19 replies to this topic

[KMB]

Hi,
I first started having a problem yesterday. My computer was acting slow and funny so I restarted it. Since then it will not load my personal settings. It says it cannot load the user profiles and loads a temporary one. I then downloaded malwarebites where it found this virus hijack.startmenu. I deleted it and restarted as instructed. It did not fix the user profile problem and after scanning again it found the same virus. I have done this numerous times and it will not go away. So in following another thread here I downloaded the Trend Micro Hijack and did a scan. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:22 PM, on 10/9/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Windows\vsnp2uvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
c:\Program Files\MSN\Toolbar\3.0.0541.0\msntask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - https://lowes.2020.n...yerAX_Win32.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://merillat.view...View22RTEv4.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Google Update Service (gupdate1c9f9bbb2908c41) (gupdate1c9f9bbb2908c41) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9425 bytes

And here is the log for the last scan with malwarebites:

Malwarebytes' Anti-Malware 1.41
Database version: 2928
Windows 6.0.6001 Service Pack 1

10/9/2009 11:37:42 PM
mbam-log-2009-10-09 (23-37-42).txt

Scan type: Quick Scan
Objects scanned: 98744
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Please help!
Kristy

[Maurice Naggar]

Hello Kristy,
I suggest you start with the following:
Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

Step 2: Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Step 3: Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=
Step 4
This system has an old version of Java Run-time.
See this topic in the AumHa Security forum and get the latest Java run-time
http://aumha.net/vie...hp?f=26&t=41698

Step 5: Using Internet Explorer browser only, go to ESET Online Scanner website:
Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

• Accept the Terms of Use and press Start button;
  
  
• Approve the install of the required ActiveX Control, then follow on-screen instructions;
  
  
• Enable (check) the Remove found threats option, and run the scan.
  
  
• After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
  Look at contents of this file using Notepad or Wordpad.
  
  The Frequently Asked Questions for ESET Online Scanner can be viewed here
  http://www.eset.com/...c4.php?page=faq
  
  
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
    
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=
Step 6
Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

• Close all open windows on the Task Bar. Click the icon (for Vista, right click the icon and Run as Administrator) to start the program.
  
• In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  
• Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  
• It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  
• Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  
• Exit OTL by clicking the X at top right.

Download Security Check by screen317 and save it to your Desktop: here or here

• Run Security Check
  
• Follow the onscreen instructions inside of the command window.
  
• A Notepad document should open automatically called checkup.txt; close Notepad. We will need this log, too, so remember where you've saved it!

If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

Then copy/paste the following into your post (in order):

• the contents of ESET LOG.txt
  
• the contents of OTL.txt
  
• the contents of Extras.txt
  
• the contents of checkup.txt

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You may have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

[KMB]

Okay, I've posted here all the scans and it looks like they all fit. Thanks for your help!

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=a364ece9dbbb014f9d931efdafb2ac78
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-12 05:52:19
# local_time=2009-10-11 11:52:19 (-0700, Mountain Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=3588 61 100 96 28203334985725
# compatibility_mode=5889 61 66 100 544445263005212
# scanned=158482
# found=0
# cleaned=0
# scan_time=4250

