Infections I haven't been able to remove



No. That's from the USB.

FRST (Farbar Recovery Scanner Tool) is a tool created by Farbar to run from a flash drive whilst booted into Recovery Environment (only) on Windows 7 and Vista computers.

Yes, and I should have logged off 2 hrs ago... LOL. I'm logging off now.


Sorry about the delay in responding, LD, thanks for your patience.

OK, ComboFix went farther than ever this time. I got to the point where it said "Window will close shortly" and that a log would pop up.

Then I got a pop up saying "Cannot find the C:\Users\Owner\Appdata\Local\Temp\log.txt file."

"Do you want to create a new file?"

I hit "yes". Nothing happened; it just stayed a blank txt window. I went to the location on my PC and the log file there was blank.

I will try again.


ComboFix 12-03-22.01 - Owner 03/28/2012 0:44.3.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1104 [GMT -7:00]

Running from: c:\users\Owner\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

- REDUCED FUNCTIONALITY MODE -

.

.

((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-28 )))))))))))))))))))))))))))))))

.

.

2012-03-28 07:46 . 2012-03-28 07:46 -------- d-----w- c:\users\Owner\AppData\Local\temp

2012-03-28 07:46 . 2012-03-28 07:46 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-03-27 19:19 . 2012-03-14 02:15 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6C0F5923-35DC-4790-BE16-86D9E70F6335}\mpengine.dll

2012-03-24 00:04 . 2012-03-24 00:05 -------- d-----w- C:\FRST

2012-03-14 04:38 . 2012-03-23 23:16 -------- d-----w- C:\ieexplore

2012-03-13 18:22 . 2012-02-02 15:16 2044416 ----a-w- c:\windows\system32\win32k.sys

2012-03-13 18:22 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll

2012-03-13 18:22 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-03-13 18:22 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-03-13 18:22 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll

2012-03-13 18:22 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2012-03-13 18:22 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2012-03-13 18:22 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll

2012-03-13 18:22 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2012-03-13 04:10 . 2012-03-13 04:10 -------- d--h--w- c:\windows\PIF

2012-03-07 21:52 . 2012-03-07 21:52 2923248 ----a-w- c:\users\Owner\WindowsXP-KB914882-x86-ENU.exe

2012-03-06 01:52 . 2012-03-06 01:51 389024 ----a-w- c:\windows\unhide.exe

2012-03-06 00:04 . 2012-03-06 00:03 607260 ------r- c:\program files\dds.scr

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-13 18:50 . 2011-05-17 08:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-02-23 16:18 . 2010-01-31 09:43 237072 ------w- c:\windows\system32\MpSigStub.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-10-01 2295080]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 729088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-12-19 296056]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2007-9-19 282624]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

U81xbus

hpdskflt

LwUsbHid

mi-raysat_3dsMax2008_32

cpqdmi

sdcoreservice

WaveFDE

btwavdt

usbio

abiosdsk

update

roxmediadb

forcewarewebinterface

db2ntsecserver

houdinilicenseserver

ypcservice

cdudf_xp

symmpi

mqdmbus

Wtcls2k

netcfgsvr

NetTcpActivator

bwmservice

CDRPDACC

tosrfusb

w810bus

mail2ec

alerter

lxcf_device

acmservice

Spsmqvsm

dmprimer

WcesComm

pcx1unic

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\shell\AutoRun\command - E:\Autorun.exe

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bab5aa97-8580-11df-8545-001a73ca750c}]

\shell\AutoRun\command - F:\VZAccess_Manager.exe /z detect

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5db9a4c-1513-11e0-9571-001a73ca750c}]

\shell\AutoRun\command - F:\VZAccess_Manager.exe /z detect

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5db9a52-1513-11e0-9571-001a73ca750c}]

\shell\AutoRun\command - G:\VZAccess_Manager.exe /z detect

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-23 c:\windows\Tasks\HPCeeScheduleForOwner.job

- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-08-04 21:23]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

TCP: DhcpNameServer = 192.168.1.254

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-28 00:48

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

c:\users\Owner\AppData\Local\Temp\catchme.dll 53248 bytes executable

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2b,6f,

36,3f,a7,59,09,d5,8b,53,ec,9e,f5,e0,78

"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,

02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7

"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,

57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b

"{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}"=hex:51,66,7a,6c,4c,1d,38,12,70,56,ea,

6c,23,4a,8a,0d,e5,b9,08,84,2f,34,02,aa

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{03C1C47F-0538-4645-8372-D3109B9FC636}"=hex:51,66,7a,6c,4c,1d,38,12,11,c7,d2,

07,0a,4b,2b,03,fc,64,90,50,9e,c1,82,22

"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,

fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17

"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,

b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:da,fd,33,c1,1e,bc,cc,01

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,6a,24,96,a5,f9,aa,47,8b,65,f0,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,6a,24,96,a5,f9,aa,47,8b,65,f0,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3012)

c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

.

Completion time: 2012-03-28 00:50:04

ComboFix-quarantined-files.txt 2012-03-28 07:49

ComboFix2.txt 2012-03-16 07:39

ComboFix3.txt 2012-03-15 22:41

.

Pre-Run: 77,571,334,144 bytes free

Post-Run: 77,547,782,144 bytes free

.

- - End Of File - - C71F2A8435C04113AB5815633596C7C9


I'm pretty sure that was in Normal Mode. Here is another scan.

It does give me a pop-up saying: "Current date is 3/31/12. ComboFix is expired. Click Yes to run ComboFix in reduced functionality." I have been clicking Yes. Is that goofing it up?

ComboFix 12-03-22.01 - Owner 03/31/2012 20:07:44.4.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1167 [GMT -7:00]

Running from: G:\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}

SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

- REDUCED FUNCTIONALITY MODE -

.

.

((((((((((((((((((((((((( Files Created from 2012-03-01 to 2012-04-01 )))))))))))))))))))))))))))))))

.

.

2012-04-01 03:10 . 2012-04-01 03:14 -------- d-----w- c:\users\Owner\AppData\Local\temp

2012-04-01 03:10 . 2012-04-01 03:10 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-03-30 18:05 . 2012-03-30 18:05 -------- d-----w- C:\found.000

2012-03-24 00:04 . 2012-03-24 00:05 -------- d-----w- C:\FRST

2012-03-14 04:38 . 2012-03-23 23:16 -------- d-----w- C:\ieexplore

2012-03-13 18:22 . 2012-01-09 13:58 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-03-13 18:22 . 2012-02-14 15:45 219648 ----a-w- c:\windows\system32\d3d10_1core.dll

2012-03-13 18:22 . 2012-02-13 13:44 1068544 ----a-w- c:\windows\system32\DWrite.dll

2012-03-13 18:22 . 2012-02-14 15:45 160768 ----a-w- c:\windows\system32\d3d10_1.dll

2012-03-13 18:22 . 2012-02-13 14:12 1172480 ----a-w- c:\windows\system32\d3d10warp.dll

2012-03-13 18:22 . 2012-02-13 13:47 683008 ----a-w- c:\windows\system32\d2d1.dll

2012-03-13 18:22 . 2012-01-31 10:59 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2012-03-13 04:10 . 2012-03-13 04:10 -------- d--h--w- c:\windows\PIF

2012-03-07 21:52 . 2012-03-07 21:52 2923248 ----a-w- c:\users\Owner\WindowsXP-KB914882-x86-ENU.exe

2012-03-06 01:52 . 2012-03-06 01:51 389024 ----a-w- c:\windows\unhide.exe

2012-03-06 00:04 . 2012-03-06 00:03 607260 ------r- c:\program files\dds.scr

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-14 02:15 . 2012-03-30 08:56 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{08A38AB7-683E-4431-8949-5A07316E09DE}\mpengine.dll

2012-03-13 18:50 . 2011-05-17 08:25 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-02-23 16:18 . 2010-01-31 09:43 237072 ------w- c:\windows\system32\MpSigStub.exe

2012-02-02 15:16 . 2012-03-13 18:22 2044416 ----a-w- c:\windows\system32\win32k.sys

2012-01-09 15:54 . 2012-03-13 18:22 613376 ----a-w- c:\windows\system32\rdpencom.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-10-01 2295080]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]

"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"OPSE reminder"="c:\program files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 729088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]

"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-12-19 296056]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe [2007-9-19 282624]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

U81xbus

hpdskflt

LwUsbHid

mi-raysat_3dsMax2008_32

cpqdmi

sdcoreservice

WaveFDE

btwavdt

usbio

abiosdsk

update

roxmediadb

forcewarewebinterface

db2ntsecserver

houdinilicenseserver

ypcservice

cdudf_xp

symmpi

mqdmbus

Wtcls2k

netcfgsvr

NetTcpActivator

bwmservice

CDRPDACC

tosrfusb

w810bus

mail2ec

alerter

lxcf_device

acmservice

Spsmqvsm

dmprimer

WcesComm

pcx1unic

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\shell\AutoRun\command - E:\Autorun.exe

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bab5aa97-8580-11df-8545-001a73ca750c}]

\shell\AutoRun\command - F:\VZAccess_Manager.exe /z detect

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5db9a4c-1513-11e0-9571-001a73ca750c}]

\shell\AutoRun\command - F:\VZAccess_Manager.exe /z detect

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5db9a52-1513-11e0-9571-001a73ca750c}]

\shell\AutoRun\command - G:\VZAccess_Manager.exe /z detect

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-23 c:\windows\Tasks\HPCeeScheduleForOwner.job

- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-08-04 21:23]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

TCP: DhcpNameServer = 192.168.1.254

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-31 20:16

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]

@Denied: (2) (LocalSystem)

"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}"=hex:51,66,7a,6c,4c,1d,38,12,1d,2b,6f,

36,3f,a7,59,09,d5,8b,53,ec,9e,f5,e0,78

"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,

02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7

"{53707962-6F74-2D53-2644-206D7942484F}"=hex:51,66,7a,6c,4c,1d,38,12,0c,7a,63,

57,46,21,3d,68,59,52,63,2d,7c,1c,0c,5b

"{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}"=hex:51,66,7a,6c,4c,1d,38,12,70,56,ea,

6c,23,4a,8a,0d,e5,b9,08,84,2f,34,02,aa

"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,

94,30,02,d1,0f,f1,da,12,24,73,56,27,d2

"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,

df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd

"{03C1C47F-0538-4645-8372-D3109B9FC636}"=hex:51,66,7a,6c,4c,1d,38,12,11,c7,d2,

07,0a,4b,2b,03,fc,64,90,50,9e,c1,82,22

"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,

fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17

"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,

b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

@Denied: (2) (LocalSystem)

"Timestamp"=hex:da,fd,33,c1,1e,bc,cc,01

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,6a,24,96,a5,f9,aa,47,8b,65,f0,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,6a,24,96,a5,f9,aa,47,8b,65,f0,\

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1372)

c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\WLANExt.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe

c:\windows\system32\locator.exe

c:\program files\Viewpoint\Common\ViewpointService.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\windows\system32\DRIVERS\xaudio.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files\Spybot - Search & Destroy\SDWinSec.exe

c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe

c:\windows\System32\rundll32.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE

c:\program files\SYNAPTICS\SYNTP\SYNTPHELPER.EXE

c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

c:\program files\Hewlett-Packard\Shared\HpqToaster.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2012-03-31 20:21:53 - machine was rebooted

ComboFix-quarantined-files.txt 2012-04-01 03:21

ComboFix2.txt 2012-03-28 07:50

ComboFix3.txt 2012-03-16 07:39

ComboFix4.txt 2012-03-15 22:41

.

Pre-Run: 99,912,736,768 bytes free

Post-Run: 99,685,531,648 bytes free

.

- - End Of File - - 95E78696F421A8CA2C5DB071A099FD4D

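As an added example (not code from the thread, and not part of ComboFix, OTL or any other tool named in it), here is a small Python triage script for the two artefacts that matter in the ComboFix log above: the "Svchost - NetSvcs" block, which lists the service names svchost.exe will load into its shared netsvcs process, and the "SRV - (name) -- path ..." lines that OTL (posted later in the thread) prints for each service, ending in "File not found" when the ServiceDll is absent. The sample log lines are constructed from the logs in this thread and trimmed; the verdict bucket names and the "globalroot" heuristic are my own, not anything either tool outputs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input, trimmed from the ComboFix "Svchost - NetSvcs" block and
# the OTL "SRV -" service listing in this thread. "alerter" is kept as a name that
# sits in the group but has no matching SRV line in this sample.
COMBOFIX_SAMPLE = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost - NetSvcs
U81xbus
hpdskflt
NetTcpActivator
alerter
abiosdsk
.
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\E]
"""

OTL_SAMPLE = """\
========== Win32 Services (SafeList) ==========
SRV - (U81xbus) -- %systemroot%\\system32\\vsapint.dll File not found
SRV - (hpdskflt) -- %systemroot%\\system32\\basic2.dll File not found
SRV - (NetTcpActivator) -- \\.\\globalroot\\C:\\Windows\\system32\\svchost.exe File not found
SRV - (abiosdsk) -- %systemroot%\\system32\\diskperf.dll File not found
SRV - (WinDefend) -- C:\\Program Files\\Windows Defender\\MpSvc.dll (Microsoft Corporation)
========== Driver Services (SafeList) ==========
"""

NETSVCS_HEADING = "Svchost - NetSvcs"
OTL_SRV_RE = re.compile(r"^SRV - \((?P<name>[^)]+)\) -- (?P<rest>.+)$")
NOT_FOUND = " File not found"


def parse_combofix_netsvcs(log: str) -> List[str]:
    """Return the service names ComboFix prints under its 'Svchost - NetSvcs' heading.

    ComboFix lists one name per line and closes the block with a lone '.' line;
    blank lines (forum double-spacing) are ignored.
    """
    names: List[str] = []
    in_block = False
    for raw in log.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line.endswith(NETSVCS_HEADING)
            continue
        if line == "":
            continue
        if line == "." or line.startswith("["):
            break
        names.append(line)
    return names


def parse_otl_services(log: str) -> Dict[str, Tuple[str, bool]]:
    """Map each OTL 'SRV - (name) -- path ...' line to (path, file_present).

    OTL ends the line with 'File not found' when the service file is missing,
    otherwise with the file's company name in parentheses.
    """
    services: Dict[str, Tuple[str, bool]] = {}
    for raw in log.splitlines():
        m = OTL_SRV_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest.endswith(NOT_FOUND):
            services[m.group("name")] = (rest[: -len(NOT_FOUND)], False)
        else:
            services[m.group("name")] = (rest.rsplit(" (", 1)[0], True)
    return services


def triage_netsvcs(netsvcs: List[str], otl: Dict[str, Tuple[str, bool]]) -> Dict[str, List[str]]:
    """Bucket every netsvcs member by whether it is backed by a real service file.

    svchost.exe loads the ServiceDll of each service in its group, so a name in
    netsvcs should resolve to an existing DLL under a normal path. Anything else is
    either a stale entry or a hook left by something that wanted to run inside a
    trusted svchost process. Bucket names are this example's own convention.
    """
    buckets: Dict[str, List[str]] = {
        "ok": [], "missing_dll": [], "odd_path": [], "no_service_entry": []}
    for name in netsvcs:
        if name not in otl:
            buckets["no_service_entry"].append(name)
            continue
        path, present = otl[name]
        if "globalroot" in path.lower():  # device-namespace path, not a normal ServiceDll
            buckets["odd_path"].append(name)
        elif not present:
            buckets["missing_dll"].append(name)
        else:
            buckets["ok"].append(name)
    return buckets


def run_sample() -> Dict[str, List[str]]:
    """Triage the embedded sample logs; returns the verdict buckets."""
    return triage_netsvcs(parse_combofix_netsvcs(COMBOFIX_SAMPLE),
                          parse_otl_services(OTL_SAMPLE))


if __name__ == "__main__":
    for verdict, names in run_sample().items():
        print(f"{verdict:17s} {', '.join(names) or '-'}")
```

On a real log, feed the whole ComboFix and OTL text to the two parsers instead of the samples. The netsvcs block above lists 34 names, and for all but one of them (alerter) the OTL log later in the thread reports the service file as "File not found"; a netsvcs member with no backing DLL, or one that resolves through a \\.\globalroot device path, deserves a direct look at HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll on the machine rather than being written off as a leftover.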

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.


Farbar:

Farbar Service Scanner Version: 01-03-2012

Ran by Owner (administrator) on 02-04-2012 at 23:53:43

Running from "C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1234GB6D"

Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)

Boot Mode: Normal

****************************************************************

Internet Services:

============

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Yahoo IP is accessible.

Windows Firewall:

=============

Firewall Disabled Policy:

==================

System Restore:

============

System Restore Disabled Policy:

========================

Security Center:

============

Windows Update:

============

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

File Check:

========

C:\Windows\system32\nsisvc.dll => MD5 is legit

C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit

C:\Windows\system32\dhcpcsvc.dll => MD5 is legit

C:\Windows\system32\Drivers\afd.sys => MD5 is legit

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit

C:\Windows\system32\Drivers\tcpip.sys

[2011-11-27 02:57] - [2011-09-20 14:02] - 0913280 ____A (Microsoft Corporation)

C:\Windows\system32\dnsrslvr.dll => MD5 is legit

C:\Windows\system32\mpssvc.dll => MD5 is legit

C:\Windows\system32\bfe.dll => MD5 is legit

C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit

C:\Windows\system32\SDRSVC.dll => MD5 is legit

C:\Windows\system32\vssvc.exe => MD5 is legit

C:\Windows\system32\wscsvc.dll => MD5 is legit

C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit

C:\Windows\system32\wuaueng.dll => MD5 is legit

C:\Windows\system32\qmgr.dll => MD5 is legit

C:\Windows\system32\es.dll => MD5 is legit

C:\Windows\system32\cryptsvc.dll => MD5 is legit

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

C:\Windows\system32\svchost.exe => MD5 is legit

C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****


OTL:

OTL logfile created on: 4/2/2012 11:56:04 PM - Run 2

OTL by OldTimer - Version 3.2.39.1 Folder = G:\

Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.94 Gb Total Physical Memory | 1.05 Gb Available Physical Memory | 54.44% Memory free

4.11 Gb Paging File | 2.96 Gb Available in Paging File | 72.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files

Drive C: | 140.62 Gb Total Space | 91.76 Gb Free Space | 65.25% Space Free | Partition Type: NTFS

Drive D: | 7.36 Gb Total Space | 0.74 Gb Free Space | 10.00% Space Free | Partition Type: NTFS

Drive F: | 1.07 Gb Total Space | 1.04 Gb Free Space | 96.98% Space Free | Partition Type: NTFS

Drive G: | 3.80 Gb Total Space | 3.79 Gb Free Space | 99.76% Space Free | Partition Type: FAT32

Computer Name: OWNER-PC | User Name: Owner | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - G:\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)

PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

PRC - C:\Windows\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)

PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

PRC - C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE (CANON INC.)

PRC - C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe (ScanSoft, Inc.)

========== Modules (No Company Name) ==========

MOD - C:\Program Files\Yahoo!\Messenger\yui.dll ()

MOD - C:\Program Files\HP\QuickPlay\Kernel\TV\CLTinyDB.dll ()

MOD - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapEngine.dll ()

MOD - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSchMgr.dll ()

MOD - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvcps.dll ()

========== Win32 Services (SafeList) ==========

SRV - (ypcservice) -- %systemroot%\system32\mrvw245.dll File not found

SRV - (Wtcls2k) -- %systemroot%\system32\cpqrcmc.dll File not found

SRV - (WcesComm) -- %systemroot%\system32\iam.dll File not found

SRV - (WaveFDE) -- %systemroot%\system32\pdlnemap.dll File not found

SRV - (w810bus) -- %systemroot%\system32\sthda.dll File not found

SRV - (usbio) -- %systemroot%\system32\WUSB54Gv4SVC.dll File not found

SRV - (update) -- %systemroot%\system32\RadProbe.dll File not found

SRV - (U81xbus) -- %systemroot%\system32\vsapint.dll File not found

SRV - (tosrfusb) -- %systemroot%\system32\pdlndqll.dll File not found

SRV - (symmpi) -- %systemroot%\system32\mcredirector.dll File not found

SRV - (Spsmqvsm) -- %systemroot%\system32\PAC7302.dll File not found

SRV - (sdcoreservice) -- %systemroot%\system32\areschatserver.dll File not found

SRV - (SBSDWSCService) -- C:\Program Files\Spybot File not found

SRV - (roxmediadb) -- %systemroot%\system32\flpydisk.dll File not found

SRV - (pcx1unic) -- %systemroot%\system32\Nmea.dll File not found

SRV - (NetTcpActivator) -- \.\globalroot\C:\Windows\system32\svchost.exe File not found

SRV - (netcfgsvr) -- \.\globalroot\C:\Windows\system32\svchost.exe File not found

SRV - (mqdmbus) -- %systemroot%\system32\nv4.dll File not found

SRV - (mi-raysat_3dsMax2008_32) -- %systemroot%\system32\mi-raysat_3dsmax8.dll File not found

SRV - (mail2ec) -- %systemroot%\system32\bb-run.dll File not found

SRV - (lxcf_device) -- %systemroot%\system32\netrcacm.dll File not found

SRV - (LwUsbHid) -- %systemroot%\system32\vhidmini.dll File not found

SRV - (hpdskflt) -- %systemroot%\system32\basic2.dll File not found

SRV - (houdinilicenseserver) -- \.\globalroot\C:\Windows\system32\svchost.exe File not found

SRV - (forcewarewebinterface) -- %systemroot%\system32\TPPWRIF.dll File not found

SRV - (dmprimer) -- %systemroot%\system32\FreeTdi.dll File not found

SRV - (db2ntsecserver) -- %systemroot%\system32\lxbu_device.dll File not found

SRV - (cpqdmi) -- %systemroot%\system32\avgio.dll File not found

SRV - (cdudf_xp) -- %systemroot%\system32\radclock.dll File not found

SRV - (CDRPDACC) -- %systemroot%\system32\SlNtHal.dll File not found

SRV - (bwmservice) -- %systemroot%\system32\hclinetd.dll File not found

SRV - (btwavdt) -- %systemroot%\system32\se58mdm.dll File not found

SRV - (acmservice) -- %systemroot%\system32\DellAMBrokerService.dll File not found

SRV - (abiosdsk) -- %systemroot%\system32\diskperf.dll File not found

SRV - (NisSrv) -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe (Microsoft Corporation)

SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)

SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV - (Viewpoint Manager Service) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)

========== Driver Services (SafeList) ==========

DRV - (pgjpxip) -- System32\drivers\wucwo.sys File not found

DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found

DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found

DRV - (nirt) -- System32\drivers\voctbbry.sys File not found

DRV - (MpKslfeeef98d) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F814F7FC-9794-40B4-82B5-31C885B0CFE4}\MpKslfeeef98d.sys File not found

DRV - (MpKslcfdd02b5) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63944471-EB60-4FC0-B4DF-C82C4BB7CD18}\MpKslcfdd02b5.sys File not found

DRV - (MpKsl87a4b570) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63944471-EB60-4FC0-B4DF-C82C4BB7CD18}\MpKsl87a4b570.sys File not found

DRV - (MpKsl7822d4ae) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4A683FD5-BF58-43C0-9297-A737121C30AF}\MpKsl7822d4ae.sys File not found

DRV - (MpKsl60112352) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{2ABA641D-25A7-4764-89C7-381D2C4D11B8}\MpKsl60112352.sys File not found

DRV - (MpKsl5699652f) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5489BF18-738E-4984-84E6-4905A03FB040}\MpKsl5699652f.sys File not found

DRV - (MpKsl3aff7631) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{50D9AB1C-A2F8-4E13-9C73-29450A54A765}\MpKsl3aff7631.sys File not found

DRV - (MpKsl0cba7c5d) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8285B75C-890B-4747-8165-26CF0DFF5395}\MpKsl0cba7c5d.sys File not found

DRV - (MpKsl0b5bfdbb) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{077FF1BE-D17E-421B-9CEC-F748555BE244}\MpKsl0b5bfdbb.sys File not found

DRV - (MpKsl0aef8e47) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1D179CC0-5036-43F4-B9AC-2EEEAE774FD9}\MpKsl0aef8e47.sys File not found

DRV - (MpKsl06f78e51) -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{50D9AB1C-A2F8-4E13-9C73-29450A54A765}\MpKsl06f78e51.sys File not found

DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found

DRV - (garee) -- System32\drivers\uamddits.sys File not found

DRV - (eslvbdj) -- System32\drivers\jucfh.sys File not found

DRV - (catchme) -- C:\ComboFix\catchme.sys File not found

DRV - (blbdrive) -- C:\Windows\system32\drivers\blbdrive.sys File not found

DRV - (HBtnKey) -- C:\Windows\System32\drivers\CPQBttn.sys (Hewlett-Packard Company)

DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)

DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)

DRV - (ZTEusbser6k) -- C:\Windows\System32\drivers\ZTEusbser6k.sys (ZTE Incorporated)

DRV - (ZTEusbnmeaext) -- C:\Windows\System32\drivers\ZTEusbnmeaext.sys (ZTE Incorporated)

DRV - (ZTEusbnmea) -- C:\Windows\System32\drivers\ZTEusbnmea.sys (ZTE Incorporated)

DRV - (ZTEusbmdm6k) -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys (ZTE Incorporated)

DRV - (ZTEusbgps) -- C:\Windows\System32\drivers\ZTEusbgps.sys (ZTE Incorporated)

DRV - (massfilter) -- C:\Windows\System32\drivers\massfilter.sys (MBB Incorporated)

DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)

DRV - (RMCAST) RMCAST (Pgm) -- C:\Windows\System32\drivers\rmcast.sys (Microsoft Corporation)

DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvmfdx32.sys (NVIDIA Corporation)

DRV - (NWUSBCDFIL) -- C:\Windows\System32\drivers\NwUsbCdFil.sys (Novatel Wireless Inc.)

DRV - (NWADI) -- C:\Windows\System32\drivers\NWADIenum.sys (Novatel Wireless Inc)

DRV - (NWUSBPort2) -- C:\Windows\System32\drivers\nwusbser2.sys (Novatel Wireless Inc.)

DRV - (NWUSBPort) -- C:\Windows\System32\drivers\nwusbser.sys (Novatel Wireless Inc.)

DRV - (NWUSBModem) -- C:\Windows\System32\drivers\nwusbmdm.sys (Novatel Wireless Inc.)

DRV - (CnxtHdAudService) -- C:\Windows\System32\drivers\CHDRT32.sys (Conexant Systems Inc.)

DRV - (HdAudAddService) -- C:\Windows\System32\drivers\CHDART.sys (Conexant Systems Inc.)

DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)

DRV - (nvsmu) -- C:\Windows\System32\drivers\nvsmu.sys (NVIDIA Corporation)

DRV - (rismxdp) -- C:\Windows\System32\drivers\rixdptsk.sys (REDC)

DRV - (rimsptsk) -- C:\Windows\System32\drivers\rimsptsk.sys (REDC)

DRV - (WinPhlash) -- C:\SwSetup\SP42853\SWinFlash\PhlashNT.sys ()

DRV - (eabfiltr) -- C:\Windows\System32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)

DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop

IE - HKLM\..\SearchScopes,DefaultScope = {8E8176CF-3C72-4F29-B0AF-5E670D763FBD}

IE - HKLM\..\SearchScopes\{037039D8-8C53-43CC-95BE-198556E66531}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

IE - HKLM\..\SearchScopes\{8E8176CF-3C72-4F29-B0AF-5E670D763FBD}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

IE - HKLM\..\SearchScopes\{E4A7BA5D-1FCA-4261-85CA-307FC5471A6D}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1051714609-433273425-4273803940-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

IE - HKU\S-1-5-21-1051714609-433273425-4273803940-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1

IE - HKU\S-1-5-21-1051714609-433273425-4273803940-1000\..\SearchScopes,DefaultScope = {8E8176CF-3C72-4F29-B0AF-5E670D763FBD}

IE - HKU\S-1-5-21-1051714609-433273425-4273803940-1000\..\SearchScopes\{037039D8-8C53-43CC-95BE-198556E66531}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd

IE - HKU\S-1-5-21-1051714609-433273425-4273803940-1000\..\SearchScopes\{8E8176CF-3C72-4F29-B0AF-5E670D763FBD}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt

IE - HKU\S-1-5-21-1051714609-433273425-4273803940-1000\..\SearchScopes\{E4A7BA5D-1FCA-4261-85CA-307FC5471A6D}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7

IE - HKU\S-1-5-21-1051714609-433273425-4273803940-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found

FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)

FF - HKLM\Software\MozillaPlugins\@viewpoint.com/VMP: C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/12/19 09:28:06 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2012/03/31 20:12:59 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()

O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)

O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)

O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)

O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)

O4 - HKLM..\Run: [OPSE reminder] C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)

O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)

O4 - HKU\S-1-5-21-1051714609-433273425-4273803940-1000..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1051714609-433273425-4273803940-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-1051714609-433273425-4273803940-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1

O7 - HKU\S-1-5-21-1051714609-433273425-4273803940-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3C4C231C-BD71-4AC7-A165-5023550969D3}: DhcpNameServer = 192.168.1.254

O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg

O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\HPRadiance.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/08/04 04:08:39 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]

O32 - AutoRun File - [2005/09/11 08:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]

O33 - MountPoints2\{bab5aa97-8580-11df-8545-001a73ca750c}\Shell - "" = AutoRun

O33 - MountPoints2\{bab5aa97-8580-11df-8545-001a73ca750c}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect

O33 - MountPoints2\{c5db9a4c-1513-11e0-9571-001a73ca750c}\Shell - "" = AutoRun

O33 - MountPoints2\{c5db9a4c-1513-11e0-9571-001a73ca750c}\Shell\AutoRun\command - "" = F:\VZAccess_Manager.exe /z detect

O33 - MountPoints2\{c5db9a52-1513-11e0-9571-001a73ca750c}\Shell - "" = AutoRun

O33 - MountPoints2\{c5db9a52-1513-11e0-9571-001a73ca750c}\Shell\AutoRun\command - "" = G:\VZAccess_Manager.exe /z detect

O33 - MountPoints2\E\Shell - "" = AutoRun

O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\Autorun.exe

O34 - HKLM BootExecute: (autocheck autochk *)

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/31 20:21:56 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2012/03/31 20:21:55 | 000,000,000 | ---D | C] -- C:\Users\Owner\AppData\Local\temp

[2012/03/31 20:13:27 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN

[2012/03/31 20:05:43 | 000,000,000 | ---D | C] -- C:\ComboFix

[2012/03/30 11:05:52 | 000,000,000 | ---D | C] -- C:\found.000

[2012/03/23 17:04:33 | 000,000,000 | ---D | C] -- C:\FRST

[2012/03/13 21:38:19 | 000,000,000 | ---D | C] -- C:\ieexplore

[2012/03/13 11:22:34 | 002,044,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys

[2012/03/13 11:22:33 | 000,613,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpencom.dll

[2012/03/13 11:22:32 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll

[2012/03/13 11:22:32 | 000,219,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll

[2012/03/13 11:22:31 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll

[2012/03/13 11:22:31 | 000,683,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll

[2012/03/13 11:22:31 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll

[2012/03/12 21:10:39 | 000,000,000 | -H-D | C] -- C:\Windows\PIF

[2012/03/08 00:29:58 | 004,443,082 | R--- | C] (Swearware) -- C:\Users\Owner\Desktop\ComboFix.exe

[2012/03/08 00:08:12 | 000,607,260 | ---- | C] (Swearware) -- C:\Users\Owner\Desktop\dds.com

[2012/03/07 14:52:05 | 002,923,248 | ---- | C] (Microsoft Corporation) -- C:\Users\Owner\WindowsXP-KB914882-x86-ENU.exe

[2012/03/06 20:02:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2012/03/06 20:02:01 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2012/03/06 20:02:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2012/03/06 20:01:56 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2012/03/06 17:18:09 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/03/05 18:52:57 | 000,389,024 | ---- | C] (Bleeping Computer, LLC) -- C:\Windows\unhide.exe

[2012/03/05 17:04:11 | 000,607,260 | R--- | C] (Swearware) -- C:\Program Files\dds.scr

[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

[1 C:\Users\Owner\Documents\*.tmp files -> C:\Users\Owner\Documents\*.tmp -> ]

[1 C:\Users\Owner\Desktop\*.tmp files -> C:\Users\Owner\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/02 23:53:02 | 000,631,762 | ---- | M] () -- C:\Windows\System32\perfh009.dat

[2012/04/02 23:53:02 | 000,114,930 | ---- | M] () -- C:\Windows\System32\perfc009.dat

[2012/04/02 23:37:17 | 000,000,258 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini

[2012/04/02 23:35:37 | 000,003,296 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2012/04/02 23:35:37 | 000,003,296 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2012/04/02 23:35:34 | 000,031,871 | ---- | M] () -- C:\ProgramData\nvModes.001

[2012/04/02 23:35:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/04/01 19:28:16 | 022,360,147 | ---- | M] () -- C:\Users\Owner\Desktop\He-Shall-Have-Dominion-FREE-eBook.pdf

[2012/04/01 14:52:09 | 000,000,938 | ---- | M] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk

[2012/04/01 14:52:03 | 000,002,633 | ---- | M] () -- C:\Users\Owner\Desktop\Microsoft Office Outlook 2003.lnk

[2012/03/31 20:44:39 | 000,002,229 | ---- | M] () -- C:\Windows\epplauncher.mif

[2012/03/31 20:12:59 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts

[2012/03/23 15:41:09 | 000,000,322 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForOwner.job

[2012/03/23 15:41:07 | 000,003,121 | ---- | M] () -- C:\Windows\System32\responseBody.xml

[2012/03/23 15:41:07 | 000,002,253 | ---- | M] () -- C:\Windows\System32\requestBody.xml

[2012/03/23 15:41:07 | 000,000,881 | ---- | M] () -- C:\Windows\System32\request.gzip

[2012/03/23 13:03:12 | 004,443,082 | R--- | M] (Swearware) -- C:\Users\Owner\Desktop\ComboFix.exe

[2012/03/23 01:04:25 | 000,000,035 | ---- | M] () -- C:\Users\Owner\Desktop\Bookmark

[2012/03/21 19:51:00 | 000,199,680 | ---- | M] () -- C:\Users\Owner\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2012/03/19 17:58:43 | 000,089,448 | ---- | M] () -- C:\Users\Owner\Desktop\DiskMgmt screen shot.png

[2012/03/15 18:10:41 | 000,007,620 | ---- | M] () -- C:\Users\Owner\AppData\Local\d3d9caps.dat

[2012/03/15 10:48:02 | 000,031,871 | ---- | M] () -- C:\ProgramData\nvModes.dat

[2012/03/14 17:36:18 | 000,026,785 | ---- | M] () -- C:\logfile

[2012/03/13 11:50:08 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl

[2012/03/13 11:42:52 | 000,441,704 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

[2012/03/13 11:28:26 | 000,000,129 | ---- | M] () -- C:\Windows\System32\MRT.INI

[2012/03/12 23:42:59 | 000,000,112 | ---- | M] () -- C:\ProgramData\1VjM2R.dat

[2012/03/12 03:38:38 | 000,000,001 | ---- | M] () -- C:\ProgramData\2jFf5J64.exe_.b

[2012/03/12 03:38:38 | 000,000,001 | ---- | M] () -- C:\ProgramData\2jFf5J64.exe.b

[2012/03/11 20:36:03 | 000,000,667 | ---- | M] () -- C:\Windows\winpoint.ini

[2012/03/08 22:17:52 | 000,000,809 | ---- | M] () -- C:\Users\Owner\Documents\15.gif

[2012/03/08 00:08:04 | 000,607,260 | ---- | M] (Swearware) -- C:\Users\Owner\Desktop\dds.com

[2012/03/07 14:52:18 | 002,923,248 | ---- | M] (Microsoft Corporation) -- C:\Users\Owner\WindowsXP-KB914882-x86-ENU.exe

[2012/03/06 17:03:00 | 000,000,456 | ---- | M] () -- C:\ProgramData\JGLCtmoyv2sFma

[2012/03/06 17:02:40 | 000,000,288 | ---- | M] () -- C:\ProgramData\~JGLCtmoyv2sFma

[2012/03/06 17:02:40 | 000,000,200 | ---- | M] () -- C:\ProgramData\~JGLCtmoyv2sFmar

[2012/03/05 18:51:47 | 000,389,024 | ---- | M] (Bleeping Computer, LLC) -- C:\Windows\unhide.exe

[2012/03/05 17:03:59 | 000,607,260 | R--- | M] (Swearware) -- C:\Program Files\dds.scr

[2012/03/04 18:18:27 | 000,000,629 | ---- | M] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk

[1 C:\Windows\System32\drivers\*.tmp files -> C:\Windows\System32\drivers\*.tmp -> ]

[1 C:\Users\Owner\Documents\*.tmp files -> C:\Users\Owner\Documents\*.tmp -> ]

[1 C:\Users\Owner\Desktop\*.tmp files -> C:\Users\Owner\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/01 19:28:16 | 022,360,147 | ---- | C] () -- C:\Users\Owner\Desktop\He-Shall-Have-Dominion-FREE-eBook.pdf

[2012/03/23 01:04:47 | 000,000,035 | ---- | C] () -- C:\Users\Owner\Desktop\Bookmark

[2012/03/19 17:58:43 | 000,089,448 | ---- | C] () -- C:\Users\Owner\Desktop\DiskMgmt screen shot.png

[2012/03/13 11:28:26 | 000,000,129 | ---- | C] () -- C:\Windows\System32\MRT.INI

[2012/03/12 03:38:38 | 000,000,001 | ---- | C] () -- C:\ProgramData\2jFf5J64.exe_.b

[2012/03/12 03:38:38 | 000,000,001 | ---- | C] () -- C:\ProgramData\2jFf5J64.exe.b

[2012/03/08 22:17:35 | 000,000,809 | ---- | C] () -- C:\Users\Owner\Documents\15.gif

[2012/03/06 20:02:01 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2012/03/06 20:02:01 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2012/03/06 20:02:01 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2012/03/06 20:02:01 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2012/03/06 18:03:55 | 000,000,859 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk

[2012/03/06 18:03:55 | 000,000,659 | ---- | C] () -- C:\Users\Public\Desktop\Manual CanoScan LiDE 60.lnk

[2012/03/05 19:58:06 | 000,001,568 | ---- | C] () -- C:\Users\Public\Desktop\PowerChurch Plus Version 10.lnk

[2012/03/05 19:58:06 | 000,001,153 | ---- | C] () -- C:\Users\Public\Desktop\VZAccess Manager.lnk

[2012/03/05 19:58:06 | 000,000,847 | ---- | C] () -- C:\Users\Public\Desktop\RealPlayer.lnk

[2012/03/05 19:58:05 | 000,002,070 | ---- | C] () -- C:\Users\Public\Desktop\iP1700 On-screen Manual.lnk

[2012/03/05 19:58:05 | 000,001,975 | ---- | C] () -- C:\Users\Public\Desktop\Kodak EasyShare.lnk

[2012/03/05 19:58:05 | 000,001,965 | ---- | C] () -- C:\Users\Public\Desktop\HP Help and Support.lnk

[2012/03/05 19:58:05 | 000,001,887 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 8.lnk

[2012/03/05 19:58:05 | 000,001,860 | ---- | C] () -- C:\Users\Public\Desktop\Movie Magic Screenwriter.lnk

[2012/03/05 19:58:05 | 000,001,803 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk

[2012/03/05 19:58:05 | 000,001,768 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Movie Maker.lnk

[2012/03/05 19:58:05 | 000,001,737 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk

[2012/03/05 19:58:05 | 000,001,400 | ---- | C] () -- C:\Users\Public\Desktop\Point.lnk

[2012/03/05 19:58:05 | 000,001,227 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Photo Gallery.lnk

[2012/03/05 19:58:05 | 000,001,158 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Movie Maker.lnk

[2012/03/05 19:58:05 | 000,001,079 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk

[2012/03/05 19:58:05 | 000,000,963 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\EasyWorship 2007.lnk

[2012/03/05 19:58:05 | 000,000,948 | ---- | C] () -- C:\Users\Public\Desktop\Easy-PhotoPrint.lnk

[2012/03/05 19:58:05 | 000,000,938 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk

[2012/03/05 19:58:05 | 000,000,938 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk

[2012/03/05 19:58:05 | 000,000,915 | ---- | C] () -- C:\Users\Public\Desktop\Canon iP1700 User Registration.LNK

[2012/03/05 19:58:05 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\My Printer.lnk

[2012/03/05 19:58:05 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2012/03/05 19:58:05 | 000,000,777 | ---- | C] () -- C:\Users\Public\Desktop\CanoScan Toolbox 4.9.lnk

[2012/03/05 19:58:05 | 000,000,258 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk

[2012/03/05 19:58:05 | 000,000,240 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk

[2012/03/05 19:58:05 | 000,000,162 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\The Mary Miracle Part II.url

[2012/03/05 19:58:05 | 000,000,104 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\The Internet - Shortcut.lnk

[2012/03/05 19:58:04 | 000,002,001 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

[2012/03/05 19:58:04 | 000,001,764 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Calendar.lnk

[2012/03/05 19:58:04 | 000,001,757 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Defender.lnk

[2012/03/05 19:58:04 | 000,001,165 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VZAccess Manager.lnk

[2012/03/05 19:58:03 | 000,001,769 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickPlay Manager.lnk

[2012/03/05 19:58:03 | 000,001,728 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickPlay.lnk

[2012/03/05 19:58:01 | 000,001,789 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works Task Launcher.lnk

[2012/03/05 19:58:00 | 000,001,881 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2003.lnk

[2012/03/05 19:58:00 | 000,001,808 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk

[2012/03/05 19:57:56 | 000,001,630 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk

[2012/03/05 19:57:55 | 000,002,097 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Home movies made easy!.lnk

[2012/03/05 19:57:53 | 000,002,425 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 8.lnk

[2012/03/05 19:57:53 | 000,001,830 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk

[2012/03/05 16:19:29 | 000,000,200 | ---- | C] () -- C:\ProgramData\~JGLCtmoyv2sFmar

[2012/03/05 16:19:28 | 000,000,288 | ---- | C] () -- C:\ProgramData\~JGLCtmoyv2sFma

[2012/03/04 20:14:01 | 000,000,629 | ---- | C] () -- C:\Users\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk

[2012/03/04 18:18:21 | 000,000,456 | ---- | C] () -- C:\ProgramData\JGLCtmoyv2sFma

[2012/02/20 15:06:01 | 000,000,058 | ---- | C] () -- C:\Windows\mchguid.ini

[2012/01/29 19:26:19 | 000,000,027 | ---- | C] () -- C:\Windows\SmAudio.INI

[2011/12/26 23:36:04 | 000,011,188 | -HS- | C] () -- C:\Users\Owner\AppData\Local\m5klyyaimx332xcj

[2011/12/26 23:36:04 | 000,011,188 | -HS- | C] () -- C:\ProgramData\m5klyyaimx332xcj

[2011/12/26 20:06:28 | 000,010,742 | -HS- | C] () -- C:\Users\Owner\AppData\Local\33tc3173v44sqee43uclq23c54s20c2j

[2011/12/26 20:06:28 | 000,010,742 | -HS- | C] () -- C:\ProgramData\33tc3173v44sqee43uclq23c54s20c2j

[2011/12/16 08:50:54 | 000,000,112 | ---- | C] () -- C:\ProgramData\1VjM2R.dat

[2011/12/14 01:24:54 | 000,012,836 | -HS- | C] () -- C:\Users\Owner\AppData\Local\502843u1s876d065e433s4int3x4

[2011/12/14 01:24:54 | 000,012,836 | -HS- | C] () -- C:\ProgramData\502843u1s876d065e433s4int3x4

[2011/12/13 05:13:29 | 000,000,290 | ---- | C] () -- C:\Windows\wininit.ini

[2011/09/15 01:11:16 | 001,048,576 | ---- | C] () -- C:\Windows\System32\syndata.bin

[2011/04/21 15:04:19 | 000,000,160 | ---- | C] () -- C:\ProgramData\~43900680

[2011/04/21 15:04:19 | 000,000,128 | ---- | C] () -- C:\ProgramData\~43900680r

[2011/04/21 15:04:10 | 000,000,392 | ---- | C] () -- C:\ProgramData\43900680

[2011/01/23 22:33:24 | 000,033,236 | ---- | C] () -- C:\Windows\System32\uninst_KOAIR.exe

[2011/01/15 14:28:01 | 000,000,532 | ---- | C] () -- C:\Windows\MAXLINK.INI

[2010/12/30 19:35:02 | 000,000,093 | ---- | C] () -- C:\Users\Owner\AppData\Local\fusioncache.dat

[2010/12/30 19:34:52 | 000,003,679 | ---- | C] () -- C:\Windows\GrAddrBk.ini

[2010/12/30 19:34:52 | 000,000,995 | ---- | C] () -- C:\Windows\GRACE.INI

[2010/12/30 19:34:52 | 000,000,053 | ---- | C] () -- C:\Windows\PRSRVDLL.INI

[2010/12/30 19:34:50 | 000,010,875 | ---- | C] () -- C:\Windows\ESOA.INI

[2010/12/30 19:33:27 | 000,000,667 | ---- | C] () -- C:\Windows\winpoint.ini

[2010/10/16 22:51:24 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat

[2010/06/28 11:07:16 | 000,000,000 | ---- | C] () -- C:\Users\Owner\AppData\Roaming\wklnhst.dat

< End of report >


It's running sweet, LD, you rock! The step that finally re-enabled my firewall made a world of difference, keeping all the parasites from returning.

Many things got re-set and/or changed along the way, including the background color of my desktop, but I assume I should not be concerned, that some things went to different default settings and such?

The only major item that is still messed up is MS Essentials, which will not function - as well as not allowing me to uninstall it (it says I need some filter file and sends me off for an XP file even though my system is Vista). Is this simply something I'm going to have to work out on the Microsoft web site?
