:12 PM | Computer Name = Owner-PC | Source = Print | ID = 6161

Description = The document file:///C:/Users/Owner/AppData/Local/Temp/Low/FYZ52XKW.htm,

owned by Owner, failed to print on printer Canon iP1700. Try to print the document

again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool

file in bytes: 103184. Number of bytes printed: 101344. Total number of pages in

the document: 1. Number of pages printed: 0. Client computer: \\OWNER-PC. Win32

error code returned by the print processor: 0. The operation completed successfully.

Error - 3/20/2012 10:22:08 PM | Computer Name = Owner-PC | Source = Print | ID = 6161

Description = The document file:///C:/Users/Owner/AppData/Local/Temp/Low/16Z7QIIX.htm,

owned by Owner, failed to print on printer Canon iP1700. Try to print the document

again, or restart the print spooler. Data type: NT EMF 1.008. Size of the spool

file in bytes: 131072. Number of bytes printed: 98800. Total number of pages in

the document: 1. Number of pages printed: 0. Client computer: \\OWNER-PC. Win32

error code returned by the print processor: 259. No more data is available.

< End of report >


Can't get ComboFix to work. Sometimes it just freezes my PC after 30 mins. Sometimes it simply makes the screen go blank. Last night I tried it again before turning in. This morning the blue box had changed. It was at the stage of preparing log.

Often when I start it, an MSE pop-up happens, saying MSE is not on and giving me a start button. If I have Explorer windows open, it takes 14 mins to get to the "Infected with Rootkit" pop-up. If I have no windows open, it takes 4 mins to get to that point, then nothing happens.


Can you tell me what these are?

C:\ieexplore

[2012/03/12 03:38:38 | 000,000,001 | ---- | C] () -- C:\ProgramData\2jFf5J64.exe_.b

[2012/03/12 03:38:38 | 000,000,001 | ---- | C] () -- C:\ProgramData\2jFf5J64.exe.b

[2012/03/05 16:19:29 | 000,000,200 | ---- | C] () -- C:\ProgramData\~JGLCtmoyv2sFmar

[2012/03/05 16:19:28 | 000,000,288 | ---- | C] () -- C:\ProgramData\~JGLCtmoyv2sFma

[2011/12/26 23:36:04 | 000,011,188 | -HS- | C] () -- C:\Users\Owner\AppData\Local\m5klyyaimx332xcj

[2011/12/26 23:36:04 | 000,011,188 | -HS- | C] () -- C:\ProgramData\m5klyyaimx332xcj


FRST (Farbar Recovery Scan Tool) is a tool created by Farbar to run from a flash drive whilst booted into the Recovery Environment (only) on Windows 7 and Vista computers.

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer

Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Wow. Ok, the first item, "C:\ieexplore", has one folder and a few hundred files. Some names like "catchme", which is an EXE file, "badclsid", "combo-fix.sys" from a year and a half ago.

Also, "FileKill" dated August 2000, though I bought this laptop new in 2007. "Dumphive" (EXE) and "embedded.sed" also from the same date in August 2000.

6 "Local" files: Appdata file, appdata folder, service.dat, servicenetworkrestricted.dat....etc...

Many cfx files.

Lots of junk in here. I can't figure out a way to copy and paste, do you want me to just take a bunch of screenshots? I'll just keep scrolling down and print the screens.


If they are cfx, those are from Combofix so we won't worry about those.

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

C:\ProgramData\m5klyyaimx332xcj

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virustotal is too busy you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html


Enjoy your weekend, LD. Here's the FRST

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 14-03-2012

Ran by Owner at 23-03-2012 17:04:37

Running from G:\

Service Pack 2 (X86) OS Language: English(US)

Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.

========================== Registry (Whitelisted) =============

HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [x]

HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [x]

HKLM\...\Winlogon: [userinit] [x]

HKLM\...\Winlogon: [shell]

================================ Services (Whitelisted) ==================

========================== Drivers (Whitelisted) =============

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-03-23 17:04 - 2012-03-23 17:04 - 0000000 ____D C:\FRST

2012-03-23 14:38 - 2012-03-23 14:44 - 0000000 ___SD C:\ComboFix

2012-03-23 12:50 - 2012-03-23 12:50 - 0000000 __SHD C:\$RECYCLE.BIN

2012-03-23 01:04 - 2012-03-23 01:04 - 0000035 ____A C:\Users\Owner\Desktop\Bookmark

2012-03-19 17:58 - 2012-03-19 17:58 - 0089448 ____A C:\Users\Owner\Desktop\DiskMgmt screen shot.png

2012-03-16 00:40 - 2012-03-16 00:40 - 0013013 ____A C:\Users\Owner\Desktop\CF Log 3-16-12.txt

2012-03-14 18:00 - 2012-03-14 18:37 - 0156482 ____A C:\TDSSKiller.2.7.20.0_14.03.2012_18.00.53_log.txt

2012-03-14 17:55 - 2012-03-14 17:55 - 0191488 ____A C:\Users\Owner\Desktop\TDSKiller.doc

2012-03-13 21:38 - 2012-03-23 16:16 - 0000000 ____D C:\ieexplore

2012-03-13 11:29 - 2012-03-13 11:30 - 0000822 ____A C:\Windows\setupact.log

2012-03-13 11:29 - 2012-03-13 11:29 - 0000000 ____A C:\Windows\setuperr.log

2012-03-13 11:28 - 2012-03-13 11:28 - 0000129 ____A C:\Windows\System32\MRT.INI

2012-03-13 11:22 - 2012-02-14 08:45 - 0219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll

2012-03-13 11:22 - 2012-02-14 08:45 - 0160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll

2012-03-13 11:22 - 2012-02-13 07:12 - 1172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll

2012-03-13 11:22 - 2012-02-13 06:47 - 0683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll

2012-03-13 11:22 - 2012-02-13 06:44 - 1068544 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2012-03-13 11:22 - 2012-02-02 08:16 - 2044416 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-03-13 11:22 - 2012-01-09 08:54 - 0613376 ____A (Microsoft Corporation) C:\Windows\System32\rdpencom.dll

2012-03-13 11:22 - 2012-01-09 06:58 - 0180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-03-12 21:10 - 2012-03-12 21:10 - 0000000 ___HD C:\Windows\PIF

2012-03-12 03:38 - 2012-03-12 03:38 - 0000001 ____A C:\Users\All Users\2jFf5J64.exe_.b

2012-03-12 03:38 - 2012-03-12 03:38 - 0000001 ____A C:\Users\All Users\2jFf5J64.exe.b

2012-03-12 03:38 - 2012-03-12 03:38 - 0000001 ____A C:\ProgramData\2jFf5J64.exe_.b

2012-03-12 03:38 - 2012-03-12 03:38 - 0000001 ____A C:\ProgramData\2jFf5J64.exe.b

2012-03-11 21:33 - 2012-03-11 21:33 - 0000162 ___AH C:\Users\Owner\Desktop\~$Quotes.doc

2012-03-08 22:17 - 2012-03-08 22:17 - 0000809 ____A C:\Users\Owner\Documents\15.gif

2012-03-08 00:29 - 2012-03-23 13:03 - 4443082 ___RA (Swearware) C:\Users\Owner\Desktop\ComboFix.exe

2012-03-08 00:08 - 2012-03-08 00:08 - 0607260 ____A (Swearware) C:\Users\Owner\Desktop\dds.com

2012-03-07 14:52 - 2012-03-07 14:52 - 2923248 ____A (Microsoft Corporation) C:\Users\Owner\WindowsXP-KB914882-x86-ENU.exe

2012-03-06 22:08 - 2012-03-06 22:08 - 0001735 ____A C:\Users\Owner\mbam-log-2012-03-06 (21-08-13).txt

2012-03-06 20:02 - 2011-06-25 23:45 - 0256000 ____A C:\Windows\PEV.exe

2012-03-06 20:02 - 2010-11-07 10:20 - 0208896 ____A C:\Windows\MBR.exe

2012-03-06 20:02 - 2009-04-19 21:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe

2012-03-06 20:02 - 2000-08-30 17:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe

2012-03-06 20:02 - 2000-08-30 17:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe

2012-03-06 20:02 - 2000-08-30 17:00 - 0098816 ____A C:\Windows\sed.exe

2012-03-06 20:02 - 2000-08-30 17:00 - 0068096 ____A C:\Windows\zip.exe

2012-03-06 20:01 - 2012-03-15 15:38 - 0000000 ____D C:\Windows\ERDNT

2012-03-06 18:03 - 2012-01-18 22:27 - 0000859 ____A C:\Users\Public\Desktop\VLC media player.lnk

2012-03-06 18:03 - 2011-01-15 14:30 - 0000659 ____A C:\Users\Public\Desktop\Manual CanoScan LiDE 60.lnk

2012-03-06 17:18 - 2012-03-23 16:16 - 0000000 ____D C:\Qoobox

2012-03-06 00:56 - 2012-03-06 00:40 - 0607260 ____A (Swearware) C:\Users\Owner\Downloads\dds.scr

2012-03-05 23:39 - 2012-03-05 23:39 - 0001535 ____A C:\Users\Owner\Desktop\mbam-log-2012-03-05 (22-38-26).txt

2012-03-05 19:58 - 2012-01-02 23:09 - 0001887 ____A C:\Users\Public\Desktop\Adobe Reader 8.lnk

2012-03-05 19:58 - 2011-12-19 09:28 - 0000847 ____A C:\Users\Public\Desktop\RealPlayer.lnk

2012-03-05 19:58 - 2011-08-30 22:07 - 0001153 ____A C:\Users\Public\Desktop\VZAccess Manager.lnk

2012-03-05 19:58 - 2011-07-15 16:46 - 0000906 ____A C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

2012-03-05 19:58 - 2011-01-23 23:13 - 0000915 ____A C:\Users\Public\Desktop\Canon iP1700 User Registration.LNK

2012-03-05 19:58 - 2011-01-23 23:12 - 0000906 ____A C:\Users\Public\Desktop\My Printer.lnk

2012-03-05 19:58 - 2011-01-23 23:11 - 0000948 ____A C:\Users\Public\Desktop\Easy-PhotoPrint.lnk

2012-03-05 19:58 - 2011-01-23 23:05 - 0002070 ____A C:\Users\Public\Desktop\iP1700 On-screen Manual.lnk

2012-03-05 19:58 - 2011-01-15 14:29 - 0000777 ____A C:\Users\Public\Desktop\CanoScan Toolbox 4.9.lnk

2012-03-05 19:58 - 2010-12-30 19:35 - 0001400 ____A C:\Users\Public\Desktop\Point.lnk

2012-03-05 19:58 - 2010-09-01 11:23 - 0001965 ____A C:\Users\Public\Desktop\HP Help and Support.lnk

2012-03-05 19:58 - 2010-02-28 14:45 - 0001860 ____A C:\Users\Public\Desktop\Movie Magic Screenwriter.lnk

2012-03-05 19:58 - 2009-04-08 16:06 - 0001568 ____A C:\Users\Public\Desktop\PowerChurch Plus Version 10.lnk

2012-03-05 19:58 - 2009-02-22 22:56 - 0000174 __ASH C:\Users\All Users\Start Menu\Programs\Startup\desktop.ini

2012-03-05 19:58 - 2008-12-07 20:48 - 0002001 ____A C:\Users\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

2012-03-05 19:58 - 2008-12-07 20:48 - 0001975 ____A C:\Users\Public\Desktop\Kodak EasyShare.lnk

2012-03-05 18:53 - 2012-03-06 18:03 - 0007404 ____A C:\Users\Owner\Desktop\unhide.txt

2012-03-05 18:52 - 2012-03-05 18:51 - 0389024 ____A (Bleeping Computer, LLC) C:\Windows\unhide.exe

2012-03-05 17:04 - 2012-03-05 17:03 - 0607260 ____R (Swearware) C:\Program Files\dds.scr

2012-03-05 16:19 - 2012-03-06 17:02 - 0000288 ____A C:\Users\All Users\~JGLCtmoyv2sFma

2012-03-05 16:19 - 2012-03-06 17:02 - 0000288 ____A C:\ProgramData\~JGLCtmoyv2sFma

2012-03-05 16:19 - 2012-03-06 17:02 - 0000200 ____A C:\Users\All Users\~JGLCtmoyv2sFmar

2012-03-05 16:19 - 2012-03-06 17:02 - 0000200 ____A C:\ProgramData\~JGLCtmoyv2sFmar

2012-03-04 18:18 - 2012-03-06 17:03 - 0000456 ____A C:\Users\All Users\JGLCtmoyv2sFma

2012-03-04 18:18 - 2012-03-06 17:03 - 0000456 ____A C:\ProgramData\JGLCtmoyv2sFma

2012-03-01 15:36 - 2012-03-01 15:36 - 0012784 ____A C:\Windows\System32\hs_err_pid4056.log

2012-02-28 17:13 - 2012-03-01 23:58 - 0000000 ____D C:\Users\Owner\Documents\Trading

2012-02-28 11:32 - 2012-02-28 11:32 - 3670019 ____A C:\Users\Owner\Desktop\Introduction%20to%20Flag-Trading_FT.pdf

2012-02-26 16:25 - 2012-02-26 16:25 - 0000000 ____A C:\Windows\Sti_Trace.log

2012-02-26 16:22 - 2012-02-26 20:35 - 0000000 ____D C:\Users\Owner\Documents\BW

2012-02-24 12:58 - 2012-02-24 12:58 - 0048128 ____A C:\Users\Owner\Desktop\battery.doc

2012-02-24 10:16 - 2012-02-24 10:36 - 0040448 ____A C:\Users\Owner\AB.doc

2012-02-22 10:42 - 2012-03-23 15:41 - 0000322 ____A C:\Windows\Tasks\HPCeeScheduleForOwner.job

2012-02-22 04:51 - 2012-02-22 05:05 - 44827091 ____A C:\Users\Owner\Desktop\01-elevate-1-29-12.mp3

2012-02-22 04:44 - 2012-02-22 04:50 - 23111416 ____A C:\Users\Owner\Desktop\2--his-touch-in-your-situation.mp3

2012-02-22 04:37 - 2012-02-22 04:43 - 24799366 ____A C:\Users\Owner\Desktop\1--his-touch-in-your-situation.mp3

2012-02-22 04:27 - 2012-02-22 04:35 - 33293341 ____A C:\Users\Owner\Desktop\6--understanding-the-end.mp3

============ 3 Months Modified Files and Folders ===============

2012-03-23 17:04 - 2012-03-23 17:04 - 0000000 ____D C:\FRST

2012-03-23 17:01 - 2007-12-16 09:58 - 4740840 ____A C:\Windows\ntbtlog.txt

2012-03-23 16:58 - 2009-02-21 05:44 - 0031871 ____A C:\Users\All Users\nvModes.001

2012-03-23 16:58 - 2009-02-21 05:44 - 0031871 ____A C:\ProgramData\nvModes.001

2012-03-23 16:58 - 2006-11-02 06:01 - 0000006 ___AH C:\Windows\Tasks\SA.DAT

2012-03-23 16:58 - 2006-11-02 05:47 - 0003296 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-03-23 16:58 - 2006-11-02 05:47 - 0003296 ____A C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-03-23 16:57 - 2006-11-02 06:01 - 0032656 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-03-23 16:54 - 2007-11-06 03:11 - 1788442 ____A C:\Windows\WindowsUpdate.log

2012-03-23 16:33 - 2008-12-20 21:38 - 0742644 ____A C:\Windows\System32\PerfStringBackup.INI

2012-03-23 16:16 - 2012-03-13 21:38 - 0000000 ____D C:\ieexplore

2012-03-23 16:16 - 2012-03-06 17:18 - 0000000 ____D C:\Qoobox

2012-03-23 15:41 - 2012-02-22 10:42 - 0000322 ____A C:\Windows\Tasks\HPCeeScheduleForOwner.job

2012-03-23 15:41 - 2011-12-02 18:51 - 0003121 ____A C:\Windows\System32\responseBody.xml

2012-03-23 15:41 - 2011-12-02 18:51 - 0002253 ____A C:\Windows\System32\requestBody.xml

2012-03-23 15:41 - 2011-12-02 18:51 - 0000881 ____A C:\Windows\System32\request.gzip

2012-03-23 15:09 - 2007-08-04 03:40 - 0000258 ____A C:\Users\Public\Documents\hpqp.ini

2012-03-23 15:07 - 2007-08-04 03:25 - 0162160 ____A C:\Windows\PFRO.log

2012-03-23 14:44 - 2012-03-23 14:38 - 0000000 ___SD C:\ComboFix

2012-03-23 13:03 - 2012-03-08 00:29 - 4443082 ___RA (Swearware) C:\Users\Owner\Desktop\ComboFix.exe

2012-03-23 12:50 - 2012-03-23 12:50 - 0000000 __SHD C:\$RECYCLE.BIN

2012-03-23 01:04 - 2012-03-23 01:04 - 0000035 ____A C:\Users\Owner\Desktop\Bookmark

2012-03-21 19:51 - 2007-12-15 14:41 - 0199680 ____A C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-03-21 17:11 - 2010-06-19 08:27 - 0000000 ____D C:\Users\Owner\AppData\Local\ApplicationHistory

2012-03-21 12:02 - 2007-12-08 03:46 - 0000000 ____D C:\users\Owner

2012-03-21 09:21 - 2010-06-30 09:25 - 0000052 ____A C:\Windows\System32\DOErrors.log

2012-03-20 19:04 - 2011-01-28 17:11 - 0002229 ____A C:\Windows\epplauncher.mif

2012-03-19 18:31 - 2007-12-15 04:32 - 0000000 ____D C:\Windows\Minidump

2012-03-19 17:58 - 2012-03-19 17:58 - 0089448 ____A C:\Users\Owner\Desktop\DiskMgmt screen shot.png

2012-03-16 00:40 - 2012-03-16 00:40 - 0013013 ____A C:\Users\Owner\Desktop\CF Log 3-16-12.txt

2012-03-16 00:32 - 2006-11-02 03:23 - 0000215 ____A C:\Windows\system.ini

2012-03-16 00:31 - 2006-11-02 03:23 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts

2012-03-15 18:10 - 2008-02-15 22:20 - 0007620 ____A C:\Users\Owner\AppData\Local\d3d9caps.dat

2012-03-15 15:41 - 2006-11-02 04:18 - 0000000 ___RD C:\users\Public

2012-03-15 15:41 - 2006-11-02 04:18 - 0000000 ___RD C:\users\Default

2012-03-15 15:38 - 2012-03-06 20:01 - 0000000 ____D C:\Windows\ERDNT

2012-03-15 10:48 - 2009-02-21 05:44 - 0031871 ____A C:\Users\All Users\nvModes.dat

2012-03-15 10:48 - 2009-02-21 05:44 - 0031871 ____A C:\ProgramData\nvModes.dat

2012-03-14 18:37 - 2012-03-14 18:00 - 0156482 ____A C:\TDSSKiller.2.7.20.0_14.03.2012_18.00.53_log.txt

2012-03-14 17:55 - 2012-03-14 17:55 - 0191488 ____A C:\Users\Owner\Desktop\TDSKiller.doc

2012-03-14 17:36 - 2011-12-19 20:42 - 0026785 ____A C:\logfile

2012-03-13 20:04 - 2011-01-06 23:17 - 0000000 ____D C:\Users\Owner\Documents\Folder

2012-03-13 11:50 - 2011-05-17 01:25 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

2012-03-13 11:42 - 2006-11-02 05:47 - 0441704 ____A C:\Windows\System32\FNTCACHE.DAT

2012-03-13 11:30 - 2012-03-13 11:29 - 0000822 ____A C:\Windows\setupact.log

2012-03-13 11:29 - 2012-03-13 11:29 - 0000000 ____A C:\Windows\setuperr.log

2012-03-13 11:28 - 2012-03-13 11:28 - 0000129 ____A C:\Windows\System32\MRT.INI

2012-03-13 11:25 - 2006-11-02 03:24 - 54215544 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe

2012-03-13 11:24 - 2006-11-02 03:23 - 0000240 ____A C:\Windows\win.ini

2012-03-12 23:45 - 2007-08-04 03:36 - 0000000 ____D C:\Windows\PCHEALTH

2012-03-12 23:42 - 2011-12-16 08:50 - 0000112 ____A C:\Users\All Users\1VjM2R.dat

2012-03-12 23:42 - 2011-12-16 08:50 - 0000112 ____A C:\ProgramData\1VjM2R.dat

2012-03-12 21:10 - 2012-03-12 21:10 - 0000000 ___HD C:\Windows\PIF

2012-03-12 03:38 - 2012-03-12 03:38 - 0000001 ____A C:\Users\All Users\2jFf5J64.exe_.b

2012-03-12 03:38 - 2012-03-12 03:38 - 0000001 ____A C:\Users\All Users\2jFf5J64.exe.b

2012-03-12 03:38 - 2012-03-12 03:38 - 0000001 ____A C:\ProgramData\2jFf5J64.exe_.b

2012-03-12 03:38 - 2012-03-12 03:38 - 0000001 ____A C:\ProgramData\2jFf5J64.exe.b

2012-03-11 21:34 - 2012-02-09 15:53 - 0033280 ____A C:\Users\Owner\Desktop\Quotes.doc

2012-03-11 21:33 - 2012-03-11 21:33 - 0000162 ___AH C:\Users\Owner\Desktop\~$Quotes.doc

2012-03-11 20:36 - 2010-12-30 19:33 - 0000667 ____A C:\Windows\winpoint.ini

2012-03-10 20:39 - 2006-11-02 04:18 - 0000000 _SHDC C:\Windows\$NtUninstallKB62280$

2012-03-10 02:11 - 2009-04-08 16:06 - 0000000 ____D C:\Windows\Crystal

2012-03-09 15:59 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\Help

2012-03-09 00:27 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\security

2012-03-08 22:17 - 2012-03-08 22:17 - 0000809 ____A C:\Users\Owner\Documents\15.gif

2012-03-08 00:08 - 2012-03-08 00:08 - 0607260 ____A (Swearware) C:\Users\Owner\Desktop\dds.com

2012-03-07 15:02 - 2011-12-27 10:56 - 0009548 ____A C:\Windows\KB914882.log

2012-03-07 14:52 - 2012-03-07 14:52 - 2923248 ____A (Microsoft Corporation) C:\Users\Owner\WindowsXP-KB914882-x86-ENU.exe

2012-03-06 22:08 - 2012-03-06 22:08 - 0001735 ____A C:\Users\Owner\mbam-log-2012-03-06 (21-08-13).txt

2012-03-06 18:03 - 2012-03-05 18:53 - 0007404 ____A C:\Users\Owner\Desktop\unhide.txt

2012-03-06 17:03 - 2012-03-04 18:18 - 0000456 ____A C:\Users\All Users\JGLCtmoyv2sFma

2012-03-06 17:03 - 2012-03-04 18:18 - 0000456 ____A C:\ProgramData\JGLCtmoyv2sFma

2012-03-06 17:02 - 2012-03-05 16:19 - 0000288 ____A C:\Users\All Users\~JGLCtmoyv2sFma

2012-03-06 17:02 - 2012-03-05 16:19 - 0000288 ____A C:\ProgramData\~JGLCtmoyv2sFma

2012-03-06 17:02 - 2012-03-05 16:19 - 0000200 ____A C:\Users\All Users\~JGLCtmoyv2sFmar

2012-03-06 17:02 - 2012-03-05 16:19 - 0000200 ____A C:\ProgramData\~JGLCtmoyv2sFmar

2012-03-06 00:40 - 2012-03-06 00:56 - 0607260 ____A (Swearware) C:\Users\Owner\Downloads\dds.scr

2012-03-05 23:39 - 2012-03-05 23:39 - 0001535 ____A C:\Users\Owner\Desktop\mbam-log-2012-03-05 (22-38-26).txt

2012-03-05 23:39 - 2006-11-02 05:42 - 0000000 ____D C:\Windows\WindowsMobile

2012-03-05 18:51 - 2012-03-05 18:52 - 0389024 ____A (Bleeping Computer, LLC) C:\Windows\unhide.exe

2012-03-05 17:08 - 2009-04-08 16:05 - 0000000 ____D C:\PowerChurch

2012-03-05 17:03 - 2012-03-05 17:04 - 0607260 ____R (Swearware) C:\Program Files\dds.scr

2012-03-04 21:16 - 2006-11-02 05:37 - 0000000 ____D C:\Windows\ShellNew

2012-03-04 20:37 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\tracing

2012-03-04 17:00 - 2011-11-02 20:11 - 0000000 ____D C:\Users\Owner\Documents\OB

2012-03-04 02:38 - 2008-12-11 12:46 - 0000000 ____D C:\Windows\pss

2012-03-02 11:14 - 2007-08-04 01:18 - 0000000 ____D C:\Windows\panther

2012-03-01 23:58 - 2012-02-28 17:13 - 0000000 ____D C:\Users\Owner\Documents\Trading

2012-03-01 22:45 - 2006-11-02 04:18 - 0000000 __RSD C:\Windows\Media

2012-03-01 20:24 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\Branding

2012-03-01 15:36 - 2012-03-01 15:36 - 0012784 ____A C:\Windows\System32\hs_err_pid4056.log

2012-02-28 11:32 - 2012-02-28 11:32 - 3670019 ____A C:\Users\Owner\Desktop\Introduction%20to%20Flag-Trading_FT.pdf

2012-02-26 20:35 - 2012-02-26 16:22 - 0000000 ____D C:\Users\Owner\Documents\BW

2012-02-26 19:06 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\LiveKernelReports

2012-02-26 16:25 - 2012-02-26 16:25 - 0000000 ____A C:\Windows\Sti_Trace.log

2012-02-26 10:52 - 2011-09-03 13:57 - 0000000 ____D C:\Users\Owner\Documents\Lola

2012-02-24 13:22 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\ModemLogs

2012-02-24 12:58 - 2012-02-24 12:58 - 0048128 ____A C:\Users\Owner\Desktop\battery.doc

2012-02-24 10:36 - 2012-02-24 10:16 - 0040448 ____A C:\Users\Owner\AB.doc

2012-02-23 11:24 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\L2Schemas

2012-02-23 09:18 - 2010-01-31 02:43 - 0237072 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe

2012-02-22 05:05 - 2012-02-22 04:51 - 44827091 ____A C:\Users\Owner\Desktop\01-elevate-1-29-12.mp3

2012-02-22 04:50 - 2012-02-22 04:44 - 23111416 ____A C:\Users\Owner\Desktop\2--his-touch-in-your-situation.mp3

2012-02-22 04:43 - 2012-02-22 04:37 - 24799366 ____A C:\Users\Owner\Desktop\1--his-touch-in-your-situation.mp3

2012-02-22 04:35 - 2012-02-22 04:27 - 33293341 ____A C:\Users\Owner\Desktop\6--understanding-the-end.mp3

2012-02-21 04:18 - 2012-02-21 04:18 - 0184250 ____A C:\Users\Owner\Desktop\FUTURESINDUSTRYlawpaperKurtisWard.pdf

2012-02-21 01:50 - 2011-06-14 11:03 - 0002633 ____A C:\Users\Owner\Desktop\Microsoft Office Outlook 2003.lnk

2012-02-20 15:06 - 2012-02-20 15:06 - 0000058 ____A C:\Windows\mchguid.ini

2012-02-20 02:55 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\Provisioning

2012-02-19 05:47 - 2012-02-19 05:47 - 0138761 ____A C:\Users\Owner\Desktop\Aames Claim 2.pdf

2012-02-19 03:44 - 2012-02-19 03:44 - 0121796 ____A C:\Users\Owner\Desktop\Beast Review - LA Times.pdf

2012-02-18 12:46 - 2012-02-18 12:46 - 0025600 ____A C:\Users\Owner\Desktop\Jihad.doc

2012-02-18 07:00 - 2006-11-02 04:18 - 0000000 ___SD C:\Windows\Downloaded Program Files

2012-02-17 03:40 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\Microsoft.NET

2012-02-16 02:20 - 2006-11-02 05:37 - 0000000 ____D C:\Windows\DigitalLocker

2012-02-15 07:43 - 2010-02-05 01:19 - 0000000 ____D C:\Program Files\Microsoft Silverlight

2012-02-14 08:45 - 2012-03-13 11:22 - 0219648 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1core.dll

2012-02-14 08:45 - 2012-03-13 11:22 - 0160768 ____A (Microsoft Corporation) C:\Windows\System32\d3d10_1.dll

2012-02-13 07:12 - 2012-03-13 11:22 - 1172480 ____A (Microsoft Corporation) C:\Windows\System32\d3d10warp.dll

2012-02-13 06:47 - 2012-03-13 11:22 - 0683008 ____A (Microsoft Corporation) C:\Windows\System32\d2d1.dll

2012-02-13 06:44 - 2012-03-13 11:22 - 1068544 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll

2012-02-12 16:39 - 2012-02-12 16:39 - 0000000 ____D C:\Users\Owner\AppData\Roaming\PeerNetworking

2012-02-10 16:40 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\nap

2012-02-09 15:53 - 2012-02-09 15:53 - 0024064 ____H C:\Users\Owner\Desktop\~WRL0003.tmp

2012-02-07 21:44 - 2012-02-07 21:44 - 0028672 ____A C:\Users\Owner\Slave Letter.doc

2012-02-04 23:34 - 2012-02-04 23:41 - 0010268 ____A C:\Users\Owner\pic_production.jpg

2012-02-04 11:58 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\Speech

2012-02-02 08:16 - 2012-03-13 11:22 - 2044416 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys

2012-02-01 22:12 - 2008-12-06 01:40 - 0000000 ____D C:\Users\Owner\Documents\Resumes

2012-02-01 22:11 - 2010-02-03 14:27 - 0000000 ____D C:\Users\Owner\Documents\Resume

2012-02-01 03:33 - 2011-04-29 00:42 - 0000000 ____D C:\Users\Owner\Documents\TD

2012-02-01 02:31 - 2011-03-09 15:28 - 0000000 ____D C:\Users\Owner\Documents\Pasadena Parking Ticket

2012-02-01 02:29 - 2011-08-05 23:07 - 0000000 ____D C:\Users\Owner\Documents\Business

2012-01-29 19:26 - 2012-01-29 19:26 - 0000027 ____A C:\Windows\SmAudio.INI

2012-01-29 18:55 - 2012-01-29 19:01 - 0019571 ____A C:\Users\Owner\Desktop\DRHBacktotheNorm_012612.gif

2012-01-28 21:43 - 2012-01-18 22:28 - 0000000 ____D C:\Users\Owner\AppData\Roaming\vlc

2012-01-28 20:19 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\Globalization

2012-01-28 20:18 - 2012-01-28 20:17 - 0000000 ____D C:\Users\Owner\Documents\Musings

2012-01-28 20:17 - 2010-02-04 22:55 - 0000000 ____D C:\Users\Owner\Documents\Hi Rise Inspections

2012-01-27 20:42 - 2006-11-02 04:18 - 0000000 ____D C:\Windows\Web

2012-01-27 20:15 - 2012-01-27 20:15 - 0000000 ____D C:\Users\Owner\AppData\Local\Apps\2.0

2012-01-27 19:54 - 2012-01-27 19:54 - 0000000 ____D C:\4f0dee4364b59611e048b29486d60a06

2012-01-19 22:41 - 2007-12-08 04:08 - 0000000 ____D C:\Users\Owner\AppData\LocalLow

2012-01-18 22:27 - 2012-03-06 18:03 - 0000859 ____A C:\Users\Public\Desktop\VLC media player.lnk

2012-01-18 22:26 - 2012-01-18 22:26 - 0000000 ____D C:\Program Files\VideoLAN

2012-01-18 22:22 - 2012-01-18 22:22 - 4337967 ____A C:\Users\Owner\Downloads\XviD_1.0alpha.dmg

2012-01-18 13:12 - 2011-06-14 11:03 - 0002609 ____A C:\Users\Owner\Desktop\Microsoft Office Word 2003.lnk

2012-01-16 03:16 - 2012-01-16 03:16 - 0000000 ____D C:\Users\Owner\Desktop\7-Zip

2012-01-09 08:54 - 2012-03-13 11:22 - 0613376 ____A (Microsoft Corporation) C:\Windows\System32\rdpencom.dll

2012-01-09 06:58 - 2012-03-13 11:22 - 0180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

2012-01-04 21:42 - 2012-01-04 21:42 - 0000000 ____D C:\Users\Owner\AppData\Local\{B1D4D78A-0A7C-408B-8A4C-AC19AA9BBE23}

2012-01-02 23:09 - 2012-03-05 19:58 - 0001887 ____A C:\Users\Public\Desktop\Adobe Reader 8.lnk

2011-12-29 14:54 - 2011-12-29 12:49 - 1526821587 ____A C:\Users\Owner\Picture Lock.wmv

2011-12-27 10:57 - 2011-12-27 10:57 - 2923248 ____A (Microsoft Corporation) C:\Users\Owner\Desktop\WindowsXP-KB914882-x86-ENU.exe

2011-12-27 02:05 - 2010-12-30 02:41 - 0000000 ____D C:\Windows\Sun

2011-12-27 01:37 - 2011-12-26 23:36 - 0011188 __ASH C:\Users\Owner\AppData\Local\m5klyyaimx332xcj

2011-12-27 01:37 - 2011-12-26 23:36 - 0011188 __ASH C:\Users\All Users\m5klyyaimx332xcj

2011-12-27 01:37 - 2011-12-26 23:36 - 0011188 __ASH C:\ProgramData\m5klyyaimx332xcj

2011-12-26 20:08 - 2011-12-26 20:06 - 0010742 __ASH C:\Users\Owner\AppData\Local\33tc3173v44sqee43uclq23c54s20c2j

2011-12-26 20:08 - 2011-12-26 20:06 - 0010742 __ASH C:\Users\All Users\33tc3173v44sqee43uclq23c54s20c2j

2011-12-26 20:08 - 2011-12-26 20:06 - 0010742 __ASH C:\ProgramData\33tc3173v44sqee43uclq23c54s20c2j

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 16%

Total physical RAM: 1982.18 MB

Available physical RAM: 1651.09 MB

Total Pagefile: 4202.86 MB

Available Pagefile: 4044.42 MB

Total Virtual: 2047.88 MB

Available Virtual: 1962.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:140.62 GB) (Free:73.74 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]

2 Drive d: (HP_RECOVERY) (Fixed) (Total:7.36 GB) (Free:0.74 GB) NTFS ==>[system with boot components (obtained from reading drive)]

4 Drive f: () (Fixed) (Total:1.07 GB) (Free:1.04 GB) NTFS

5 Drive g: () (Removable) (Total:3.8 GB) (Free:3.79 GB) FAT32

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 149 GB 0 B

Disk 1 Online 3894 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 141 GB 32 KB

Partition 2 Primary 7534 MB 141 GB

Partition 3 Primary 1095 MB 148 GB

Partition 4 Primary 1872 KB 149 GB

======================================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 C NTFS Partition 141 GB Healthy System (partition with boot components)

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D HP_RECOVERY NTFS Partition 7534 MB Healthy

======================================================================================================

Disk: 0

Partition 3

Type : 07

Hidden: No

Active: No

  Volume ###  Ltr  Label        Fs     Type       Size     Status   Info
  ----------  ---  -----------  -----  ---------  -------  -------  --------
* Volume 3    F                 NTFS   Partition  1095 MB  Healthy

======================================================================================================

Disk: 0

Partition 4

Type : 17 (Suspicious Type)

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:

===============

  Partition ###  Type     Size     Offset
  -------------  -------  -------  -------
  Partition 1    Primary  3894 MB  28 KB

======================================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: Yes

  Volume ###  Ltr  Label        Fs     Type       Size     Status   Info
  ----------  ---  -----------  -----  ---------  -------  -------  --------
* Volume 4    G                 FAT32  Removable  3894 MB  Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-23 15:14

======================= End Of Log ==========================

Link to post
Share on other sites

How to run a fix

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.

    C:\Windows\$NtUninstallKB62280$

  • Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your USB flashdrive.
  • Exit out of Recovery Environment and post the log.

Link to post
Share on other sites

OK, the file "C:\ProgramData\m5klyyaimx332xcj" you requested five posts ago is not on my PC. So I don't know if it was a temp file or what. I'm assuming you saw it in one of the scans I previously sent. Perhaps it was related to some webpage I had open.

Some of the other files you asked me about are also no longer there. I'm searching for the ones that are and putting them through the VirusTotal scan. Something confusing to me is that the first one I submitted to VirusTotal said it had already been scanned earlier this afternoon, even though I hadn't put anything through prior to now.

Here are the results for "C:\ProgramData\JGLCtmoyv2sFma": 3 hits, from McAfee and Sophos.

SHA256: 8d250d5787f1a1f4f704e4288fe8e3dbfd6bd7d9c57f686f55037a3a0d5960b8
SHA1: 4f1497981c24bb78dd9bb67521158dbacbf8a25c
MD5: 96e927772fafeead8f7be465ae690195
File size: 456 bytes
File name: C:\ProgramData\JGLCtmoyv2sFma
File type: unknown
Detection ratio: 3 / 43
Analysis date: 2012-03-24 01:49:30 UTC

Antivirus             Result          Update
AhnLab-V3             -               20120323
AntiVir               -               20120323
Antiy-AVL             -               20120323
Avast                 -               20120323
AVG                   -               20120323
BitDefender           -               20120324
ByteHero              -               20120319
CAT-QuickHeal         -               20120323
ClamAV                -               20120324
Commtouch             -               20120323
Comodo                -               20120324
DrWeb                 -               20120324
Emsisoft              -               20120324
eSafe                 -               20120322
eTrust-Vet            -               20120323
F-Prot                -               20120323
F-Secure              -               20120324
Fortinet              -               20120323
GData                 -               20120324
Ikarus                -               20120323
Jiangmin              -               20120323
K7AntiVirus           -               20120323
Kaspersky             -               20120324
McAfee                FakeAlert!grb   20120324
McAfee-GW-Edition     FakeAlert!grb   20120323
Microsoft             -               20120323
NOD32                 -               20120324
Norman                -               20120323
nProtect              -               20120323
Panda                 -               20120323
PCTools               -               20120323
Prevx                 -               20120324
Rising                -               20120323
Sophos                Mal/FakeAvCn-A  20120323
SUPERAntiSpyware      -               20120323
Symantec              -               20120323
TheHacker             -               20120322
TrendMicro            -               20120323
TrendMicro-HouseCall  -               20120324
VBA32                 -               20120323
VIPRE                 -               20120323
ViRobot               -               20120323
VirusBuster           -               20120323

Link to post
Share on other sites
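The VirusTotal report in the post above reached the forum as one flattened line. As an added example (not code from this thread, from the helper, or from VirusTotal's own tooling), here is a small Python parser that recovers the per-engine rows, lists the engines that returned a signature name, and checks that the stated "3 / 43" ratio agrees with the rows it parsed. The two sample strings are the report text from the post, re-typed; every function name is my own. Grouping the engine list into triples by whitespace is an assumption that holds for this report only because no engine name or signature name in it contains a space, so the date column is validated to catch misalignment on other reports.

```python
"""Parse a VirusTotal report that was pasted into a forum post as one
flattened line.  Added example for this thread; not code from the original
post or from VirusTotal.  SAMPLE_HEADER and SAMPLE_ENGINES are the report
text from the post above, re-typed; all function names are my own.
"""
import re
from collections import namedtuple

EngineResult = namedtuple("EngineResult", "engine result updated")

# Report header as posted (one line on the forum).
SAMPLE_HEADER = (
    "SHA256: 8d250d5787f1a1f4f704e4288fe8e3dbfd6bd7d9c57f686f55037a3a0d5960b8 "
    "SHA1: 4f1497981c24bb78dd9bb67521158dbacbf8a25c "
    "MD5: 96e927772fafeead8f7be465ae690195 "
    "File size: 456 bytes ( 456 bytes ) "
    "File name: C:\\ProgramData\\JGLCtmoyv2sFma "
    "File type: unknown "
    "Detection ratio: 3 / 43 "
    "Analysis date: 2012-03-24 01:49:30 UTC ( 0 minutes ago )"
)

# Per-engine rows as posted: "<engine> <result> <yyyymmdd>" repeated,
# where "-" means the engine reported nothing.
SAMPLE_ENGINES = (
    "Antivirus Result Update "
    "AhnLab-V3 - 20120323 AntiVir - 20120323 Antiy-AVL - 20120323 "
    "Avast - 20120323 AVG - 20120323 BitDefender - 20120324 "
    "ByteHero - 20120319 CAT-QuickHeal - 20120323 ClamAV - 20120324 "
    "Commtouch - 20120323 Comodo - 20120324 DrWeb - 20120324 "
    "Emsisoft - 20120324 eSafe - 20120322 eTrust-Vet - 20120323 "
    "F-Prot - 20120323 F-Secure - 20120324 Fortinet - 20120323 "
    "GData - 20120324 Ikarus - 20120323 Jiangmin - 20120323 "
    "K7AntiVirus - 20120323 Kaspersky - 20120324 "
    "McAfee FakeAlert!grb 20120324 McAfee-GW-Edition FakeAlert!grb 20120323 "
    "Microsoft - 20120323 NOD32 - 20120324 Norman - 20120323 "
    "nProtect - 20120323 Panda - 20120323 PCTools - 20120323 "
    "Prevx - 20120324 Rising - 20120323 Sophos Mal/FakeAvCn-A 20120323 "
    "SUPERAntiSpyware - 20120323 Symantec - 20120323 TheHacker - 20120322 "
    "TrendMicro - 20120323 TrendMicro-HouseCall - 20120324 "
    "VBA32 - 20120323 VIPRE - 20120323 ViRobot - 20120323 "
    "VirusBuster - 20120323"
)

# Labels VirusTotal printed in the header; each value runs up to the next label.
HEADER_LABELS = ("SHA256", "SHA1", "MD5", "File size", "File name",
                 "File type", "Detection ratio", "Analysis date")
_HEADER_RE = re.compile(r"(%s): " % "|".join(re.escape(l) for l in HEADER_LABELS))
_DATE_RE = re.compile(r"^\d{8}$")
_ENGINE_TABLE_HEADER = "Antivirus Result Update"


def parse_header(text):
    """Return {label: value} for the flattened report header."""
    # Splitting on a capturing group yields [pre, label, value, label, value, ...].
    parts = _HEADER_RE.split(text)
    return {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}


def stated_ratio(header):
    """The 'Detection ratio: hits / total' pair as integers."""
    hits, total = header["Detection ratio"].split("/")
    return int(hits), int(total)


def parse_engines(text):
    """Recover (engine, result, updated) rows from the flattened engine list.

    Assumption: no engine or signature name contains a space, so the tokens
    fall into clean triples.  The date column is checked so that a report
    violating that assumption fails loudly instead of shifting columns."""
    body = text.strip()
    if body.startswith(_ENGINE_TABLE_HEADER):
        body = body[len(_ENGINE_TABLE_HEADER):]
    tokens = body.split()
    if len(tokens) % 3:
        raise ValueError("engine list is not a whole number of triples")
    rows = []
    for engine, result, updated in zip(tokens[0::3], tokens[1::3], tokens[2::3]):
        if not _DATE_RE.match(updated):
            raise ValueError("column misalignment near %r %r %r" % (engine, result, updated))
        rows.append(EngineResult(engine, None if result == "-" else result, updated))
    return rows


def detections(rows):
    """Rows where the engine returned a signature name."""
    return [row for row in rows if row.result is not None]


def ratio_matches(header, rows):
    """True when the stated ratio agrees with the parsed rows."""
    return stated_ratio(header) == (len(detections(rows)), len(rows))


if __name__ == "__main__":
    header = parse_header(SAMPLE_HEADER)
    rows = parse_engines(SAMPLE_ENGINES)
    print("SHA256 %s, %s" % (header["SHA256"], header["File size"]))
    for row in detections(rows):
        print("  %-20s %s" % (row.engine, row.result))
    print("stated ratio consistent with rows: %s" % ratio_matches(header, rows))
```

VirusTotal keys its reports by file hash, so a notice that a file was "already scanned" means a file with the same SHA-256 had been submitted earlier by someone; the three hashes in the header are the identifiers to compare when two people in a thread are looking at what they hope is the same file.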

This topic is now closed to further replies.