OTL logfile created on: 10/12/2009 12:14:05 AM - Run 1
OTL by OldTimer - Version 3.0.20.0 Folder = C:\Users\Owner\Documents\My Dropbox\Public
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.69 Gb Available Physical Memory | 84.46% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 287.21 Gb Total Space | 253.08 Gb Free Space | 88.12% Space Free | Partition Type: NTFS
Drive D: | 10.88 Gb Total Space | 1.82 Gb Free Space | 16.70% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/10/12 00:12:45 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Users\Owner\Documents\My Dropbox\Public\OTL.exe
PRC - [2009/08/22 01:21:19 | 00,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
PRC - [2009/06/30 09:55:40 | 02,329,224 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2009/06/26 18:02:23 | 00,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/06/26 18:02:21 | 00,068,592 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
PRC - [2009/03/02 20:16:04 | 00,247,296 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\wmiprvse.exe
PRC - [2008/10/29 00:29:41 | 02,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Explorer.EXE
PRC - [2008/10/09 08:56:48 | 00,094,208 | ---- | M] (Hewlett-Packard) -- c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
PRC - [2008/10/06 10:54:52 | 00,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe
PRC - [2008/09/30 17:56:04 | 00,972,080 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
PRC - [2008/09/23 18:21:52 | 00,468,264 | ---- | M] (CyberLink Corp.) -- C:\Program Files\HP\QuickPlay\QPService.exe
PRC - [2008/09/15 08:13:38 | 00,241,734 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe
PRC - [2008/08/01 20:10:54 | 00,675,840 | ---- | M] (Sonix) -- C:\Windows\vsnp2uvc.exe
PRC - [2008/08/01 17:14:02 | 00,202,032 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PRC - [2008/07/10 16:27:58 | 00,150,040 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxtray.exe
PRC - [2008/07/10 16:27:54 | 00,256,536 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2008/07/10 16:27:52 | 00,145,944 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxpers.exe
PRC - [2008/07/10 16:27:40 | 00,170,520 | ---- | M] (Intel Corporation) -- C:\Windows\System32\hkcmd.exe
PRC - [2008/06/19 19:14:44 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
PRC - [2008/06/10 05:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/06/10 05:27:03 | 00,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
PRC - [2008/06/09 11:21:58 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe
PRC - [2008/06/09 11:16:32 | 02,363,392 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
PRC - [2008/05/01 17:25:56 | 00,165,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2008/04/17 12:05:20 | 00,103,720 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
PRC - [2008/04/17 12:05:10 | 01,049,896 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2008/04/15 15:51:00 | 00,488,752 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
PRC - [2008/04/11 10:04:54 | 00,685,360 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
PRC - [2008/04/03 12:33:26 | 00,193,840 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
PRC - [2008/01/20 20:23:52 | 00,037,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wbem\unsecapp.exe
PRC - [2007/10/17 17:37:04 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\xaudio.exe
PRC - [2007/09/26 08:34:40 | 00,316,720 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
PRC - [2007/05/08 17:24:20 | 00,054,840 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/08/22 01:21:19 | 00,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe -- (Norton Internet Security [Auto | Running])
SRV - [2009/06/30 13:48:00 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9f9bbb2908c41 [Auto | Stopped])
SRV - [2009/06/30 13:47:19 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2008/10/09 08:56:48 | 00,094,208 | ---- | M] (Hewlett-Packard) -- c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe -- (HP Health Check Service [Auto | Running])
SRV - [2008/10/06 10:54:52 | 00,365,952 | ---- | M] () -- C:\Program Files\SMINST\BLService.exe -- (Recovery Service for Windows [Auto | Running])
SRV - [2008/09/15 08:13:38 | 00,241,734 | ---- | M] () -- C:\Program Files\CyberLink\Shared files\RichVideo.exe -- (RichVideo [Auto | Running])
SRV - [2008/07/27 12:03:13 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/06/19 19:14:44 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Running])
SRV - [2008/06/19 19:14:31 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/06/19 19:14:31 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/06/09 11:21:58 | 00,073,728 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Common Files\LightScribe\LSSrvc.exe -- (LightScribeService [Auto | Running])
SRV - [2008/05/01 17:25:56 | 00,165,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex [On_Demand | Running])
SRV - [2008/04/03 12:33:26 | 00,193,840 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe -- (Com4QLBEx [On_Demand | Running])
SRV - [2008/01/20 20:25:33 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2008/01/20 20:25:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehRecvr.exe -- (ehRecvr [On_Demand | Stopped])
SRV - [2008/01/20 20:23:49 | 01,013,760 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wevtsvc.dll -- (Eventlog [Auto | Running])
SRV - [2008/01/20 20:23:32 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\mpsvc.dll -- (WinDefend [Auto | Stopped])
SRV - [2007/10/17 17:37:04 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\xaudio.exe -- (XAudioService [Auto | Running])
SRV - [2006/11/02 06:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched [On_Demand | Stopped])
SRV - [2006/11/02 06:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart [Auto | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2004/10/22 04:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/09/10 20:37:06 | 00,124,976 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2009/09/10 14:10:19 | 00,342,576 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090916.003\IDSvix86.sys -- (IDSVix86 [System | Running])
DRV - [2009/09/09 08:26:45 | 00,482,432 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\NIS\1007020.00B\ccHPx86.sys -- (ccHP [System | Running])
DRV - [2009/08/26 02:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/08/26 02:00:00 | 00,102,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2009/08/25 02:00:00 | 01,323,568 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091011.020\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2009/08/25 02:00:00 | 00,084,912 | ---- | M] (Symantec Corporation) -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091011.020\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/08/22 01:21:19 | 00,310,320 | ---- | M] (Symantec Corporation) -- C:\Windows\system32\drivers\NIS\1007020.00B\SYMEFA.SYS -- (SymEFA [Boot | Running])
DRV - [2009/08/22 01:21:19 | 00,308,272 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\NIS\1007020.00B\SRTSP.SYS -- (SRTSP [On_Demand | Running])
DRV - [2009/08/22 01:21:19 | 00,259,632 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\NIS\1007020.00B\BHDrvx86.sys -- (BHDrvx86 [System | Running])
DRV - [2009/08/22 01:21:19 | 00,217,136 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\NIS\1007020.00B\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2009/08/22 01:21:19 | 00,089,904 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\NIS\1007020.00B\SYMFW.SYS -- (SYMFW [On_Demand | Running])
DRV - [2009/08/22 01:21:19 | 00,048,688 | ---- | M] (Symantec Corporation) -- C:\Windows\System32\Drivers\NIS\1007020.00B\SYMNDISV.SYS -- (SYMNDISV [On_Demand | Running])
DRV - [2009/08/22 01:21:19 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\Windows\system32\drivers\NIS\1007020.00B\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2009/08/22 01:21:06 | 00,025,648 | R--- | M] (Symantec Corporation) -- C:\Windows\System32\DRIVERS\SymIMv.sys -- (SymIM [System | Running])
DRV - [2009/06/09 17:16:42 | 03,482,240 | ---- | M] () -- C:\Windows\System32\DRIVERS\snp2uvc.sys -- (SNP2UVC [On_Demand | Running])
DRV - [2008/10/23 04:05:13 | 00,020,024 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide [Boot | Running])
DRV - [2008/10/23 04:05:13 | 00,019,000 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide [Boot | Running])
DRV - [2008/10/23 04:05:13 | 00,017,464 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide [Boot | Running])
DRV - [2008/09/19 18:43:50 | 00,061,952 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Windows\System32\drivers\RTSTOR.SYS -- (RTSTOR [On_Demand | Running])
DRV - [2008/07/06 14:15:24 | 02,378,752 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\igdkmd32.sys -- (igfx [On_Demand | Running])
DRV - [2008/06/29 08:52:26 | 00,112,128 | ---- | M] (Intel® Corporation) -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService [On_Demand | Running])
DRV - [2008/06/10 12:54:36 | 00,123,904 | ---- | M] (Realtek Corporation ) -- C:\Windows\System32\DRIVERS\Rtlh86.sys -- (RTL8169 [On_Demand | Running])
DRV - [2008/06/05 10:58:42 | 00,222,208 | ---- | M] (Conexant Systems Inc.) -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService [On_Demand | Running])
DRV - [2008/04/27 12:07:44 | 00,909,824 | ---- | M] (Atheros Communications, Inc.) -- C:\Windows\System32\DRIVERS\athr.sys -- (athr [On_Demand | Running])
DRV - [2008/04/17 12:05:16 | 00,199,344 | ---- | M] (Synaptics, Inc.) -- C:\Windows\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2008/01/20 20:23:27 | 00,386,616 | ---- | M] (LSI Corporation, Inc.) -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR [Boot | Running])
DRV - [2008/01/20 20:23:27 | 00,149,560 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320 [Boot | Running])
DRV - [2008/01/20 20:23:27 | 00,031,288 | ---- | M] (LSI Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas [Boot | Running])
DRV - [2008/01/20 20:23:26 | 00,101,432 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m [Boot | Running])
DRV - [2008/01/20 20:23:26 | 00,074,808 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4 [Boot | Running])
DRV - [2008/01/20 20:23:26 | 00,040,504 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs [Boot | Running])
DRV - [2008/01/20 20:23:25 | 00,300,600 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci [Boot | Running])
DRV - [2008/01/20 20:23:25 | 00,089,656 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS [Boot | Running])
DRV - [2008/01/20 20:23:24 | 01,122,360 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300 [Boot | Running])
DRV - [2008/01/20 20:23:24 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\E1G60I32.sys -- (E1G60 [On_Demand | Stopped])
DRV - [2008/01/20 20:23:24 | 00,079,928 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas [Boot | Running])
DRV - [2008/01/20 20:23:23 | 00,235,064 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV [Boot | Running])
DRV - [2008/01/20 20:23:23 | 00,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid [Boot | Running])
DRV - [2008/01/20 20:23:23 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2 [Boot | Running])
DRV - [2008/01/20 20:23:23 | 00,096,312 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI [Boot | Running])
DRV - [2008/01/20 20:23:23 | 00,096,312 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC [Boot | Running])
DRV - [2008/01/20 20:23:23 | 00,079,416 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc [Boot | Running])
DRV - [2008/01/20 20:23:22 | 00,342,584 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor [Boot | Running])
DRV - [2008/01/20 20:23:21 | 00,422,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx [Boot | Running])
DRV - [2008/01/20 20:23:21 | 00,102,968 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid [Boot | Running])
DRV - [2008/01/20 20:23:21 | 00,045,112 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor [Boot | Running])
DRV - [2008/01/20 20:23:20 | 02,225,664 | ---- | M] (Intel Corporation) -- C:\Windows\System32\DRIVERS\NETw3v32.sys -- (NETw3v32 [On_Demand | Stopped])
DRV - [2008/01/20 20:23:20 | 00,238,648 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci [Boot | Running])
DRV - [2007/10/31 19:51:26 | 00,985,600 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\HSX_DPV.sys -- (HSF_DPV [On_Demand | Running])
DRV - [2007/10/31 19:47:54 | 00,208,896 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\HSXHWAZL.sys -- (HSXHWAZL [On_Demand | Running])
DRV - [2007/10/31 19:47:08 | 00,661,504 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\HSX_CNXT.sys -- (winachsf [On_Demand | Running])
DRV - [2007/10/17 17:36:54 | 00,008,704 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\DRIVERS\xaudio.sys -- (XAudio [Auto | Running])
DRV - [2007/06/18 18:12:04 | 00,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Windows\System32\DRIVERS\HpqKbFiltr.sys -- (HpqKbFiltr [On_Demand | Running])
DRV - [2006/11/02 03:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx [Boot | Running])
DRV - [2006/11/02 03:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata [Boot | Running])
DRV - [2006/11/02 03:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960 [Boot | Running])
DRV - [2006/11/02 03:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp [Boot | Running])
DRV - [2006/11/02 03:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx [Boot | Running])
DRV - [2006/11/02 03:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid [Boot | Running])
DRV - [2006/11/02 03:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi [Boot | Running])
DRV - [2006/11/02 03:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx [Boot | Running])
DRV - [2006/11/02 03:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3 [Boot | Running])
DRV - [2006/11/02 03:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x [Boot | Running])
DRV - [2006/11/02 03:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi [Boot | Running])
DRV - [2006/11/02 02:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid [On_Demand | Stopped])
DRV - [2006/11/02 02:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer [On_Demand | Stopped])
DRV - [2006/11/02 02:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp [On_Demand | Stopped])
DRV - [2006/11/02 02:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo [On_Demand | Stopped])
DRV - [2006/11/02 02:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm [On_Demand | Stopped])
DRV - [2006/11/02 02:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm [On_Demand | Stopped])
DRV - [2006/11/02 01:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi [On_Demand | Stopped])
DRV - [2006/11/02 01:30:56 | 00,194,048 | ---- | M] (Marvell) -- C:\Windows\System32\DRIVERS\yk60x86.sys -- (yukonwlh [On_Demand | Stopped])
DRV - [2006/11/02 00:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv [Auto | Running])
DRV - [2006/06/18 16:26:58 | 00,012,672 | ---- | M] (Conexant) -- C:\Windows\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 08:10:06 | 00,000,000 | ---D | M]


O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QPService] C:\Program Files\HP\QuickPlay\QPService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe (Sonix)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe (Hewlett-Packard)
O4 - HKCU..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe (Hewlett-Packard Company)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Windows\System32\napinsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Windows\System32\pnrpnsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} https://lowes.2020.n...yerAX_Win32.cab (20-20 3D Viewer)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} http://merillat.view...View22RTEv4.cab (View22RTEv4 Class)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.85.102 68.87.69.150 0.0.0.0
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\microsoft shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/08 23:52:39 | 00,000,049 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/10/09 00:54:45 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/10/09 01:34:28 | 00,000,000 | ---D | C] -- C:\ProgramData\WindowsSearch
[2009/10/11 22:17:38 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming
[2009/10/11 22:28:45 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\Adobe
[2009/10/11 22:28:38 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\Google
[2009/10/11 22:21:08 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\Hewlett-Packard
[2009/10/11 22:18:24 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\Identities
[2009/10/11 22:20:17 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\Intuit
[2009/10/11 22:18:12 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\IObit
[2009/10/11 22:28:46 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\Macromedia
[2009/10/11 22:17:38 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\Media Center Programs
[2009/10/11 22:17:38 | 00,000,000 | --SD | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\Microsoft
[2009/10/11 22:17:38 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Local
[2009/10/11 22:17:40 | 00,000,000 | -HSD | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Local\Application Data
[2009/10/11 22:19:44 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Local\Google
[2009/10/11 22:21:10 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Local\Hewlett-Packard
[2009/10/11 22:17:40 | 00,000,000 | -HSD | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Local\History
[2009/10/11 22:17:38 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Local\Microsoft
[2009/10/11 22:17:38 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Local\Temp
[2009/10/11 22:17:40 | 00,000,000 | -HSD | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Local\Temporary Internet Files
[2009/10/11 22:17:54 | 00,000,000 | ---D | C] -- C:\Users\TEMP.Owner-PC.006\AppData\Local\VirtualStore
[2009/10/11 21:03:16 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/10/11 22:32:43 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/10/09 14:13:08 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2009/10/09 00:54:45 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/08 23:28:50 | 00,000,000 | ---D | C] -- C:\Program Files\Registry Patrol
[2009/10/09 23:04:55 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/10/12 00:08:27 | 00,521,216 | ---- | C] (OldTimer Tools) -- C:\Users\TEMP.Owner-PC.006\Desktop\OTL.exe
[2009/10/11 22:17:40 | 00,000,000 | -HSD | C] -- C:\Users\TEMP.Owner-PC.006\Documents\My Videos
[2009/10/11 22:17:40 | 00,000,000 | -HSD | C] -- C:\Users\TEMP.Owner-PC.006\Documents\My Pictures
[2009/10/11 22:17:40 | 00,000,000 | -HSD | C] -- C:\Users\TEMP.Owner-PC.006\Documents\My Music
[2009/10/11 22:05:40 | 00,000,000 | ---D | C] -- C:\Sun
[2009/10/11 21:04:00 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/10/09 00:54:47 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/10/09 00:54:45 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/10/08 23:29:08 | 00,000,000 | ---D | C] -- C:\Windows\System32\Registry Patrol
[2009/10/08 23:28:59 | 00,086,016 | ---- | C] (MindVision Software) -- C:\Windows\unvise32.exe
[2009/10/07 09:30:37 | 00,044,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups2.dll
[2009/10/07 09:30:36 | 02,421,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wucltux.dll
[2009/10/07 09:30:36 | 01,929,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuaueng.dll
[2009/10/07 09:30:36 | 00,053,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuauclt.exe
[2009/10/07 09:30:12 | 00,575,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapi.dll
[2009/10/07 09:30:12 | 00,087,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wudriver.dll
[2009/10/07 09:30:12 | 00,035,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wups.dll
[2009/10/07 09:29:47 | 00,171,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuwebv.dll
[2009/10/07 09:29:47 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wuapp.exe
[2007/07/04 21:28:52 | 00,176,128 | ---- | C] ( ) -- C:\Windows\System32\csnp2uvc.dll

