
Help!! I can't find the intruder...



Please help.

I've researched a bunch and tried a few things, but I know it's still here. Virus/MBAM checks don't finish, the computer freezes, there are constant IP blocks, and MBAM errors in the logs show 12007, not able to update. I've removed MBAM, reloaded mbam-setup with Avast off, restarted, reloaded MBAM with the license, then the computer froze.

I'm sorry if this is all jumbled up, I'm a bit frustrated. It's been 3 days of research...

I've gotta hand it to you pros! I don't know how you can do this every day......

I was gonna remove Avast and install Avira, but at this point I don't think anything I do is gonna work without some pro help. I did NOT do ComboFix as instructed on many sites.

I think I watched as I was being attacked. 2 days ago when running Avast, it kept stopping/freezing/acting up. I run it every day so it shouldn't be different. But after a number of attempts I ended up with a bunch of password-protected files, which were NOT there previously. My internet turned off but the modem and router were showing active. Then it turned on again. My wireless signal reduces drastically as well.

At one point I got the BSOD with a window that read "logon process has failed to create the security options dialog" along the top, and in the middle was a red X, "Failure - Security options". I did not hit OK (the only option) but clicked the X in the top right corner, and instantly the blue screen went away and my normal desktop opened.

I tried to Google the IP addresses that I found in my log. I found the first, but the other 2 were directed to some car sales sites. Obviously nothing to do with IP addresses..... oh man, please tell me I can fix this......

HP laptop with Vista, wireless router, Malwarebytes and Avast, MS firewall

I will patiently wait for your response.

Thank you so much!!!!

Pete



Hello ,

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double-click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

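What a helper does with the OTL report requested above is read it for orphaned entries, unsigned binaries, proxy and DNS settings and the Winlogon shell. The script below is an added example of that triage pass; it is my code, not part of this thread and not OTL's own. It parses the PRC/MOD/SRV/DRV lines and the O2, O4, O17 and O20 registry lines in the OTL.txt format. SAMPLE_OTL is constructed from a handful of lines in that format; the severity labels, the function names and the assumption that the 32-bit and 64-bit explorer.exe both live under %SystemRoot% are mine.

```python
"""Triage an OTL report (OldTimer's OTL.txt format).

Added example, not part of this thread and not OTL's own code.  It flags the
entries a helper reads first: registered binaries whose file is missing,
binaries with no company name, a per-user proxy switched on, public DNS servers
and a Winlogon shell that is not explorer.exe under %SystemRoot%.
"""
import ipaddress
import re

# Constructed sample in the OTL.txt line format (not a real machine's report).
SAMPLE_OTL = r"""
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
========== Processes (SafeList) ==========
PRC - [2010/08/13 13:15:07 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\BedigandMary\Downloads\OTL.exe
PRC - [2008/04/25 16:15:26 | 000,361,808 | ---- | M] () -- C:\WINDOWS\SMINST\BLService.exe
========== Driver Services (SafeList) ==========
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ipinip.sys -- (IpInIp)
DRV:64bit: - [2010/04/29 15:39:28 | 000,024,664 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
========== Standard Registry (SafeList) ==========
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1819561654-1787420719-1570195635-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4:64bit: - HKLM..\Run: [symLnch] C:\Program Files (x86)\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_5_0_23\Support\SymLnch\SymLnch.exe File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
"""

# One regex per OTL line family; group names follow the columns OTL prints.
SVC_RE = re.compile(
    r'^(?P<kind>PRC|MOD|SRV|DRV)(?::64bit:)? - '
    r'(?:\[(?P<meta>[^\]]*)\]|(?P<missing>File not found)) '
    r'(?:\((?P<company>[^)]*)\) )?'      # "()" = no company name in the version info
    r'(?:\[(?P<state>[^\]]*)\] )?'
    r'-- (?P<path>.+?)(?: -- \((?P<name>[^)]*)\).*)?$')
RUN_RE = re.compile(r'^O4(?::64bit:)? - (?P<hive>.+?)\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<rest>.+)$')
COMPANY_TAIL = re.compile(r' \((?P<company>[^)]*)\)$')
BHO_RE = re.compile(r'^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[^}]+\}) - (?P<rest>.+)$')
PROXY_RE = re.compile(r'^IE - (?P<hive>HKU\\[^\\]+)\\.*"ProxyEnable" = (?P<val>\d)$')
DNS_RE = re.compile(r'^O17 - .*DhcpNameServer = (?P<servers>.+)$')
SHELL_RE = re.compile(r'^O20(?::64bit:)? - HKLM Winlogon: Shell - \((?P<value>[^)]*)\) - (?P<path>.+?)(?: \([^)]*\))?$')
SYSROOT_RE = re.compile(r'%SystemRoot% = (?P<root>\S+)')


def is_public_ip(text):
    """True for a routable address; private/loopback ranges and non-addresses are False."""
    try:
        return not ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def triage(report):
    """Return (severity, section, detail) tuples for the entries worth a second look."""
    findings, proxy, sysroot = [], {}, r'c:\windows'   # sysroot is overridden by the header
    for line in (l.strip() for l in report.splitlines()):
        if not line or line.startswith('='):
            continue
        if (m := SYSROOT_RE.search(line)):
            sysroot = m.group('root').lower()
            continue
        if (m := SVC_RE.match(line)):
            label = m.group('name') or m.group('path')
            if m.group('missing'):
                findings.append(('orphan', m.group('kind'), f'{label}: registered but file not found'))
            elif m.group('company') == '':
                findings.append(('no-company', m.group('kind'), f'{m.group("path")}: no company name'))
        elif (m := RUN_RE.match(line)):
            rest, where = m.group('rest'), f'{m.group("hive")}\\Run [{m.group("value")}]'
            tail = COMPANY_TAIL.search(rest)
            if rest.endswith('File not found'):
                findings.append(('orphan', 'O4', f'{where}: target missing'))
            elif tail is None or tail.group('company') == '':
                findings.append(('no-company', 'O4', f'{where}: {rest}'))
        elif (m := BHO_RE.match(line)):
            if 'No CLSID value found' in m.group('rest') or m.group('rest').endswith('File not found'):
                findings.append(('orphan', 'O2', f'BHO {m.group("clsid")} ({m.group("name")}): {m.group("rest")}'))
        elif (m := PROXY_RE.match(line)):
            proxy[m.group('hive')] = m.group('val')     # compare hives once the whole report is read
        elif (m := DNS_RE.match(line)):
            public = [s for s in m.group('servers').split() if is_public_ip(s)]
            if public:
                findings.append(('dns', 'O17', 'public DNS servers, confirm they belong to the ISP: ' + ' '.join(public)))
        elif (m := SHELL_RE.match(line)):
            # Assumption: both the 64-bit and the SysWow64 explorer.exe sit under %SystemRoot%.
            if m.group('value').lower() != 'explorer.exe' or not m.group('path').lower().startswith(sysroot + '\\'):
                findings.append(('shell', 'O20', f'Winlogon Shell is {m.group("value")} -> {m.group("path")}'))
    enabled = sorted(h for h, v in proxy.items() if v != '0')
    if enabled:
        findings.append(('proxy', 'IE', 'ProxyEnable set for ' + ', '.join(enabled)))
    return findings


if __name__ == '__main__':
    for severity, section, detail in triage(SAMPLE_OTL):
        print(f'[{severity:<10}] {section:<4} {detail}')
```

The output is a reading list, not a verdict: an orphaned Run value or driver entry is often just an uninstaller's leftover, a "()" company field only means the binary carries no version information, and public DNS servers are normal when they are the ISP's. A proxy switched on in one user's hive while every other hive has it off is the kind of entry to ask the poster about before deciding anything.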

Thank you Elise! And yes, I desperately need help!

I will start on those tasks now and will post when done.

So far I've only uninstalled and reinstalled Malwarebytes. In my current searches of past logs I found threats from a few weeks ago, but I was never warned; it just said my system is clean. But I got suspicious when I started getting pop-ups in my Google searches. Also, Malwarebytes found a registry issue a few days ago, but I can't track it down. Plus all my Avast checks say clean, but then I end up with password-protected files which were not there before.

I hope I didn't leave anything out. As I remember other odd events, I'll let you know.

thank you soooo much!


Here are both OTL files. I will now log off, run GMER and post the results.

OTL logfile created on: 8/13/2010 1:16:42 PM - Run 1

OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\BedigandMary\Downloads

64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6002.18005)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free

8.00 Gb Paging File | 6.00 Gb Available in Paging File | 79.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 221.65 Gb Total Space | 148.13 Gb Free Space | 66.83% Space Free | Partition Type: NTFS

Drive D: | 11.24 Gb Total Space | 1.83 Gb Free Space | 16.25% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: BEDIGANDMARY-PC

Current User Name: BedigandMary

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Include 64bit Scans

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/13 13:15:07 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\BedigandMary\Downloads\OTL.exe

PRC - [2010/07/24 23:36:54 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe

PRC - [2010/06/28 13:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe

PRC - [2010/06/28 13:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2010/04/29 15:39:32 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2008/04/25 16:15:26 | 000,361,808 | ---- | M] () -- C:\WINDOWS\SMINST\BLService.exe

PRC - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe

========== Modules (SafeList) ==========

MOD - [2010/08/13 13:15:07 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Users\BedigandMary\Downloads\OTL.exe

MOD - [2008/01/20 19:50:01 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2010/06/28 13:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)

SRV:64bit: - [2010/06/28 13:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)

SRV:64bit: - [2010/06/28 13:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)

SRV:64bit: - [2009/06/03 20:43:18 | 000,239,104 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_6ef279c8\STacSV64.exe -- (STacSV)

SRV:64bit: - [2008/03/18 16:25:40 | 000,023,040 | ---- | M] (Hewlett-Packard Corporation) [Auto | Running] -- C:\Windows\SysNative\Hpservice.exe -- (hpsrv)

SRV:64bit: - [2008/02/12 13:05:54 | 000,086,016 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_3c6572ef\AESTSr64.exe -- (AESTFilters)

SRV:64bit: - [2008/01/20 19:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV:64bit: - [2007/12/11 12:11:30 | 000,015,872 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\SysNative\agr64svc.exe -- (AgereModemAudio)

SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2010/04/16 08:33:40 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2008/04/25 16:15:26 | 000,361,808 | ---- | M] () [Auto | Running] -- C:\WINDOWS\SMINST\BLService.exe -- (Recovery Service for Windows)

SRV - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)

========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ipinip.sys -- (IpInIp)

DRV:64bit: - [2010/06/28 13:33:00 | 000,061,008 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)

DRV:64bit: - [2010/04/29 15:39:28 | 000,024,664 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)

DRV:64bit: - [2009/06/03 20:43:18 | 000,486,400 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\stwrt64.sys -- (STHDA)

DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)

DRV:64bit: - [2008/10/23 02:16:34 | 001,526,776 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\bcmwl664.sys -- (BCM43XX)

DRV:64bit: - [2008/10/23 02:16:34 | 001,526,776 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\bcmwl664.sys -- (BCM43XV)

DRV:64bit: - [2008/06/12 11:51:36 | 007,911,840 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)

DRV:64bit: - [2008/06/04 10:55:16 | 000,129,536 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®

DRV:64bit: - [2008/04/16 14:49:34 | 000,028,416 | ---- | M] (Research In Motion Limited) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\RimUsb_AMD64.sys -- (RimUsb)

DRV:64bit: - [2008/04/15 03:05:42 | 000,161,792 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)

DRV:64bit: - [2008/04/11 10:56:28 | 000,125,328 | ---- | M] (JMicron Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\jmcr.sys -- (JMCR)

DRV:64bit: - [2008/03/27 12:10:56 | 000,026,984 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\hpdskflt.sys -- (hpdskflt)

DRV:64bit: - [2008/03/27 12:10:14 | 000,040,296 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Accelerometer.sys -- (Accelerometer)

DRV:64bit: - [2008/02/29 15:59:32 | 001,252,352 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\agrsm64.sys -- (AgereSoftModem)

DRV:64bit: - [2008/02/13 08:20:16 | 000,017,920 | ---- | M] (A4Tech Co.,Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Amusbx64.sys -- (Amusbprt)

DRV:64bit: - [2008/01/31 16:23:14 | 000,195,120 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Apfiltr.sys -- (ApfiltrService)

DRV:64bit: - [2008/01/24 06:24:24 | 000,060,928 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\enecir.sys -- (enecir)

DRV:64bit: - [2008/01/20 19:46:57 | 001,523,712 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\VSTDPV6.SYS -- (HSF_DPV)

DRV:64bit: - [2008/01/20 19:46:57 | 000,724,480 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\VSTCNXT6.SYS -- (winachsf)

DRV:64bit: - [2008/01/20 19:46:57 | 000,286,720 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\VSTAZL6.SYS -- (HSFHWAZL)

DRV:64bit: - [2008/01/20 19:46:55 | 000,111,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus)

DRV:64bit: - [2007/10/15 03:37:22 | 000,012,288 | ---- | M] ((Standard mouse types)) [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\Amfltx64.sys -- (Amfilter)

DRV:64bit: - [2007/06/18 17:13:12 | 000,018,432 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\HpqKbFiltr.sys -- (HpqKbFiltr)

DRV:64bit: - [2006/10/09 19:09:03 | 000,742,696 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\nvm60x64.sys -- (NVENETFD)

DRV:64bit: - [2006/09/18 14:36:24 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\Wbem\ntfs.mof -- (Ntfs)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1819561654-1787420719-1570195635-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE - HKU\S-1-5-21-1819561654-1787420719-1570195635-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE - HKU\S-1-5-21-1819561654-1787420719-1570195635-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKU\S-1-5-21-1819561654-1787420719-1570195635-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1

IE - HKU\S-1-5-21-1819561654-1787420719-1570195635-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2008/08/04 03:12:30 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/07/24 23:36:54 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/07/24 23:36:54 | 000,000,000 | ---D | M]

[2010/03/20 20:08:13 | 000,000,000 | ---D | M] -- C:\Users\BedigandMary\AppData\Roaming\Mozilla\Extensions

[2010/08/13 10:56:34 | 000,000,000 | ---D | M] -- C:\Users\BedigandMary\AppData\Roaming\Mozilla\Firefox\Profiles\a11mwgv3.default\extensions

[2010/04/28 14:48:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\BedigandMary\AppData\Roaming\Mozilla\Firefox\Profiles\a11mwgv3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/08/04 08:19:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2010/05/04 16:22:58 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

[2010/08/04 08:19:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2006/09/18 14:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [igfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)

O4:64bit: - HKLM..\Run: [symLnch] C:\Program Files (x86)\Common Files\Symantec Shared\SymSetup\{C1C185CA-C531-49F5-A6FA-B838405A049D}_15_5_0_23\Support\SymLnch\SymLnch.exe File not found

O4:64bit: - HKLM..\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)

O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)

O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [uCam_Menu] C:\Program Files (x86)\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)

O4 - HKU\S-1-5-19..\Run: [sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)

O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)

O4 - HKU\S-1-5-20..\Run: [sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)

O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)

O13 - gopher Prefix: missing

O13 - gopher Prefix: missing

O15 - HKU\.DEFAULT\..Trusted Ranges: Range1 ([http] in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Ranges: Range1 ([http] in Local intranet)

O15 - HKU\S-1-5-21-1819561654-1787420719-1570195635-1000\..Trusted Ranges: Range1 ([http] in Local intranet)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11

O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)

O24 - Desktop WallPaper: C:\Users\BedigandMary\Pictures\dogs pics blackberry 7-28-2010\IMG00169.jpg

O24 - Desktop BackupWallPaper: C:\Users\BedigandMary\Pictures\dogs pics blackberry 7-28-2010\IMG00169.jpg

O32 - HKLM CDRom: AutoRun - 1

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/13 11:07:42 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

[2010/08/13 11:07:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2010/08/11 11:14:23 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\SRSLabs

[2010/08/11 10:40:26 | 004,697,992 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe

[2010/08/11 10:40:19 | 000,081,920 | ---- | C] (Radius Inc.) -- C:\Windows\SysWow64\iccvid.dll

[2010/08/11 10:40:04 | 000,050,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\rtutils.dll

[2010/08/11 10:40:04 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\rtutils.dll

[2010/08/11 10:39:51 | 000,758,272 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll

[2010/08/11 10:39:51 | 000,249,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll

[2010/08/11 10:39:50 | 000,477,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll

[2010/08/11 10:39:50 | 000,193,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll

[2010/08/11 10:39:50 | 000,086,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieencode.dll

[2010/08/11 10:39:50 | 000,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieencode.dll

[2010/08/11 10:39:49 | 000,422,400 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieapfltr.dll

[2010/08/11 10:39:49 | 000,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieapfltr.dll

[2010/08/10 14:28:21 | 000,000,000 | ---D | C] -- C:\Windows\Minidump

[2010/08/04 19:38:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Silverlight

[2010/08/04 08:19:34 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe

[2010/08/04 08:19:34 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe

[2010/08/04 08:19:34 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe

[2010/08/03 20:17:47 | 000,000,000 | ---D | C] -- C:\Users\BedigandMary\AppData\Roaming\Template

========== Files - Modified Within 30 Days ==========

[2010/08/13 13:18:46 | 002,097,152 | -HS- | M] () -- C:\Users\BedigandMary\NTUSER.DAT

[2010/08/13 11:29:40 | 000,000,290 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini

[2010/08/13 11:27:49 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2010/08/13 11:27:49 | 000,003,216 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2010/08/13 11:27:46 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010/08/13 11:27:35 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/08/13 11:27:33 | 4256,133,120 | -HS- | M] () -- C:\hiberfil.sys

[2010/08/13 11:13:52 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat

[2010/08/13 11:13:50 | 000,524,288 | -HS- | M] () -- C:\Users\BedigandMary\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TMContainer00000000000000000001.regtrans-ms

[2010/08/13 11:13:50 | 000,065,536 | -HS- | M] () -- C:\Users\BedigandMary\NTUSER.DAT{c328fef1-6a85-11db-9fbd-cf3689cba3de}.TM.blf

[2010/08/13 11:13:44 | 001,160,891 | -H-- | M] () -- C:\Users\BedigandMary\AppData\Local\IconCache.db

[2010/08/13 11:07:45 | 000,000,808 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/08/12 16:14:23 | 000,000,432 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{4F54C0B5-B365-4AD8-9FC0-6DCF103A51F6}.job

[2010/08/12 11:53:39 | 000,000,732 | ---- | M] () -- C:\Users\BedigandMary\AppData\Local\d3d9caps64.dat

[2010/08/11 11:15:46 | 000,698,690 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2010/08/11 11:15:46 | 000,599,826 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2010/08/11 11:15:46 | 000,103,294 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2010/08/11 11:13:17 | 000,873,310 | ---- | M] () -- C:\Windows\SysNative\oem24.inf

[2010/08/11 10:52:14 | 000,314,736 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2010/08/10 14:28:17 | 463,717,739 | ---- | M] () -- C:\Windows\MEMORY.DMP

[2010/08/05 09:27:48 | 000,075,456 | ---- | M] () -- C:\Users\BedigandMary\AppData\Local\GDIPFONTCACHEV1.DAT

[2010/08/03 20:17:45 | 000,000,000 | ---- | M] () -- C:\Users\BedigandMary\AppData\Roaming\wklnhst.dat

[2010/08/03 20:17:04 | 000,019,456 | ---- | M] () -- C:\Users\BedigandMary\Documents\Label3.doc

[2010/08/03 20:16:48 | 000,061,440 | ---- | M] () -- C:\Users\BedigandMary\Documents\PAULS WATCH REPAIR.doc

[2010/08/03 20:16:42 | 000,043,008 | ---- | M] () -- C:\Users\BedigandMary\Documents\Pauls watch repair big.doc

[2010/07/17 05:00:12 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe

[2010/07/17 05:00:12 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe

[2010/07/17 05:00:10 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe

[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll

========== Files Created - No Company Name ==========

[2010/08/13 11:07:45 | 000,000,808 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/08/13 09:32:54 | 4256,133,120 | -HS- | C] () -- C:\hiberfil.sys

[2010/08/13 09:32:54 | 4256,133,120 | -HS- | C] () --

[2010/08/11 21:08:05 | 000,000,732 | ---- | C] () -- C:\Users\BedigandMary\AppData\Local\d3d9caps64.dat

[2010/08/11 11:13:36 | 000,873,310 | ---- | C] () -- C:\Windows\SysNative\oem24.inf

[2010/08/10 14:28:17 | 463,717,739 | ---- | C] () -- C:\Windows\MEMORY.DMP

[2010/08/03 20:17:45 | 000,000,000 | ---- | C] () -- C:\Users\BedigandMary\AppData\Roaming\wklnhst.dat

[2010/08/03 20:17:04 | 000,019,456 | ---- | C] () -- C:\Users\BedigandMary\Documents\Label3.doc

[2010/08/03 20:16:47 | 000,061,440 | ---- | C] () -- C:\Users\BedigandMary\Documents\PAULS WATCH REPAIR.doc

[2010/08/03 20:16:41 | 000,043,008 | ---- | C] () -- C:\Users\BedigandMary\Documents\Pauls watch repair big.doc

[2010/03/26 04:08:26 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll

[2010/03/26 04:07:12 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

[2008/01/20 19:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini

< End of report >

OTL Extras logfile created on: 8/13/2010 1:16:42 PM - Run 1

OTL by OldTimer - Version 3.2.9.1 Folder = C:\Users\BedigandMary\Downloads

64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6002.18005)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 61.00% Memory free

8.00 Gb Paging File | 6.00 Gb Available in Paging File | 79.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 221.65 Gb Total Space | 148.13 Gb Free Space | 66.83% Space Free | Partition Type: NTFS

Drive D: | 11.24 Gb Total Space | 1.83 Gb Free Space | 16.25% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: BEDIGANDMARY-PC

Current User Name: BedigandMary

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Include 64bit Scans

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1819561654-1787420719-1570195635-1000\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

"UacDisableNotify" = 0

"InternetSettingsDisableNotify" = 0

"AutoUpdateDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 0

"AntiSpywareOverride" = 0

"FirewallOverride" = 0

"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]

"VistaSp2" = 91 99 91 00 E2 CE CA 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"oobe_av" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"EnableFirewall" = 1

"DisableNotifications" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{051B2E27-F3DB-4C21-8588-5FB1E1E545C7}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |

"{16B8EF00-51E3-4B7D-B1B6-4EACBD9B9C39}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |

"{9B1941F8-FC16-4280-B3AD-E4FCCFC055BA}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{B59918C9-75CC-4D6C-AF59-84B8E6BF72E7}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{C3E4CD56-C016-4F7A-B7CD-026BE64661AD}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |

"{DCF88A7A-3F7C-4F7E-A2D9-2E8C242E4CFD}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{E5FC5981-5EAF-4505-AA34-20D9871B1664}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |

"{EA73955E-076F-46AD-BA2B-1B14FD7D2F6F}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{15348FFF-91CE-4D1C-BB13-D0543A64E09D}" = dir=in | app=c:\program files (x86)\hp\quickplay\qp.exe |

"{42E9F7C2-2876-4B54-AF74-E6101B255DB7}" = dir=in | app=c:\program files (x86)\hp\quickplay\qpservice.exe |

"{77821A37-B4C4-4A07-A65A-7397BD87DB85}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |

"{84B2EBE9-8FE0-4595-BA75-C9CF4CFA42E4}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |

"{8B932AB5-6C7D-48BB-9003-0147CED749D4}" = dir=in | app=c:\program files (x86)\cyberlink\powerdirector\pdr.exe |

"{904D5141-70E4-4124-B910-C2A486DD40EB}" = protocol=6 | dir=in | app=c:\program files (x86)\itunes\itunes.exe |

"{9833144C-9FF7-4126-A366-6150FC60852A}" = protocol=6 | dir=in | app=c:\program files (x86)\common files\aol\loader\aolload.exe |

"{C4BAB921-F516-4D51-BB9B-17CA139C905C}" = protocol=17 | dir=in | app=c:\program files (x86)\itunes\itunes.exe |

"{F1270AD9-125E-459A-A8D5-2FCDD0FDE56B}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |

"{F8E8CC60-5CF3-4278-B033-796D921E3309}" = protocol=17 | dir=in | app=c:\program files (x86)\common files\aol\loader\aolload.exe |

"{F922DF0E-49CD-43AB-AD61-C4FA6B9C2866}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |

"{FADE0128-E285-4D7F-9D9D-B64BA6AC1FB1}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)

"{1AD2F8FE-A357-4728-BDF8-B92D794CE793}" = HP QuickTouch 1.00 D2

"{2F97CE84-9C33-4631-821B-85EA371EA254}" = ProtectSmart Hard Drive Protection

"{404BB1FF-A84F-432F-B77B-301E88E8D1C7}" = Apple Mobile Device Support

"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007

"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007

"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

"{96D5EB02-DE18-4DCD-A713-929B4461CA8D}" = iTunes

"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Touch Pad Driver

"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053

"{C19D4D8F-4433-4F6D-9F0C-79589FD0B973}" = Bonjour

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"Agere Systems Soft Modem" = Agere Systems HDA Modem

"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter

"HDMI" = Intel® Graphics Media Accelerator Driver

"HP Photosmart Essential" = HP Photosmart Essential 2.5

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam

"{06E74B9B-631F-4378-BF3A-40D868450C05}" = HPPhotoSmartPhotobookHolidayPack1

"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer

"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1

"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works

"{172AEB5E-CBB2-4CDD-A4CF-388600825839}" = HPPhotoSmartPhotobookPlayfulPack1

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite

"{22712FAD-DE04-4D50-82A6-3C7AC5D55AA2}" = HP User Guides 0101

"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check for Health Check

"{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron JMB38X Flash Media Controller

"{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java 6 Update 21

"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{340F521E-3576-4E1A-B75C-EB0ACF751379}" = HP Wireless Assistant

"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE

"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 D3

"{35F83303-C0C0-46B7-B8A8-ADA7C2AC5645}" = muvee autoProducer 6.1

"{380357CA-29F4-4B3C-B401-32C057E6B59B}" = HP Smart Web Printing

"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista

"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go

"{45A136EC-88BF-4B95-99F5-C45D3930E1CC}" = HP MULTIPLE MODEM INSTALLER for VISTA

"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP QuickPlay 3.7

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout

"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support

"{582287DA-0806-4AC0-BF19-C15E3A466034}" = LightScribe System Software 1.12.33.2

"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites

"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver

"{89E052B2-5CA5-4B7A-AF0C-28CA2836B030}" = HPPhotoSmartPhotobookModernPack1

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8DF92D68-F8EE-4F9C-89A2-26254C1C4B6B}" = HP Help and Support

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{E64BA721-2310-4B55-BE5A-2925F9706192}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-002A-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0116-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)

"{9E2CCD5E-1990-4EF2-9B61-32F0BBACC29B}" = HP Active Support Library

"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel

"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.3

"{AC95121F-1576-45B8-82F7-3911D27882E6}" = HPPhotoSmartPhotobookScrapbookPack1

"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin

"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc

"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5

"{C27C82E4-9C53-4D76-9ED3-A01A3D5EE679}" = HP Customer Experience Enhancements

"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update

"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint

"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update

"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector

"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker

"{DD3C88A0-C53C-41D0-A21B-6D021981D23E}" = HPPhotoSmartDiscLabelContent1

"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01

"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio

"{f32502b5-5b64-4882-bf61-77f23edcac4f}" = HP Total Care Advisor

"{F636EE9A-F9EC-4606-BCFA-77DD0E210788}" = HPPhotoSmartDiscLabel_Tattoo

"{FA3B34BE-4246-4062-90A3-34CBBEA12B72}" = HPTCSSetup

"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites

"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"avast5" = avast! Free Antivirus

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"HP Smart Web Printing" = HP Smart Web Printing

"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam

"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)

"PokerStars" = PokerStars

"PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)

"SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.6

"ViewpointMediaPlayer" = Viewpoint Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 8/11/2010 11:40:55 AM | Computer Name = BedigandMary-PC | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledSPRetry 34886051

Error - 8/11/2010 1:52:51 PM | Computer Name = BedigandMary-PC | Source = WinMgmt | ID = 10

Description =

Error - 8/11/2010 2:14:55 PM | Computer Name = BedigandMary-PC | Source = STacSV | ID = 268435455

Description =

Error - 8/11/2010 2:29:13 PM | Computer Name = BedigandMary-PC | Source = WinMgmt | ID = 10

Description =

Error - 8/11/2010 2:55:09 PM | Computer Name = BedigandMary-PC | Source = Perflib | ID = 1017

Description =

Error - 8/11/2010 11:57:56 PM | Computer Name = BedigandMary-PC | Source = EventSystem | ID = 4609

Description =

Error - 8/11/2010 11:58:06 PM | Computer Name = BedigandMary-PC | Source = WinMgmt | ID = 10

Description =

Error - 8/12/2010 12:17:15 AM | Computer Name = BedigandMary-PC | Source = WinMgmt | ID = 10

Description =

Error - 8/12/2010 1:14:58 AM | Computer Name = BedigandMary-PC | Source = EventSystem | ID = 4609

Description =

Error - 8/12/2010 1:15:29 AM | Computer Name = BedigandMary-PC | Source = WinMgmt | ID = 10

Description =

[ System Events ]

Error - 5/25/2010 11:07:57 PM | Computer Name = BedigandMary-PC | Source = Service Control Manager | ID = 7011

Description =

Error - 5/30/2010 12:13:36 PM | Computer Name = BedigandMary-PC | Source = Service Control Manager | ID = 7022

Description =

Error - 5/30/2010 12:13:36 PM | Computer Name = BedigandMary-PC | Source = Service Control Manager | ID = 7022

Description =

Error - 5/30/2010 6:20:06 PM | Computer Name = BedigandMary-PC | Source = EventLog | ID = 6008

Description = The previous system shutdown at 3:18:12 PM on 5/30/2010 was unexpected.

Error - 5/30/2010 6:22:01 PM | Computer Name = BedigandMary-PC | Source = Service Control Manager | ID = 7022

Description =

Error - 5/30/2010 7:25:36 PM | Computer Name = BedigandMary-PC | Source = Service Control Manager | ID = 7011

Description =

Error - 5/30/2010 8:29:42 PM | Computer Name = BedigandMary-PC | Source = EventLog | ID = 6008

Description = The previous system shutdown at 5:27:51 PM on 5/30/2010 was unexpected.

Error - 5/30/2010 8:31:37 PM | Computer Name = BedigandMary-PC | Source = Service Control Manager | ID = 7022

Description =

Error - 5/31/2010 7:58:30 AM | Computer Name = BedigandMary-PC | Source = Service Control Manager | ID = 7011

Description =

Error - 5/31/2010 7:29:28 PM | Computer Name = BedigandMary-PC | Source = Service Control Manager | ID = 7022

Description =

< End of report >

Is this right?? I used the copy button when the GMER scan was done. To exit I hit OK rather than Cancel (don't know if that matters). I turned Avast off and disconnected from the internet before I ran the scan.

I just tried to open my documents and access was denied... Is that normal?

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-13 14:04:42

Windows 6.0.6002 Service Pack 2

Running: oxkxnpip.exe

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186312a50

Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\002186312a50 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

Hello again,

POKER WARNING

--------------------

Your logs show that you have been visiting online poker sites with applets installed on your computer. I know that you may use these programs on a regular basis but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programs yourself on purpose.

There are so many online poker games out there these days that it is close to impossible to keep track of whether a program is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this. Should you decide to uninstall the program, then you can do so by following the below steps:

  1. Go to Start > Control Panel > Add or Remove Programs.
  2. Remove the following poker programs (if they are present):
    Full Tilt Poker
    Poker Stars

If you are unsure of how to use Add or Remove Programs, then please see this tutorial.

At this point I have a few questions:

How are you connected to the internet? I see some signs of a proxy; can you confirm you ought to use a proxy?

What files exactly you have no access to and what is the exact error message?

Hello Elise

I've spent the last 3 hours manually copying Avast logs to post. When finally done, I couldn't. Comp froze. Security warnings, black screen, I had to manually hold the power button down to restart. I'm posting with my other laptop, which I think also has this infection somehow.

I will post them again tonight.

I will remove those poker sites, and whatever else you think will help.

Thanks for your help.

At this point I have a few questions:

How are you connected to the internet? I see some signs of a proxy; can you confirm you ought to use a proxy?

What files exactly you have no access to and what is the exact error message?

Can you please answer these questions. :D

If it is so much work, no need to copy all those logs, just note down a few of the filenames as an example and post them in your next reply.

Hello, this is the message I typed out yesterday; somehow today it works........

Please help,

Thank you!!!

Hello Elise,

Thank you for your help! I do play poker online at times, but I only use the 2 mentioned above, Full Tilt and Poker Stars, both of which are very well known (and I assumed trusted) sites. I have been playing for about 3 years. About a year ago I made a HUGE mistake when doing a Google search for poker hand odds: I clicked on a link called Aced . com. When the page loaded I had a window pop up, and in my rush, I clicked allow (stupid). I knew right away I had just made a huge mistake. After months of reading forums and trying just about everything I knew, I did a system restore, purchased Malwarebytes and downloaded Avast. Everything was fine until I started noticing popups in my Firefox browser, but Avast was updating every day and telling me my system is updated/secure. When I checked the logs, this is what I found.... and I watched this happen before my eyes... Note that I did not have any locked files before this happened.

Well, I can't cut and paste so I'll do my best to type them out.

7-15-2010 virus found.

scan results

C:\HP\BIN\EndProcess.exe Severity= low Status=PUP:Win32:KillApp-W[PUP]

c:programdata\windows defender\defenition updates\{059ca3ef-fa80-42b9-93be-53aecb3050f5}\mpengine.dll Severity=(blank) Status= Error:The system cannot find the path specified (3)

Both are in the scan logs from 7-15.

From 7-15 to 7-21, I only have the 1st, C:\HP\BIN\EndProcess.exe

7-22-2010

C:\HP\BIN\EndProcess.exe Severity= low Status=PUP:Win32:KillApp-W[PUP]

c:programdata\windows defender\definition updates\{ae55312f-e017-a4e9-94fc21076464}\mpengine.dll Severity=(blank) Status= Error:The system cannot find the path specified (3)

From 7-23 until 8-10 I logged this only:

C:\HP\BIN\EndProcess.exe Severity= low Status=PUP:Win32:KillApp-W[PUP]

But 8-11 is when things got really strange. I ran my normal scan but it acted up. That's when I decided to check the logs.

This is what I got.

8-11 5:00am, first scan log

C:\HP\BIN\EndProcess.exe Severity= low Status=PUP:Win32:KillApp-W[PUP]

8-11 8:43 am some files could not be scanned.

log, E:\ Status= Error: The device is not ready(21)

8-11 9:20 am some files could not be scanned.

log, E:\ Status= Error: The device is not ready(21)

8-11 11:42am no virus found

8-11 11:43am some files cannot be scanned

Checked log,

C:\SwSetup|SPFS\Setup.exe|>slingplayer\Library\us.spl|> ........ over and over and over. All start with this, but end after the us.spl| with abc.png, bet.png, biography.png, a few .xml and one .tif. All have nothing under Severity but all have the same Status: Error:archive is password protected.

E:\ Status Error:the device is not ready.

8-11 1:03 pm no virus found

8-11 1:55 pm no virus found

8-11 2:06 pm some files could not be scanned

log= the same as above.

8-11 9:06 pm, no virus found

I did 4 more on 8-11: 3 said no virus, 1 said some files could not be scanned. All with Avast.

Thank you so much!

That looks perfectly fine, no malware detected there. :)

If you trust your poker apps, you can keep them, just keep in mind that many may be questionable.

The only thing that points at malware are those IP blocks. For that reason I want to know how you are connected to the internet and if you are aware of using a proxy.

Internet connection via Linksys broadband wireless router. Linksys modem.

I don't use a proxy. Although I found the box and did check it, I unchecked it right away. (Sorry for my ignorance.) I did it when the internet randomly quit during these issues.

This morning I turned on my computer, Avast did the normal "system is secured", so I checked the log: it hasn't run in 3 days?! Also, is it normal for the Avast icon in the lower right corner to have the yellow warning on it on startup? When I click and open it, active protection is turned off (and a few others) but then it goes away on its own. I sit and watch the yellow warning box go away but the open window still says issues. If I click the Fix All button, nothing happens. I've done it while the warning icon is there, and when it's gone away. Nothing. When I click on a different tab and then return, all fixed. Again, regardless of what I do. Even if I do nothing. Sometimes it won't work/program shutdown/freeze or think for 5 minutes before navigating away from the page.

Sorry, gotta go again, there are more weird occurrences and I can't wait to get your feedback. I will post again today.

Thanks :)

I wish I could explain accurately what is happening....

I reset the router, gave it time to reboot and the computer only had 'local access'. I opened the network center and clicked the red X between the router and internet for diagnostic. Came back fine and internet worked. I decided to run another Malwarebytes full scan; results showed one IP BLOCK but didn't list the number (I have found 3 different ones before).

About 1 hour later I touched the mouse, computer screen lit, everything looks normal. I click Moz to post my findings but the browser didn't open. When I moved the mouse down to the bottom of the page, the arrow would be thinking; anywhere else just the normal arrow.

I Ctrl Alt Del to see what's going on, blue page opens, I click Task Manager, then nothing. It went back to the normal desktop, but the task window never opened. I wait another few minutes to allow the task page to open but nothing. Still thinking when scrolled down to the taskbar but nothing opening. I decide to open Mozilla and immediately got a "Windows Explorer not responding". Ctrl Alt Del again, went to the blue page, I click open Task Manager again, and I got these warnings right away (but no Task Manager): "Windows Explorer not responding" and "Microsoft Windows not responding", and my shortcuts and bottom bar disappeared. The Microsoft Windows warning box was still on screen, but only the frame. My gadgets were still on though: running, working, telling me the weather, time and network meter. I even have the clock but the weird thing is the second hand is missing... but it's keeping time. I turned off the wireless card by pressing the blue "i" on the laptop. The light turned orange (I thought disabled) but the weather is still there.....

I have removed both poker apps. I have no huge application and my pics are all on an external HD, not on the infected comp. My gadget shows my memory at 47%. I can still move the mouse around on screen and have now watched the clock change time for about 30 minutes. I don't know if I should shut it down or leave it running. Rock and a hard place I guess.

I'm no computer pro, but if a computer freezes and the Windows OS crashes, how do the gadgets keep running?....

Sent from other computer. Thanks again.

Pete

Hi, explorer crashed, not the computer. :)

Please restart the computer (if you didn't do so already) and let me know if things are back to normal.

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

  • Double-click on MBRCheck.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • It will open a black screen with some data on it...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will be created on the desktop.
  • Copy and paste the contents of that log in your next reply.

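
MBRCheck, as the steps above describe, reads the first sector of each physical drive and reports whether its boot code matches a known vendor MBR (the "found non-standard or infected MBR" result reported further down). The following is an added Python example, not MBRCheck's code or anything posted in this thread, showing that check in miniature: parse a 512-byte sector, hash the 440-byte boot-code region, compare the hash against an allow-list, and decode the partition table. The stock boot code, the allow-list, the disk signature and both sample sectors are constructed for the example (the real tool's list of genuine vendor MBR hashes is not on the page); a real check would hash the sector read from `\\.\PhysicalDrive0` instead.

```python
"""Miniature MBR integrity check (added example; not MBRCheck's code).

An MBR bootkit replaces the code in the first 440 bytes of sector 0 while
leaving the partition table intact, so the disk still boots normally.
Hashing the code region and comparing it against known vendor boot code is
the detection idea this example demonstrates.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # offsets 0-439 hold the boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid boot sector
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_FMT = "<B3xB3xII"


def boot_code_hash(mbr):
    """SHA-256 of the boot code region only; the partition table is excluded."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr):
    """Decode the partition table; entries with type 0x00 are empty and skipped."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr, known_good):
    """Classify one sector as 'invalid', 'known' or 'non-standard'."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        return {"verdict": "invalid", "sha256": None, "partitions": []}
    digest = boot_code_hash(mbr)
    return {"verdict": "known" if digest in known_good else "non-standard",
            "sha256": digest, "partitions": parse_partitions(mbr)}


def build_sector(boot_code, partitions):
    """Assemble a 512-byte sector from boot code and (bootable, type, lba, count)
    tuples. Used here only to construct sample data."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = bytearray(64)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, table, 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"   # constructed signature + reserved
    return code + disk_sig + bytes(table) + BOOT_SIGNATURE


# Constructed stand-in for a vendor's stock boot code (NOT real Windows MBR code).
STOCK_BOOT_CODE = b"CONSTRUCTED-STOCK-BOOT-CODE".ljust(BOOT_CODE_LEN, b"\x90")
# Constructed allow-list; a real one holds hashes of genuine vendor boot code.
KNOWN_GOOD = {hashlib.sha256(STOCK_BOOT_CODE).hexdigest()}

# Two NTFS partitions (type 0x07) sized roughly like the C: and D: volumes in the
# OTL log above; values are constructed.
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 464_810_000),
                     (False, 0x07, 464_812_048, 23_570_000)]
CLEAN_SECTOR = build_sector(STOCK_BOOT_CODE, SAMPLE_PARTITIONS)

# Constructed tampered copy: the first bytes of boot code are overwritten while the
# partition table is untouched, which is the shape of an MBR bootkit.
_tampered = bytearray(CLEAN_SECTOR)
_tampered[0:4] = b"\xeb\xfe\x00\x00"   # constructed patch (a two-byte self-jump)
TAMPERED_SECTOR = bytes(_tampered)


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR)):
        result = check_mbr(sector, KNOWN_GOOD)
        print(f"{name}: {result['verdict']} sha256={result['sha256'][:16]}...")
        for p in result["partitions"]:
            print(f"  part{p['index']} type=0x{p['type']:02x} "
                  f"bootable={p['bootable']} lba={p['lba_start']} "
                  f"sectors={p['sectors']}")
```

The tampered sector decodes to exactly the same partition table as the clean one; only the boot-code hash differs. That is why a disk can keep booting normally while the code that runs first has been replaced, and why the check hashes the code region rather than looking at drive layout.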
i turned it on, 2 gadgets are not there but the other 3 are. turned on a bit slow but i expected that. clicked the 1st link, i had no option of right click to save on my desktop(probably my fault on this one) since not on my desktop, i opened it with the mozilla download. scan took about 3 minutes or less. never said Done, but did say

physical drive0 "unknown MBR Code"

found non-standard or infected MBR

enter 'Y' and hit ENTER for more options or 'N' to exit. what shall i do?

i have a feeling this one is user error(me) as i didnt follow your directions 100%. i would have posted the results but since i havent exited, there is no log and the black screen wont let me copy.

how shall i proceed?


oops, there is a log on my desktop, i saw it when i minimized the black mbr page.

whats the safest way to close down the black screen?

MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: Compal
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv4 Notebook PC
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 199):
0x0265C000 \SystemRoot\system32\ntoskrnl.exe
0x02616000 \SystemRoot\system32\hal.dll
0x00608000 \SystemRoot\system32\kdcom.dll
0x00612000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x0064D000 \SystemRoot\system32\PSHED.dll
0x00661000 \SystemRoot\system32\CLFS.SYS
0x006BE000 \SystemRoot\system32\CI.dll
0x00808000 \SystemRoot\system32\drivers\Wdf01000.sys
0x008E2000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x008F0000 \SystemRoot\system32\drivers\acpi.sys
0x00946000 \SystemRoot\system32\drivers\WMILIB.SYS
0x0094F000 \SystemRoot\system32\drivers\msisadrv.sys
0x00959000 \SystemRoot\system32\drivers\pci.sys
0x00989000 \SystemRoot\system32\drivers\isapnp.sys
0x00992000 \SystemRoot\system32\drivers\mpio.sys
0x009B4000 \SystemRoot\System32\drivers\partmgr.sys
0x009C9000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x009CD000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x009D9000 \SystemRoot\system32\drivers\volmgr.sys
0x00770000 \SystemRoot\System32\drivers\volmgrx.sys
0x009ED000 \SystemRoot\system32\drivers\intelide.sys
0x007D6000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x009F5000 \SystemRoot\system32\drivers\pciide.sys
0x00800000 \SystemRoot\system32\drivers\aliide.sys
0x007E6000 \SystemRoot\system32\drivers\amdide.sys
0x007ED000 \SystemRoot\system32\drivers\cmdide.sys
0x00A0E000 \SystemRoot\System32\drivers\mountmgr.sys
0x00A21000 \SystemRoot\system32\drivers\msdsm.sys
0x00A3F000 \SystemRoot\system32\drivers\nvraid.sys
0x00A62000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x00A8E000 \SystemRoot\system32\drivers\viaide.sys
0x00A96000 \SystemRoot\system32\drivers\iastorv.sys
0x00B5D000 \SystemRoot\system32\drivers\atapi.sys
0x00B65000 \SystemRoot\system32\drivers\ataport.SYS
0x00B89000 \SystemRoot\system32\drivers\lsi_scsi.sys
0x00C0A000 \SystemRoot\system32\drivers\storport.sys
0x00C67000 \SystemRoot\system32\drivers\nvstor.sys
0x00C77000 \SystemRoot\system32\drivers\msahci.sys
0x00C81000 \SystemRoot\system32\drivers\hpcisss.sys
0x00C8F000 \SystemRoot\system32\drivers\adp94xx.sys
0x00D08000 \SystemRoot\system32\drivers\adpahci.sys
0x00D5E000 \SystemRoot\system32\drivers\adpu160m.sys
0x00D7F000 \SystemRoot\system32\drivers\SCSIPORT.SYS
0x00DAD000 \SystemRoot\system32\drivers\adpu320.sys
0x00DDC000 \SystemRoot\system32\drivers\djsvs.sys
0x00BA7000 \SystemRoot\system32\drivers\arc.sys
0x00BC0000 \SystemRoot\system32\drivers\arcsas.sys
0x00E0C000 \SystemRoot\system32\drivers\elxstor.sys
0x00EAF000 \SystemRoot\system32\drivers\i2omp.sys
0x00EBA000 \SystemRoot\system32\drivers\iirsp.sys
0x00ECB000 \SystemRoot\system32\drivers\iteatapi.sys
0x00ED8000 \SystemRoot\system32\drivers\iteraid.sys
0x00EE5000 \SystemRoot\system32\drivers\lsi_fc.sys
0x00F03000 \SystemRoot\system32\drivers\lsi_sas.sys
0x00F1F000 \SystemRoot\system32\drivers\megasas.sys
0x00F2B000 \SystemRoot\system32\drivers\megasr.sys
0x00FF2000 \SystemRoot\system32\drivers\mraid35x.sys
0x00BD9000 \SystemRoot\system32\drivers\nfrd960.sys
0x0100F000 \SystemRoot\system32\drivers\ql2300.sys
0x01161000 \SystemRoot\system32\drivers\ql40xx.sys
0x011BF000 \SystemRoot\system32\drivers\sisraid2.sys
0x011CD000 \SystemRoot\system32\drivers\sisraid4.sys
0x011E3000 \SystemRoot\system32\drivers\symc8xx.sys
0x011F1000 \SystemRoot\system32\drivers\sym_hi.sys
0x01000000 \SystemRoot\system32\drivers\sym_u3.sys
0x01203000 \SystemRoot\system32\drivers\uliahci.sys
0x0124C000 \SystemRoot\system32\drivers\ulsata.sys
0x0127B000 \SystemRoot\system32\drivers\ulsata2.sys
0x012BD000 \SystemRoot\system32\drivers\vsmraid.sys
0x012E4000 \SystemRoot\system32\drivers\fltmgr.sys
0x0132B000 \SystemRoot\system32\drivers\fileinfo.sys
0x0133F000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0140E000 \SystemRoot\system32\drivers\ndis.sys
0x01604000 \SystemRoot\system32\drivers\msrpc.sys
0x01654000 \SystemRoot\system32\drivers\NETIO.SYS
0x01806000 \SystemRoot\System32\drivers\tcpip.sys
0x0197C000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01A04000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01B84000 \SystemRoot\system32\drivers\wd.sys
0x01B8C000 \SystemRoot\system32\drivers\volsnap.sys
0x01BD0000 \SystemRoot\System32\Drivers\spldr.sys
0x01BD8000 \SystemRoot\system32\drivers\sbp2port.sys
0x019A8000 \SystemRoot\System32\Drivers\mup.sys
0x019BA000 \SystemRoot\System32\drivers\ecache.sys
0x01BF1000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
0x019E6000 \SystemRoot\system32\drivers\disk.sys
0x016AD000 \SystemRoot\system32\drivers\crcdisk.sys
0x016DB000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x016E8000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x016F1000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x01BFB000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x02A07000 \SystemRoot\system32\DRIVERS\igdkmd64.sys
0x01704000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x03193000 \SystemRoot\System32\drivers\watchdog.sys
0x031A3000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x031AF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x017E7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x03207000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x03407000 \SystemRoot\system32\DRIVERS\bcmwl664.sys
0x0357F000 \SystemRoot\system32\DRIVERS\Rtlh64.sys
0x035AA000 \SystemRoot\system32\DRIVERS\jmcr.sys
0x035CD000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x035E3000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x035EF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x032F4000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0x03328000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x03334000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x03350000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x0335D000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0x03369000 \SystemRoot\system32\DRIVERS\enecir.sys
0x03385000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x0338E000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x033C7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x033D4000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x015D1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x013C6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x015DD000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x0360A000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x03628000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x03640000 \SystemRoot\system32\DRIVERS\termdd.sys
0x03653000 \SystemRoot\system32\DRIVERS\swenum.sys
0x03655000 \SystemRoot\system32\DRIVERS\ks.sys
0x03689000 \SystemRoot\system32\DRIVERS\circlass.sys
0x0369A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x036A5000 \SystemRoot\system32\DRIVERS\umbus.sys
0x036B5000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x036FD000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x03711000 \SystemRoot\system32\DRIVERS\stwrt64.sys
0x0378C000 \SystemRoot\system32\DRIVERS\portcls.sys
0x037C7000 \SystemRoot\system32\DRIVERS\drmk.sys
0x037EA000 \SystemRoot\system32\drivers\ksthunk.sys
0x04C0A000 \SystemRoot\system32\DRIVERS\agrsm64.sys
0x04D46000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x04D48000 \SystemRoot\system32\drivers\modem.sys
0x04D57000 \SystemRoot\system32\drivers\IntcHdmi.sys
0x04D7C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x04D85000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x04D97000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x04D9F000 \SystemRoot\system32\DRIVERS\hidir.sys
0x04DAA000 \SystemRoot\system32\DRIVERS\Amusbx64.sys
0x04DB3000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x04DBE000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x04DC9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x04DD3000 \SystemRoot\System32\Drivers\Null.SYS
0x04DDC000 \SystemRoot\system32\DRIVERS\Amfltx64.sys
0x04DE5000 \SystemRoot\System32\drivers\vga.sys
0x04A06000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x04A2B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x04A34000 \SystemRoot\system32\drivers\rdpencdd.sys
0x04A3D000 \SystemRoot\System32\Drivers\Msfs.SYS
0x04A48000 \SystemRoot\System32\Drivers\Npfs.SYS
0x04A59000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x04A75000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x04A7E000 \SystemRoot\system32\DRIVERS\tdx.sys
0x04A9B000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x04AAB000 \SystemRoot\system32\DRIVERS\smb.sys
0x04AC6000 \SystemRoot\system32\drivers\afd.sys
0x04B31000 \SystemRoot\System32\Drivers\usbvideo.sys
0x04B5B000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x04B65000 \SystemRoot\System32\DRIVERS\netbt.sys
0x04BA9000 \SystemRoot\system32\DRIVERS\pacer.sys
0x04BC7000 \SystemRoot\system32\DRIVERS\netbios.sys
0x04BD6000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x05007000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x05054000 \SystemRoot\system32\drivers\nsiproxy.sys
0x05060000 \SystemRoot\System32\Drivers\dfsc.sys
0x0507D000 \SystemRoot\System32\Drivers\aswSP.SYS
0x050A0000 \SystemRoot\System32\Drivers\crashdmp.sys
0x050AE000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x050BA000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x000A0000 \SystemRoot\System32\win32k.sys
0x050C4000 \SystemRoot\System32\drivers\Dxapi.sys
0x050D0000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00430000 \SystemRoot\System32\TSDDD.dll
0x00690000 \SystemRoot\System32\cdd.dll
0x050E3000 \SystemRoot\system32\drivers\luafv.sys
0x05105000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x0511F000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x05128000 \SystemRoot\system32\drivers\spsys.sys
0x051C2000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x16C05000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x16C39000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x16C44000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x16C5C000 \SystemRoot\system32\drivers\HTTP.sys
0x16CFF000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x16D28000 \SystemRoot\system32\DRIVERS\bowser.sys
0x16D46000 \SystemRoot\System32\drivers\mpsdrv.sys
0x16D60000 \SystemRoot\system32\drivers\mrxdav.sys
0x16D87000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x16DB0000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x051D6000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x17006000 \SystemRoot\System32\DRIVERS\srv2.sys
0x17038000 \SystemRoot\System32\DRIVERS\srv.sys
0x170CD000 \SystemRoot\system32\drivers\peauth.sys
0x17183000 \SystemRoot\System32\Drivers\secdrv.SYS
0x1718E000 \SystemRoot\System32\drivers\tcpipreg.sys
0x171A0000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x171BC000 \??\C:\Windows\system32\drivers\mbam.sys
0x77180000 \WINDOWS\System32\ntdll.dll

Processes (total 80):
0 System Idle Process
4 System
508 C:\WINDOWS\System32\smss.exe
576 csrss.exe
612 C:\WINDOWS\System32\wininit.exe
632 csrss.exe
668 C:\WINDOWS\System32\services.exe
680 C:\WINDOWS\System32\lsass.exe
688 C:\WINDOWS\System32\lsm.exe
784 C:\WINDOWS\System32\winlogon.exe
872 C:\WINDOWS\System32\svchost.exe
944 C:\WINDOWS\System32\svchost.exe
976 C:\WINDOWS\System32\svchost.exe
336 C:\WINDOWS\System32\svchost.exe
448 C:\WINDOWS\System32\svchost.exe
520 C:\WINDOWS\System32\svchost.exe
556 C:\WINDOWS\System32\DriverStore\FileRepository\stwrt64.inf_6ef279c8\stacsv64.exe
1076 C:\WINDOWS\System32\audiodg.exe
1128 C:\WINDOWS\System32\SLsvc.exe
1168 C:\WINDOWS\System32\svchost.exe
1320 C:\WINDOWS\System32\hpservice.exe
1424 C:\WINDOWS\System32\svchost.exe
1520 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1532 C:\WINDOWS\System32\wlanext.exe
1812 C:\WINDOWS\System32\spoolsv.exe
1836 C:\WINDOWS\System32\svchost.exe
2008 C:\WINDOWS\System32\DriverStore\FileRepository\stwrt64.inf_3c6572ef\AESTSr64.exe
2036 C:\WINDOWS\System32\agr64svc.exe
1036 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1240 C:\Program Files (x86)\Bonjour\mDNSResponder.exe
1184 C:\WINDOWS\System32\svchost.exe
1440 C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
2124 C:\WINDOWS\System32\svchost.exe
2172 C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
2212 C:\Program Files (x86)\HP\QuickPlay\Kernel\TV\QPSched.exe
2228 C:\WINDOWS\SMINST\BLService.exe
2252 C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
2280 C:\WINDOWS\System32\svchost.exe
2320 C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
2344 C:\WINDOWS\System32\svchost.exe
2364 C:\WINDOWS\System32\SearchIndexer.exe
2492 WmiPrvSE.exe
2792 C:\WINDOWS\System32\dwm.exe
2840 C:\WINDOWS\System32\taskeng.exe
2856 C:\WINDOWS\explorer.exe
2988 C:\WINDOWS\System32\igfxtray.exe
3004 C:\WINDOWS\System32\hkcmd.exe
3020 C:\WINDOWS\System32\igfxpers.exe
3056 C:\Program Files\Apoint2K\Apoint.exe
1044 C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
2536 C:\Program Files\Windows Defender\MSASCui.exe
1116 C:\Program Files\IDT\WDM\sttray64.exe
1196 C:\Program Files\Windows Sidebar\sidebar.exe
372 C:\Program Files (x86)\HP\QuickPlay\QPService.exe
3076 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
3084 C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe
3100 C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
3120 C:\WINDOWS\System32\igfxsrvc.exe
3276 C:\Program Files\Windows Sidebar\sidebar.exe
3508 C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
3592 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
3776 C:\Program Files (x86)\iTunes\iTunesHelper.exe
3784 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
3800 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
1176 C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
2876 C:\Program Files\iPod\bin\iPodService.exe
3828 WmiPrvSE.exe
4196 C:\Program Files\Apoint2K\ApMsgFwd.exe
4224 C:\Program Files\Apoint2K\ApntEx.exe
4328 C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
4356 C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
4476 C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
4892 C:\WINDOWS\System32\taskeng.exe
4532 C:\Program Files\Windows Media Player\wmpnscfg.exe
4268 C:\Program Files\Windows Media Player\wmpnetwk.exe
4320 C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
1304 C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
4948 C:\Program Files (x86)\Mozilla Firefox\firefox.exe
4952 taskeng.exe
3208 C:\Users\BedigandMary\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`69700000 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500BEVS-60UST0, Rev: 01.01A01

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 08F21ADD893776C287CC68A3558F8D095B50ED3C

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Hi, this looks like a new kind of infection. Could you please answer a few questions:

Do you use disk encryption or do you have a Dell computer?

What is on your D drive.

I am asking this, because this is a pretty severe infection and rarely seen on 64 bit computers.

For that reason I also want to run a rootkit scan (if it doesn't run, no worries, rootkit scanners usually are not 64 bit compatible).

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth, and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"


save to desktop but got this warning...

Error loading driver, NTSSTATUS code: 0xc00036B still there while typing this. i'll close it now. closed fine. still typing. :)

my laptop is an HP Pavilion dv4 Notebook PC

no encryption that i know of.

D drive: HP Recovery 1.82gb free of 11.2gb

thanks for all your help!


Your log indicates you have an infected Master Boot Record (MBR). To learn more about this infection please refer to:

Rerun MBRCheck.exe again by double-clicking on it. Vista/Windows 7 users right-click and select Run As Administrator.

  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option [2] (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter [0] (for PhysicalDrive0) and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below.
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:

  • Please select your version of Windows from the list and enter the corresponding number (For example, type 0 or 1 for XP, type 3 for Vista, type 5 for Windows 7, etc) and then press Enter. Be careful...if the wrong OS is used, it will render the computer unbootable.
  • When prompted for confirmation: 'Do you want to fix the MBR code?'. Type the full word Yes (not Y or the fix will not work) and press Enter.
  • Left-click on the title bar (where program name and path is written).
  • From the menu chose Edit -> Select All.
  • Press the Enter key on your keyboard to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.

Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. Further, Vista does not always use the same MBR code as it depends on the type of install that was used. I recommend you have your Windows CD available which will allow recovering the boot code via the Windows Recovery Console (XP) or Recovery Environment Startup Repair (Vista, Windows 7) in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR:

  • How to use the Recovery Console
  • How to fix MBR in Windows XP and Vista
  • How to fix MBR in Windows 7
  • How to Make a Windows Vista Repair Disk If You Don


hello again

any way of knowing how long this has been on my computer??

is it capable of infecting other computers?

MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: Compal
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv4 Notebook PC
Logical Drives Mask: 0x0000001c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`69700000 (NTFS)

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 08F21ADD893776C287CC68A3558F8D095B50ED3C

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2
Enter the physical disk number to fix (0-99, -1 to cancel): 0

Available MBR codes:
[ 0] Default (Windows Vista)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 0
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.

Done!
Press ENTER to exit...


woke up this morning, found that my computer froze, shut down and restarted itself overnight. this is the message on screen (copied and saved to notepad).

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 9f
BCP1: 0000000000000003
BCP2: FFFFFA8004B84A30
BCP3: FFFFFA8006289050
BCP4: FFFFFA80068F0B60
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1

Files that help describe the problem:
C:\WINDOWS\Minidump\Mini081810-01.dmp
C:\Users\BedigandMary\AppData\Local\Temp\WER-10347671-0.sysdata.xml
C:\Users\BedigandMary\AppData\Local\Temp\WER33FE.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=501...mp;clcid=0x0409

MBR results w option 3. im hoping it was the right one, 'exit' rebooted computer then posted

results:

MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: Compal
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP Pavilion dv4 Notebook PC
Logical Drives Mask: 0x0000001c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000037`69700000 (NTFS)

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 08F21ADD893776C287CC68A3558F8D095B50ED3C

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 3

Done!
Press ENTER to exit...

im baffled that i have such a severe infection.....

thank you thank you thank you :(


Please do the following:

Run MBRCheck again

When prompted, Enter 'Y' and hit ENTER for more options

When you see: "Enter your choice: Enter the physical disk number to dump (0-99, -1 to exit):"

Enter 0 to dump the MBR of the physical disk.

Name the dumped file as dump0.dat

Enter -1 to exit.

Please then locate the files and visit this site and follow the instructions for uploading the file.

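Both of the MBRCheck steps in this thread (rewriting the boot code with a standard one, and dumping the MBR to dump0.dat for upload) work on the same 512-byte sector. What follows is an added example written for this thread; it is not MBRCheck's code and not something posted by Elise or Pete. It reads a raw MBR dump such as dump0.dat, checks the 0x55AA boot signature, hashes the 440-byte boot-code region the way MBRCheck's SHA1 line does, lists the partition entries with their byte offsets, and returns "Unknown MBR code" when the hash is not on a caller-supplied allow-list. The function names (parse_mbr, classify, build_sample_mbr, tamper) and the sample MBR, its partition sizes and its boot code are constructed for the example; only the two partition byte offsets (0x7e00 and 0x37`69700000) are taken from the log above. Real Windows boot-code hashes are not reproduced; the allow-list is a placeholder the caller fills from a verified clean install.

```python
"""Parse a raw 512-byte MBR dump and report what a boot-sector checker reports.

Added example for the MBRCheck discussion; not MBRCheck's own source.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0-439: boot code (the region that gets hashed)
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
SIG_OFFSET = 510             # 0x55AA boot signature

# Strings every standard Windows MBR carries.  Their absence on a disk that
# was installed from Windows media is a heuristic red flag, not proof.
STANDARD_STRINGS = (b"Invalid partition table",
                    b"Error loading operating system",
                    b"Missing operating system")


def parse_mbr(mbr: bytes) -> dict:
    """Return signature check, boot-code SHA1, string heuristic and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        entry = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, entry)
        if ptype == 0:                      # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "byte_offset": lba * SECTOR,    # what MBRCheck prints as "at offset"
            "size_bytes": count * SECTOR,
        })
    boot_code = mbr[:BOOT_CODE_LEN]
    return {
        "signature_ok": mbr[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xaa",
        "boot_code_sha1": hashlib.sha1(boot_code).hexdigest().upper(),
        "has_standard_strings": all(s in boot_code for s in STANDARD_STRINGS),
        "partitions": partitions,
    }


def classify(mbr: bytes, known_good_sha1: set) -> str:
    """Verdict in MBRCheck's terms: on the allow-list, or 'Unknown MBR code'.

    known_good_sha1 is a placeholder supplied by the caller (hashes taken
    from a verified clean install); none are hard-coded here.
    """
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "Invalid MBR (missing 0x55AA signature)"
    if info["boot_code_sha1"] in known_good_sha1:
        return "Standard MBR code"
    return "Unknown MBR code"


def build_sample_mbr() -> bytes:
    """Constructed MBR for offline testing (not a real disk image).

    Partition offsets match the thread's log (C: at 0x7e00, D: at
    0x37`69700000); sizes and boot-code bytes are made up.
    """
    boot = bytearray(BOOT_CODE_LEN)
    boot[0:3] = b"\x33\xc0\x8e"             # placeholder opcode-looking bytes
    pos = 300
    for s in STANDARD_STRINGS:              # embed the strings a real MBR carries
        boot[pos:pos + len(s)] = s
        pos += len(s) + 1
    disk_sig = b"\x12\x34\x56\x78\x00\x00"  # 4-byte disk signature + 2 reserved
    nul3 = b"\x00\x00\x00"
    p1 = struct.pack("<B3sB3sII", 0x80, nul3, 0x07, nul3, 63, 464828353)        # C: NTFS
    p2 = struct.pack("<B3sB3sII", 0x00, nul3, 0x07, nul3, 464828416, 23468032)  # D: recovery
    empty = bytes(16)
    mbr = bytes(boot) + disk_sig + p1 + p2 + empty + empty + b"\x55\xaa"
    assert len(mbr) == SECTOR
    return mbr


def tamper(mbr: bytes, offset: int = 100) -> bytes:
    """Flip one boot-code byte to show that the hash (and verdict) changes."""
    out = bytearray(mbr)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print("SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print(f"  partition {p['index']}: type 0x{p['type']:02x} at offset "
              f"0x{p['byte_offset']:x}, {p['size_bytes'] // 2**30} GiB, "
              f"bootable={p['bootable']}")
    print(classify(sample, set()))         # placeholder allow-list is empty
```

To use it on a real dump, read the file with open("dump0.dat", "rb").read() and pass the bytes to parse_mbr. The hash comparison is the only strong signal, which is why MBRCheck asks for known codes; the string heuristic just helps explain a mismatch, since boot-code replacements often drop the standard error strings while leaving the partition table intact so the machine still boots.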

sorry for the question, but do i enter -1 after it says 'Done! Press enter to exit...'? on the other scans, i hit enter on my keyboard but i have a feeling you want me to type in -1 then hit enter? is that right? the program (mbr) is still open as i dont want to mess anything up.

i also ask since i remember seeing an option with my other scan(when i used option 2) and one of them was -1, and that meant 'no op system'

i have no idea if i'm right or wrong, please advise. thanks


This topic is now closed to further replies.