Tech Support Guy > Virus & Other Malware Removal
Solved: Several Spyware Problems! -- Trojans, PersistWndName, google redirects..(w/ HJT file)


Redaxe (Junior Member with 13 posts, thread starter)
Join Date: May 2010
Experience: Intermediate
21-May-2010, 09:01 PM #1
Hi all,
I have started having a number of spyware issues this past week. Spybot S&D doesn't come up with any problems and nor does my virus checker. I downloaded Malware Sweeper and it picked up some problems, but still nothing seems to be fixed. Here are the problems I have been having. If you would like more information, please let me know, and thanks very much for your help!

Problems:

1. Several times a day my virus checker automatically catches and deletes a virus as I'm surfing the net. It's usually identified as Trojan:W32/Dursg.D or as TrojanW32/Agent.DJIS. As soon as this happens, a dialogue box pops up saying that "windows defender" is ready to install an update. I click cancel and then the User Account Control box comes up saying windows needs permission to continue (mentioning a Rundll file), I click cancel and it seems to be gone until another virus gets picked up by the checker a few hours later.

2. PersistWndName - this application just started running in the corner of my screen. I have no idea what it is or how it got there. I've only seen it once, while problem #1 has been occurring for several days.

3. Google redirects - lots of times when I click on links from Google searches I get random fake shopping sites. This has been occurring for several days.

4. Every time I start the computer, there is a "procedure entry point" error regarding PowerReadACvalue and something about a Powrprofdll file.


Here is the HJT scan:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:07 PM, on 12/05/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\Ross\AppData\Roaming\SystemProc\lsass.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {00B96881-D6D6-4927-B439-FA262B998508} - C:\Windows\system32\dmdskres32.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\Ross\AppData\Roaming\SystemProc\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\dmcompos32.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
O23 - Service: Google Update Service (gupdate1c985844c7b3510) (gupdate1c985844c7b3510) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9511 bytes



Thanks for your help!
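The entries in a log like the one above that an analyst reads first are the ones that break an expectation: a process carrying the name of a Windows core binary but launched from a user profile folder, a non-empty AppInit_DLLs value, a browser helper object with no name but a real DLL on disk. The script below is an added example, not part of the thread and not part of HijackThis; it encodes those three checks plus a "runs from a user-writable folder" check and applies them to a few lines copied from the HJT log above, with benign lines mixed in for contrast. The binary-name list, the set of "normal" directories and the profile-folder markers are the example's own assumptions, and a hit means the entry deserves a closer look, not that the machine is infected.

```python
"""Quick triage of HijackThis-style log lines (added example, not from the thread)."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HJT log posted above, benign ones included.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00B96881-D6D6-4927-B439-FA262B998508} - C:\Windows\system32\dmdskres32.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [RTHDBPL] C:\Users\Ross\AppData\Roaming\SystemProc\lsass.exe
O20 - AppInit_DLLs: C:\Windows\system32\dmcompos32.dll
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
"""

# Names of core Windows binaries that malware likes to borrow (assumed list).
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "wininit.exe",
                   "winlogon.exe", "services.exe", "svchost.exe", "explorer.exe"}
# Directories where those names are expected to live (assumed, 32-bit Vista layout).
SYSTEM_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\",
               "%systemroot%\\", "%systemroot%\\system32\\"}
# Substrings that place a file inside a user-writable profile location (assumed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\local settings\\", "\\downloads\\")

# A Windows path that starts with a drive letter or %VAR% and ends in a loadable extension.
PATH_RE = re.compile(r"((?:[a-z]:|%[a-z]+%)\\[^\r\n]*?\.(?:exe|dll|scr|sys|ocx|cpl))\b", re.I)


def extract_path(line: str) -> Optional[str]:
    """Return the first executable/DLL path found in an HJT line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage_line(line: str) -> List[str]:
    """Return the reasons this line deserves a closer look (empty list if none)."""
    reasons: List[str] = []
    kind = line.split(" - ", 1)[0].strip()        # "O2", "O4", "O20", ...
    path = extract_path(line)
    if path is None:                               # "(no file)" entries and R0/R1 URLs
        return reasons
    lower = path.lower()
    parent, _, name = lower.rpartition("\\")

    if kind == "O20" and "AppInit_DLLs:" in line:
        reasons.append("AppInit_DLLs injects this DLL into every user-mode process")
    if kind in ("O2", "O3") and "(no name)" in line:
        reasons.append("unnamed browser add-on backed by a real file on disk")
    if name in SYSTEM_BINARIES and parent + "\\" not in SYSTEM_DIRS:
        reasons.append(f"{name} is a Windows system binary name but runs from {parent}")
    if kind == "O4" and any(marker in lower for marker in USER_WRITABLE):
        reasons.append("autorun entry launches from a user-writable profile folder")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over every non-empty line and keep only the flagged ones."""
    flagged: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it as a script to see which of the sample lines are flagged; `triage_log` accepts any pasted HJT log. The Windows Defender, SnagIt and F-Secure lines pass, which is the point of the checks: they key on where a file loads from and how it is loaded, not on the file name alone, so a copy of a well-known name in the wrong place is what trips them.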
SweetTech (Senior Member with 1,016 posts)
Join Date: Jan 1970
Location: Antarctica
22-May-2010, 10:07 AM #2
My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems. I'd be grateful if you would note the following:
  • Logs from malware removal programs (DDS is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is make sure that your anti-virus definitions are up-to-date!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together.
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message on here.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________


OTL Custom Scan
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /180
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
  • You may need two posts to fit them both in.



NEXT:



Scanning with GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


NEXT:



Please make sure you include the following items in your next post:
1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The logs that were produced after running the OTL scans. (OTL.txt & Extras.txt)
3. The log that was produced after running GMER
4. An update on how your computer is currently running.
It would be helpful if you could answer each question in the order asked, as well as numbering your answers.
Redaxe (Junior Member with 13 posts, thread starter)
Join Date: May 2010
Experience: Intermediate
23-May-2010, 05:59 PM #3
Hi SweetTech,

Thanks for helping me out with this.

1. I don't have any questions at the moment.

I was able to complete the scans:

2.1 Here is the first OTL Scan (OTL.txt):

OTL logfile created on: 23/05/2010 2:33:57 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\Ross\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 55.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.37 Gb Total Space | 25.19 Gb Free Space | 11.38% Space Free | Partition Type: NTFS
Drive D: | 11.51 Gb Total Space | 2.19 Gb Free Space | 19.03% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROSS-PC
Current User Name: Ross
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Users\Ross\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe (F-Secure Corporation)
PRC - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32.exe (F-Secure Corporation)
PRC - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe (F-Secure Corporation)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe (F-Secure Corporation)
PRC - C:\Program Files\Shaw Secure\FWES\program\fsdfwd.exe (F-Secure Corporation)
PRC - C:\Program Files\Shaw Secure\Common\FSMA32.EXE (F-Secure Corporation)
PRC - C:\Program Files\Shaw Secure\Common\FSM32.EXE (F-Secure Corporation)
PRC - C:\Program Files\Shaw Secure\Common\FSHDLL32.EXE (F-Secure Corporation)
PRC - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe (F-Secure Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
PRC - C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\RocketDock\RocketDock.exe ()


========== Modules (SafeList) ==========

MOD - C:\Users\Ross\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\dmcompos32.dll ()
MOD - C:\Windows\System32\powrprof.dll (Microsoft Corporation)
MOD - C:\Windows\System32\dsound.dll (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\winsta.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (FSORSPClient) -- C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe (F-Secure Corporation)
SRV - (FSDFWD) -- C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe (F-Secure Corporation)
SRV - (FontCache) -- C:\Windows\System32\FntCache.dll (Microsoft Corporation)
SRV - (FSMA) -- C:\Program Files\Shaw Secure\Common\FSMA32.EXE (F-Secure Corporation)
SRV - (F-Secure Gatekeeper Handler Starter) -- C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe (F-Secure Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (IAANTMON) Intel(R) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (Com4Qlb) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe (Hewlett-Packard Development Company, L.P.)


========== Driver Services (SafeList) ==========

DRV - (F-Secure Gatekeeper) -- C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys ()
DRV - (fsbts) -- C:\Windows\system32\Drivers\fsbts.sys ()
DRV - (FSES) -- C:\Windows\System32\drivers\fses.sys (F-Secure Corporation)
DRV - (F-Secure HIPS) -- C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys (F-Secure Corporation)
DRV - (FSFW) -- C:\Windows\System32\drivers\fsdfw.sys (F-Secure Corporation)
DRV - (F-Secure Filter) -- C:\Program Files\Shaw Secure\Anti-Virus\win2k\fsfilter.sys ()
DRV - (F-Secure Recognizer) -- C:\Program Files\Shaw Secure\Anti-Virus\win2k\fsrec.sys ()
DRV - (fsvista) -- C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys ()
DRV - (SCDEmu) -- C:\Windows\System32\drivers\scdemu.sys (PowerISO Computing, Inc.)
DRV - (CnxtHdAudService) -- C:\Windows\System32\drivers\CHDRT32.sys (Conexant Systems Inc.)
DRV - (CnxtHdAudAddService) -- C:\Windows\System32\drivers\CHDART.sys (Conexant Systems Inc.)
DRV - (MegaSR) -- C:\Windows\system32\drivers\megasr.sys (LSI Corporation, Inc.)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Corporation)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (HSFHWAZL) -- C:\Windows\System32\drivers\VSTAZL3.SYS (Conexant Systems, Inc.)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (NETw3v32) Intel(R) -- C:\Windows\System32\drivers\NETw3v32.sys (Intel Corporation)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (iaStor) -- C:\Windows\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (RTSTOR) -- C:\Windows\System32\drivers\RTSTOR.sys (Realtek Semiconductor Corp.)
DRV - (igfx) -- C:\Windows\System32\drivers\igdkmd32.sys (Intel Corporation)
DRV - (XAudio) -- C:\Windows\System32\drivers\XAudio.sys (Conexant Systems, Inc.)
DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (HSF_DPV) -- C:\Windows\System32\drivers\HSX_DPV.sys (Conexant Systems, Inc.)
DRV - (HSXHWAZL) -- C:\Windows\System32\drivers\HSXHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\Windows\System32\drivers\HSX_CNXT.sys (Conexant Systems, Inc.)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Atheros Communications, Inc.)
DRV - (RTL8023xp) -- C:\Windows\System32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm60x32.sys (NVIDIA Corporation)
DRV - (BCM43XV) -- C:\Windows\System32\drivers\BCMWL6.SYS (Broadcom Corporation)
DRV - (HBtnKey) -- C:\Windows\System32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ario&pf=laptop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 81 68 B9 00 D6 D6 27 49 B4 39 FA 26 2B 99 85 08 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Wikipedia (en)"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.lse.ac.uk/"
FF - prefs.js..extensions.enabledItems: bettergmail2@ginatrapani.org:0.9.8
FF - prefs.js..extensions.enabledItems: litmus-ff@f-secure.com:1.10
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.7
FF - prefs.js..extensions.enabledItems: {1575efbd-9df9-4802-92a4-af89cc4d56eb}:1.0


FF - HKLM\software\mozilla\Firefox\Extensions\\litmus-ff@f-secure.com: C:\Program Files\Shaw Secure\NRS\litmus-ff@f-secure.com [2010/05/17 08:28:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 15:04:14 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/02 15:04:14 | 000,000,000 | ---D | M]

[2009/11/11 17:17:19 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\Mozilla\Extensions
[2009/11/11 17:17:19 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2010/05/23 13:55:40 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions
[2010/05/15 18:57:57 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\{1575efbd-9df9-4802-92a4-af89cc4d56eb}
[2009/09/02 23:01:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/10/05 18:11:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}-trash
[2009/12/01 10:00:31 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/12/01 10:00:29 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\bettergmail2@ginatrapani.org
[2009/11/26 09:52:38 | 000,001,775 | ---- | M] () -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\searchplugins\curriculum.xml
[2008/07/14 17:04:38 | 000,004,431 | ---- | M] () -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\searchplugins\scour---search-socially.xml
[2009/11/26 09:52:26 | 000,002,130 | ---- | M] () -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\searchplugins\twitterjobsearchcom.xml
[2009/11/20 10:24:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/03/09 19:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
[2009/12/19 22:10:00 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/12/19 22:10:00 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/12/19 22:10:00 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/12/19 22:10:00 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2006/09/18 17:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll (TechSmith Corporation)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Browsing Protection Class) - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (Browsing Protection Toolbar) - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll (F-Secure Corporation)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKLM\..\Toolbar: (SnagIt) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll (TechSmith Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O4 - HKLM..\Run: [F-Secure Manager] C:\Program Files\Shaw Secure\Common\FSM32.EXE (F-Secure Corporation)
O4 - HKLM..\Run: [F-Secure TNB] C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe (F-Secure Corporation)
O4 - HKLM..\Run: [HP Health Check Scheduler] File not found
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [UCam_Menu] C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [RocketDock] C:\Program Files\RocketDock\RocketDock.exe ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\Program Files\Shaw Secure\FSPS\program\FSLSP.DLL (F-Secure Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_04)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 67.55.0.11 66.49.220.95
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\Windows\system32\dmcompos32.dll) - C:\Windows\System32\dmcompos32.dll ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Ross\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Ross\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/02/22 07:22:01 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 11:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O33 - MountPoints2\{17c04ccc-7fc8-11dd-b3e8-001eec73b80b}\Shell\AutoPlay\CommaNd - "" = F:\vvkxj.pif -- File not found
O33 - MountPoints2\{17c04ccc-7fc8-11dd-b3e8-001eec73b80b}\Shell\AutoRun\command - "" = F:\vvkxj.pif -- File not found
O33 - MountPoints2\{17c04ccc-7fc8-11dd-b3e8-001eec73b80b}\Shell\EXpLORe\coMmanD - "" = F:\vvkxj.pif -- File not found
O33 - MountPoints2\{17c04ccc-7fc8-11dd-b3e8-001eec73b80b}\Shell\OpeN\cOmmand - "" = F:\vvkxj.pif -- File not found
O33 - MountPoints2\{4a6895a3-720d-11dd-a344-001eec73b80b}\Shell\AutoRun\command - "" = F:\1u0o8bnq.cmd -- File not found
O33 - MountPoints2\{4a6895a3-720d-11dd-a344-001eec73b80b}\Shell\explore\Command - "" = F:\1u0o8bnq.cmd -- File not found
O33 - MountPoints2\{4a6895a3-720d-11dd-a344-001eec73b80b}\Shell\open\Command - "" = F:\1u0o8bnq.cmd -- File not found
O33 - MountPoints2\{4bf76167-81b2-11dd-9f0b-001eec73b80b}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ipse32.exe
O33 - MountPoints2\{4bf76167-81b2-11dd-9f0b-001eec73b80b}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ipse32.exe
O33 - MountPoints2\{588f2376-4b85-11dd-bb7f-001eec73b80b}\Shell\AutoRun\command - "" = scene.exe 1
O33 - MountPoints2\{588f2376-4b85-11dd-bb7f-001eec73b80b}\Shell\explore\Command - "" = scene.exe 1
O33 - MountPoints2\{588f2376-4b85-11dd-bb7f-001eec73b80b}\Shell\open\Command - "" = scene.exe 1
O33 - MountPoints2\{588f2376-4b85-11dd-bb7f-001eec73b80b}\Shell\Scan\Command - "" = scene.exe 2
O33 - MountPoints2\{889a0e11-6c7d-11dd-a77b-001eec73b80b}\Shell\AutoRun\command - "" = F:\WD_Windows_Tools\Setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/20 22:34:27 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010/05/23 14:33:10 | 000,000,000 | ---D | C] -- C:\Users\Ross\Desktop\scans
[2010/05/21 18:11:31 | 000,000,000 | ---D | C] -- C:\Program Files\MalwareSweeper.com
[2010/05/12 18:20:44 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/11 19:49:02 | 000,000,000 | -HSD | C] -- C:\ProgramData\SysWoW32
[2010/05/11 19:48:47 | 000,000,000 | ---D | C] -- C:\ProgramData\19346585
[2010/05/11 19:48:25 | 000,000,000 | -HSD | C] -- C:\Users\Ross\AppData\Roaming\SystemProc
[2009/05/07 13:19:11 | 000,018,944 | ---- | C] ( ) -- C:\Windows\System32\Implode.dll

========== Files - Modified Within 30 Days ==========

[2010/05/23 14:35:01 | 000,000,416 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{ADFF579A-09CE-4522-B57E-E3AEAB417FB8}.job
[2010/05/23 14:33:45 | 005,242,880 | -HS- | M] () -- C:\Users\Ross\ntuser.dat
[2010/05/23 14:30:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/23 14:29:09 | 000,003,781 | -HS- | M] () -- C:\Users\Ross\AppData\Roaming\020000001dda6ac9912P.manifest
[2010/05/23 13:49:02 | 000,000,011 | -HS- | M] () -- C:\Users\Ross\AppData\Roaming\020000001dda6ac9912S.manifest
[2010/05/23 13:48:52 | 000,000,051 | -HS- | M] () -- C:\Users\Ross\AppData\Roaming\020000001dda6ac9912C.manifest
[2010/05/23 13:48:52 | 000,000,011 | -HS- | M] () -- C:\Users\Ross\AppData\Roaming\020000001dda6ac9912O.manifest
[2010/05/23 13:44:44 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010/05/23 13:44:13 | 000,000,279 | ---- | M] () -- C:\Users\Public\Documents\hpqp.ini
[2010/05/23 13:42:11 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/23 13:42:11 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/23 13:42:05 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/23 13:41:59 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/23 13:41:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/23 13:41:40 | 3210,756,096 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/23 13:40:35 | 000,524,288 | -HS- | M] () -- C:\Users\Ross\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000002.regtrans-ms
[2010/05/23 13:40:35 | 000,065,536 | -HS- | M] () -- C:\Users\Ross\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2010/05/20 21:07:14 | 000,000,817 | ---- | M] () -- C:\ProgramData\857035774
[2010/05/20 21:06:56 | 000,000,943 | -HS- | M] () -- C:\ProgramData\1665467310
[2010/05/17 23:29:37 | 000,000,040 | ---- | M] () -- C:\Users\Ross\AppData\Roaming\639554f9
[2010/05/16 18:34:05 | 000,003,144 | ---- | M] () -- C:\Users\Ross\Documents\cc_20100516_183359.reg
[2010/05/16 18:20:21 | 352,786,082 | ---- | M] () -- C:\Users\Ross\Documents\backup 16-05-10.reg
[2010/05/16 18:12:48 | 000,011,318 | ---- | M] () -- C:\Users\Ross\Documents\cc_20100516_181202.reg
[2010/05/14 17:44:45 | 000,005,648 | ---- | M] () -- C:\Users\Ross\AppData\Local\d3d9caps.dat
[2010/05/12 18:20:44 | 000,001,834 | ---- | M] () -- C:\Users\Ross\Desktop\HijackThis.lnk
[2010/05/12 11:21:16 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/05/11 19:49:02 | 000,000,113 | ---- | M] () -- C:\ProgramData\sl44339516
[2010/05/11 19:48:47 | 000,203,776 | -HS- | M] () -- C:\ProgramData\unrar.exe
[2010/05/11 19:48:22 | 000,113,152 | ---- | M] () -- C:\Windows\System32\dmsynth32.dll
[2010/05/11 19:48:18 | 000,283,136 | ---- | M] () -- C:\Windows\System32\dmdskres32.dll
[2010/05/11 19:48:17 | 000,187,392 | ---- | M] () -- C:\Windows\System32\dmcompos32.dll
[2010/05/01 09:34:36 | 001,749,920 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/26 19:12:50 | 000,159,232 | ---- | M] () -- C:\Users\Ross\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/26 19:06:17 | 001,491,138 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/04/26 19:06:17 | 000,679,070 | ---- | M] () -- C:\Windows\System32\perfh00C.dat
[2010/04/26 19:06:17 | 000,607,068 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/04/26 19:06:17 | 000,130,562 | ---- | M] () -- C:\Windows\System32\perfc00C.dat
[2010/04/26 19:06:17 | 000,108,836 | ---- | M] () -- C:\Windows\System32\perfc009.dat

========== Files Created - No Company Name ==========

[2010/05/23 13:38:49 | 3210,756,096 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/16 18:34:02 | 000,003,144 | ---- | C] () -- C:\Users\Ross\Documents\cc_20100516_183359.reg
[2010/05/16 18:19:53 | 352,786,082 | ---- | C] () -- C:\Users\Ross\Documents\backup 16-05-10.reg
[2010/05/16 18:12:08 | 000,011,318 | ---- | C] () -- C:\Users\Ross\Documents\cc_20100516_181202.reg
[2010/05/13 19:44:41 | 000,000,040 | ---- | C] () -- C:\Users\Ross\AppData\Roaming\639554f9
[2010/05/12 18:20:44 | 000,001,834 | ---- | C] () -- C:\Users\Ross\Desktop\HijackThis.lnk
[2010/05/11 19:56:53 | 000,000,943 | -HS- | C] () -- C:\ProgramData\1665467310
[2010/05/11 19:49:34 | 000,000,817 | ---- | C] () -- C:\ProgramData\857035774
[2010/05/11 19:49:02 | 000,000,113 | ---- | C] () -- C:\ProgramData\sl44339516
[2010/05/11 19:48:47 | 000,203,776 | -HS- | C] () -- C:\ProgramData\unrar.exe
[2010/05/11 19:48:21 | 000,113,152 | ---- | C] () -- C:\Windows\System32\dmsynth32.dll
[2010/05/11 19:48:18 | 000,283,136 | ---- | C] () -- C:\Windows\System32\dmdskres32.dll
[2010/05/11 19:48:17 | 000,187,392 | ---- | C] () -- C:\Windows\System32\dmcompos32.dll
[2010/05/11 19:48:17 | 000,003,781 | -HS- | C] () -- C:\Users\Ross\AppData\Roaming\020000001dda6ac9912P.manifest
[2010/05/11 19:48:17 | 000,000,051 | -HS- | C] () -- C:\Users\Ross\AppData\Roaming\020000001dda6ac9912C.manifest
[2010/05/11 19:48:17 | 000,000,011 | -HS- | C] () -- C:\Users\Ross\AppData\Roaming\020000001dda6ac9912S.manifest
[2010/05/11 19:48:17 | 000,000,011 | -HS- | C] () -- C:\Users\Ross\AppData\Roaming\020000001dda6ac9912O.manifest
[2009/10/20 18:49:33 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 18:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/01 06:31:56 | 000,176,235 | ---- | C] () -- C:\Windows\System32\Primomonnt.dll
[2009/05/07 13:25:31 | 000,018,790 | ---- | C] () -- C:\Windows\System32\ddmon.dll
[2009/05/07 13:19:12 | 000,054,272 | ---- | C] () -- C:\Windows\System32\P2irdao.dll
[2009/05/07 13:19:12 | 000,050,176 | ---- | C] () -- C:\Windows\System32\P2ctdao.dll
[2009/05/07 13:19:11 | 000,748,160 | ---- | C] () -- C:\Windows\System32\Co2c40en.dll
[2009/04/27 00:13:36 | 000,000,314 | ---- | C] () -- C:\Windows\primopdf.ini
[2008/10/31 05:15:00 | 000,033,920 | ---- | C] () -- C:\Windows\System32\drivers\fsbts.sys
[2008/06/12 21:06:07 | 000,155,648 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2007/08/20 08:34:08 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1318.dll
[2007/08/20 08:25:00 | 000,910,720 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/08/20 08:10:18 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009/05/07 13:27:30 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\deskPDF
[2010/05/18 18:59:48 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\F-Secure
[2008/07/29 23:40:32 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\IrfanView
[2010/05/21 19:53:04 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\LimeWire
[2009/06/11 04:57:42 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\Mapi2Xml
[2008/09/24 14:42:35 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\MiniLyrics
[2008/08/31 01:11:57 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\muvee Technologies
[2008/08/06 23:12:16 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\rockbox.org
[2008/07/14 17:02:51 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\scourtoolbar
[2009/10/15 01:33:28 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\Spotify
[2010/05/16 18:57:37 | 000,000,000 | -HSD | M] -- C:\Users\Ross\AppData\Roaming\SystemProc
[2010/03/10 00:32:20 | 000,000,000 | ---D | M] -- C:\Users\Ross\AppData\Roaming\uTorrent
[2010/05/23 13:40:36 | 000,032,558 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/05/23 14:35:01 | 000,000,416 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{ADFF579A-09CE-4522-B57E-E3AEAB417FB8}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2008/02/22 07:22:01 | 000,000,074 | ---- | M] () -- C:\autoexec.bat
[2009/04/11 02:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2006/09/18 17:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2010/05/23 13:41:40 | 3210,756,096 | -HS- | M] () -- C:\hiberfil.sys
[2008/06/29 00:52:25 | 000,000,373 | -H-- | M] () -- C:\IPH.PH
[2010/05/23 13:41:37 | 3524,546,560 | -HS- | M] () -- C:\pagefile.sys
[2008/10/16 14:52:56 | 000,000,594 | ---- | M] () -- C:\updatedatfix.log

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/04/11 02:27:47 | 000,241,128 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\rsaenh.dll
[2009/04/11 02:28:23 | 000,228,352 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\SLC.dll
[2009/04/11 02:28:25 | 000,443,392 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\win32spl.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/01/20 23:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/01/20 23:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/01/20 23:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 06:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 06:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /180 >
[2010/03/30 08:13:22 | 000,033,920 | ---- | M] () -- C:\Windows\System32\drivers\fsbts.sys
[2010/03/17 18:10:36 | 000,035,792 | ---- | M] (F-Secure Corporation) -- C:\Windows\System32\drivers\fses.sys
[2010/02/20 16:53:34 | 000,411,648 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\http.sys
[2010/02/23 07:10:13 | 000,106,496 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb.sys
[2010/02/23 07:10:19 | 000,212,992 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb10.sys
[2010/02/23 07:10:13 | 000,079,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\mrxsmb20.sys
[2009/12/11 07:43:30 | 000,302,080 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srv.sys
[2009/12/11 07:43:11 | 000,098,816 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\srvnet.sys
[2010/02/18 10:07:16 | 000,904,576 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpip.sys
[2009/12/08 13:26:18 | 000,030,720 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tcpipreg.sys
[2010/02/18 07:28:13 | 000,025,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\tunnel.sys
< End of report >




2.2. Here is the second OTL Scan (Extras.txt):


OTL Extras logfile created on: 23/05/2010 2:33:57 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\Ross\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 55.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 221.37 Gb Total Space | 25.19 Gb Free Space | 11.38% Space Free | Partition Type: NTFS
Drive D: | 11.51 Gb Total Space | 2.19 Gb Free Space | 19.03% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ROSS-PC
Current User Name: Ross
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with &IrfanView] -- "C:\Program Files\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"AutoUpdateDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{062725BE-EE18-414A-ADA1-3DB7ABF1B6D1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{10AEC925-4B09-4005-9244-D65DA130F628}" = lport=138 | protocol=17 | dir=in | app=system |
"{262A4AF4-F638-4D0F-B932-FFFEBD4FB569}" = rport=137 | protocol=17 | dir=out | app=system |
"{68660AFC-EF91-4AC2-9FE9-6C67900FD03B}" = rport=138 | protocol=17 | dir=out | app=system |
"{6D32DD3E-9085-42EC-B3BD-4F830C48AE9D}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{70E8711C-CEBC-4932-B0C5-CAED91B6E142}" = rport=139 | protocol=6 | dir=out | app=system |
"{920C55BD-1537-41CD-9EA2-0BE5D69B52EE}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{95B5E301-A33A-4BCD-BF66-FFB084FBAA63}" = lport=137 | protocol=17 | dir=in | app=system |
"{C2CDF4C7-3E7D-4E42-B06F-EBB7CF5AAD55}" = rport=445 | protocol=6 | dir=out | app=system |
"{D8315A2F-0A41-468D-BA73-C23DC9BFF017}" = lport=139 | protocol=6 | dir=in | app=system |
"{D99B6538-41D4-439A-86A6-12D485C14139}" = lport=445 | protocol=6 | dir=in | app=system |
"{FE0686F1-B76F-4E81-93FE-378B85B9773D}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{119071E7-57B5-4811-AE64-CF649622A045}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{3AA9208D-5512-4415-AD8F-D93198A770CD}" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"{3E351391-E4A9-4C73-A7C9-E412A63AE7B6}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{4056C4B2-AB8E-4916-94F8-E3CD2061D9EE}" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"{55CB85D3-B82C-47A7-BE0C-0A6E87912C58}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{6C87ED90-D925-43A5-8E4E-AA7236C39A10}" = dir=in | app=c:\program files\hp\quickplay\qp.exe |
"{6EB4A77E-7B35-48A4-884D-E57D2B43BA9A}" = protocol=17 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{7100A31A-E9D4-41CA-BEC6-ABE218A42B40}" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"{77BE3E79-6E80-4212-8F05-80BBD9E2F270}" = dir=in | app=c:\windows\explorer.exe |
"{7ACC6E87-8C12-4adb-91B7-EFC3F2F4705A}" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"{7D42DDC1-979A-415B-9951-4E0E4C20BE66}" = protocol=6 | dir=in | app=c:\program files\utorrent\utorrent.exe |
"{8E05F5C3-F70E-482A-AB39-CA37B40EFDC7}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{8F729970-824D-4495-B1C6-CD7B3D18DEBC}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{92459C5E-D350-4cba-AA74-C8F989C9336F}" = protocol=17 | dir=out | app=c:\windows\explorer.exe |
"{98DC8AA5-730F-4D81-B9B6-DC94E455D5B0}" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"{B078B2B6-A878-44ff-9BCC-458257924F96}" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"{B1A40E4F-58DB-490f-9D18-55B5194E8BD5}" = protocol=6 | dir=out | app=c:\windows\explorer.exe |
"{C3E9B20A-B7E2-4aab-9835-3C548937E46F}" = dir=out | app=c:\windows\explorer.exe |
"{D96675A6-F388-4281-AC6B-AEB3E4400013}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{DBB1980F-B43B-4F6F-A8BC-8368F659B6B3}" = dir=in | app=c:\program files\cyberlink\powerdirector\pdr.exe |
"{DC93BA21-29FA-414E-ADC4-4BA5C4BB2A62}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{E695B01D-D456-4D20-8801-791BCCE0D0D6}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{F8D6664E-D2F6-47EE-BFF0-8A5F8138E849}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{FCB9AE1D-E08E-4097-9C54-46A1CDFC86C5}" = dir=in | app=c:\program files\hp\quickplay\qpservice.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3
"{06E74B9B-631F-4378-BF3A-40D868450C05}" = HPPhotoSmartPhotobookHolidayPack1
"{082702D5-5DD8-4600-BCE5-48B15174687F}" = HP Doc Viewer
"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting
"{0F0D5D62-738D-4DCB-908F-7D8C8FAD5845}" = StudioTax 2009
"{11BB336F-0E58-4977-B866-F24FA334616B}" = HP Active Support Library
"{12A76360-388E-4B27-ABEB-D5FC5378DD2A}" = HPPhotoSmartPhotobookWebPack1
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{172AEB5E-CBB2-4CDD-A4CF-388600825839}" = HPPhotoSmartPhotobookPlayfulPack1
"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin
"{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}" = Adobe Shockwave Player
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{209CDA54-D390-46A2-A97C-7BF61734418D}" = WeatherBug Gadget
"{20AC583C-A6FB-410A-807D-25308225C201}" = Paint.NET v3.35
"{228C6B46-64E2-404E-898A-EF0830603EF4}" = HPNetworkAssistant
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{250E9609-E830-43EB-B379-DAB7546A2422}" = muvee autoProducer 6.1
"{254C37AA-6B72-4300-84F6-98A82419187E}" = Hewlett-Packard Active Check
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 17
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program
"{28EDCE9C-3304-4331-8AB3-F3EBE94C35B4}" = HP Help and Support
"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3
"{2CD2C0DB-81C3-416B-9FA6-589B9235359B}" = OpenOffice.org 2.4
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160040}" = Java(TM) 6 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 B2
"{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}" = Adobe Photoshop CS3
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{4448ABF6-786D-4C3D-A49D-7BB237E6DD17}" = Foxit PDF IFilter
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.6
"{4CACFCD9-F71B-413A-8DF5-1A6419D5CDC6}" = Cards_Calendar_OrderGift_DoMorePlugout
"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings
"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = Hewlett-Packard Asset Agent for Health Check
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All
"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{89E052B2-5CA5-4B7A-AF0C-28CA2836B030}" = HPPhotoSmartPhotobookModernPack1
"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3
"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings
"{9885A11E-60E4-417C-B58B-8B31B21C0B8A}" = HP Easy Setup - Frontend
"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Touch Pad Driver
"{A07840FC-CE63-4CB8-8030-EF4B9805925A}" = HPPhotoSmartDiscLabel_PaperLabel
"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps
"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AC95121F-1576-45B8-82F7-3911D27882E6}" = HPPhotoSmartPhotobookScrapbookPack1
"{ADDD6985-3A28-44D0-A1BA-FDD19A820491}" = SnagIt 9
"{ADFB9653-F44C-460C-BF58-189CC552DFFE}" = hpphotosmartdisclabelplugin
"{AE46ABD3-D625-467F-B5A7-8D3FFF077F0D}" = Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
"{b02df929-29a7-4fd2-9a70-81a644b635f7}" = HP Total Care Advisor
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4E91E95-A5BA-4E50-A465-DB7EFEB176E8}" = HPPhotoSmartDiscLabel_PrintOnDisc
"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{BD0E2B92-3814-46F0-893B-4612EA010C7E}" = HP Customer Experience Enhancements
"{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}" = Adobe ExtendScript Toolkit 2
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}" = HP Wireless Assistant
"{CC4A73BF-938E-4C19-A553-853C035C9BA1}" = LightScribe System Software 1.10.13.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client
"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files
"{D7358B07-4F10-4014-9869-7999578BE8ED}" = HP User Guides 0093
"{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}" = Adobe Color Common Settings
"{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader
"{DD3C88A0-C53C-41D0-A21B-6D021981D23E}" = HPPhotoSmartDiscLabelContent1
"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E2E7A0E8-77C4-495F-8FA3-63DAEDAA2DB3}" = F-Secure PSC Prerequisites
"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}" = mobile PhoneTools
"{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link
"{F636EE9A-F9EC-4606-BCFA-77DD0E210788}" = HPPhotoSmartDiscLabel_Tattoo
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}" = Adobe Setup
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1" = Adobe Photoshop CS3
"CCleaner" = CCleaner (remove only)
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"deskPDF 2.5 Professional_is1" = deskPDF 2.5 Professional Edition
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FeedDemon_is1" = FeedDemon
"FeedStation_is1" = FeedStation
"Foxit Reader" = Foxit Reader
"F-Secure Product 444" = Shaw Secure
"gAttach!_is1" = gAttach!
"Google Updater" = Google Updater
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = CyberLink YouCam
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"InstallShield_{F5577101-33CC-4711-8235-3A95BCD49DB0}" = EA Link
"IrfanView" = IrfanView (remove only)
"LimeWire" = LimeWire 5.5.8
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"Picasa 3" = Picasa 3
"PowerISO" = PowerISO
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"RocketDock_is1" = RocketDock 1.3.5
"scourtoolbar" = Scour Toolbar
"SlingMedia.QPSlingPlayer_is1" = QuickPlay SlingPlayer 0.4.6
"Spotify" = Spotify
"TVWiz" = Intel(R) TV Wizard
"uTorrent" = µTorrent
"ViewpointMediaPlayer" = Viewpoint Media Player
"Winamp" = Winamp
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 05/02/2010 11:08:05 PM | Computer Name = Ross-PC | Source = Google Update | ID = 20
Description =

Error - 06/02/2010 2:36:46 AM | Computer Name = Ross-PC | Source = WinMgmt | ID = 10
Description =

Error - 06/02/2010 2:36:56 AM | Computer Name = Ross-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 06/02/2010 10:17:54 AM | Computer Name = Ross-PC | Source = WinMgmt | ID = 10
Description =

Error - 06/02/2010 10:18:16 AM | Computer Name = Ross-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 06/02/2010 12:22:26 PM | Computer Name = Ross-PC | Source = WinMgmt | ID = 10
Description =

Error - 06/02/2010 1:08:05 PM | Computer Name = Ross-PC | Source = Google Update | ID = 20
Description =

Error - 06/02/2010 1:50:02 PM | Computer Name = Ross-PC | Source = WinMgmt | ID = 10
Description =

Error - 06/02/2010 1:51:07 PM | Computer Name = Ross-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 06/02/2010 1:51:08 PM | Computer Name = Ross-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ Media Center Events ]
Error - 16/12/2008 6:36:00 PM | Computer Name = Ross-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 07/05/2009 3:32:14 PM | Computer Name = Ross-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 16/09/2009 7:38:22 PM | Computer Name = Ross-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 12/10/2009 2:01:29 AM | Computer Name = Ross-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ OSession Events ]
Error - 20/04/2009 12:13:10 PM | Computer Name = Ross-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6331.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1291
seconds with 840 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 23/05/2010 1:31:42 PM | Computer Name = Ross-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 23/05/2010 1:31:42 PM | Computer Name = Ross-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 23/05/2010 1:31:42 PM | Computer Name = Ross-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 23/05/2010 1:31:54 PM | Computer Name = Ross-PC | Source = DCOM | ID = 10005
Description =

Error - 23/05/2010 1:40:02 PM | Computer Name = Ross-PC | Source = WinDefend | ID = 2004
Description = %%827 has encountered an error trying to load signatures and will
attempt reverting back to a known-good set of signatures. Signatures Attempted: %%824

Error
Code: 0x8050a001 Error description: The program can't find definition files that
help detect unwanted software. Check for updates to the definition files, and then
try again. For information on installing updates, see Help and Support. Signatures
loading: %%825 Loading signature version: 1.81.1898.0 Loading engine version: 1.1.5703.0

Error - 23/05/2010 1:42:40 PM | Computer Name = Ross-PC | Source = WinDefend | ID = 2004
Description = %%827 has encountered an error trying to load signatures and will
attempt reverting back to a known-good set of signatures. Signatures Attempted: %%824

Error
Code: 0x8050a001 Error description: The program can't find definition files that
help detect unwanted software. Check for updates to the definition files, and then
try again. For information on installing updates, see Help and Support. Signatures
loading: %%825 Loading signature version: 1.81.1898.0 Loading engine version: 1.1.5703.0

Error - 23/05/2010 1:44:55 PM | Computer Name = Ross-PC | Source = DCOM | ID = 10010
Description =

Error - 23/05/2010 1:47:55 PM | Computer Name = Ross-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 23/05/2010 1:52:36 PM | Computer Name = Ross-PC | Source = ACPI | ID = 327693
Description = : The embedded controller (EC) did not respond within the specified
timeout period. This may indicate that there is an error in the EC hardware or
firmware or that the BIOS is accessing the EC incorrectly. You should check with
your computer manufacturer for an upgraded BIOS. In some situations, this error
may cause the computer to function incorrectly.

Error - 23/05/2010 1:58:16 PM | Computer Name = Ross-PC | Source = Microsoft-Windows-LanguagePackSetup | ID = 1003
Description =


< End of report >




3. Gmer scan:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-23 17:09:18
Windows 6.0.6002 Service Pack 2
Running: 3d3342i9.exe; Driver: C:\Users\Ross\AppData\Local\Temp\kxldrpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateThread [0x8FBA3E8C]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwLoadDriver [0x8FBA41BC]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwMapViewOfSection [0x8FBA3BCC]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwOpenSection [0x8FBA45EE]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwRenameKey [0x8FBA588C]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSetSystemInformation [0x8FBA443E]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSuspendProcess [0x8FBA3A4C]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSuspendThread [0x8FBA3EC0]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSystemDebugControl [0x8FBA4042]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwTerminateProcess [0x8FBA39A6]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwTerminateThread [0x8FBA3B06]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwWriteVirtualMemory [0x8FBA3F86]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateThreadEx [0x8FBA3EA6]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 81EFD984 4 Bytes [8C, 3E, BA, 8F]
.text ntkrnlpa.exe!KeSetEvent + 37D 81EFDAE0 4 Bytes [BC, 41, BA, 8F]
.text ntkrnlpa.exe!KeSetEvent + 3AD 81EFDB10 4 Bytes [CC, 3B, BA, 8F]
.text ntkrnlpa.exe!KeSetEvent + 3FD 81EFDB60 4 Bytes [EE, 45, BA, 8F]
.text ntkrnlpa.exe!KeSetEvent + 516 81EFDC79 3 Bytes [58, BA, 8F]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] kernel32.dll!LoadLibraryExW 77589109 5 Bytes JMP 030D000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!closesocket 7777330C 5 Bytes JMP 10012F96 C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!WSASocketW 777734EB 7 Bytes JMP 10012EBD C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!connect 777740D9 5 Bytes JMP 10012F20 C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!getaddrinfo 7777418A 5 Bytes JMP 1001300C C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!bind 7777652F 5 Bytes JMP 10012E47 C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!WSAConnect 7777D7B0 5 Bytes JMP 10012F55 C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!WSAAsyncGetHostByName 77785FB9 5 Bytes JMP 1001305A C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!gethostbyname 777862D4 5 Bytes JMP 10012FC0 C:\Windows\system32\dmcompos32.dll

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???^?^??Network adapters?2????????<??^?????????2?????$???^???????????????????????????^????? ??2?????????????)?????????3?????????????)?????????3???#???????????#??1?2?5? ??????sy??????$???4????? ??????? ??????????????? ????????????????????????????????????????? ???????????????????$???4????? ??????? ????p???????????????????????????????????????? ????????????????O??Microsoft Windows Management Interface for ACPI?????tunnel???????$???^???????????????????????????$???^???????????????? ??????????????$???4????? ??????? ??????????????? ????????????????????????????????????????? ??????????? ????????????? ?????????????? ???????????????^??????$???4????? ??????? ????????????????????????? ??????????? ????????????????????????????????????????????????????????????????????????h?? ???h6JO??????h??????????? ??? ????????8?? ??????? ??????? ??? ????????????????? ? ? ? ? ??? ??????? ??? ????????????????? D???????? ??? ??? ???????????????????g?????????^???P???????????D??system32\DRIVERS\wmiacpi.sy s?wmiacpi.sys??????<??^???!?????????????????

---- EOF - GMER 1.0.15 ----


4. Update

Twice now when I have started my computer, windows fails to load leaving me with only a blank screen. An error message stating that Windows Explorer failed to load appears. I booted up in Safe Mode and did a system restore to a few days ago and was able to start the computer normally. The scans were not completed in Safe Mode.

The other problems persist, although I have not seen PersistWndName again since the first time it appeared.


Thanks again for your help,
Red
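A note on reading the GMER "User code sections" above, with an added example that is not part of this thread, of GMER, or of any tool the helpers use here. Each of those lines records an inline patch (a 5- or 7-byte JMP) on an exported function inside a process; when the JMP lands in a module other than the DLL that owns the export, that module is intercepting the call. Security products do this legitimately (the SSDT entries for fshs.sys higher up are the HIPS driver doing the kernel-side equivalent), so triage needs an allow-list rather than a blanket rule. The Python script below parses lines in that format, groups the hooks by the module they jump into, and separately reports modules that hook the Winsock name-resolution and connection APIs (getaddrinfo, gethostbyname, connect), which is the kind of hook that can steer a browser's traffic in the way the search-redirect symptom in this thread describes. The sample lines are copied from the log above plus one constructed benign line; the allow-list path (C:\Program Files\ExampleAV) and the addresses on that constructed line are placeholders, not a real product.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the GMER "User code sections" above, plus one
# made-up benign hook (ExampleAV, placeholder addresses) so the allow-list has a match.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] kernel32.dll!LoadLibraryExW 77589109 5 Bytes JMP 030D000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!WSASocketW 777734EB 7 Bytes JMP 10012EBD C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!connect 777740D9 5 Bytes JMP 10012F20 C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!getaddrinfo 7777418A 5 Bytes JMP 1001300C C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] WS2_32.dll!gethostbyname 777862D4 5 Bytes JMP 10012FC0 C:\Windows\system32\dmcompos32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4832] kernel32.dll!CreateProcessW 77590000 5 Bytes JMP 6A001000 C:\Program Files\ExampleAV\avhook32.dll
"""

# Placeholder allow-list: directories of security products known to hook user-mode APIs.
ALLOWLIST = (r"C:\Program Files\ExampleAV",)

# Winsock exports a module must intercept to steer name resolution or outbound connections.
NETWORK_APIS = {
    "ws2_32.dll!connect", "ws2_32.dll!wsaconnect", "ws2_32.dll!getaddrinfo",
    "ws2_32.dll!gethostbyname", "ws2_32.dll!wsaasyncgethostbyname",
}

# One GMER user-code line:
#   .text <process path>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> [<target module path>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<target_mod>\S.*))?$"
)


@dataclass
class Hook:
    process: str
    pid: int
    module: str       # DLL whose export was patched, e.g. WS2_32.dll
    func: str         # patched export, e.g. connect
    target_mod: str   # module the JMP lands in, or "" when no module owns that memory


def parse_hooks(text):
    """Parse every JMP-style user-code line; lines in other formats are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["proc"], int(m["pid"]), m["module"], m["func"],
                              (m["target_mod"] or "").strip()))
    return hooks


def classify(hook, allowlist):
    """Return 'anonymous', 'self', 'allowlisted' or 'suspicious' for one hook."""
    if not hook.target_mod:
        return "anonymous"          # JMP into memory that no loaded module owns
    target = hook.target_mod.lower()
    if target.rsplit("\\", 1)[-1] == hook.module.lower():
        return "self"               # patch stays inside the DLL that owns the export
    for prefix in allowlist:
        if target.startswith(prefix.lower().rstrip("\\") + "\\"):
            return "allowlisted"
    return "suspicious"


def triage(text, allowlist=()):
    """Group hooks as {verdict: {target module: [(process name, module!func), ...]}}."""
    report = defaultdict(lambda: defaultdict(list))
    for h in parse_hooks(text):
        key = h.target_mod.lower() if h.target_mod else "<anonymous>"
        report[classify(h, allowlist)][key].append(
            (h.process.rsplit("\\", 1)[-1], f"{h.module}!{h.func}"))
    return {verdict: dict(by_mod) for verdict, by_mod in report.items()}


def network_interceptors(text, allowlist=()):
    """Suspicious target modules that hook Winsock resolution/connection APIs, with the APIs."""
    out = defaultdict(set)
    for h in parse_hooks(text):
        if classify(h, allowlist) == "suspicious" and f"{h.module}!{h.func}".lower() in NETWORK_APIS:
            out[h.target_mod.lower()].add(h.func)
    return {mod: sorted(funcs) for mod, funcs in out.items()}


if __name__ == "__main__":
    for verdict, by_mod in triage(SAMPLE_LOG, ALLOWLIST).items():
        for mod, entries in by_mod.items():
            print(f"[{verdict}] {mod}: {', '.join(f for _, f in entries)}")
    print("network interceptors:", network_interceptors(SAMPLE_LOG, ALLOWLIST))
```

Run against the real log, the "suspicious" bucket is the one to review first, and cross-checking the flagged module against the file-creation dates in a ComboFix or OTL listing (dmcompos32.dll appears in the ComboFix "Files Created" section later in this thread with a 2010-05-11 timestamp) tells you whether it arrived with the symptoms.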
SweetTech
Senior Member with 1,016 posts.
Join Date: Jan 1970
Location: Antarctica
23-May-2010, 06:15 PM #4
I'll be back shortly with instructions.
SweetTech
Senior Member with 1,016 posts.
Join Date: Jan 1970
Location: Antarctica
23-May-2010, 06:20 PM #5
Hello,

Disable SpyBot TeaTimer
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy



NEXT:



OTL Fix

We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"

    Code:
    :Services
    :OTL
    [2010/05/15 18:57:57 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\{1575efbd-9df9-4802-92a4-af89cc4d56eb}
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
    O4 - HKLM..\Run: [HP Health Check Scheduler] File not found
    O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
    O33 - MountPoints2\{17c04ccc-7fc8-11dd-b3e8-001eec73b80b}\Shell\AutoPlay\CommaNd - "" = F:\vvkxj.pif -- File not found
    O33 - MountPoints2\{17c04ccc-7fc8-11dd-b3e8-001eec73b80b}\Shell\AutoRun\command - "" = F:\vvkxj.pif -- File not found
    O33 - MountPoints2\{17c04ccc-7fc8-11dd-b3e8-001eec73b80b}\Shell\EXpLORe\coMmanD - "" = F:\vvkxj.pif -- File not found
    O33 - MountPoints2\{17c04ccc-7fc8-11dd-b3e8-001eec73b80b}\Shell\OpeN\cOmmand - "" = F:\vvkxj.pif -- File not found
    O33 - MountPoints2\{4a6895a3-720d-11dd-a344-001eec73b80b}\Shell\AutoRun\command - "" = F:\1u0o8bnq.cmd -- File not found
    O33 - MountPoints2\{4a6895a3-720d-11dd-a344-001eec73b80b}\Shell\explore\Command - "" = F:\1u0o8bnq.cmd -- File not found
    O33 - MountPoints2\{4a6895a3-720d-11dd-a344-001eec73b80b}\Shell\open\Command - "" = F:\1u0o8bnq.cmd -- File not found
    O33 - MountPoints2\{4bf76167-81b2-11dd-9f0b-001eec73b80b}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ipse32.exe
    O33 - MountPoints2\{4bf76167-81b2-11dd-9f0b-001eec73b80b}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ipse32.exe
    O33 - MountPoints2\{588f2376-4b85-11dd-bb7f-001eec73b80b}\Shell\AutoRun\command - "" = scene.exe 1
    O33 - MountPoints2\{588f2376-4b85-11dd-bb7f-001eec73b80b}\Shell\explore\Command - "" = scene.exe 1
    O33 - MountPoints2\{588f2376-4b85-11dd-bb7f-001eec73b80b}\Shell\open\Command - "" = scene.exe 1
    O33 - MountPoints2\{588f2376-4b85-11dd-bb7f-001eec73b80b}\Shell\Scan\Command - "" = scene.exe 2
    O33 - MountPoints2\{889a0e11-6c7d-11dd-a77b-001eec73b80b}\Shell\AutoRun\command - "" = F:\WD_Windows_Tools\Setup.exe -- File not found
    [2010/05/11 19:48:47 | 000,000,000 | ---D | C] -- C:\ProgramData\19346585
    [2010/05/11 19:48:25 | 000,000,000 | -HSD | C] -- C:\Users\Ross\AppData\Roaming\SystemProc
    [2010/05/20 21:07:14 | 000,000,817 | ---- | M] () -- C:\ProgramData\857035774
    [2010/05/20 21:06:56 | 000,000,943 | -HS- | M] () -- C:\ProgramData\1665467310
    [2010/05/17 23:29:37 | 000,000,040 | ---- | M] () -- C:\Users\Ross\AppData\Roaming\639554f9
    [2010/05/11 19:49:02 | 000,000,113 | ---- | M] () -- C:\ProgramData\sl44339516
    [2010/05/11 19:48:47 | 000,203,776 | -HS- | M] () -- C:\ProgramData\unrar.exe
    [2010/05/13 19:44:41 | 000,000,040 | ---- | C] () -- C:\Users\Ross\AppData\Roaming\639554f9
    [2010/05/11 19:49:34 | 000,000,817 | ---- | C] () -- C:\ProgramData\857035774
    [2010/05/11 19:49:02 | 000,000,113 | ---- | C] () -- C:\ProgramData\sl44339516
    [2010/05/11 19:48:47 | 000,203,776 | -HS- | C] () -- C:\ProgramData\unrar.exe
    [2010/05/16 18:57:37 | 000,000,000 | -HSD | M] -- C:\Users\Ross\AppData\Roaming\SystemProc
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [start explorer]
    [Reboot]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.
  7. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.



NEXT:



Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.



NEXT:



Please make sure you include the following items in your next post:
1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The log that is produced after running the OTL fix.
3. The log that is produced after running the ComboFix scan.
4. An update on how your computer is currently running.
It would be helpful if you could answer each question in the order asked, as well as numbering your answers.
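For anyone reviewing an OTL fix script like the one above before running it, here is an added Python helper (not part of this thread, of OTL, or of the helper's instructions) that splits the script into its sections and summarises what it targets: the O-line codes, the removable-drive autorun commands behind the O33 MountPoints2 entries grouped by volume GUID, files listed with both the Hidden and System attributes, and the :Commands directives. The sample is a subset of the script posted above; the line formats assumed are the ones visible there, and other OTL line kinds are only counted by code.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the OTL fix script posted above (same line formats).
FIX_SCRIPT = r"""
:Services
:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4 - HKLM..\Run: [HP Health Check Scheduler] File not found
O33 - MountPoints2\{17c04ccc-7fc8-11dd-b3e8-001eec73b80b}\Shell\AutoRun\command - "" = F:\vvkxj.pif -- File not found
O33 - MountPoints2\{17c04ccc-7fc8-11dd-b3e8-001eec73b80b}\Shell\OpeN\cOmmand - "" = F:\vvkxj.pif -- File not found
O33 - MountPoints2\{4bf76167-81b2-11dd-9f0b-001eec73b80b}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\ipse32.exe
O33 - MountPoints2\{588f2376-4b85-11dd-bb7f-001eec73b80b}\Shell\AutoRun\command - "" = scene.exe 1
[2010/05/11 19:48:25 | 000,000,000 | -HSD | C] -- C:\Users\Ross\AppData\Roaming\SystemProc
[2010/05/11 19:48:47 | 000,203,776 | -HS- | M] () -- C:\ProgramData\unrar.exe
[2010/05/20 21:07:14 | 000,000,817 | ---- | M] () -- C:\ProgramData\857035774
:Commands
[purity]
[emptytemp]
[Reboot]
"""

SECTION_RE = re.compile(r"^:(?P<name>\w+)$")          # ":OTL", ":Commands", ...
OLINE_RE = re.compile(r"^(?P<code>O\d+) - ")           # any HijackThis-style O-line
# O33 - MountPoints2\{<volume GUID>}\Shell\<verb>\<command key> - "" = <command>[ -- File not found]
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<vol>[0-9a-f-]+)\}\\Shell\\(?P<verb>[^\\]+)\\[^ ]+ - "" = '
    r'(?P<cmd>.+?)(?: -- File not found)?$',
    re.IGNORECASE,
)
# [<timestamp> | <size> | <attrs> | C|M] [()] -- <path>   (attrs: R,H,S,D or '-' for each slot)
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d/ :]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\(\) )?-- (?P<path>.+)$"
)
COMMAND_RE = re.compile(r"^\[(?P<name>\w+)\]$")       # [purity], [emptytemp], [Reboot] ...


def parse_sections(text):
    """Split a fix script into {section name: [lines]}; text before the first ':Name' is ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def summarize(text):
    """Describe what the :OTL and :Commands sections would act on."""
    sections = parse_sections(text)
    codes = Counter()
    autorun = defaultdict(set)      # volume GUID -> commands wired to its shell verbs
    hidden_system = []              # paths carrying both the Hidden and System attributes
    for line in sections.get("OTL", []):
        m = OLINE_RE.match(line)
        if m:
            codes[m["code"]] += 1
        m = O33_RE.match(line)
        if m:
            autorun[m["vol"].lower()].add(m["cmd"])
            continue
        m = FILE_RE.match(line)
        if m and "H" in m["attrs"] and "S" in m["attrs"]:
            hidden_system.append(m["path"])
    commands = []
    for line in sections.get("Commands", []):
        m = COMMAND_RE.match(line)
        if m:
            commands.append(m["name"])
    return {
        "sections": sorted(sections),
        "line_codes": dict(codes),
        "autorun_payloads": {vol: sorted(cmds) for vol, cmds in autorun.items()},
        "hidden_system_files": hidden_system,
        "commands": commands,
    }


if __name__ == "__main__":
    for key, value in summarize(FIX_SCRIPT).items():
        print(f"{key}: {value}")
```

The O33 entries are the interesting part of this particular script: each volume GUID under MountPoints2 remembers the AutoRun/open/explore commands of a removable drive that was once plugged in, so a command pointing at a .pif, .cmd or a RECYCLER\...\*.exe path is the residue of an autorun infection carried on USB media, and the fix removes those registrations from the registry even though the files themselves are "not found".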
Redaxe
Junior Member with 13 posts.
THREAD STARTER
Join Date: May 2010
Experience: Intermediate
23-May-2010, 07:12 PM #6
I disabled TeaTimer and ran the OTL fix; however, partway through, a dialogue box came up saying that OTL had stopped working. Once the program closed, I had to reboot.

When the computer started, a text file was open on the desktop reading:
Files\Folders moved on Reboot...
C:\Users\Ross\AppData\Local\Temp\ehmsas.txt moved successfully.

Registry entries deleted on Reboot...
So I'm not sure how much of the fix went through. Should I do another OTL scan and send you the results?

Red
SweetTech
Senior Member with 1,016 posts.
Join Date: Jan 1970
Location: Antarctica
23-May-2010, 07:15 PM #7
Hello,

Please look for a log file here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

If one is present please post it in your next response.

Cheers,
ST.
Redaxe
Junior Member with 13 posts.
THREAD STARTER
Join Date: May 2010
Experience: Intermediate
23-May-2010, 07:19 PM #8
Yeah, it looks like that was the log generated:


Files\Folders moved on Reboot...
C:\Users\Ross\AppData\Local\Temp\ehmsas.txt moved successfully.

Registry entries deleted on Reboot...
SweetTech
Senior Member with 1,016 posts.
Join Date: Jan 1970
Location: Antarctica
23-May-2010, 07:23 PM #9
Please proceed with running the ComboFix scan.
Redaxe
Junior Member with 13 posts.
THREAD STARTER
Join Date: May 2010
Experience: Intermediate
23-May-2010, 07:58 PM #10
Here is the ComboFix report:


ComboFix 10-05-23.05 - Ross 23/05/2010 19:44:42.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3061.1762 [GMT -4:00]
Running from: c:\users\Ross\Desktop\ComboFix.exe
FW: Shaw Secure 2.0 7.03 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\SysWoW32
c:\programdata\SysWoW32\@u1766787492v0
c:\programdata\SysWoW32\@u1766787492v1
c:\programdata\SysWoW32\@u1766787492v2
c:\programdata\SysWoW32\@u1766787492v3
c:\programdata\SysWoW32\@u1766787492v4
c:\programdata\SysWoW32\@u1766787492v5
c:\programdata\SysWoW32\@u1766787492v6
c:\programdata\SysWoW32\@u1766787492v7
c:\programdata\SysWoW32\_u1766787492v0
c:\programdata\SysWoW32\_u1766787492v1
c:\programdata\SysWoW32\_u1766787492v2
c:\programdata\SysWoW32\_u1766787492v3
c:\programdata\SysWoW32\_u1766787492v4
c:\programdata\SysWoW32\_u1766787492v5
c:\programdata\SysWoW32\_u1766787492v6
c:\programdata\SysWoW32\_u1766787492v7
c:\programdata\SysWoW32\mu1766787492v4
c:\programdata\SysWoW32\mu1766787492v4.kwd
c:\programdata\SysWoW32\mu1766787492v5
c:\programdata\SysWoW32\mu1766787492v5.kwd
c:\programdata\SysWoW32\mu1766787492v6
c:\programdata\SysWoW32\mu1766787492v6.kwd
c:\programdata\SysWoW32\mu1766787492v7
c:\programdata\SysWoW32\mu1766787492v7.kwd
c:\programdata\SysWoW32\wu1766787492v0
c:\programdata\SysWoW32\wu1766787492v0.kwd
c:\programdata\SysWoW32\wu1766787492v1
c:\programdata\SysWoW32\wu1766787492v1.kwd
c:\programdata\SysWoW32\wu1766787492v2
c:\programdata\SysWoW32\wu1766787492v2.kwd
c:\programdata\SysWoW32\wu1766787492v3
c:\programdata\SysWoW32\wu1766787492v3.kwd
c:\users\Ross\AppData\Roaming\020000001dda6ac9912C.manifest
c:\users\Ross\AppData\Roaming\020000001dda6ac9912O.manifest
c:\users\Ross\AppData\Roaming\020000001dda6ac9912P.manifest
c:\users\Ross\AppData\Roaming\020000001dda6ac9912S.manifest
c:\users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\{1575efbd-9df9-4802-92a4-af89cc4d56eb}
c:\users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\{1575efbd-9df9-4802-92a4-af89cc4d56eb}\chrome.manifest
c:\users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\{1575efbd-9df9-4802-92a4-af89cc4d56eb}\chrome\xulcache.jar
c:\users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\{1575efbd-9df9-4802-92a4-af89cc4d56eb}\defaults\preferences\xulcache.js
c:\users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\extensions\{1575efbd-9df9-4802-92a4-af89cc4d56eb}\install.rdf
c:\users\Ross\Documents\backup 16-05-10.reg
c:\windows\system32\AbaleZip.dll
c:\windows\system32\DMSYNTH32.DLL
c:\windows\system32\KBL.LOG

.
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
.

2010-05-23 23:52 . 2010-05-23 23:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-23 23:02 . 2010-05-23 23:02 -------- d-----w- C:\_OTL
2010-05-21 22:11 . 2010-05-21 22:11 -------- d-----w- c:\program files\MalwareSweeper.com
2010-05-12 22:20 . 2010-05-12 22:20 -------- d-----w- c:\program files\Trend Micro
2010-05-11 23:48 . 2010-05-11 23:48 283136 ----a-w- c:\windows\system32\dmdskres32.dll
2010-05-11 23:48 . 2010-05-11 23:48 187392 ----a-w- c:\windows\system32\dmcompos32.dll
2010-05-11 22:04 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 18:39 . 2008-07-06 20:42 -------- d-----w- c:\program files\Google
2010-05-23 17:42 . 2008-07-08 01:03 -------- d-----w- c:\programdata\Google Updater
2010-05-23 17:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-23 17:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-23 17:37 . 2009-01-27 21:27 -------- d-----w- c:\users\Ross\AppData\Roaming\Winamp
2010-05-23 17:37 . 2008-07-08 00:53 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-23 17:37 . 2008-07-08 00:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-23 17:37 . 2008-07-06 21:02 -------- d-----w- c:\program files\Bonjour
2010-05-23 17:37 . 2008-06-29 22:25 -------- d-----w- c:\program files\CCleaner
2010-05-23 17:37 . 2008-06-29 04:43 -------- d-----w- c:\program files\Common Files\LightScribe
2010-05-23 17:37 . 2008-06-13 01:06 -------- d-----w- c:\program files\Apoint2K
2010-05-23 17:00 . 2009-02-05 22:18 -------- d-----w- c:\users\Ross\AppData\Roaming\Skype
2010-05-23 15:30 . 2009-02-05 22:21 -------- d-----w- c:\users\Ross\AppData\Roaming\skypePM
2010-05-21 23:53 . 2009-11-11 21:15 -------- d-----w- c:\users\Ross\AppData\Roaming\LimeWire
2010-05-18 22:59 . 2008-07-09 23:49 -------- d-----w- c:\users\Ross\AppData\Roaming\F-Secure
2010-05-14 21:44 . 2008-07-19 15:30 5648 ----a-w- c:\users\Ross\AppData\Local\d3d9caps.dat
2010-05-12 15:21 . 2009-10-02 16:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 07:03 . 2008-06-29 04:52 -------- d-----w- c:\programdata\Microsoft Help
2010-04-26 23:06 . 2008-02-22 10:32 679070 ----a-w- c:\windows\system32\perfh00C.dat
2010-04-26 23:06 . 2008-02-22 10:32 130562 ----a-w- c:\windows\system32\perfc00C.dat
2010-04-13 00:32 . 2010-04-13 00:32 -------- d-----w- c:\program files\BHOK IT Consulting
2010-03-30 22:35 . 2009-11-11 20:56 -------- d-----w- c:\program files\LimeWire
2010-03-30 12:13 . 2008-10-31 09:15 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-03-17 22:10 . 2008-06-29 22:13 35792 ----a-w- c:\windows\system32\drivers\fses.sys
2010-03-09 16:25 . 2010-03-30 22:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-30 22:36 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-06 16:08 . 2008-06-29 05:11 112136 ----a-w- c:\users\Ross\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-04 17:33 . 2010-04-13 22:39 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 11:10 . 2010-04-13 22:40 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-13 22:40 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-13 22:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-06-29 07:11 . 2008-06-29 07:11 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-30 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-03-14 23:50 233472 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-02-04 12:27 23975720 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7f,6b,3c,02,73,62,ca,01

R2 gupdate1c985844c7b3510;Google Update Service (gupdate1c985844c7b3510);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 133104]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-01-22 187904]
R4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2009-08-05 39776]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2009-08-05 25184]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2010-03-30 33920]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [2009-08-05 68064]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2010-03-17 35792]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-08-05 71040]
S1 fsvista;F-Secure Vista Support Driver;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys [2009-08-05 12384]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2010-05-06 113856]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [2010-05-17 55992]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 00:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-06 10:07]

2010-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 22:19]

2010-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 22:19]

2010-05-23 c:\windows\Tasks\User_Feed_Synchronization-{ADFF579A-09CE-4522-B57E-E3AEAB417FB8}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
FF - ProfilePath - c:\users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.lse.ac.uk/
FF - component: c:\program files\Shaw Secure\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-23 19:52
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\dmcompos32.dll

- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\dmcompos32.dll
.
Completion time: 2010-05-23 19:55:30
ComboFix-quarantined-files.txt 2010-05-23 23:55

Pre-Run: 29,219,880,960 bytes free
Post-Run: 29,300,207,616 bytes free

- - End Of File - - ECD9D448070146DBBF1285C21B3ABD39
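The log above lists c:\windows\system32\dmcompos32.dll and dmdskres32.dll as created on 2010-05-11 and then shows dmcompos32.dll loaded inside winlogon.exe and lsass.exe; that kind of correlation between a ComboFix log's "Files Created" and "DLLs Loaded Under Running Processes" sections is easier to pull out mechanically than by eye. The Python below is an added example, not code from this thread, from ComboFix or from the helper; it parses those two sections plus bare path rows (the shape of the "Other Deletions" listing) and applies three review heuristics. Assumptions are labelled in the code: the column order of "Files Created" rows (first timestamp taken as creation time), the short list of genuine DLL stems, the list of sensitive processes, and the sample log, which is a constructed excerpt in the same line shapes as the log above. A hit is a review item, not a verdict.

```python
"""Triage a ComboFix log: added example, not ComboFix's or the thread's own code.
Heuristics (a hit means 'review this', not 'this is malware'):
  1. a DLL new inside the 'Files Created' window that is loaded into a sensitive process;
  2. a DLL named '<genuine system DLL>32.dll' (dmcompos32.dll beside the real dmcompos.dll);
  3. a Windows system-directory name (system32, SysWOW64, ...) outside the Windows folder."""
import re
from collections import defaultdict

KNOWN_SYSTEM_DLL_STEMS = {"dmcompos", "dmdskres", "dmsynth", "dmusic"}  # illustrative subset
SENSITIVE_PROCESSES = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe", "smss.exe"}
SYSTEM_DIR_NAME = re.compile(r"^sys(tem|wow)\d*$")
# 'Files Created' row: <created> . <modified> <size|--------> <attrs> <path>
# (assumption: the first timestamp is the creation time that the section keys on)
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
                       r"(-{8}|\d+) (\S{8}) (.+)$")
PROC_HEADER = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")   # - - - > 'lsass.exe'(696)
BARE_PATH = re.compile(r"^[a-z]:\\", re.I)                   # rows of e.g. 'Other Deletions'


def parse_log(text):
    """Return (created, loaded, paths): path -> creation time, DLL path -> process
    names it is loaded in, and every path seen anywhere in the log."""
    created, loaded, paths = {}, defaultdict(set), set()
    section = process = None
    for raw in text.splitlines():
        line = raw.strip()
        if "Files Created from" in line:
            section = "created"
        elif "DLLs Loaded Under Running Processes" in line:
            section = "loaded"
        elif line.startswith("((((") or line.startswith("-----"):
            section = None                       # any other banner ends the section
        elif section == "created" and (m := FILE_LINE.match(line)):
            created_ts, _modified, _size, attrs, path = m.groups()
            paths.add(path.lower())
            if not attrs.startswith("d"):        # directories are not loadable modules
                created[path.lower()] = created_ts
        elif section == "loaded" and (m := PROC_HEADER.match(line)):
            process = m.group(1).lower()
        elif section == "loaded" and process and line.lower().endswith(".dll"):
            loaded[line.lower()].add(process)
            paths.add(line.lower())
        elif BARE_PATH.match(line):
            paths.add(line.lower())
    return created, loaded, paths


def lookalike_dll(path):
    """Genuine stem if the basename is '<known stem>32.dll', else None. Only listed
    stems count, because many genuine DLLs end in 32 (user32, kernel32, ...)."""
    m = re.match(r"^(.+?)32\.dll$", path.rsplit("\\", 1)[-1].lower())
    return m.group(1) if m and m.group(1) in KNOWN_SYSTEM_DLL_STEMS else None


def misplaced_system_dir(path):
    """The offending directory name if a system-directory name sits outside the
    Windows folder, else None."""
    path = path.lower()
    if re.match(r"^[a-z]:\\windows\\", path):
        return None
    return next((p for p in path.split("\\")[1:] if SYSTEM_DIR_NAME.match(p)), None)


def triage(text):
    """Apply the three heuristics; every finding carries at least 'path' and 'reason'."""
    created, loaded, paths = parse_log(text)
    findings = []
    for path in sorted(loaded):
        hits = sorted(loaded[path] & SENSITIVE_PROCESSES)
        if hits and path in created:
            findings.append({"path": path, "processes": hits, "created": created[path],
                             "reason": "new DLL loaded in a sensitive process"})
    for path in sorted(paths):
        if stem := lookalike_dll(path):
            findings.append({"path": path, "reason": f"name mimics the genuine {stem}.dll"})
    for path in sorted(paths):
        if part := misplaced_system_dir(path):
            findings.append({"path": path, "reason": f"system dir name '{part}' outside Windows"})
    return findings


# Constructed excerpt in ComboFix's own line shapes (modelled on the log in this thread).
SAMPLE_LOG = r"""
c:\programdata\SysWoW32\wu1766787492v3.kwd
c:\windows\system32\DMSYNTH32.DLL
((((((((((((((((((((((((( Files Created from 2010-04-23 to 2010-05-23 )))))))))))))))))))))))))))))))
2010-05-23 23:52 . 2010-05-23 23:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-11 23:48 . 2010-05-11 23:48 283136 ----a-w- c:\windows\system32\dmdskres32.dll
2010-05-11 23:48 . 2010-05-11 23:48 187392 ----a-w- c:\windows\system32\dmcompos32.dll
2010-05-11 22:04 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\dmcompos32.dll
- - - - - - - > 'lsass.exe'(696)
c:\windows\system32\dmcompos32.dll
- - - - - - - > 'Explorer.exe'(2632)
c:\program files\WinRAR\rarext.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["reason"] + ":", f["path"], f.get("processes", ""))
```

Run it against a saved ComboFix log by reading the file into `triage()`. The lookalike check deliberately matches only stems in the list, since plenty of genuine DLLs end in "32"; and inetcomm.dll, which the log shows as created the same day but carries an older modification timestamp consistent with an update, trips none of the three rules.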
SweetTech
Senior Member with 1,016 posts.
Join Date: Jan 1970
Location: Antarctica
23-May-2010, 08:07 PM #11
Hello,

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:
KillAll::
Folder::
c:\program files\MalwareSweeper.com

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Scanning with MalwareBytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Make sure that the option "Remove found threats" is Unchecked
  9. Push the Start button.
  10. ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  11. When the scan completes, push
  12. Push , and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  13. Push the button.
  14. Push



NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  1. Please reopen on your desktop.
  2. Copy and Paste the following bolded text into the textbox.

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /180
  3. Push
  4. A report will open. Copy and Paste that report in your next reply.




NEXT:


Please make sure you include the following items in your next post:
1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The log that was produced after running the ComboFix scan.
3. The log that was produced after running the updated MalwareBytes' Anti-Malware scan.
4. The log that was produced after running the ESET Online Virus Scanner.
5. The logs that were produced after running the OTL scan.
6. An update on how your computer is currently running.
It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Cheers,
SweetTech.
Redaxe
Junior Member with 13 posts.
THREAD STARTER
Join Date: May 2010
Experience: Intermediate
23-May-2010, 08:13 PM #12
Hey,

I don't have Malwarebytes' Anti-Malware; should I download it and use it, or use another program?

Red
SweetTech
Senior Member with 1,016 posts.
Join Date: Jan 1970
Location: Antarctica
23-May-2010, 08:14 PM #13
Hello,

I quickly edited my last post to you and I changed the directions to include the download link for MBAM. Sorry about that.
Redaxe
Junior Member with 13 posts.
THREAD STARTER
Join Date: May 2010
Experience: Intermediate
23-May-2010, 08:48 PM #14
I have just completed the first step, the ComboFix script... the computer restarted and gave me the log file (which I have pasted below); however, whenever I click on any application, it will not open and gives me an error that reads "Illegal operation attempted on a registry key that has been marked for deletion" The only way I can run applications is by right clicking and selecting 'run as administrator.' Double clicking brings that error message.

Should I continue with the other steps?

Here is the log:


ComboFix 10-05-23.05 - Ross 23/05/2010 20:23:07.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3061.1496 [GMT -4:00]
Running from: c:\users\Ross\Desktop\ComboFix.exe
Command switches used :: c:\users\Ross\Desktop\CFscript.txt
FW: Shaw Secure 2.0 7.03 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\MalwareSweeper.com
c:\program files\MalwareSweeper.com\MalwareSweeper\Alert.swf
c:\program files\MalwareSweeper.com\MalwareSweeper\browse.swf
c:\program files\MalwareSweeper.com\MalwareSweeper\Def1.ms1
c:\program files\MalwareSweeper.com\MalwareSweeper\Def2.ms1
c:\program files\MalwareSweeper.com\MalwareSweeper\English.jpg
c:\program files\MalwareSweeper.com\MalwareSweeper\Help.chm
c:\program files\MalwareSweeper.com\MalwareSweeper\Main.skn
c:\program files\MalwareSweeper.com\MalwareSweeper\Main.swf
c:\program files\MalwareSweeper.com\MalwareSweeper\Message.swf
c:\program files\MalwareSweeper.com\MalwareSweeper\Splash.spl
c:\program files\MalwareSweeper.com\MalwareSweeper\Trial.swf
c:\program files\MalwareSweeper.com\MalwareSweeper\unins000.dat
c:\program files\MalwareSweeper.com\MalwareSweeper\update.cli
c:\programdata\SysWoW32
c:\programdata\SysWoW32\mu1766787492v4
c:\programdata\SysWoW32\mu1766787492v4.kwd
c:\programdata\SysWoW32\mu1766787492v5
c:\programdata\SysWoW32\mu1766787492v5.kwd
c:\programdata\SysWoW32\mu1766787492v6
c:\programdata\SysWoW32\mu1766787492v6.kwd
c:\programdata\SysWoW32\mu1766787492v7
c:\programdata\SysWoW32\mu1766787492v7.kwd
c:\programdata\SysWoW32\wu1766787492v0
c:\programdata\SysWoW32\wu1766787492v0.kwd
c:\programdata\SysWoW32\wu1766787492v1
c:\programdata\SysWoW32\wu1766787492v1.kwd
c:\programdata\SysWoW32\wu1766787492v2
c:\programdata\SysWoW32\wu1766787492v2.kwd
c:\programdata\SysWoW32\wu1766787492v3
c:\programdata\SysWoW32\wu1766787492v3.kwd
c:\programdata\unrar.exe
c:\users\Ross\AppData\Roaming\020000001dda6ac9912C.manifest
c:\users\Ross\AppData\Roaming\020000001dda6ac9912O.manifest
c:\users\Ross\AppData\Roaming\020000001dda6ac9912P.manifest
c:\users\Ross\AppData\Roaming\020000001dda6ac9912S.manifest
c:\users\Ross\AppData\Roaming\E9B3.tmp
c:\windows\GnuHashes.ini

.
((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
.

2010-05-24 00:28 . 2010-05-24 00:31 -------- d-----w- c:\users\Ross\AppData\Local\temp
2010-05-24 00:28 . 2010-05-24 00:28 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-24 00:28 . 2010-05-24 00:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-24 00:06 . 2010-05-24 00:06 -------- d-----w- c:\programdata\19346585
2010-05-23 23:02 . 2010-05-23 23:02 -------- d-----w- C:\_OTL
2010-05-12 22:20 . 2010-05-12 22:20 -------- d-----w- c:\program files\Trend Micro
2010-05-11 23:48 . 2010-05-11 23:48 283136 ----a-w- c:\windows\system32\dmdskres32.dll
2010-05-11 23:48 . 2010-05-11 23:48 187392 ----a-w- c:\windows\system32\dmcompos32.dll
2010-05-11 22:04 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-23 18:39 . 2008-07-06 20:42 -------- d-----w- c:\program files\Google
2010-05-23 17:42 . 2008-07-08 01:03 -------- d-----w- c:\programdata\Google Updater
2010-05-23 17:37 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-23 17:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-23 17:37 . 2009-01-27 21:27 -------- d-----w- c:\users\Ross\AppData\Roaming\Winamp
2010-05-23 17:37 . 2008-07-08 00:53 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-23 17:37 . 2008-07-08 00:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-23 17:37 . 2008-07-06 21:02 -------- d-----w- c:\program files\Bonjour
2010-05-23 17:37 . 2008-06-29 22:25 -------- d-----w- c:\program files\CCleaner
2010-05-23 17:37 . 2008-06-29 04:43 -------- d-----w- c:\program files\Common Files\LightScribe
2010-05-23 17:37 . 2008-06-13 01:06 -------- d-----w- c:\program files\Apoint2K
2010-05-23 17:00 . 2009-02-05 22:18 -------- d-----w- c:\users\Ross\AppData\Roaming\Skype
2010-05-23 15:30 . 2009-02-05 22:21 -------- d-----w- c:\users\Ross\AppData\Roaming\skypePM
2010-05-21 23:53 . 2009-11-11 21:15 -------- d-----w- c:\users\Ross\AppData\Roaming\LimeWire
2010-05-18 22:59 . 2008-07-09 23:49 -------- d-----w- c:\users\Ross\AppData\Roaming\F-Secure
2010-05-14 21:44 . 2008-07-19 15:30 5648 ----a-w- c:\users\Ross\AppData\Local\d3d9caps.dat
2010-05-12 15:21 . 2009-10-02 16:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-12 07:03 . 2008-06-29 04:52 -------- d-----w- c:\programdata\Microsoft Help
2010-04-26 23:06 . 2008-02-22 10:32 679070 ----a-w- c:\windows\system32\perfh00C.dat
2010-04-26 23:06 . 2008-02-22 10:32 130562 ----a-w- c:\windows\system32\perfc00C.dat
2010-04-13 00:32 . 2010-04-13 00:32 -------- d-----w- c:\program files\BHOK IT Consulting
2010-03-30 22:35 . 2009-11-11 20:56 -------- d-----w- c:\program files\LimeWire
2010-03-30 12:13 . 2008-10-31 09:15 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-03-17 22:10 . 2008-06-29 22:13 35792 ----a-w- c:\windows\system32\drivers\fses.sys
2010-03-09 16:25 . 2010-03-30 22:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-30 22:36 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-06 16:08 . 2008-06-29 05:11 112136 ----a-w- c:\users\Ross\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-04 17:33 . 2010-04-13 22:39 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 11:10 . 2010-04-13 22:40 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 11:10 . 2010-04-13 22:40 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 11:10 . 2010-04-13 22:40 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-06-29 07:11 . 2008-06-29 07:11 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-28 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-28 137752]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-30 159744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-20 468264]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2008-03-14 23:50 233472 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-02-04 12:27 23975720 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):7f,6b,3c,02,73,62,ca,01

R2 gupdate1c985844c7b3510;Google Update Service (gupdate1c985844c7b3510);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 133104]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDART.sys [2008-01-22 187904]
R4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2009-08-05 39776]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2009-08-05 25184]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2010-03-30 33920]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [2009-08-05 68064]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2010-03-17 35792]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-08-05 71040]
S1 fsvista;F-Secure Vista Support Driver;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys [2009-08-05 12384]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2010-05-06 113856]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [2010-05-17 55992]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 00:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-06 10:07]

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 22:19]

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 22:19]

2010-05-24 c:\windows\Tasks\User_Feed_Synchronization-{ADFF579A-09CE-4522-B57E-E3AEAB417FB8}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=81&bd=Presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
FF - ProfilePath - c:\users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\ffocbw4o.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.lse.ac.uk/
FF - component: c:\program files\Shaw Secure\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2632)
c:\program files\Shaw Secure\Spam Control\fsscoepl.dll
c:\program files\RocketDock\RocketDock.dll
c:\program files\shaw secure\scanner-interface\fsgkiapi.dll
c:\program files\Shaw Secure\Common\fpshx.dll
c:\program files\WinRAR\rarext.dll
c:\program files\PowerISO\PWRISOSH.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Shaw Secure\Anti-Virus\fsgk32st.exe
c:\program files\Shaw Secure\Common\FSMA32.EXE
c:\program files\Shaw Secure\Anti-Virus\FSGK32.EXE
c:\program files\Shaw Secure\Common\FSHDLL32.EXE
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Shaw Secure\FWES\Program\fsdfwd.exe
c:\program files\Shaw Secure\Anti-Virus\fssm32.exe
c:\program files\Shaw Secure\Anti-Virus\fsav32.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-23 20:39:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-24 00:39
ComboFix2.txt 2010-05-23 23:55

Pre-Run: 29,287,878,656 bytes free
Post-Run: 29,290,033,152 bytes free

- - End Of File - - 127D4FEE6DA135DBEB038376C64B124A
SweetTech's Avatar
Senior Member with 1,016 posts.
 
Join Date: Jan 1970
Location: Antarctica
23-May-2010, 09:09 PM #15
Hello,

Please run this script:

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty Notepad file.

Copy all the text inside of the code box: press Ctrl+C (or right-click on the highlighted section and choose 'Copy').

Code:
KillAll::
Folder::
c:\programdata\19346585
Now paste the copied text into the open Notepad file: press Ctrl+V (or right-click and choose 'Paste').

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.