========== Files - Modified Within 30 Days ==========

[2009/10/12 00:15:36 | 00,000,418 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{7C8FFEE4-B8AC-446C-B4C6-3253404B39A5}.job
[2009/10/12 00:15:26 | 00,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/10/12 00:15:26 | 00,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/10/12 00:08:33 | 00,521,216 | ---- | M] (OldTimer Tools) -- C:\Users\TEMP.Owner-PC.006\Desktop\OTL.exe
[2009/10/11 23:33:01 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2009/10/11 22:28:49 | 00,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2009/10/11 22:23:46 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/10/11 22:23:46 | 00,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/10/11 22:23:46 | 00,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/10/11 22:19:48 | 00,000,284 | ---- | M] () -- C:\ProgramData\hpqp.ini
[2009/10/11 22:19:33 | 00,075,656 | ---- | M] () -- C:\Users\TEMP.Owner-PC.006\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/10/11 22:18:12 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2009/10/11 22:18:10 | 00,000,370 | ---- | M] () -- C:\Windows\tasks\AWC Startup.job
[2009/10/11 22:15:34 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/10/11 22:15:20 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/10/11 22:15:17 | 31,490,78528 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/10 17:15:04 | 00,000,376 | ---- | M] () -- C:\Windows\ODBC.INI
[2009/10/09 14:13:18 | 00,000,974 | ---- | M] () -- C:\Users\Public\Desktop\Advanced SystemCare.lnk
[2009/10/09 00:54:51 | 00,000,778 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/09 00:39:12 | 00,000,042 | ---- | M] () -- C:\Windows\System32\RegistryPatrolUpdates.ini
[2009/10/08 23:57:17 | 00,311,040 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/10/08 23:52:39 | 00,000,049 | ---- | M] () -- C:\autoexec.bat
[2009/10/06 15:34:01 | 00,001,931 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2009/09/25 09:04:38 | 00,000,165 | ---- | M] () -- C:\Windows\QUICKEN.INI
[2009/09/24 21:45:10 | 00,001,583 | ---- | M] () -- C:\Users\Public\Desktop\Quicken Deluxe 2008.lnk
[2009/09/24 21:45:09 | 00,001,587 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Billminder.lnk
[2009/09/23 12:13:01 | 00,000,322 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForOwner.job

========== Files - No Company Name ==========
[2009/10/11 22:20:06 | 00,000,000 | ---- | C] () -- C:\Users\TEMP.Owner-PC.006\AppData\Local\QSwitch.txt
[2009/10/11 22:20:06 | 00,000,000 | ---- | C] () -- C:\Users\TEMP.Owner-PC.006\AppData\Local\DSwitch.txt
[2009/10/11 22:20:06 | 00,000,000 | ---- | C] () -- C:\Users\TEMP.Owner-PC.006\AppData\Local\AtStart.txt
[2009/10/11 22:19:33 | 00,075,656 | ---- | C] () -- C:\Users\TEMP.Owner-PC.006\AppData\Local\GDIPFONTCACHEV1.DAT
[2009/10/09 14:13:26 | 00,000,370 | ---- | C] () -- C:\Windows\tasks\AWC Startup.job
[2009/10/09 14:13:18 | 00,000,974 | ---- | C] () -- C:\Users\Public\Desktop\Advanced SystemCare.lnk
[2009/10/09 00:54:51 | 00,000,778 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/08 23:48:58 | 00,000,042 | ---- | C] () -- C:\Windows\System32\RegistryPatrolUpdates.ini
[2009/09/24 21:45:09 | 00,001,587 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Billminder.lnk
[2009/08/31 14:00:22 | 00,021,504 | ---- | C] () -- C:\Windows\System32\WBCustomizer.dll
[2009/08/31 14:00:21 | 00,185,344 | ---- | C] () -- C:\Windows\System32\MemWarp.dll
[2009/07/23 22:33:25 | 00,000,165 | ---- | C] () -- C:\Windows\QUICKEN.INI
[2009/06/28 21:56:00 | 00,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2009/06/26 17:45:58 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/06/09 17:16:42 | 03,482,240 | ---- | C] () -- C:\Windows\System32\drivers\snp2uvc.sys
[2009/04/22 06:16:27 | 00,000,105 | ---- | C] () -- C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
[2009/04/22 06:16:18 | 00,000,032 | ---- | C] () -- C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
[2009/04/22 06:15:54 | 00,000,032 | ---- | C] () -- C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
[2009/04/22 06:15:22 | 00,000,032 | ---- | C] () -- C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
[2009/04/22 06:13:36 | 00,000,032 | ---- | C] () -- C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
[2009/04/22 06:13:10 | 00,000,284 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2009/02/11 17:45:02 | 00,027,264 | ---- | C] () -- C:\Windows\System32\drivers\sncduvc.sys
[2008/10/23 04:50:32 | 00,000,109 | ---- | C] () -- C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
[2008/10/23 04:46:14 | 00,000,110 | ---- | C] () -- C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
[2008/10/23 04:44:45 | 00,000,105 | ---- | C] () -- C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
[2008/10/23 04:43:42 | 00,000,107 | ---- | C] () -- C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
[2008/07/06 14:29:46 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1518.dll
[2008/06/29 08:52:14 | 00,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2006/11/02 06:50:50 | 00,000,174 | -HS- | C] () -- C:\Program Files\desktop.ini
[2006/11/02 06:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 04:23:31 | 00,000,240 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 04:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 01:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/05/19 15:39:58 | 00,015,497 | ---- | C] () -- C:\Windows\snp2uvc.ini
[2006/03/09 03:58:00 | 01,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/10/11 22:28:46 | 00,000,000 | ---D | M] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming
[2009/10/11 22:20:17 | 00,000,000 | ---D | M] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\Intuit
[2009/10/11 22:18:12 | 00,000,000 | ---D | M] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\IObit
[2006/11/02 06:37:34 | 00,000,000 | ---D | M] -- C:\Users\TEMP.Owner-PC.006\AppData\Roaming\Media Center Programs
[2009/10/11 22:18:10 | 00,000,370 | ---- | M] () -- C:\Windows\Tasks\AWC Startup.job
[2009/10/11 22:28:49 | 00,000,868 | ---- | M] () -- C:\Windows\Tasks\Google Software Updater.job
[2009/10/11 22:18:12 | 00,000,882 | ---- | M] () -- C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
[2009/10/11 23:33:01 | 00,000,886 | ---- | M] () -- C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
[2009/09/23 12:13:01 | 00,000,322 | ---- | M] () -- C:\Windows\Tasks\HPCeeScheduleForOwner.job
[2009/10/11 22:15:34 | 00,000,006 | -H-- | M] () -- C:\Windows\Tasks\SA.DAT
[2009/10/11 22:12:51 | 00,032,628 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2009/10/12 00:15:36 | 00,000,418 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{7C8FFEE4-B8AC-446C-B4C6-3253404B39A5}.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:B26E984E
@Alternate Data Stream - 109 bytes -> C:\ProgramData\Temp:DFC5A2B2
< End of report >


OTL Extras logfile created on: 10/12/2009 12:14:05 AM - Run 1
OTL by OldTimer - Version 3.0.20.0 Folder = C:\Users\Owner\Documents\My Dropbox\Public
Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.69 Gb Available Physical Memory | 84.46% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 287.21 Gb Total Space | 253.08 Gb Free Space | 88.12% Space Free | Partition Type: NTFS
Drive D: | 10.88 Gb Total Space | 1.82 Gb Free Space | 16.70% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OWNER-PC
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\Windows\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.reg [@ = regfile] --

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SystemRoot%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [open] --
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2C37747F-6211-4045-9F15-C37EC4F53685}" = lport=137 | protocol=17 | dir=in | app=system |
"{2D8409E8-6613-4894-A699-7427D495B5EE}" = rport=445 | protocol=6 | dir=out | app=system |
"{3397ECF9-8F67-4781-8D3C-4536BD514A90}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{762CB3EE-1AB1-4379-9328-599981180BBD}" = lport=139 | protocol=6 | dir=in | app=system |
"{931475E7-7DBF-4C0D-9A41-A1CA2EFD338A}" = lport=138 | protocol=17 | dir=in | app=system |
"{BEEB2DB9-61D9-4207-98ED-031A6FF433FA}" = rport=138 | protocol=17 | dir=out | app=system |
"{D9391476-C0D9-44BF-862C-BB8C9C39D74D}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{DFF425B6-A1E9-4B0F-8D42-B36E8CA13026}" = rport=137 | protocol=17 | dir=out | app=system |
"{E0950A7D-ACD6-4896-ADB8-2B8D6F12B717}" = rport=139 | protocol=6 | dir=out | app=system |
"{F524216E-1FC3-4993-B18C-03AEB040F8D7}" = lport=445 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{17C62284-2077-422F-8D83-2F54C1D87822}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{27324AA5-6A32-4E71-B75D-AD3E4677FD19}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{3053D97C-241E-4AC5-9170-CB3FF8399023}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{54E655AB-2021-48C3-B896-FE25C42AE86F}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{6488101D-70EA-4629-8042-C5282E5D84F6}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{83766235-776A-44E7-A9D3-8B63EA8C4A18}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{87946298-0A8C-460F-89C9-A516E9BA110C}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |
"{D313A60A-A28E-412B-9795-302113C31BFE}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{D68F53D0-0445-4809-B609-C17DC39B2201}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0054A0F6-00C9-4498-B821-B5C9578F433E}" = HP Help and Support
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}" = LightScribe System Software 1.14.17.1
"{154A4184-1A3D-4BF9-A5AE-4FA1660445F3}" = HP Total Care Advisor
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{3877C901-7B90-4727-A639-B6ED2DD59D43}" = ESU for Microsoft Vista
"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module
"{4532168B-140A-48D1-91F3-4F52EEE3DBA3}" = ArcSoft Collage Creator
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7
"{57A5AEC1-97FC-474D-92C4-908FCC2253D4}" = HP Customer Experience Enhancements
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7B15D70E-9449-4CFB-B9BC-798465B2BD5C}" = Norton Internet Security
"{7F1B3341-A94E-4F5C-B587-CA0EB964221E}" = Microsoft Money Shared Libraries
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{846DDADA-0239-4B67-A6B1-33658863793B}" = HPTCSSetup
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169 8168 8101E 8102E Ethernet Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{96384578-C6A2-4EC6-92CD-B62A60713040}" = Microsoft Live Search Toolbar
"{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}" = HP Wireless Assistant
"{a56b707b-1e1e-4902-a3e2-1cce405d3c1f}" = NetLibrary Media Center
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{B6D0B141-B2BE-4DD0-B08F-B9186F3E36B3}" = HP User Guides 0118
"{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}" = HP Active Support Library
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DD35C328-F115-BEDA-6EEE-E00C5AACCCBC}" = muvee Reveal
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"asunnygarden_3122092" = asunnygarden_3122092 Screen Saver
"BookSmart® 2.0.1 2.0.1" = BookSmart® 2.0.1 2.0.1
"Bullzip PDF Printer_is1" = Bullzip PDF Printer 6.0.0.865
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"doPDF 6 printer_is1" = doPDF 6.2 printer
"ERUNT_is1" = ERUNT 1.1j
"ESET Online Scanner" = ESET Online Scanner v3
"Google Chrome" = Google Chrome
"Google Updater" = Google Updater
"GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.64
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"Java Platform, Enterprise Edition 5 SDK" = Java Platform, Enterprise Edition 5 SDK
"jumpinaround_3054731" = jumpinaround_3054731 Screen Saver
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2008b" = Microsoft Money Plus
"NIS" = Norton Internet Security
"Scrapbook MAX!" = Scrapbook MAX!
"SynTPDeinstKey" = Synaptics Pointing Device Driver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/10/2009 9:11:40 AM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 10/10/2009 9:11:40 AM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 10/10/2009 9:11:40 AM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 10/10/2009 9:11:40 AM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 10/10/2009 9:11:40 AM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 10/10/2009 9:11:40 AM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 10/10/2009 9:11:40 AM | Computer Name = Owner-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 10/11/2009 11:08:02 AM | Computer Name = Owner-PC | Source = profsvc | ID = 1508
Description = Windows was unable to load the registry. This problem is often caused
by insufficient memory or insufficient security rights. DETAIL - Error performing
inpage operation. for C:\Users\Owner\ntuser.dat

Error - 10/11/2009 11:08:02 AM | Computer Name = Owner-PC | Source = profsvc | ID = 1502
Description = Windows cannot load the locally stored profile. Possible causes of
this error include insufficient security rights or a corrupt local profile. DETAIL
- Error performing inpage operation.

Error - 10/11/2009 11:08:08 AM | Computer Name = Owner-PC | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 10/10/2009 12:30:50 AM | Computer Name = Owner-PC | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.

Error - 10/10/2009 12:30:50 AM | Computer Name = Owner-PC | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.

Error - 10/10/2009 1:21:38 AM | Computer Name = Owner-PC | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.

Error - 10/10/2009 1:21:38 AM | Computer Name = Owner-PC | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.

Error - 10/10/2009 1:21:38 AM | Computer Name = Owner-PC | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.

Error - 10/10/2009 1:22:26 AM | Computer Name = Owner-PC | Source = HTTP | ID = 15016
Description =

Error - 10/10/2009 1:24:53 AM | Computer Name = Owner-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 10/10/2009 1:31:34 AM | Computer Name = Owner-PC | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.

Error - 10/10/2009 1:31:34 AM | Computer Name = Owner-PC | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.

Error - 10/10/2009 1:31:34 AM | Computer Name = Owner-PC | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.


< End of report >

Results of screen317's Security Check version 0.99.0
Windows Vista Service Pack 1 (UAC is enabled)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
Norton Internet Security
Norton Internet Security
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
HijackThis 2.0.2
Java Platform, Enterprise Edition 5 SDK
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.1.3
``````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

[Maurice Naggar]

When starting a reply, please only use the ADDReply button at bottom of forum screen.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<

• Double-click FixPolicies.exe.
  
• Click the "Install" button on the bottom toolbar of the box that will open.
  
• The program will create a new Folder called FixPolicies.
  
• Double-click to Open the new Folder, and then RIGHT-click the file within: Fix_Policies.cmd and select Run as Administrator.
  
• A black box will briefly appear and then close.
  
• This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Update MBAM and then do a new scan:
Do a RIGHT click on your MBAM MalwareBytes' Anti-Malware icon or shortcut and select Run as Administrator
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.
At this time of posting, the current definitions are # 2952.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with copy of the MBAM scan log.

[KMB]

I followed your instructions with the fixpolicies and then running the updated MBAM. MBAM found the same hijack.startmenu that won't go away. I removed it and I then restarted my computer. It is acting just the same and will not load up the user profile. Furthermore, the log in MBAM was empty and fixpolicies was not longer on my desktop. It's like it just wiped out everything out.

So then after the restart I ran through the fixpolicies and MBAM scan again. I did not restart the computer this time so here is the log from running MBAM.

Malwarebytes' Anti-Malware 1.41
Database version: 2955
Windows 6.0.6001 Service Pack 1

10/13/2009 12:08:31 PM
mbam-log-2009-10-13 (12-08-31).txt

Scan type: Quick Scan
Objects scanned: 100745
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks!!

[Maurice Naggar]

I'd like to have you run one other report.
SilentRunners is a report only.

Close all non-essential programs & windows that you have open.
Go here and download & SAVE Silent Runners.vbs (use IE to download it) to a new folder on your drive and run it. It generates a log too {name will start with "Startup Programs". It takes a minute or two and it will notify you with a popup when your log is ready (it will be in the new folder you created). Please post the information back in this thread. If your AV queries the script, allow it to run. It's not malicious. It simply generates a report on your system, and does not do any cleanup.

Post back with copy of the the log from SilentRunners.

[KMB]

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPADVISOR" = "C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN" [null data]
"LightScribe Control Panel" = "C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden" ["Hewlett-Packard Company"]
"swg" = ""C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"IgfxTray" = "C:\Windows\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\Windows\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\Windows\system32\igfxpers.exe" ["Intel Corporation"]
"QPService" = ""C:\Program Files\HP\QuickPlay\QPService.exe"" ["CyberLink Corp."]
"UpdatePSTShortCut" = ""C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"" ["CyberLink Corp."]
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"QlbCtrl.exe" = "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start" [" Hewlett-Packard Development Company, L.P."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"HP Health Check Scheduler" = "c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [null data]
"HP Software Update" = "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard"]
"hpWirelessAssistant" = "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" ["Hewlett-Packard Development Company, L.P."]
"Google Quick Search Box" = ""C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun" ["Google Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"snp2uvc" = "C:\Windows\vsnp2uvc.exe" ["Sonix"]
"Malwarebytes Anti-Malware (reboot)" = ""C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
-> {HKLM...CLSID} = "Adobe PDF Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\(Default) = "Symantec NCO BHO"
-> {HKLM...CLSID} = "Symantec NCO BHO"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll" ["Symantec Corporation"]
{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\(Default) = "Symantec Intrusion Prevention"
-> {HKLM...CLSID} = "Symantec Intrusion Prevention"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL" ["Symantec Corporation"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll" ["Google Inc."]
{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}\(Default) = "Google Dictionary Compression sdch"
-> {HKLM...CLSID} = "Google Dictionary Compression sdch"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll" ["Google Inc."]
{d2ce3e00-f94a-4740-988e-03dc2f38c34f}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Microsoft Live Search Toolbar Helper"
\InProcServer32\(Default) = "c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{28803F59-3A75-4058-995F-4EE5503B023C}" = "Wireless Devices"
-> {HKLM...CLSID} = "Bluetooth Devices"
\InProcServer32\(Default) = "C:\Windows\system32\FunctionDiscoveryFolder.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "ShellViewRTF"
-> {HKLM...CLSID} = "ShellViewRTF"
\InProcServer32\(Default) = "C:\Program Files\Sminst\ShellvRTF.dll" ["XSS"]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\Windows\System32\ieframe.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = ""C:\Program Files\Norton Internet Security\Engine\16.7.2.11\NavShExt.dll"" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = ""C:\Program Files\Norton Internet Security\Engine\16.7.2.11\NavShExt.dll"" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDesktopCleanupWizard" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}

"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\web\wallpaper\Silhouette.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\windows\web\wallpaper\Silhouette.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

LightScribeOnArrivalAP\
"Provider" = "LightScribe Direct Disc Labeling"
"InvokeProgID" = "LightScribe.AutoPlayHandler"
"InvokeVerb" = "LabelLightScribeDisc"
HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "C:\Program Files\Common Files\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"]

muveePicturesOnArrival\
"Provider" = "muvee Reveal"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithMuveeReveal"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithMuveeReveal\Command\(Default) = ""C:\Program Files\muvee Technologies\muvee Reveal - SE\muveereveal.exe" -mediaarrival=%L" [null data]

muveeVideoCameraArrivalCaptureWizard\
"Provider" = "muvee Reveal"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\muvee Technologies\muvee Reveal - SE\muveereveal.exe" -capture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

muveeVideoOnArrival\
"Provider" = "muvee Reveal"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithMuveeReveal"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithMuveeReveal\Command\(Default) = ""C:\Program Files\muvee Technologies\muvee Reveal - SE\muveereveal.exe" -mediaarrival=%L" [null data]

P2GCDBurningOnArrival\
"Provider" = "Power2Go"
"InvokeProgID" = "BlankCD"
"InvokeVerb" = "OpenWithPower2Go"
HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithPower2Go\Command\(Default) = ""C:\Program Files\CyberLink\Power2Go\Power2Go.exe" "%L"" ["CyberLink Corp."]

P2GDVDBurningOnArrival\
"Provider" = "Power2Go"
"InvokeProgID" = "BlankDVD"
"InvokeVerb" = "OpenWithPower2Go"
HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithPower2Go\Command\(Default) = ""C:\Program Files\CyberLink\Power2Go\Power2Go.exe" "%L"" ["CyberLink Corp."]

PDirDVArrival\
"Provider" = "PowerDirector"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\CyberLink\PowerDirector\PDR.exe" /DV"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

Power2GoPlayCDAudioOnArrival\
"Provider" = "Power2Go"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithPower2Go"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPower2Go\Command\(Default) = ""C:\Program Files\CyberLink\Power2Go\Power2Go.exe" /AudioRipper "%L"" ["CyberLink Corp."]

PStarterBlankCDArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "BlankCD"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe" "%L"" ["CyberLink"]

PStarterDVDBurningOnArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "BlankDVD"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe" "%L"" ["CyberLink"]

PStarterMixedCDArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "MixedContent"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\MixedContent\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe" "%L"" ["CyberLink"]

PStarterMusicFilesArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "MusicFiles"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\MusicFiles\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe" "%L"" ["CyberLink"]

PStarterPicturesArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe" "%L"" ["CyberLink"]

PStarterVideoFilesArrival\
"Provider" = "DVD Suite"
"InvokeProgID" = "VideoFiles"
"InvokeVerb" = "OpenWithPowerStarter"
HKLM\SOFTWARE\Classes\VideoFiles\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe" "%L"" ["CyberLink"]

QuickPlayPlayDVDMovieOnArrival\
"Provider" = "HP DVD Play"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithQuickPlay"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

QuickPlayPlayVideoCDMovieOnArrival\
"Provider" = "HP DVD Play"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithQuickPlay"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithQuickPlay\Command\(Default) = ""C:\Program Files\HP\QuickPlay\QP.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."]

WIA_{A86CE40C-1B18-4caa-A58F-D0AD152FCEB0}\
"Provider" = "muvee Reveal"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;"C:\Program Files\muvee Technologies\muvee Reveal - SE\muveereveal.exe" /StiDevice:%1 /StiEvent:%2;"
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"Billminder" -> shortcut to: "C:\Program Files\Quicken\billmind.exe" ["Intuit Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 26


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"
-> {HKLM...CLSID} = "Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll" ["Symantec Corporation"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "Google Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" = "Norton Toolbar"
-> {HKLM...CLSID} = "Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll" ["Symantec Corporation"]
"{1E61ED7C-7CB8-49D6-B9E9-AB4C880C8414}" = (no title provided)
-> {HKLM...CLSID} = "Microsoft Live Search Toolbar"
\InProcServer32\(Default) = "c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll" [MS]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
<<H>> C:\WINDOWS\INF\IERESET.INF was not found!

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

CNG Key Isolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
Com4QLBEx, Com4QLBEx, ""C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe"" ["Hewlett-Packard Development Company, L.P."]
Computer Browser, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]}
Extensible Authentication Protocol, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
HP Health Check Service, HP Health Check Service, ""c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe"" [null data]
hpqwmiex, hpqwmiex, ""C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe"" ["Hewlett-Packard Development Company, L.P."]
Human Interface Device Access, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Norton Internet Security, Norton Internet Security, ""C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll" /prefetch:1" ["Symantec Corporation"]
Recovery Service for Windows, Recovery Service for Windows, "C:\Program Files\SMINST\BLService.exe" [null data]
Secure Socket Tunneling Protocol Service, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}
Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
Windows Presentation Foundation Font Cache 3.0.0.0, FontCache3.0.0.0, "C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe" [MS]
WLAN AutoConfig, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Bullzip PDF Print Monitor\Driver = "bzpdf.dll" ["Bullzip"]
doPDF 6 Monitor\Driver = "dopdfmn6.dll" ["Softland"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2009-10-13 20:09:01)
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 68 seconds, including 18 seconds for message boxes)

[Maurice Naggar]

You will want to print out or copy these instructions to Notepad for offline reference!
These steps are for member KMB only. If you are a casual viewer, do NOT try this on your system!
If you are not KMB and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.


Show all files:

• Click the Start button, and then click Computer.
  
• On the Organize menu, click Folder and Search Options.
  
• Click the View tab.
  
• Locate and uncheck Hide file extensions for known file types.
  
• Locate and uncheck Hide protected operating system files (Recommended).
  
• Locate and click Show hidden files and folders.
  
• Click Apply > OK.

If you have a prior copy of Combofix, delete it now !

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Right- click on Combo-Fix.exe (red lion icon) on your Desktop and select "Run as Administrator".

• A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt.
Note:
Do not mouseclick combofix's window nor run any program while Combofix is running.
That may cause it to stall.

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt

[KMB]

Still has same problem with loading user profiles. Here is the combofix log. Thanks!!


ComboFix 09-10-14.09 - Owner 10/15/2009 9:58.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3002.1751 [GMT -6:00]
Running from: c:\users\TEMP.Owner-PC.008\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1746920256-1909227255-2816010487-500
c:\$recycle.bin\S-1-5-21-2819002435-850761837-2018973860-500
c:\windows\Installer\207c7.msi
c:\windows\Installer\207cb.msi
c:\windows\Installer\207cf.msi
c:\windows\Installer\207d3.msi
c:\windows\Installer\207d7.msi
c:\windows\Installer\207df.msi
c:\windows\Installer\292ae4.msi

.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-15 16:09 . 2009-10-15 16:09 -------- d-----w- c:\users\Owner\AppData\Local\temp
2009-10-15 16:09 . 2009-10-15 16:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-15 15:12 . 2009-10-15 15:12 -------- d-----w- c:\users\TEMP.Owner-PC.008\AppData\Local\Hewlett-Packard
2009-10-15 15:12 . 2009-10-15 15:12 -------- d-----w- c:\users\TEMP.Owner-PC.008\AppData\Roaming\Hewlett-Packard
2009-10-15 15:11 . 2009-10-15 15:11 -------- d-----w- c:\users\TEMP.Owner-PC.008\AppData\Roaming\Intuit
2009-10-15 15:11 . 2009-10-15 15:11 75656 ----a-w- c:\users\TEMP.Owner-PC.008\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-15 15:11 . 2009-10-15 15:13 -------- d-----w- c:\users\TEMP.Owner-PC.008\AppData\Local\Google
2009-10-14 20:15 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 20:15 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-13 17:35 . 2009-10-13 19:13 -------- d-----w- c:\users\TEMP.Owner-PC.007
2009-10-13 16:51 . 2009-10-13 17:32 -------- d-----w- c:\users\TEMP.Owner-PC.006
2009-10-12 04:32 . 2009-10-12 04:32 -------- d-----w- c:\program files\ESET
2009-10-12 04:05 . 2009-10-12 04:05 -------- d-----w- C:\Sun
2009-10-12 03:03 . 2009-10-12 03:03 -------- d-----w- c:\program files\ERUNT
2009-10-11 16:35 . 2009-10-12 04:12 -------- d-----w- c:\users\TEMP.Owner-PC.005
2009-10-11 15:08 . 2009-10-11 16:31 -------- d-----w- c:\users\TEMP.Owner-PC.004
2009-10-10 05:04 . 2009-10-10 05:04 -------- d-----w- c:\program files\Trend Micro
2009-10-10 04:21 . 2009-10-10 05:20 -------- d-----w- c:\users\TEMP.Owner-PC.003
2009-10-09 20:32 . 2009-10-09 20:38 -------- d-----w- c:\users\TEMP.Owner-PC.002
2009-10-09 20:13 . 2009-10-09 20:13 -------- d-----w- c:\program files\IObit
2009-10-09 17:44 . 2009-10-09 19:22 -------- d-----w- c:\users\TEMP.Owner-PC.001
2009-10-09 07:51 . 2009-10-09 08:03 -------- d-----w- c:\users\TEMP.Owner-PC.000
2009-10-09 07:34 . 2009-10-09 07:34 -------- d-----w- c:\programdata\WindowsSearch
2009-10-09 06:54 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 06:54 . 2009-10-13 17:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 06:54 . 2009-10-09 06:54 -------- d-----w- c:\programdata\Malwarebytes
2009-10-09 06:54 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 05:57 . 2009-10-09 06:02 -------- d-----w- c:\users\TEMP.Owner-PC
2009-10-09 05:43 . 2009-10-09 05:53 -------- d-----w- c:\users\TEMP
2009-10-09 05:29 . 2009-10-09 05:29 -------- d-----w- c:\windows\system32\Registry Patrol
2009-10-09 05:28 . 1999-12-17 16:13 86016 ----a-w- c:\windows\unvise32.exe
2009-10-09 05:28 . 2009-10-09 20:25 -------- d-----w- c:\program files\Registry Patrol
2009-10-07 15:30 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-07 15:30 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-07 15:30 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-07 15:30 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-07 15:30 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-07 15:30 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-07 15:30 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-07 15:29 . 2009-08-07 01:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-07 15:29 . 2009-08-07 00:44 33792 ----a-w- c:\windows\system32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 15:09 . 2009-10-15 15:09 -------- d-----w- c:\users\TEMP.Owner-PC.008\AppData\Roaming\IObit
2009-10-09 04:44 . 2009-06-30 03:44 -------- d-----w- c:\users\Owner\AppData\Roaming\Dropbox
2009-09-25 15:04 . 2009-07-24 04:33 -------- d-----w- c:\program files\Quicken
2009-09-11 02:37 . 2009-06-28 05:33 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-11 02:37 . 2009-06-28 05:33 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-11 02:37 . 2009-06-28 05:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-11 02:37 . 2009-06-28 05:33 -------- d-----w- c:\program files\Symantec
2009-09-10 14:57 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-28 12:39 . 2009-09-02 23:12 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 23:12 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-22 07:21 . 2009-06-28 05:33 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-08-17 06:26 . 2009-08-11 06:11 -------- d-----w- c:\users\Owner\AppData\Roaming\Scrapbook MAX!
2009-08-14 23:20 . 2009-08-14 23:20 520192 ----a-w- c:\windows\system32\asunnygarden_3122092.scr
2009-08-14 17:07 . 2009-09-09 14:26 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 14:26 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 14:26 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 14:26 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 14:26 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 14:26 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 14:26 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 14:26 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 14:26 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-09 14:26 10240 ----a-w- c:\windows\system32\finger.exe
2009-07-21 21:52 . 2009-07-29 19:55 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 19:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 19:55 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 21:36 . 2009-07-21 21:36 520192 ----a-w- c:\windows\system32\jumpinaround_3054731.scr
2009-07-21 20:13 . 2009-07-29 19:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-10-23 10:05 . 2008-10-23 09:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-10 145944]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-27 68592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Billminder.lnk - c:\program files\Quicken\billmind.exe [2007-12-6 34080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6488101D-70EA-4629-8042-C5282E5D84F6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{83766235-776A-44E7-A9D3-8B63EA8C4A18}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3053D97C-241E-4AC5-9170-CB3FF8399023}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{17C62284-2077-422F-8D83-2F54C1D87822}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{87946298-0A8C-460F-89C9-A516E9BA110C}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1007020.00B\SymEFA.sys [9/8/2009 6:31 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1007020.00B\BHDrvx86.sys [9/8/2009 6:31 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1007020.00B\cchpx86.sys [9/8/2009 6:31 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSvix86.sys [9/16/2009 4:20 PM 342576]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [9/8/2009 6:31 PM 117640]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [10/23/2008 4:56 AM 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [10/23/2008 3:55 AM 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 2:00 AM 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [6/29/2008 8:52 AM 112128]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1007020.00B\symndisv.sys [9/8/2009 6:31 PM 48688]
S2 gupdate1c9f9bbb2908c41;Google Update Service (gupdate1c9f9bbb2908c41);c:\program files\Google\Update\GoogleUpdate.exe [6/30/2009 1:48 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-10-09 15:55]

2009-10-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-27 19:47]

2009-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 19:48]

2009-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 19:48]

2009-09-23 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-23 18:34]

2009-10-15 c:\windows\Tasks\User_Feed_Synchronization-{7C8FFEE4-B8AC-446C-B4C6-3253404B39A5}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} - hxxp://merillat.view22.com/release_3_9_177/View22RTEv4.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 10:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-15 10:13
ComboFix-quarantined-files.txt 2009-10-15 16:13

Pre-Run: 273,317,031,936 bytes free
Post-Run: 273,278,787,584 bytes free

210 --- E O F --- 2009-10-15 15:23

[Maurice Naggar]

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:

KILLALL::

Folder::
c:\$recycle.bin
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

• :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  
• A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:

=

Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.


Reply with copy of C:\Combofix.txt
and the latest MBAM scan log

[KMB]

I followed your directions as posted. The first time I attempted to run the combofix it started then I got a blue screen saying to restart if it was the first time...blah, blah, blah. So I restarted and did everything again. I don't know if that was normal to happen, but the second time it ran fine. The log is below. Also, I then ran MBAM as instructed and it said I am clean...which is the first time it has said that! I have not tried to restart it yet because I didn't want to lose to log as it has been doing every time I restart. It looks like both logs won't fit so here is combofix log and I will post the MBAM in a second. Then I will start and post again what happens. Thanks!

ComboFix 09-10-15.01 - Owner 10/15/2009 16:56.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3002.1931 [GMT -6:00]
Running from: c:\users\TEMP.Owner-PC.008\Desktop\ComboFix.exe
Command switches used :: c:\users\TEMP.Owner-PC.008\Desktop\CFscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin


And here is MBAM

Malwarebytes' Anti-Malware 1.41
Database version: 2969
Windows 6.0.6001 Service Pack 1

10/15/2009 5:32:06 PM
mbam-log-2009-10-15 (17-32-06).txt

Scan type: Quick Scan
Objects scanned: 122759
Time elapsed: 6 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-15 23:08 . 2009-10-15 23:09 -------- d-----w- c:\users\TEMP.Owner-PC.009
2009-10-15 22:41 . 2009-10-15 23:05 -------- d-----w- c:\users\TEMP.Owner-PC.008
2009-10-13 17:35 . 2009-10-13 19:13 -------- d-----w- c:\users\TEMP.Owner-PC.007
2009-10-13 16:51 . 2009-10-13 17:32 -------- d-----w- c:\users\TEMP.Owner-PC.006
2009-10-12 04:32 . 2009-10-12 04:32 -------- d-----w- c:\program files\ESET
2009-10-12 04:05 . 2009-10-12 04:05 -------- d-----w- C:\Sun
2009-10-12 03:03 . 2009-10-12 03:03 -------- d-----w- c:\program files\ERUNT
2009-10-11 16:35 . 2009-10-12 04:12 -------- d-----w- c:\users\TEMP.Owner-PC.005
2009-10-11 15:08 . 2009-10-11 16:31 -------- d-----w- c:\users\TEMP.Owner-PC.004
2009-10-10 05:04 . 2009-10-10 05:04 -------- d-----w- c:\program files\Trend Micro
2009-10-10 04:21 . 2009-10-10 05:20 -------- d-----w- c:\users\TEMP.Owner-PC.003
2009-10-09 20:32 . 2009-10-09 20:38 -------- d-----w- c:\users\TEMP.Owner-PC.002
2009-10-09 20:13 . 2009-10-09 20:13 -------- d-----w- c:\program files\IObit
2009-10-09 17:44 . 2009-10-09 19:22 -------- d-----w- c:\users\TEMP.Owner-PC.001
2009-10-09 07:51 . 2009-10-09 08:03 -------- d-----w- c:\users\TEMP.Owner-PC.000
2009-10-09 07:34 . 2009-10-09 07:34 -------- d-----w- c:\programdata\WindowsSearch
2009-10-09 06:54 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 06:54 . 2009-10-13 17:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 06:54 . 2009-10-09 06:54 -------- d-----w- c:\programdata\Malwarebytes
2009-10-09 06:54 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 05:57 . 2009-10-09 06:02 -------- d-----w- c:\users\TEMP.Owner-PC
2009-10-09 05:43 . 2009-10-09 05:53 -------- d-----w- c:\users\TEMP
2009-10-09 05:29 . 2009-10-09 05:29 -------- d-----w- c:\windows\system32\Registry Patrol
2009-10-09 05:28 . 1999-12-17 16:13 86016 ----a-w- c:\windows\unvise32.exe
2009-10-09 05:28 . 2009-10-09 20:25 -------- d-----w- c:\program files\Registry Patrol
2009-10-07 15:30 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-07 15:30 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-07 15:30 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-07 15:30 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-07 15:30 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-07 15:30 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-07 15:30 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-07 15:29 . 2009-08-07 01:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-07 15:29 . 2009-08-07 00:44 33792 ----a-w- c:\windows\system32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 04:44 . 2009-06-30 03:44 -------- d-----w- c:\users\Owner\AppData\Roaming\Dropbox
2009-09-25 15:04 . 2009-07-24 04:33 -------- d-----w- c:\program files\Quicken
2009-09-14 09:44 . 2009-10-14 20:15 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-11 02:37 . 2009-06-28 05:33 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-11 02:37 . 2009-06-28 05:33 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-11 02:37 . 2009-06-28 05:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-11 02:37 . 2009-06-28 05:33 -------- d-----w- c:\program files\Symantec
2009-09-10 14:57 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-28 12:39 . 2009-09-02 23:12 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 23:12 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-22 07:21 . 2009-06-28 05:33 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-08-17 06:26 . 2009-08-11 06:11 -------- d-----w- c:\users\Owner\AppData\Roaming\Scrapbook MAX!
2009-08-14 23:20 . 2009-08-14 23:20 520192 ----a-w- c:\windows\system32\asunnygarden_3122092.scr
2009-08-14 17:07 . 2009-09-09 14:26 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 14:26 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 14:26 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 14:26 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 14:26 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 14:26 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 14:26 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 14:26 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 14:26 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-09 14:26 10240 ----a-w- c:\windows\system32\finger.exe
2009-07-21 21:52 . 2009-07-29 19:55 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 19:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 19:55 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 21:36 . 2009-07-21 21:36 520192 ----a-w- c:\windows\system32\jumpinaround_3054731.scr
2009-07-21 20:13 . 2009-07-29 19:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-10-23 10:05 . 2008-10-23 09:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-15_16.10.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-10-15 16:31 40448 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-15 22:43 88632 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-06-25 00:09 . 2009-10-15 22:57 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-25 00:09 . 2009-10-15 15:16 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-25 00:09 . 2009-10-15 22:57 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-25 00:09 . 2009-10-15 15:16 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-25 00:09 . 2009-10-15 22:57 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-25 00:09 . 2009-10-15 15:16 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-06-25 00:10 . 2009-10-15 22:43 9990 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1746920256-1909227255-2816010487-1000_UserData.bin
- 2009-10-15 15:07 . 2009-10-15 15:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-15 23:06 . 2009-10-15 23:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-15 15:07 . 2009-10-15 15:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-15 23:06 . 2009-10-15 23:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-06-25 03:28 . 2009-10-15 18:47 295488 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2009-10-15 15:30 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-15 22:44 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-15 15:30 101350 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-15 22:44 101350 c:\windows\System32\perfc009.dat
- 2009-06-25 01:56 . 2009-10-15 04:47 279536 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-06-25 01:56 . 2009-10-15 23:05 279536 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2006-11-02 10:22 . 2009-10-15 15:15 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 10:22 . 2009-10-15 16:33 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-10 145944]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-27 68592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Billminder.lnk - c:\program files\Quicken\billmind.exe [2007-12-6 34080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6488101D-70EA-4629-8042-C5282E5D84F6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{83766235-776A-44E7-A9D3-8B63EA8C4A18}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3053D97C-241E-4AC5-9170-CB3FF8399023}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{17C62284-2077-422F-8D83-2F54C1D87822}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{87946298-0A8C-460F-89C9-A516E9BA110C}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1007020.00B\SymEFA.sys [9/8/2009 6:31 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1007020.00B\BHDrvx86.sys [9/8/2009 6:31 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1007020.00B\cchpx86.sys [9/8/2009 6:31 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSvix86.sys [9/16/2009 4:20 PM 342576]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [9/8/2009 6:31 PM 117640]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [10/23/2008 4:56 AM 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [10/23/2008 3:55 AM 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 2:00 AM 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [6/29/2008 8:52 AM 112128]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1007020.00B\symndisv.sys [9/8/2009 6:31 PM 48688]
S2 gupdate1c9f9bbb2908c41;Google Update Service (gupdate1c9f9bbb2908c41);c:\program files\Google\Update\GoogleUpdate.exe [6/30/2009 1:48 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-15 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-10-09 15:55]

2009-10-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-27 19:47]

2009-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 19:48]

2009-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 19:48]

2009-09-23 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-23 18:34]

2009-10-15 c:\windows\Tasks\User_Feed_Synchronization-{7C8FFEE4-B8AC-446C-B4C6-3253404B39A5}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} - hxxp://merillat.view22.com/release_3_9_177/View22RTEv4.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 17:09
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\dllhost.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\System32\consent.exe
.
**************************************************************************
.
Completion time: 2009-10-15 17:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-15 23:16
ComboFix2.txt 2009-10-15 16:13

Pre-Run: 271,073,787,904 bytes free
Post-Run: 270,962,585,600 bytes free

237 --- E O F --- 2009-10-15 15:23

[KMB]

And here is the MBAM log

Malwarebytes' Anti-Malware 1.41
Database version: 2969
Windows 6.0.6001 Service Pack 1

10/15/2009 5:32:06 PM
mbam-log-2009-10-15 (17-32-06).txt

Scan type: Quick Scan
Objects scanned: 122759
Time elapsed: 6 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[KMB]

It still will not load my user profiles. For a minute it said it could not open a file from my hard drive either and that there was a problem with it, but now it is opening files okay.

I ran MBAM again and it found the hijack.startmenu again... *sigh*

Here is the log

Malwarebytes' Anti-Malware 1.41
Database version: 2969
Windows 6.0.6001 Service Pack 1

10/15/2009 7:17:36 PM
mbam-log-2009-10-15 (19-17-36).txt

Scan type: Quick Scan
Objects scanned: 124405
Time elapsed: 18 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Maurice Naggar]

If you are a casual viewer, do NOT try this on your system!
If you are not KMB and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.

Step 1
1. Close any open programs that you started.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open NOTEPAD and copy/paste the text in the quotebox below into it:

Quote

KILLALL::

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_ShowSearch"=-

Save this as CFScript.txt, in the same location as ComboFix.exe
IF prompted to overwrite any previous CFSCRIPT.TXT , answer YES to allow overwite.





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=
Step 2
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Step 3
Start HijackThis. Do a Scan and Save log.

Reply with the latest C:\Combofix.txt
and the latest MBAM scan log
and the latest Hijackthis log
and tell me, How is your system now ?

[KMB]

Here is the combofix log

ComboFix 09-10-15.04 - Owner 10/16/2009 9:46.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3002.1781 [GMT -6:00]
Running from: c:\users\TEMP.Owner-PC.010\Desktop\ComboFix.exe
Command switches used :: c:\users\TEMP.Owner-PC.010\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

2009-10-16 15:59 . 2009-10-16 15:59 -------- d-----w- c:\users\TEMP.Owner-PC.010\AppData\Local\VirtualStore
2009-10-16 15:54 . 2009-10-16 15:54 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2009-10-15 23:08 . 2009-10-15 23:45 -------- d-----w- c:\users\TEMP.Owner-PC.009
2009-10-15 22:41 . 2009-10-15 23:05 -------- d-----w- c:\users\TEMP.Owner-PC.008
2009-10-13 17:35 . 2009-10-13 19:13 -------- d-----w- c:\users\TEMP.Owner-PC.007
2009-10-13 16:51 . 2009-10-13 17:32 -------- d-----w- c:\users\TEMP.Owner-PC.006
2009-10-12 04:32 . 2009-10-12 04:32 -------- d-----w- c:\program files\ESET
2009-10-12 04:05 . 2009-10-12 04:05 -------- d-----w- C:\Sun
2009-10-12 03:03 . 2009-10-12 03:03 -------- d-----w- c:\program files\ERUNT
2009-10-11 16:35 . 2009-10-12 04:12 -------- d-----w- c:\users\TEMP.Owner-PC.005
2009-10-11 15:08 . 2009-10-11 16:31 -------- d-----w- c:\users\TEMP.Owner-PC.004
2009-10-10 05:04 . 2009-10-10 05:04 -------- d-----w- c:\program files\Trend Micro
2009-10-10 04:21 . 2009-10-10 05:20 -------- d-----w- c:\users\TEMP.Owner-PC.003
2009-10-09 20:32 . 2009-10-09 20:38 -------- d-----w- c:\users\TEMP.Owner-PC.002
2009-10-09 20:13 . 2009-10-09 20:13 -------- d-----w- c:\program files\IObit
2009-10-09 17:44 . 2009-10-09 19:22 -------- d-----w- c:\users\TEMP.Owner-PC.001
2009-10-09 07:51 . 2009-10-09 08:03 -------- d-----w- c:\users\TEMP.Owner-PC.000
2009-10-09 07:34 . 2009-10-09 07:34 -------- d-----w- c:\programdata\WindowsSearch
2009-10-09 06:54 . 2009-09-10 20:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 06:54 . 2009-10-13 17:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 06:54 . 2009-10-09 06:54 -------- d-----w- c:\programdata\Malwarebytes
2009-10-09 06:54 . 2009-09-10 20:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 05:57 . 2009-10-09 06:02 -------- d-----w- c:\users\TEMP.Owner-PC
2009-10-09 05:43 . 2009-10-09 05:53 -------- d-----w- c:\users\TEMP
2009-10-09 05:29 . 2009-10-09 05:29 -------- d-----w- c:\windows\system32\Registry Patrol
2009-10-09 05:28 . 1999-12-17 16:13 86016 ----a-w- c:\windows\unvise32.exe
2009-10-09 05:28 . 2009-10-09 20:25 -------- d-----w- c:\program files\Registry Patrol
2009-10-07 15:30 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-07 15:30 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-07 15:30 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-07 15:30 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-07 15:30 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-07 15:30 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-07 15:30 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-07 15:29 . 2009-08-07 01:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-07 15:29 . 2009-08-07 00:44 33792 ----a-w- c:\windows\system32\wuapp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 15:58 . 2009-10-16 15:58 -------- d-----w- c:\users\TEMP.Owner-PC.010\AppData\Roaming\IObit
2009-10-09 04:44 . 2009-06-30 03:44 -------- d-----w- c:\users\Owner\AppData\Roaming\Dropbox
2009-09-25 15:04 . 2009-07-24 04:33 -------- d-----w- c:\program files\Quicken
2009-09-14 09:44 . 2009-10-14 20:15 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-11 02:37 . 2009-06-28 05:33 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-11 02:37 . 2009-06-28 05:33 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-11 02:37 . 2009-06-28 05:33 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-11 02:37 . 2009-06-28 05:33 -------- d-----w- c:\program files\Symantec
2009-09-10 14:57 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-28 12:39 . 2009-09-02 23:12 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 23:12 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-22 07:21 . 2009-06-28 05:33 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-08-14 23:20 . 2009-08-14 23:20 520192 ----a-w- c:\windows\system32\asunnygarden_3122092.scr
2009-08-14 17:07 . 2009-09-09 14:26 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 14:26 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 14:26 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 14:26 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 14:26 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 14:26 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 14:26 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 14:26 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 14:26 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-09 14:26 10240 ----a-w- c:\windows\system32\finger.exe
2009-07-21 21:52 . 2009-07-29 19:55 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 19:55 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 19:55 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 21:36 . 2009-07-21 21:36 520192 ----a-w- c:\windows\system32\jumpinaround_3054731.scr
2009-07-21 20:13 . 2009-07-29 19:55 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-10-23 10:05 . 2008-10-23 09:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-10-15_16.10.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-10-16 15:15 40872 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-16 15:15 88760 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-06-25 00:10 . 2009-10-16 15:15 10322 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1746920256-1909227255-2816010487-1000_UserData.bin
- 2009-06-25 00:09 . 2009-10-15 15:16 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-25 00:09 . 2009-10-16 15:20 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-25 00:09 . 2009-10-16 15:20 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-25 00:09 . 2009-10-15 15:16 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-25 00:09 . 2009-10-16 15:20 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-25 00:09 . 2009-10-15 15:16 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-06-26 23:45 . 2009-10-16 00:52 23040 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-06-26 23:45 . 2009-10-15 15:32 23040 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-06-26 23:45 . 2009-10-15 15:32 27136 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-06-26 23:45 . 2009-10-16 00:52 27136 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-06-26 23:45 . 2009-10-15 15:32 11264 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-06-26 23:45 . 2009-10-16 00:52 11264 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-06-26 23:45 . 2009-10-16 00:52 12288 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-06-26 23:45 . 2009-10-15 15:32 12288 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-10-16 15:56 . 2009-10-16 15:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-15 15:07 . 2009-10-15 15:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-10-15 15:07 . 2009-10-15 15:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-10-16 15:56 . 2009-10-16 15:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-06-26 23:45 . 2009-10-15 15:32 4096 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-06-26 23:45 . 2009-10-16 00:52 4096 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-06-25 03:28 . 2009-10-15 18:47 295488 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2009-10-15 15:30 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-16 15:18 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-10-16 15:18 101350 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-10-15 15:30 101350 c:\windows\System32\perfc009.dat
- 2009-06-25 01:56 . 2009-10-15 04:47 279536 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-06-25 01:56 . 2009-10-16 15:55 279536 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-06-26 23:45 . 2009-10-16 00:52 409600 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2009-06-26 23:45 . 2009-10-15 15:32 409600 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-06-26 23:45 . 2009-10-16 00:52 286720 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-06-26 23:45 . 2009-10-15 15:32 286720 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-06-26 23:45 . 2009-10-15 15:32 794624 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-06-26 23:45 . 2009-10-16 00:52 794624 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-06-26 23:45 . 2009-10-15 15:32 135168 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-06-26 23:45 . 2009-10-16 00:52 135168 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-11-02 10:22 . 2009-10-16 15:55 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2009-10-15 15:15 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-10-16 15:40 . 2009-10-16 15:40 6365184 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
- 2009-10-15 15:52 . 2009-10-15 15:52 6365184 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-10 145944]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-27 68592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Billminder.lnk - c:\program files\Quicken\billmind.exe [2007-12-6 34080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6488101D-70EA-4629-8042-C5282E5D84F6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{83766235-776A-44E7-A9D3-8B63EA8C4A18}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3053D97C-241E-4AC5-9170-CB3FF8399023}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{17C62284-2077-422F-8D83-2F54C1D87822}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{87946298-0A8C-460F-89C9-A516E9BA110C}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1007020.00B\SymEFA.sys [9/8/2009 6:31 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1007020.00B\BHDrvx86.sys [9/8/2009 6:31 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1007020.00B\cchpx86.sys [9/8/2009 6:31 PM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSvix86.sys [9/16/2009 4:20 PM 342576]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [9/8/2009 6:31 PM 117640]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [10/23/2008 4:56 AM 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [10/23/2008 3:55 AM 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 2:00 AM 102448]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [6/29/2008 8:52 AM 112128]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1007020.00B\symndisv.sys [9/8/2009 6:31 PM 48688]
S2 gupdate1c9f9bbb2908c41;Google Update Service (gupdate1c9f9bbb2908c41);c:\program files\Google\Update\GoogleUpdate.exe [6/30/2009 1:48 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-10-16 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-10-09 15:55]

2009-10-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-27 19:47]

2009-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 19:48]

2009-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-30 19:48]

2009-09-23 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-23 18:34]

2009-10-16 c:\windows\Tasks\User_Feed_Synchronization-{7C8FFEE4-B8AC-446C-B4C6-3253404B39A5}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxps://lowes.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} - hxxp://merillat.view22.com/release_3_9_177/View22RTEv4.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\dllhost.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2009-10-16 10:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-16 16:04
ComboFix2.txt 2009-10-15 23:16
ComboFix3.txt 2009-10-15 16:13

Pre-Run: 272,781,737,984 bytes free
Post-Run: 272,769,634,304 bytes free

254 --- E O F --- 2009-10-15 15:23

[KMB]

Here is the MBAM

Malwarebytes' Anti-Malware 1.41
Database version: 2971
Windows 6.0.6001 Service Pack 1

10/16/2009 10:16:36 AM
mbam-log-2009-10-16 (10-16-36).txt

Scan type: Quick Scan
Objects scanned: 125102
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And here is hijackthis. Note: I wasn't sure if I was supposed to do anything else with hijackthis except run it and get the log--I didn't have it fix or delete anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:10 AM, on 10/16/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\Explorer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} (20-20 3D Viewer) - https://lowes.2020.n...yerAX_Win32.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://merillat.view...View22RTEv4.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Google Update Service (gupdate1c9f9bbb2908c41) (gupdate1c9f9bbb2908c41) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8283 bytes


I will restart it right now and then post again with how it works. Thanks

[KMB]

Nope, still not loading user profiles

[KMB]

It worked in the temporary login mode for the last few days, but suddenly today the screen just went black. Since then, after a few restarts it still will not fully load anything. It simply says it can't load the User Profile Service can not load. Then it says "logging off," goes black then starts again and just says "Please wait" while it thinks until the screen saver comes on and we start all over again.

[Maurice Naggar]

Restart the system and as soon as it begins the restart, press and hold the F8 function key. On the Advanced Boot Options screen, use the arrow keys to highlight Last Known Good Configuration, and then press ENTER.
See if that allows a start of your Vista system.

[Maurice Naggar]

This topic is closed due to lack of response.