# Java Trojan thingy - please take a look



## Zigg (May 27, 2010)

I followed a thread on here regarding "IE popups" - even when not surfing (and I use Firefox as my main browser, for that matter),
but when using HijackThis I get *"For some reason your system denied write access to the Hosts file"* when trying to run a system log scan with HJT... Running Vista, but I can't seem to right-click "run as admin" as another thread said to do for HJT.

*My Log from ESET online scan:*
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Contacts w No Address.dbx JS/Kak worm
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Deleted Items.dbx multiple threats
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Email Contacts.dbx JS/Kak worm
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Sent Items.dbx JS/Kak worm
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Mail\Folder1.mbx JS/Kak worm
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Mail\Inbox.mbx JS/Kak worm
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Mail\Sent Items.mbx JS/Kak worm
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1f29cc41-17a76e59 multiple threats
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\5a3d7b8a-79ff06b3 Java/TrojanDownloader.Agent.AF trojan
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\20bdd891-561f5437 a variant of Java/Exploit.Agent.F trojan
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\4f493191-1e49039d Java/TrojanDownloader.Agent.NAM trojan
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\1f3f8202-48862555 a variant of Java/TrojanDownloader.Agent.NAN trojan
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\d188a2c-3ca1f522 Java/TrojanDownloader.Agent.AF trojan
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\53d361fc-6a5229c1 a variant of Java/TrojanDownloader.Agent.NAX trojan

*My Log from Screens security check:*
Results of screen317's Security Check version 0.99.4
Windows Vista Service Pack 1 (UAC is enabled)
*Out of date service pack!!*
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
McAfee SecurityCenter
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java(TM) 6 Update 20
Java(TM) SE Runtime Environment 6
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java 2 Runtime Environment, SE v1.4.2_03
*Out of date Java installed!*
Adobe Flash Player 10.0.45.2
Adobe Reader 9.1
*Out of date Adobe Reader installed!*
````````````````````````````````
Process Check:
objlist.exe by Laurent
McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
Microsoft Small Business Business Contact Manager BcmSqlStartupSvc.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
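As an added example (not part of this thread, and not code from ESET, screen317 or any other tool named here), the following Python script triages the two logs above: it parses each ESET detection into path and verdict, groups the hits by directory so the Java Deployment cache cluster stands out, and normalises the Java entries from Security Check into comparable versions to list every runtime older than the newest one installed. The sample lines embedded in it are copied from the logs above.

```python
"""Triage helper for the ESET and Security Check logs pasted above.

Added example for this thread, not code from ESET, screen317 or any tool named
here. The sample lines are copied from the two logs above (constructed set).
"""
import re
from collections import defaultdict

# Constructed sample: five lines copied from the ESET log above.
ESET_LINES = [
    r"C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}"
    r"\Microsoft\Outlook Express\Contacts w No Address.dbx JS/Kak worm",
    r"C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}"
    r"\Microsoft\Outlook Express\Deleted Items.dbx multiple threats",
    r"C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1f29cc41-17a76e59"
    r" multiple threats",
    r"C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\20bdd891-561f5437"
    r" a variant of Java/Exploit.Agent.F trojan",
    r"C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\53d361fc-6a5229c1"
    r" a variant of Java/TrojanDownloader.Agent.NAX trojan",
]

# Constructed sample: the Java entries from the Security Check log above.
SECURITY_CHECK_LINES = [
    "Java(TM) 6 Update 20",
    "Java(TM) SE Runtime Environment 6",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Java(TM) 6 Update 2",
    "Java 2 Runtime Environment, SE v1.4.2_03",
]

# An ESET line is "<path> <verdict>". The path may contain spaces, so the
# verdict is anchored at the end of the line: "multiple threats", or
# "<name> worm" / "<name> trojan", optionally prefixed by "a variant of".
ESET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<verdict>multiple threats|(?:a variant of )?\S+ (?:trojan|worm))$"
)
# Per-user applet cache of the Sun Java plug-in (compared lower-cased).
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_eset(line):
    """Split one ESET log line into (path, verdict); None if it is not a hit."""
    m = ESET_RE.match(line.strip())
    return (m.group("path"), m.group("verdict")) if m else None


def group_by_directory(lines):
    """Map directory -> [(file name, verdict), ...] so clusters stand out."""
    groups = defaultdict(list)
    for line in lines:
        hit = parse_eset(line)
        if hit is None:
            continue
        directory, _, name = hit[0].rpartition("\\")
        groups[directory].append((name, hit[1]))
    return dict(groups)


def java_cache_hits(lines):
    """Paths of detections that live in the Java Deployment cache."""
    hits = []
    for line in lines:
        parsed = parse_eset(line)
        if parsed and JAVA_CACHE_MARKER in parsed[0].lower():
            hits.append(parsed[0])
    return hits


# Security Check names Java either as "Java(TM) 6 Update 20" style entries
# or, for the old 1.4 line, as "Java 2 Runtime Environment, SE v1.4.2_03".
JAVA_NAMED_RE = re.compile(
    r"^Java\(TM\)(?: SE Runtime Environment)? (\d+)(?: Update (\d+))?$")
JAVA_DOTTED_RE = re.compile(r"v(\d+)\.(\d+)\.(\d+)_(\d+)$")


def java_version(entry):
    """Return a comparable (1, major, minor, update) tuple, or None."""
    entry = entry.strip()
    m = JAVA_DOTTED_RE.search(entry)
    if m:
        return tuple(int(x) for x in m.groups())
    m = JAVA_NAMED_RE.match(entry)
    if m:  # "Java(TM) 6 Update 20" is 1.6.0_20; no "Update" means _00
        return (1, int(m.group(1)), 0, int(m.group(2) or 0))
    return None


def outdated_java(entries):
    """Entries whose version is below the newest Java present in the log."""
    known = {e: java_version(e) for e in entries if java_version(e)}
    if not known:
        return []
    newest = max(known.values())
    return [e for e, v in known.items() if v < newest]


if __name__ == "__main__":
    for directory, hits in group_by_directory(ESET_LINES).items():
        print(directory)
        for name, verdict in hits:
            print(f"    {name:<26} {verdict}")
    print(f"\nJava Deployment cache hits: {len(java_cache_hits(ESET_LINES))}")
    print("Outdated Java runtimes still installed:")
    for entry in outdated_java(SECURITY_CHECK_LINES):
        print("   ", entry)
```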


----------



## CatByte (Feb 24, 2009)

Hi,

Please run the following:

Download *OTL* to your Desktop

Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath *Output* at the top change it to *Minimal Output*.
Check the boxes beside *LOP Check* and *Purity Check*.
Under the Custom Scan box, paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
CREATERESTOREPOINT

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows, *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please copy *(Edit->Select All, Edit->Copy)* the contents of these files, one at a time, and post them in your next reply.

*NEXT*

Download *GMER Rootkit Scanner* from here: http://www.gmer.net/download.php to your desktop. It will be a randomly named executable.

- Double-click the exe file.
- If it gives you a warning about rootkit activity and asks if you want to run a scan, click on *NO*, then use the following settings for a more complete scan.
- In the right panel, you will see several boxes that have been checked. Ensure the following are *unchecked*:
  - IAT/EAT
  - Drives/Partition other than Systemdrive (typically C:\)
  - Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done, click on the *[Save..]* button, and in the File name area type in *"Gmer.txt"*, or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution:** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


----------



## Zigg (May 27, 2010)

*OTL.Txt log:*

OTL logfile created on: 5/28/2010 5:02:53 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\Lake\Downloads
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 47.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 56.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 463.71 Gb Total Space | 201.00 Gb Free Space | 43.35% Space Free | Partition Type: NTFS
Drive D: | 2.00 Gb Total Space | 1.40 Gb Free Space | 70.09% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAKE-PC
Current User Name: Lake
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Users\Lake\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe (Adobe Systems Inc.)
PRC - C:\Users\Lake\AppData\Roaming\Dropbox\bin\dropbox.exe ()
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - c:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MPF\MpfSrv.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\Windows Media Player\wmplayer.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\MSK\msksrver.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
PRC - C:\Program Files\Citrix\GoToMyPC\g2tray.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files\Citrix\GoToMyPC\g2pre.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files\Citrix\GoToMyPC\g2comm.exe (Citrix Online, a division of Citrix Systems, Inc.)
PRC - C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe (Sage Software, Inc.)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Windows\System32\cmd.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
PRC - C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
PRC - C:\Windows\System32\stacsv.exe (SigmaTel, Inc.)
PRC - c:\Program Files\Common Files\Protexis\License Service\PSIService_2.exe (Protexis Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe ()
PRC - C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe ()
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe ()
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)

========== Modules (SafeList) ==========

MOD - C:\Users\Lake\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\Windows\System32\sfc_os.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msi.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msscript.ocx (Microsoft Corporation)
MOD - C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll (Microsoft Corporation)
MOD - C:\Windows\System32\sfc.dll (Microsoft Corporation)
MOD - C:\Windows\System32\msiltcfg.dll (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (MpfService) -- C:\Program Files\McAfee\MPF\MPFSrv.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (MSK80Service) -- C:\Program Files\McAfee\MSK\MskSrver.exe (McAfee, Inc.)
SRV - (McProxy) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McNASvc) -- c:\program files\common files\mcafee\mna\mcnasvc.exe (McAfee, Inc.)
SRV - (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (MSSQL$ACT7) SQL Server (ACT7) -- C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (SBSDWSCService) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe (Safer Networking Ltd.)
SRV - (SQLWriter) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
SRV - (SQLBrowser) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
SRV - (MSSQLServerADHelper) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)
SRV - (GoToMyPC) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (BcmSqlStartupSvc) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Macrovision Europe Ltd.)
SRV - (STacSV) -- C:\Windows\System32\stacsv.exe (SigmaTel, Inc.)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)
SRV - (PSI_SVC_2) -- c:\Program Files\Common Files\Protexis\License Service\PSIService_2.exe (Protexis Inc.)
SRV - (IAANTMON) Intel(R) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (AdobeActiveFileMonitor5.0) -- C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe ()
SRV - (MSMFramework) -- C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe ()
SRV - (MegaMonitorSrv) -- C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe ()
SRV - (MSSQL$MICROSOFTSMLBIZ) -- c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (SQLAgent$MICROSOFTSMLBIZ) -- c:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\Windows\System32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\Windows\System32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfesmfk) -- C:\Windows\System32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\Windows\System32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mferkdk) -- C:\Windows\System32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (MPFP) -- C:\Windows\System32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (winusb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (b57nd60x) -- C:\Windows\System32\drivers\b57nd60x.sys (Broadcom Corporation)
DRV - (viaide) -- C:\Windows\system32\drivers\viaide.sys (VIA Technologies, Inc.)
DRV - (cmdide) -- C:\Windows\system32\drivers\cmdide.sys (CMD Technology, Inc.)
DRV - (aliide) -- C:\Windows\system32\drivers\aliide.sys (Acer Laboratories Inc.)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (SigmaTel, Inc.)
DRV - (iaStor) -- C:\Windows\system32\drivers\iastor.sys (Intel Corporation)
DRV - (LSI_SAS) -- C:\Windows\system32\drivers\lsi_sas.sys (LSI Logic)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (ql2300) -- C:\Windows\system32\drivers\ql2300.sys (QLogic Corporation)
DRV - (adp94xx) -- C:\Windows\system32\drivers\adp94xx.sys (Adaptec, Inc.)
DRV - (elxstor) -- C:\Windows\system32\drivers\elxstor.sys (Emulex)
DRV - (adpahci) -- C:\Windows\system32\drivers\adpahci.sys (Adaptec, Inc.)
DRV - (uliahci) -- C:\Windows\system32\drivers\uliahci.sys (ULi Electronics Inc.)
DRV - (iaStorV) -- C:\Windows\system32\drivers\iastorv.sys (Intel Corporation)
DRV - (adpu320) -- C:\Windows\system32\drivers\adpu320.sys (Adaptec, Inc.)
DRV - (ulsata2) -- C:\Windows\system32\drivers\ulsata2.sys (Promise Technology, Inc.)
DRV - (vsmraid) -- C:\Windows\system32\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)
DRV - (ql40xx) -- C:\Windows\system32\drivers\ql40xx.sys (QLogic Corporation)
DRV - (UlSata) -- C:\Windows\system32\drivers\ulsata.sys (Promise Technology, Inc.)
DRV - (adpu160m) -- C:\Windows\system32\drivers\adpu160m.sys (Adaptec, Inc.)
DRV - (nvraid) -- C:\Windows\system32\drivers\nvraid.sys (NVIDIA Corporation)
DRV - (nfrd960) -- C:\Windows\system32\drivers\nfrd960.sys (IBM Corporation)
DRV - (iirsp) -- C:\Windows\system32\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)
DRV - (SiSRaid4) -- C:\Windows\system32\drivers\sisraid4.sys (Silicon Integrated Systems)
DRV - (nvstor) -- C:\Windows\system32\drivers\nvstor.sys (NVIDIA Corporation)
DRV - (aic78xx) -- C:\Windows\system32\drivers\djsvs.sys (Adaptec, Inc.)
DRV - (arcsas) -- C:\Windows\system32\drivers\arcsas.sys (Adaptec, Inc.)
DRV - (LSI_SCSI) -- C:\Windows\system32\drivers\lsi_scsi.sys (LSI Logic)
DRV - (SiSRaid2) -- C:\Windows\system32\drivers\sisraid2.sys (Silicon Integrated Systems Corp.)
DRV - (HpCISSs) -- C:\Windows\system32\drivers\hpcisss.sys (Hewlett-Packard Company)
DRV - (arc) -- C:\Windows\system32\drivers\arc.sys (Adaptec, Inc.)
DRV - (iteraid) -- C:\Windows\system32\drivers\iteraid.sys (Integrated Technology Express, Inc.)
DRV - (iteatapi) -- C:\Windows\system32\drivers\iteatapi.sys (Integrated Technology Express, Inc.)
DRV - (Symc8xx) -- C:\Windows\system32\drivers\symc8xx.sys (LSI Logic)
DRV - (LSI_FC) -- C:\Windows\system32\drivers\lsi_fc.sys (LSI Logic)
DRV - (Sym_u3) -- C:\Windows\system32\drivers\sym_u3.sys (LSI Logic)
DRV - (Mraid35x) -- C:\Windows\system32\drivers\mraid35x.sys (LSI Logic Corporation)
DRV - (Sym_hi) -- C:\Windows\system32\drivers\sym_hi.sys (LSI Logic)
DRV - (megasas) -- C:\Windows\system32\drivers\megasas.sys (LSI Logic Corporation)
DRV - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\system32\drivers\brserid.sys (Brother Industries Ltd.)
DRV - (BrUsbSer) -- C:\Windows\system32\drivers\brusbser.sys (Brother Industries Ltd.)
DRV - (BrFiltUp) -- C:\Windows\system32\drivers\brfiltup.sys (Brother Industries, Ltd.)
DRV - (BrFiltLo) -- C:\Windows\system32\drivers\brfiltlo.sys (Brother Industries, Ltd.)
DRV - (BrSerWdm) -- C:\Windows\system32\drivers\brserwdm.sys (Brother Industries Ltd.)
DRV - (BrUsbMdm) -- C:\Windows\system32\drivers\brusbmdm.sys (Brother Industries Ltd.)
DRV - (ntrigdigi) -- C:\Windows\system32\drivers\ntrigdigi.sys (N-trig Innovative Technologies)
DRV - (R300) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (e1express) Intel(R) -- C:\Windows\System32\drivers\e1e6032.sys (Intel Corporation)
DRV - (E1G60) Intel(R) -- C:\Windows\System32\drivers\E1G60I32.sys (Intel Corporation)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071018
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3071018
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.southernlandco.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:2.5.10.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\ProgramData\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2010/02/08 22:13:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/09 11:38:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/30 18:44:03 | 000,000,000 | ---D | M]

[2008/12/23 17:42:42 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Mozilla\Extensions
[2010/05/28 15:27:39 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions
[2010/05/20 19:03:40 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2010/04/28 18:01:08 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/30 10:37:34 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/09/10 09:56:32 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}(50)
[2010/02/09 13:20:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2010/02/09 13:20:52 | 000,000,000 | ---D | M] (Java Console) -- C:\Users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2010/05/28 15:27:39 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/30 18:44:06 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2004/11/12 22:36:20 | 000,005,120 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Mozilla Firefox\plugins\NPAdbESD.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2006/08/01 02:30:56 | 000,532,480 | ---- | M] (Lizardtech Software) -- C:\Program Files\Mozilla Firefox\plugins\npexview.dll

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll File not found
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Speed Launch] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Synchronizer] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Act! Preloader] C:\Program Files\ACT\Act for Windows\ActSage.exe (Sage Software, Inc.)
O4 - HKLM..\Run: [Act.Outlook.Service] C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe (Sage Software, Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ECenter] C:\DELL\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvSvc] C:\Windows\System32\nvsvc.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ISUSPM Startup] c:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Users\Lake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Lake\AppData\Roaming\Dropbox\bin\dropbox.exe ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &ieSpell Options - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Check &Spelling - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files\ieSpell\wikipedia.HTM ()
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://support.microsoft.com/OAS/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Reg Error: Key error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-40e1-a617-af65a72a0465/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} http://www.linkedin.com/cab/LinkedInContactFinderControl.cab (LinkedIn ContactFinderControl)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181086765921 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1181086829078 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} http://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab (InstallShield International Setup Player)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll (PCPitstop Exam)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Lake\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Users\Lake\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{3cce30c3-8d19-11de-8d98-001aa0c3b258}\Shell\AutoRun\command - "" = Iexplores.exe
O33 - MountPoints2\{5124176d-5d1b-11df-95e4-001aa0c3b258}\Shell\AutoRun\command - "" = J:\WDSetup.exe -- File not found
O33 - MountPoints2\{75b28532-3c9e-11df-9ce6-001aa0c3b258}\Shell\AutoRun\command - "" = J:\JDSecure\Windows\JDSecure31.exe -- File not found
O33 - MountPoints2\{7db1affd-f048-11dc-a1ca-001aa0c3b258}\Shell - "" = AutoRun
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2010/04/14 13:23:44 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 90 Days ==========

[2010/05/27 17:58:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/05/27 17:58:30 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/05/27 17:11:36 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/27 16:46:49 | 000,000,000 | ---D | C] -- C:\Users\Lake\Desktop\t file
[2010/05/27 12:12:47 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/27 11:12:51 | 000,000,000 | ---D | C] -- C:\Users\Lake\AppData\Local\Adobe
[2010/05/27 11:12:02 | 000,000,000 | ---D | C] -- C:\Users\Lake\AppData\Roaming\Malwarebytes
[2010/05/27 11:11:46 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/05/27 11:11:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/05/27 11:11:44 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/05/27 11:11:44 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/26 10:49:47 | 000,000,000 | ---D | C] -- C:\Users\Lake\Desktop\180, AR Pics
[2010/05/20 18:14:52 | 000,000,000 | ---D | C] -- C:\Users\Lake\Desktop\80 Quitman, MS Cypress Club
[2010/05/19 14:12:26 | 000,000,000 | ---D | C] -- C:\Users\Lake\Desktop\Flatbed Rat Damage Pics
[2010/05/19 10:45:36 | 000,000,000 | ---D | C] -- C:\Users\Lake\Desktop\Midnight, MS
[2010/05/11 10:42:16 | 000,000,000 | ---D | C] -- C:\Users\Lake\Desktop\Lake Camera
[2010/05/10 16:40:15 | 000,000,000 | ---D | C] -- C:\Users\Lake\Desktop\443 Holmes, MS Pics
[2010/04/20 11:28:59 | 000,000,000 | ---D | C] -- C:\Users\Lake\Desktop\March-database files
[2010/04/02 12:02:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/02/28 11:42:26 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2004/07/13 18:32:40 | 000,637,136 | ---- | C] ( ) -- C:\Windows\System32\RC87E1us.DLL
[2004/07/13 18:32:40 | 000,552,544 | ---- | C] ( ) -- C:\Windows\System32\RC87C1XX.DLL

========== Files - Modified Within 90 Days ==========

[2010/05/28 17:09:59 | 008,388,608 | -HS- | M] () -- C:\Users\Lake\ntuser.dat
[2010/05/28 16:51:00 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/28 16:21:41 | 000,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2010/05/28 15:37:46 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/28 15:37:45 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/28 13:43:23 | 004,766,208 | ---- | M] () -- C:\Users\Lake\Desktop\600 Sunflower FLYER.pub
[2010/05/28 10:42:11 | 000,002,521 | ---- | M] () -- C:\Users\Lake\Desktop\HiJackThis.lnk
[2010/05/27 23:51:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/27 17:58:36 | 000,001,090 | ---- | M] () -- C:\Users\Lake\Desktop\Spybot - Search & Destroy.lnk
[2010/05/27 15:24:24 | 000,000,848 | -HS- | M] () -- C:\ProgramData\KGyGaAvL.sys
[2010/05/27 11:43:14 | 000,829,084 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/27 11:43:14 | 000,693,332 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/27 11:43:14 | 000,138,358 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/27 11:37:32 | 000,025,107 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2010/05/27 11:37:01 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/27 11:36:58 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/27 11:36:46 | 2145,026,048 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/27 11:35:35 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2010/05/27 11:35:12 | 000,524,288 | -HS- | M] () -- C:\Users\Lake\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms
[2010/05/27 11:35:12 | 000,065,536 | -HS- | M] () -- C:\Users\Lake\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf
[2010/05/27 11:35:04 | 003,275,222 | -H-- | M] () -- C:\Users\Lake\AppData\Local\IconCache.db
[2010/05/27 11:33:26 | 002,206,208 | ---- | M] () -- C:\Users\Lake\Desktop\Pocahantas, AR.pub
[2010/05/27 11:11:50 | 000,000,853 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/21 11:31:20 | 001,425,081 | ---- | M] () -- C:\Users\Lake\Desktop\337 Small Flyer pic.jpg
[2010/05/18 11:23:44 | 002,325,504 | ---- | M] () -- C:\Users\Lake\Documents\anguilla 2.pub
[2010/05/18 11:22:54 | 002,325,504 | ---- | M] () -- C:\Users\Lake\Documents\Anguilla 1.pub
[2010/05/15 01:00:00 | 000,000,366 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2010/05/13 16:54:11 | 000,356,714 | ---- | M] () -- C:\Users\Lake\Desktop\Brattford aerial goog.jpg
[2010/05/11 18:41:16 | 000,167,936 | ---- | M] () -- C:\Users\Lake\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/10 16:35:28 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
[2010/05/10 04:53:36 | 000,002,108 | ---- | M] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/05/05 15:28:29 | 000,012,141 | ---- | M] () -- C:\Users\Lake\Desktop\Fax Cover Page Kauther Farms lease.docx
[2010/05/05 15:14:24 | 000,039,160 | ---- | M] () -- C:\Users\Lake\Desktop\kauther Farms 2010 May.pdf
[2010/05/01 01:00:00 | 000,000,368 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2010/04/30 18:09:46 | 000,578,496 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/27 13:04:31 | 001,530,368 | ---- | M] () -- C:\Users\Lake\Documents\watson aerial # 2.pub
[2010/04/27 12:36:56 | 001,530,368 | ---- | M] () -- C:\Users\Lake\Documents\watson sunflower aerial.pub
[2010/04/22 14:23:23 | 000,000,967 | ---- | M] () -- C:\Users\Lake\Desktop\ActSage.exe - Shortcut.lnk
[2010/04/22 11:00:41 | 000,002,628 | ---- | M] () -- C:\Users\Lake\Desktop\Contact_Database.pad - Shortcut.lnk
[2010/04/20 11:29:09 | 000,000,253 | ---- | M] () -- C:\Users\Lake\Desktop\March.pad
[2010/04/14 13:37:16 | 000,000,749 | RH-- | M] () -- C:\Windows\WindowsShell.Manifest
[2010/04/14 13:03:16 | 000,101,888 | ---- | M] (Infineon Technologies AG) -- C:\Windows\System32\ifxcardm.dll
[2010/04/14 13:03:13 | 000,082,432 | ---- | M] (Gemalto, Inc.) -- C:\Windows\System32\axaltocm.dll
[2010/02/28 00:21:20 | 000,000,853 | ---- | M] () -- C:\Users\Lake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2010/02/28 00:21:20 | 000,000,672 | ---- | M] () -- C:\Windows\wininit.ini

========== Files Created - No Company Name ==========

[2010/05/28 13:15:52 | 004,766,208 | ---- | C] () -- C:\Users\Lake\Desktop\600 Sunflower FLYER.pub
[2010/05/27 17:58:36 | 000,001,090 | ---- | C] () -- C:\Users\Lake\Desktop\Spybot - Search & Destroy.lnk
[2010/05/27 17:11:40 | 000,002,521 | ---- | C] () -- C:\Users\Lake\Desktop\HiJackThis.lnk
[2010/05/27 11:11:50 | 000,000,853 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/22 12:09:37 | 002,206,208 | ---- | C] () -- C:\Users\Lake\Desktop\Pocahantas, AR.pub
[2010/05/21 11:31:18 | 001,425,081 | ---- | C] () -- C:\Users\Lake\Desktop\337 Small Flyer pic.jpg
[2010/05/18 11:23:43 | 002,325,504 | ---- | C] () -- C:\Users\Lake\Documents\anguilla 2.pub
[2010/05/18 11:22:54 | 002,325,504 | ---- | C] () -- C:\Users\Lake\Documents\Anguilla 1.pub
[2010/05/13 16:54:11 | 000,356,714 | ---- | C] () -- C:\Users\Lake\Desktop\Brattford aerial goog.jpg
[2010/05/11 11:32:50 | 001,177,958 | ---- | C] () -- C:\Users\Lake\Desktop\britt_0001.jpg
[2010/05/10 16:35:28 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
[2010/05/10 04:53:36 | 000,002,108 | ---- | C] () -- C:\Users\Public\Desktop\Google Earth.lnk
[2010/05/05 15:28:28 | 000,012,141 | ---- | C] () -- C:\Users\Lake\Desktop\Fax Cover Page Kauther Farms lease.docx
[2010/05/05 15:14:24 | 000,039,160 | ---- | C] () -- C:\Users\Lake\Desktop\kauther Farms 2010 May.pdf
[2010/04/27 13:01:21 | 001,530,368 | ---- | C] () -- C:\Users\Lake\Documents\watson aerial # 2.pub
[2010/04/27 10:04:43 | 001,530,368 | ---- | C] () -- C:\Users\Lake\Documents\watson sunflower aerial.pub
[2010/04/22 14:23:23 | 000,000,967 | ---- | C] () -- C:\Users\Lake\Desktop\ActSage.exe - Shortcut.lnk
[2010/04/20 11:29:09 | 000,000,253 | ---- | C] () -- C:\Users\Lake\Desktop\March.pad
[2010/04/15 03:02:10 | 000,106,605 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2010/04/15 03:02:10 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2010/04/15 03:02:07 | 011,967,524 | ---- | C] () -- C:\Windows\System32\korwbrkr.lex
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/03/09 15:36:21 | 000,053,760 | ---- | C] () -- C:\Windows\System32\Zlib.dll
[2007/07/05 11:05:29 | 000,000,151 | ---- | C] () -- C:\Windows\PhotoSnapViewer.INI
[2007/05/16 23:48:00 | 000,000,116 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2007/05/16 23:30:17 | 000,000,000 | ---- | C] () -- C:\Windows\vstudio.INI
[2007/05/16 18:44:19 | 000,027,136 | ---- | C] () -- C:\Windows\System32\QTUninst.dll
[2007/05/16 18:43:01 | 000,000,000 | ---- | C] () -- C:\Windows\nsrex.INI
[2007/05/16 18:42:48 | 000,000,917 | ---- | C] () -- C:\Windows\Ulead32.ini
[2007/05/16 18:42:48 | 000,000,074 | ---- | C] () -- C:\Windows\vidwiz.ini
[2007/03/27 16:57:24 | 000,000,028 | ---- | C] () -- C:\Windows\pdf995.ini
[2007/03/27 16:52:22 | 000,000,059 | ---- | C] () -- C:\Windows\wpd99.drv
[2007/03/27 16:52:21 | 000,122,880 | ---- | C] () -- C:\Windows\System32\pdfmona.dll
[2007/03/27 16:52:21 | 000,051,716 | ---- | C] () -- C:\Windows\System32\pdf995mon.dll
[2007/03/27 11:45:22 | 000,004,096 | ---- | C] () -- C:\Windows\System32\sysres.dll
[2007/01/26 13:02:50 | 000,000,002 | ---- | C] () -- C:\Windows\msoffice.ini
[2006/11/15 10:55:44 | 000,880,640 | R--- | C] () -- C:\Windows\System32\libeay32.dll
[2006/11/15 10:55:44 | 000,159,744 | R--- | C] () -- C:\Windows\System32\ssleay32.dll
[2006/11/15 10:55:44 | 000,069,632 | R--- | C] () -- C:\Windows\System32\AlertStrings.dll
[2006/11/07 14:25:58 | 000,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
[2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/09/16 23:36:50 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/08/18 02:59:50 | 000,071,749 | ---- | C] () -- C:\Windows\hcextoutput.dll
[2006/08/18 02:59:50 | 000,000,823 | ---- | C] () -- C:\Windows\tsc.ini
[2006/08/18 02:55:53 | 000,000,170 | ---- | C] () -- C:\Windows\GetServer.ini
[2006/06/15 16:11:42 | 000,210,944 | ---- | C] () -- C:\Windows\System32\MSVCRT10.dll
[2006/01/12 19:46:17 | 000,001,315 | ---- | C] () -- C:\Windows\cdPlayer.ini
[2005/09/08 15:30:38 | 000,000,070 | ---- | C] () -- C:\Windows\ricdb.ini
[2005/09/08 15:30:35 | 000,000,000 | ---- | C] () -- C:\Windows\System32\RPCS.ini
[2005/09/07 20:07:04 | 000,000,241 | ---- | C] () -- C:\Windows\ActiveAct.INI
[2005/09/07 17:40:05 | 000,159,744 | ---- | C] () -- C:\Windows\System32\ActAB32.dll
[2005/09/07 17:40:04 | 000,192,590 | ---- | C] () -- C:\Windows\System32\ActExt.dll
[2005/09/07 17:39:41 | 000,192,512 | ---- | C] () -- C:\Windows\System32\EmailShared.dll
[2005/08/29 17:59:22 | 000,000,061 | ---- | C] () -- C:\Windows\smscfg.ini
[2005/08/29 17:55:47 | 000,000,672 | ---- | C] () -- C:\Windows\wininit.ini
[2005/08/29 17:43:59 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2004/08/11 17:24:19 | 000,000,753 | ---- | C] () -- C:\Windows\orun32.ini
[2004/08/11 17:00:18 | 000,013,576 | ---- | C] () -- C:\Windows\System32\syscorecfg256.dll
[2004/07/13 18:32:40 | 000,647,680 | ---- | C] () -- C:\Windows\System32\Rc87c120.dll
[2004/07/13 18:32:40 | 000,080,057 | ---- | C] () -- C:\Windows\System32\RC87E172.ini
[2004/07/13 18:32:40 | 000,018,309 | ---- | C] () -- C:\Windows\System32\RCINSTM.ini
[2004/07/08 20:53:32 | 000,080,494 | ---- | C] () -- C:\Windows\System32\RCINST.INI
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[1999/07/23 13:46:48 | 000,000,116 | ---- | C] () -- C:\Windows\AuHCcup1.ini
[1999/07/23 10:53:20 | 000,129,536 | ---- | C] () -- C:\Windows\AuHCcup1.dll

========== LOP Check ==========

[2007/10/25 21:28:39 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\ACD Systems
[2008/07/11 07:34:29 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\ACT
[2007/10/25 21:28:40 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Alibre Design
[2009/04/02 17:40:26 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Autodesk
[2010/02/18 17:27:15 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\dBpoweramp
[2008/12/16 16:41:43 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Downloaded Installations
[2010/05/27 11:38:54 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Dropbox
[2007/10/25 21:28:43 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Interact Commerce
[2008/07/11 07:47:27 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\IsolatedStorage
[2007/10/25 21:28:52 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Kontiki
[2007/10/25 21:28:54 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Leadertech
[2007/10/25 21:28:54 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\LinkedIn
[2007/10/25 21:29:17 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Musicmatch
[2007/10/25 21:29:18 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\OfficeUpdate12
[2007/10/25 21:29:18 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Opera
[2007/10/25 21:29:18 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\pdf995
[2007/10/25 21:29:18 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Proof
[2007/10/25 18:50:27 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Spearit
[2009/10/23 10:06:36 | 000,000,000 | ---D | M] -- C:\Users\Lake\AppData\Roaming\Uniblue
[2010/05/15 01:00:00 | 000,000,366 | ---- | M] () -- C:\Windows\Tasks\McDefragTask.job
[2010/05/01 01:00:00 | 000,000,368 | ---- | M] () -- C:\Windows\Tasks\McQcTask.job
[2010/05/27 11:35:41 | 000,032,616 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:AGP440.sys
[2008/01/19 02:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/19 02:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/19 02:42:25 | 000,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2007/10/18 18:38:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\System32\drivers\AGP440.sys
[2007/10/18 18:38:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_8ed06b47\AGP440.sys
[2007/10/18 18:38:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.16400_none_b82caac9c18a4e3b\AGP440.sys
[2007/10/18 18:38:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=BF34B4A0E0B64440C5389AA6B902F4AD -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20496_none_b85af81edaeb8461\AGP440.sys
[2006/11/02 04:49:52 | 000,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\i386\sp2.cab:atapi.sys
[2009/04/11 01:32:26 | 000,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
[2008/01/19 02:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\drivers\atapi.sys
[2008/01/19 02:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/19 02:41:30 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2006/11/02 04:49:36 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2007/10/18 18:39:33 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=5653737BAD8C6C10136451C195C19881 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys
[2007/10/18 18:46:10 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=61CA2C1E145809813C28752298CF9843 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5da5d093\atapi.sys
[2007/10/18 18:46:10 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=61CA2C1E145809813C28752298CF9843 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20580_none_db8503133dc1c2af\atapi.sys
[2007/10/18 18:46:10 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=7EB55F6BEFB392BD312CD0CD5263305D -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_6c3af7d3\atapi.sys
[2007/10/18 18:46:10 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=7EB55F6BEFB392BD312CD0CD5263305D -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16470_none_db063634249c06f4\atapi.sys
[2007/10/18 18:39:20 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys
[2007/10/18 18:39:20 | 000,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys
[2007/10/18 18:39:32 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys
[2007/10/18 18:39:32 | 000,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys
[2008/02/13 04:06:45 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008/02/13 04:06:45 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Windows\System32\dllcache\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\Windows\System32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys
[2008/02/13 04:06:45 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys
[2008/02/13 04:06:45 | 000,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 04:46:03 | 000,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

< MD5 for: EVENTLOG.DLL >
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/04 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\Windows\System32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/06/19 06:06:16 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Drivers\storage\R158601\iastor.sys
[2007/03/21 12:58:56 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2007/06/19 06:06:16 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\drivers\iaStor.sys
[2007/06/19 06:06:16 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys
[2007/06/19 06:06:16 | 000,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys
[2007/03/21 12:59:30 | 000,381,720 | ---- | M] (Intel Corporation) MD5=9D7ED4275702E2FC409F2CC563245740 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2005/07/08 22:02:00 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\Drivers\storage\SATA\ONBOARD\iaStor.sys
[2005/07/08 22:02:00 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\i386\iaStor.sys

< MD5 for: IASTORV.SYS >
[2008/01/19 02:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/19 02:42:51 | 000,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2006/11/02 04:46:11 | 000,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2009/04/11 01:28:23 | 000,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
[2004/08/04 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2008/01/19 02:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\System32\netlogon.dll
[2008/01/19 02:35:36 | 000,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/19 02:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2008/01/19 02:42:09 | 000,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2008/01/19 02:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\System32\scecli.dll
[2008/01/19 02:36:19 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2006/11/02 04:46:12 | 000,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2009/04/11 01:28:24 | 000,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/01/19 02:34:21 | 000,403,968 | ---- | M] (Microsoft Corporation)* Unable to obtain MD5* -- C:\Windows\System32\FirewallAPI.dll
[2008/01/19 02:38:03 | 000,242,744 | ---- | M] (Microsoft Corporation)* Unable to obtain MD5* -- C:\Windows\System32\rsaenh.dll
[2008/01/19 02:36:10 | 000,225,792 | ---- | M] (Microsoft Corporation)* Unable to obtain MD5* -- C:\Windows\System32\SLC.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2006/11/02 05:34:05 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2006/11/02 05:34:05 | 000,008,192 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 05:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 05:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
< End of report >

*Extras.Txt:*

OTL Extras logfile created on: 5/28/2010 5:02:53 PM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\Lake\Downloads
Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18904)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 47.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 56.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 463.71 Gb Total Space | 201.00 Gb Free Space | 43.35% Space Free | Partition Type: NTFS
Drive D: | 2.00 Gb Total Space | 1.40 Gb Free Space | 70.09% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAKE-PC
Current User Name: Lake
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirstRunDisabled" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1106CBAE-B7FB-44BC-93D4-21B6429D04B5}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{19129F5E-BE01-41C8-A5E4-64241953807B}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{2DC70F35-9333-4A46-B66B-A6081BE29286}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{2E9DAC15-1F5A-41F2-9485-2DA2B483FC70}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{355DAFAB-F438-4608-B1F0-586E43058842}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{3B573D9D-D0C1-4E89-B5A6-4C4050813BE3}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{3B5F9932-22EB-4C0C-B42D-C287993C8B85}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | 
"{45CF10D9-70C8-4ECB-BC0D-D2290DD398FC}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{46D242A7-2796-4E14-9130-8448B5C078F7}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{59F77CE6-F17F-4861-8AF2-E31B29DDD6A5}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{5CC2E409-D03C-4AA2-96CC-00F70DCA4AEA}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{620FCE63-F415-4CCC-980B-D39FC1849996}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{69F74718-3491-42B8-9552-9A61176993EF}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{6F1BBA62-3992-4666-A368-DBC012C052C9}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | 
"{6F59CAA2-B5C7-43F1-AE46-61E291932269}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{78DEF5B7-D068-4D5B-8D48-9C873C29466D}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{83D7D7D5-8EE4-4497-8405-994AE2F22D63}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{C071E789-120A-4967-AF6D-D577021A6F78}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | 
"{C6930755-DCE6-44A1-9292-155E6E06F82B}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{C88B086F-E205-4DCC-8B4C-EFCB2D64D6A5}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{C988A0EB-7E9A-41CA-AF1D-A6B67ED24FEE}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{E08C9162-03EA-4497-B054-0CBCA4F07382}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{EFDBC2D6-3495-4DBD-89FE-87D47F1989D1}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 | 
"{FC76EBDB-F9EB-4B62-8B97-037BA2B903F9}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{FDB59F59-AEB5-4C02-B8E4-A795760A06E2}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04E2FA82-1939-42CD-B846-51A9D0692ABC}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{0B32C945-97BF-4813-B74B-84217C96F2D6}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{0B7B0897-353E-4EAC-991D-4EFEFF3CC2A9}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{0F7D733D-084A-48AD-95D3-93E0591E8AFC}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{18042AC2-A99B-4FDC-8CBC-EC8572D34557}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{1B231B7D-266A-4FB5-BFD0-F993C70828A2}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{1BB32E96-AA31-4E08-B33A-786575E2D6E3}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{1BC281B9-C0F0-4A5B-B577-A78615B201F5}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{2C511688-7C65-4403-8273-97F86F76F815}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{441AED0F-2F14-4034-9FC1-DD7FDB1B0404}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{45410211-6AB6-49B5-BB93-5AA53137AE84}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{4CAEB147-6B27-4F9B-B55C-8BC9A318361F}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{6AAB459E-6C9C-4CED-9CC6-03E3014D0CCD}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{6AF87F78-86B6-46B8-ADA3-F417B09DAEF8}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{6E1107E1-7BF5-4498-A658-DECC3BEC75C6}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{6F81E6B5-8B93-4B36-9FFA-0FDF0E46A145}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{7C29FB51-F09C-486B-9D2E-C43BE174AD10}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{7E3B729E-3E65-4791-A693-1A55AB2AAD67}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{9881DE6C-1990-4D48-A614-8E5641C56C55}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{9BB518DF-89D5-4756-A946-F4DE14A3E909}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{B1E3E715-9F66-46C3-AE8F-FDB78372AC26}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{B2ED35AF-B859-46CD-9B58-82729860D77A}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe | 
"{B408BE01-DB7A-45BA-A333-563E062DA9A7}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{CDF0FB22-0E35-422E-B546-E27B427AF0C2}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{ED3DAF88-CCD1-4726-851E-666F48F092D8}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe | 
"{EDD074FC-74B1-4D54-B343-2C08AE94C7B0}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"{F0580219-72FE-4E36-869B-C8E25CF91536}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe | 
"TCP Query User{E490353D-5C57-44B4-BB2D-9FC9B7E2F751}C:\program files\dell sas raid storage manager\megapopup\popup.exe" = protocol=6 | dir=in | app=c:\program files\dell sas raid storage manager\megapopup\popup.exe | 
"UDP Query User{F271A8E6-EB11-4F3A-A21A-4E91F76C7634}C:\program files\dell sas raid storage manager\megapopup\popup.exe" = protocol=17 | dir=in | app=c:\program files\dell sas raid storage manager\megapopup\popup.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}" = Dell System Customization Wizard
"{14374619-0900-4056-BA06-C87C900AF9E6}" = QuickBooks Simple Start Special Edition
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1EBB57D4-63FF-87CC-A0F0-D73982CF6008}" = Adobe Media Player
"{221125DC-6A40-4900-B844-591F5E1195B0}" = Microsoft Visual Web Developer 2005 Express Edition - ENU
"{22DEC852-3ABE-4BE0-BCA3-9E4E2FDE5A76}" = Dell SAS RAID Storage Manager
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{25569723-DC5A-4467-A639-79535BF01B71}" = Adobe Help Center 2.1
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java(TM) 6 Update 20
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{281ECE39-F043-492B-8337-F2E546B5604A}" = PowerDVD
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{2C0A655C-61E7-428A-8ED2-23A3D20E7DD2}" = Data Lifeguard Tools
"{2CCBABCB-6427-4A55-B091-49864623C43F}" = Google Toolbar for Firefox
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java(TM) SE Runtime Environment 6
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{36BD0774-6CD6-4FF9-A148-83CA09AC123E}" = Intel(R) PROSafe for Wired Connections
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{3AA6AC6D-82E1-455E-8109-8A8D440D7A9C}" = PCmover
"{403EF592-953B-4794-BCEF-ECAB835C2095}" = Intel(R) PROSafe for Wired Connections
"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{47F21113-0D9A-11D5-8132-00C04FA0998D}" = Alibre Design
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F8D44E7-3F47-4002-AE6A-BCB6A46A1788}" = Lizardtech Express View Browser Plug-in
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{530AFAFF-6F0A-48BB-88D0-04F9658322D3}" = Adobe Premiere Elements 3.0.2
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{55D9E026-DCB0-46FF-B60A-68B972228CF6}" = Autodesk Design Review 2010
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{5783F2D7-8028-0409-0000-0060B0CE6BBA}" = DWG TrueView 2010
"{58F4D4FD-1814-4068-B316-C28FC776C6DD}" = GoToMyPC
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.5
"{6DEF11C0-35FF-4160-A543-FDD336C4DAE5}" = Microsoft SQL Server 2005 Express Edition (ACT7)
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6EACDDF4-4220-49A3-9204-984C86852C3D}" = Adobe Premiere Elements 3.0.2 Templates
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EDBA74D-0686-4C99-BFDD-F894678E5102}" = Adobe Common File Installer
"{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}" = Musicmatch® Jukebox
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A351224F-533A-4EED-89F4-0BF3417FD31D}" = WD Backup
"{A52415E5-CA1E-44DE-9EDC-D412F31D271C}" = Google Photos Screensaver
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}" = Adobe Photoshop Elements 5.0
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{ABDA9912-5D00-11D4-BAE7-9367CA097955}" = Macromedia Dreamweaver 4
"{AC76BA86-1033-0000-BA7E-000000000003}" = Adobe Acrobat 8 Standard
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AD4203ED-7683-435E-B436-C299773A9936}" = MapSource - US Topo v3.02
"{AD88355B-A4E0-4DA1-BAC3-EA4FEA930691}" = Ipswitch WS_FTP Professional 2007
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{B208806F-A231-4FA0-AB3F-5C1B8979223E}" = Microsoft ActiveSync 4.0
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6751A10-2389-4AEF-870A-4DD925F48733}" = Intellimover BE
"{BA68600E-96D9-4E92-80F2-26B9681B5A63}" = Microsoft Office Outlook 2003 with Business Contact Manager Update
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C41E5038-88CE-466F-A01C-0AE65B5FE1F2}" = ACT! by Sage 2008 (10.0)
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6771E19-1BB6-43B1-811E-ECC5A4613579}" = Broadcom Management Programs
"{E031338C-839D-4EDD-9537-99B653C39D81}" = Autodesk MapGuide(R) Viewer ActiveX Control Release 6.5
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster 2010
"{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
"{F3885DDF-E711-4F14-B4C9-5CA3F07A13E9}" = PCsync
"{F7B0939E-58DF-11DF-B3A6-005056806466}" = Google Earth
"ACT!" = ACT!
"AddressGrabber" = AddressGrabber
"Adobe Acrobat 8 Standard" = Adobe Acrobat 8.2.2 Standard
"Adobe Acrobat 8 Standard_822" = Adobe Acrobat 8.2.2 - CPSID_53952
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop Elements 5" = Adobe Photoshop Elements 5.0
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"ArcExplorer 2.0" = ESRI ArcExplorer 2.0
"Autodesk Design Review 2010" = Autodesk Design Review 2010
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"dBpoweramp CD Writer" = dBpoweramp CD Writer
"dBpoweramp DSP Effects" = dBpoweramp DSP Effects
"dBpoweramp FLAC Codec" = dBpoweramp FLAC Codec
"dBpoweramp m4a Codec" = dBpoweramp m4a Codec
"dBpoweramp Music Converter" = dBpoweramp Music Converter
"dBpoweramp Windows Media Audio 10 Codec" = dBpoweramp Windows Media Audio 10 Codec
"DWG TrueView 2010" = DWG TrueView 2010
"Gigaware Gigaware Optical Mouse Driver" = Gigaware Optical Mouse Driver 4.06
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ieSpell" = ieSpell
"InstallShield_{22DEC852-3ABE-4BE0-BCA3-9E4E2FDE5A76}" = Dell SAS RAID Storage Manager v2.08-00
"InstallShield_{C41E5038-88CE-466F-A01C-0AE65B5FE1F2}" = ACT! by Sage 2008 (10.0)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft NetShow Tools 2.0" = NetShow Tools 3.0
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Web Developer 2005 Express Edition - ENU" = Microsoft Visual Web Developer 2005 Express Edition - ENU
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PC Pitstop Optimize2_is1" = PC Pitstop Optimize2 2.0
"Pdf995" = Pdf995
"Picasa 3" = Picasa 3
"PremElem30" = Adobe Premiere Elements 3.0.2
"PROHYBRIDR" = 2007 Microsoft Office system
"QuickTime" = QuickTime
"QuickTime 3.0" = QuickTime 3.0
"Real Estate Transaction Viewer" = Real Estate Transaction Viewer
"StreetPlugin" = Learn2 Player (Uninstall Only)
"Ulead VideoStudio 4.0" = Ulead VideoStudio version 4.0 SE Basic
"ViewpointMediaPlayer" = Viewpoint Media Player
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell
"WETCable" = Windows Easy Transfer
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


----------
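A worked check on the firewall section of the OTL Extras log above. This is an added example for the thread, not code from OTL or from either poster. The Extras log shows `EnableFirewall = 0` under all three FirewallPolicy profiles, so none of the FirewallRules entries that follow it are being enforced; the script parses both parts of that section so the two facts are read together and lists what the host would accept inbound once the firewall is switched back on. `SAMPLE` is a constructed excerpt that copies the line format of the log above; the regular expressions, the `triage` output wording and the `[svc=...]` annotation are my own and assume the `key=value | key=value |` rule layout exactly as OTL printed it here.

```python
"""Triage of the firewall section of an OTL Extras log.

Added example for this thread, not code from OTL or from either poster.
Two questions a responder asks first: is Windows Firewall on in any
profile, and what would the host accept inbound if it were.  SAMPLE is a
constructed excerpt that copies the line format of the log above.
"""
import re
from collections import defaultdict

PROFILE_RE = re.compile(r"FirewallPolicy\\(\w+Profile)\]$")
VALUE_RE = re.compile(r'^"(\w+)"\s*=\s*(-?\d+)$')
RULE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<body>.*)$')
PROTO = {"6": "tcp", "17": "udp"}   # IP protocol numbers as OTL prints them

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1106CBAE-B7FB-44BC-93D4-21B6429D04B5}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe | 
"{2DC70F35-9333-4A46-B66B-A6081BE29286}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{2E9DAC15-1F5A-41F2-9485-2DA2B483FC70}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | 
"{FDB59F59-AEB5-4C02-B8E4-A795760A06E2}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{B2ED35AF-B859-46CD-9B58-82729860D77A}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe | 
"TCP Query User{E490353D-5C57-44B4-BB2D-9FC9B7E2F751}C:\program files\dell sas raid storage manager\megapopup\popup.exe" = protocol=6 | dir=in | app=c:\program files\dell sas raid storage manager\megapopup\popup.exe | 
"""


def parse_otl_firewall(text):
    """Return ({profile: {value: int}}, [rule dict]) from OTL Extras text."""
    profiles, rules = {}, []
    profile, in_rules = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("=========="):      # OTL section banner: reset state
            profile, in_rules = None, False
            continue
        if line.startswith("["):               # registry key line
            m = PROFILE_RE.search(line)
            profile = m.group(1) if m else None
            in_rules = line.endswith(r"FirewallPolicy\FirewallRules]")
            continue
        if profile:
            m = VALUE_RE.match(line)
            if m:
                profiles.setdefault(profile, {})[m.group(1)] = int(m.group(2))
        elif in_rules:
            m = RULE_RE.match(line)
            if not m:
                continue
            fields = {"name": m.group("name")}
            for part in m.group("body").split("|"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    fields[k.strip()] = v.strip()
            rules.append(fields)
    return profiles, rules


def firewall_enabled(profiles):
    """Map each profile to whether EnableFirewall is set (missing value -> False)."""
    return {p: bool(v.get("EnableFirewall", 0)) for p, v in profiles.items()}


def inbound_exposure(rules):
    """Group inbound rules by (local port, protocol) -> set of allowed programs.
    The OTL lines carry no Action/Active field, so every listed rule is treated
    as an active allow; confirm on the host before acting on one."""
    exposure = defaultdict(set)
    for r in rules:
        if r.get("dir") != "in":
            continue
        proto = PROTO.get(r.get("protocol", ""), r.get("protocol", "?"))
        app = r.get("app", "?").lower()
        if "svc" in r:                         # svchost rules only mean something per service
            app += " [svc=%s]" % r["svc"]
        exposure[(r.get("lport", "any"), proto)].add(app)
    return dict(exposure)


def _port_key(item):
    port, proto = item[0]
    return (port == "any", int(port) if port.isdigit() else 0, proto)


def triage(text):
    """Return human-readable findings for the firewall section of an OTL log."""
    profiles, rules = parse_otl_firewall(text)
    enabled = firewall_enabled(profiles)
    exposure = inbound_exposure(rules)
    findings = []
    if profiles and not any(enabled.values()):
        inbound = sum(1 for r in rules if r.get("dir") == "in")
        findings.append("Windows Firewall is OFF in every profile (%s); the %d inbound "
                        "rules below do nothing until EnableFirewall=1"
                        % (", ".join(sorted(enabled)), inbound))
    for (port, proto), apps in sorted(exposure.items(), key=_port_key):
        findings.append("inbound %s/%s allowed for: %s" % (proto, port, "; ".join(sorted(apps))))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

To use it on the real log, replace `SAMPLE` with the contents of the saved Extras.txt. Because the rule lines as OTL prints them carry no Action or Active field, a listed rule should be confirmed on the host with `netsh advfirewall firewall show rule name=all` before it is treated as an open door; the first finding is the one that matters on this machine, since with every profile at `EnableFirewall = 0` the port list describes what will be exposed the moment the firewall is turned back on, not what is filtered now.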



## CatByte (Feb 24, 2009)

please post the GMER log

thanks


----------



## Zigg (May 27, 2010)

CatByte, 
I've been trying to get the Gmer-but my 'puter was locking up and restarting... this suxors bug time.


----------



## CatByte (Feb 24, 2009)

Try this scanner instead:

Please download this file, and save it to your Desktop. Once you have downloaded it, save and close all other programs and run it by double-clicking on the file named "RootRepeal.exe".

Once the main window shows up, please click on the "Report" button on the bottom of the window. Next, please click the "Scan" button.

Another window will pop up asking you to select what to include in the scan. Please uncheck everything except for the "Stealth Code" checkbox, and then click OK.

Once the program has finished scanning, the results will appear. Click on the "Save Report" button, and save the report to your desktop.

Finally, please open this report with Notepad, and post it here.


----------



## Zigg (May 27, 2010)

Clicked on RootRepeal.exe and bluescreened almost immediately. 
: (


----------



## CatByte (Feb 24, 2009)

Try running the GMER program in safe mode with just "sections" and the "c:\" drive selected.

leave everything else blank


----------



## Zigg (May 27, 2010)

Gmer said it found nothing to report. There was a firefox dll on the first run but when I ran it again with firefox closed, it said there was nothing to report (that's with only the sections and c drive checked). 
I saved the Gmer report as a txt file, but there was nothing on there when I opened it.


----------



## Zigg (May 27, 2010)

For kicks, I just tried the more detailed report you told me to run previously before on Gmer, and it blue screened... 
Be standing by


----------



## CatByte (Feb 24, 2009)

Hi,

please do the following:

Download *Combofix* from either of the links below, and save it to your desktop. 
*Link 1* 
*Link 2*

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

IMPORTANT - *Disable your AntiVirus and AntiSpyware applications*, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here 

--------------------------------------------------------------------

Double click on *ComboFix.exe* & follow the prompts. 
When finished, it will produce a report for you. 
Please post the *C:\ComboFix.txt * for further review.


----------



## Zigg (May 27, 2010)

Spybot S&D is still running prompt before I click OK for ComboFix...
I looked for switches in advanced mode...
disabled TeaTimer, rebooted...
ComboFix is running now...


----------



## Zigg (May 27, 2010)

Looks like it hung up.

Blue admin command box says:

Please wait
ComboFix is preparing to run...

Been that way for 25 min with minimal activity from the hd


----------



## CatByte (Feb 24, 2009)

Hi,

No doubt McAfee is interfering;

Please make sure it is totally disabled;

1 Locate the red "M" icon in the system tray at the bottom right corner of the desktop. Double click on it to open the Security Center program.

2 Click on the "Advanced" tab and then choose the option labeled as "Configure."

3 Click on the "Files" button on the top toolbar. Click on the "Disable" button at the center of the screen.

4 Enter in a time for the program to automatically turn back on in the text field at the right or,(choose never) instead, re-start the computer to turn it back on when you are finished scanning.

delete the copy of ComboFix that you have, download a fresh copy but rename it to Combo.com _before_ you save it to your desktop.

Try running it in safe mode if it still won't run properly.


----------



## Zigg (May 27, 2010)

CB,

Same symptoms with ComboFix... McAfee, S&D, and Defender are off...
Deleted and resaved as "Combo.com" on desktop.
Just tried to launch it in Safe Mode with networking and got:
"Access denied, Admin permissions are needed to use selected options.
use admin control prompt to complete these tasks"
I even tried "open as admin" and got the same.


----------



## CatByte (Feb 24, 2009)

Please run the following:


Download *TDSSKiller* and save it to your Desktop.

*Extract* the file and *run it.*

Once completed it will create a log in your *C:\* drive called TDSSKiller*_** _(*** denotes version & date)_

please post the content of the TDSSKiller log


----------



## Zigg (May 27, 2010)

*TDSSKiller Log:*

15:38:21:871 3404 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
15:38:21:871 3404 ================================================================================
15:38:21:872 3404 SystemInfo:

15:38:21:872 3404 OS Version: 6.0.6001 ServicePack: 1.0
15:38:21:872 3404 Product type: Workstation
15:38:21:872 3404 ComputerName: LAKE-PC
15:38:21:872 3404 UserName: Lake
15:38:21:872 3404 Windows directory: C:\Windows
15:38:21:872 3404 Processor architecture: Intel x86
15:38:21:872 3404 Number of processors: 2
15:38:21:872 3404 Page size: 0x1000
15:38:21:874 3404 Boot type: Normal boot
15:38:21:874 3404 ================================================================================
15:38:38:757 3404 Initialize success
15:38:38:758 3404 
15:38:38:758 3404 Scanning Services ...
15:38:39:362 3404 Raw services enum returned 433 services
15:38:39:371 3404 
15:38:39:371 3404 Scanning Drivers ...
15:38:50:071 3404 Suspicious file (Forged): C:\Windows\system32\drivers\rootrepeal.sys. Real md5: 5d690375755cd4400b69bf8f4d835607, Fake md5: 0b4ccd9b8e02a27fd032b9e08ac2e12f
15:38:53:030 3404 
15:38:53:030 3404 Completed
15:38:53:030 3404 
15:38:53:030 3404 Results:
15:38:53:031 3404 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:38:53:031 3404 File objects infected / cured / cured on reboot: 0 / 0 / 0
15:38:53:031 3404 
15:38:53:033 3404 KLMD(ARK) unloaded successfully
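A small parser and triage pass for log lines of the shape shown above, written as an added example for this thread (it is not part of any post and not Kaspersky's code); it assumes the "time pid message" line layout seen in the post and embeds a constructed sample built from those lines. It reads the driver enumeration, the "Suspicious file (Forged)" warning and the result counters, and shows why zero infection counters alone are not a clean verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a handful of TDSSKiller 2.3.x log lines modelled on the
# log posted in this thread (same "time pid message" prefix, same line shapes;
# the hashes and paths are copied from the posted log, not invented).
SAMPLE_LOG = r"""15:38:39:371 3404 Scanning Drivers ...
15:38:40:811 3404 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
15:38:50:070 3404 rootrepeal (5d690375755cd4400b69bf8f4d835607) C:\Windows\system32\drivers\rootrepeal.sys
15:38:50:071 3404 Suspicious file (Forged): C:\Windows\system32\drivers\rootrepeal.sys. Real md5: 5d690375755cd4400b69bf8f4d835607, Fake md5: 0b4ccd9b8e02a27fd032b9e08ac2e12f
15:38:51:076 3404 Tcpip (2eae4500984c2f8dacfb977060300a15) C:\Windows\system32\drivers\tcpip.sys
15:38:51:128 3404 Tcpip6 (2eae4500984c2f8dacfb977060300a15) C:\Windows\system32\DRIVERS\tcpip.sys
15:38:53:030 3404 Completed
15:38:53:031 3404 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:38:53:031 3404 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

# Every TDSSKiller line is "HH:MM:SS:mmm <pid> <message>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}) (\d+) (.*)$")
# Driver/service enumeration: "<service> (<md5>) <image path>".
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# The forged-hash warning: the hash the tool computes from its own low-level read
# ("Real") differs from what a normal file read of the same file returns ("Fake").
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$"
)
RESULT_RE = re.compile(
    r"^(Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$"
)


@dataclass
class Report:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # service -> (md5, path)
    forged: List[Dict[str, str]] = field(default_factory=list)           # path / real / fake
    results: Dict[str, Tuple[int, ...]] = field(default_factory=dict)    # kind -> (infected, cured, cured on reboot)
    completed: bool = False


def parse_tdsskiller(text: str) -> Report:
    """Parse the log text into a Report; lines that match no known shape are ignored."""
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if msg == "Completed":
            rep.completed = True
            continue
        if (d := DRIVER_RE.match(msg)):
            rep.drivers[d.group(1)] = (d.group(2), d.group(3))
        elif (f := FORGED_RE.match(msg)):
            rep.forged.append({"path": f.group(1), "real": f.group(2), "fake": f.group(3)})
        elif (r := RESULT_RE.match(msg)):
            rep.results[r.group(1)] = tuple(int(x) for x in r.group(2, 3, 4))
    return rep


def triage(rep: Report) -> List[str]:
    """One human-readable finding per forged-hash warning, cross-checked against the enumeration."""
    findings = []
    for f in rep.forged:
        # The log mixes 'drivers' and 'DRIVERS' in paths; NTFS paths are case-insensitive.
        owners = [s for s, (_, p) in rep.drivers.items() if p.lower() == f["path"].lower()]
        # If the enumeration hash equals the "Real" md5, the tool's own read saw the on-disk
        # bytes and only the normal (possibly hooked) read path returned the other hash.
        consistent = any(rep.drivers[s][0] == f["real"] for s in owners)
        findings.append(
            f"FORGED {f['path']} (service: {', '.join(owners) or 'unknown'}): "
            f"real md5 {f['real']}, fake md5 {f['fake']}; "
            f"enumeration hash {'matches' if consistent else 'does not match'} the real md5"
        )
    return findings


def verdict(rep: Report) -> str:
    """'clean' only when the scan completed, all counters are zero AND nothing was flagged as forged."""
    if not rep.completed:
        return "incomplete"
    infected = sum(v[0] for v in rep.results.values())
    if infected or rep.forged:
        return "review"
    return "clean"


if __name__ == "__main__":
    report = parse_tdsskiller(SAMPLE_LOG)
    for line in triage(report):
        print(line)
    print("verdict:", verdict(report))
```

rootrepeal.sys is the driver of the RootRepeal anti-rootkit tool, and a security tool's own self-protection can trigger this kind of check; a forged-hash hit on such a driver should be confirmed before it is treated as an infection.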


----------



## CatByte (Feb 24, 2009)

Hi,

It seems as though it's definitely McAfee interfering with ComboFix; I have seen this before with this AV program. If possible, please uninstall McAfee until we have finished using ComboFix, then reinstall it.

Please delete the ComboFix icon from your desktop, then go to C:\ComboFix and delete the folder.

Try downloading a fresh copy, renaming it before saving it to the desktop, and allow it to run uninterrupted. Make certain all other programs are closed, all other windows are closed and no security program is active.

Give it lots of time, sometimes it appears as though it has stalled but it is still working away.


----------



## Zigg (May 27, 2010)

K, McAfee is GONE bye-bye now!.. rebooted and Windows Defender is squawking... 
I've turned real time in defender off... But the secondary directions of going through the control panel in an extra step didn't quite make sense to what I'm seeing in Vista...
What about Windows firewall? 
Turn this off as well?...

Thanks for helping me, BTW... I hope you realize how much I appreciate this.
Z


----------



## Zigg (May 27, 2010)

Firewall and Defender are off (followed the "whatthetech" instructions).
But ComboFix is still hanging up... looked at a performance graph and cpu is almost at a standstill at 0 to 3%... moving the mouse will bump it to 12% by comparison...

I see ComboFix starting up, and I have these two MS updates that NEVER take... every time Combo tries to start, I see the "new update" icon duplicate... then the program goes idle.

*Microsoft .NET Framework 1.1 Service Pack 1 Security Update for Windows 2000, Windows XP, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 (KB953297)*
Download size: 13.5 MB

You may need to restart your computer for this update to take effect.

Update type: Important

A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system.

More information: 
http://go.microsoft.com/fwlink/?LinkID=127769

Help and Support: 
http://support.microsoft.com

*Security Update for Microsoft Office Web Components (KB947319)*
Download size: 3.7 MB

You may need to restart your computer for this update to take effect.

Update type: Important

A security vulnerability exists in Microsoft Office 2003 Web Components and Microsoft Office XP Web Components that could allow arbitrary code to run when a maliciously modified web page is opened. This update resolves that vulnerability in both products.

More information: 
http://support.microsoft.com/kb/947319

Help and Support: 
http://support.microsoft.com/?LN=en-us


----------



## CatByte (Feb 24, 2009)

Hi,

Try this:
Press the Windows Key + R to open a run box > *copy/paste* the following single line command in the runbox & click *OK*

*"%userprofile%\desktop\combofix.exe" /killall*

*DO NOT USE* your computer for any other purpose while ComboFix is running.
ComboFix may restart your computer, this is normal.
When finished, it will produce a log, *ComboFix.txt.*
Please *post ComboFix.txt* in your next reply.


----------



## Zigg (May 27, 2010)

Since I resaved it to "combo.com" again, it wouldn't run... then I typed in the command box *"%userprofile%\desktop\combo.com.exe" /killall* and it came up with some prompts (combo.com is not affiliated with combo fix, not for private use, blah blah blah...)
There was an update for Combofix (I clicked on update)... 
It started up again, tried to make a system restore point and *quit working when the windows update icon popped up again... <<<There is a pattern here*


----------



## CatByte (Feb 24, 2009)

Let's try turning off the Windows Update feature, see if we can get ComboFix to run, then deal with the Windows updates:

Open Start menu, *right-click *on *Computer* and click *Properties*. 
This will open a *System dialog box *that will show basic information about your computer. 
On the left sidebar, under *See also *heading, you will find *Windows Update*. 
Clicking it will bring you to the *Windows Update dialog box*, now on the left sidebar click on *Change Settings*. 
You will now see a window that will look like this,

You will notice that Windows has this option enabled by default; to disable it, select *Never check for updates* and you are done.

Now try ComboFix again.


----------



## Zigg (May 27, 2010)

It's running now... Deleting stuff... Standby for report after reboot.


----------



## Zigg (May 27, 2010)

ComboFix 10-06-01.05 - Lake 06/02/2010 13:26:04.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2045.1300 [GMT -5:00]
Running from: c:\users\Lake\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Lake\SYSTEM\directx\Dinput\ms34_07.png
c:\users\Lake\SYSTEM\directx\Dinput\ms34_08.png
c:\users\Lake\SYSTEM\directx\Dinput\ms3b.png
c:\users\Lake\SYSTEM\directx\Dinput\ms3b_1.png
c:\users\Lake\SYSTEM\directx\Dinput\ms3b_2.png
c:\users\Lake\SYSTEM\directx\Dinput\ms3b_3.png
c:\users\Lake\SYSTEM\directx\Dinput\ms3b_4.png
c:\users\Lake\SYSTEM\directx\Dinput\ms3b_a.png
c:\users\Lake\SYSTEM\directx\Dinput\ms3b_c.png
c:\users\Lake\SYSTEM\directx\Dinput\ms3b_m.png
c:\users\Lake\SYSTEM\directx\Dinput\ms3b_t.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56_1.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56_10.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56_2.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56_3.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56_4.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56_5.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56_6.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56_7.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56_8.png
c:\users\Lake\SYSTEM\directx\Dinput\ms56_9.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6_1.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6_10.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6_2.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6_3.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6_4.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6_5.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6_6.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6_7.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6_8.png
c:\users\Lake\SYSTEM\directx\Dinput\ms6_9.png
c:\users\Lake\SYSTEM\directx\Dinput\ms7.png
c:\users\Lake\SYSTEM\directx\Dinput\ms7_1.png
c:\users\Lake\SYSTEM\directx\Dinput\ms7_2.png
c:\users\Lake\SYSTEM\directx\Dinput\ms7_3.png
c:\users\Lake\SYSTEM\directx\Dinput\ms7_4.png
c:\users\Lake\SYSTEM\directx\Dinput\ms7_5.png
c:\users\Lake\SYSTEM\directx\Dinput\ms7_6.png
c:\users\Lake\SYSTEM\directx\Dinput\ms7_7.png
c:\users\Lake\SYSTEM\directx\Dinput\ms7_8.png
c:\users\Lake\SYSTEM\directx\Dinput\ms7_9.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8_1.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8_10.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8_2.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8_3.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8_4.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8_5.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8_6.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8_7.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8_8.png
c:\users\Lake\SYSTEM\directx\Dinput\ms8_9.png
c:\users\Lake\SYSTEM\directx\Dinput\mse.png
c:\users\Lake\SYSTEM\directx\Dinput\mse_1.png
c:\users\Lake\SYSTEM\directx\Dinput\mse_10.png
c:\users\Lake\SYSTEM\directx\Dinput\mse_2.png
c:\users\Lake\SYSTEM\directx\Dinput\mse_3.png
c:\users\Lake\SYSTEM\directx\Dinput\mse_4.png
c:\users\Lake\SYSTEM\directx\Dinput\mse_5.png
c:\users\Lake\SYSTEM\directx\Dinput\mse_6.png
c:\users\Lake\SYSTEM\directx\Dinput\mse_7.png
c:\users\Lake\SYSTEM\directx\Dinput\mse_8.png
c:\users\Lake\SYSTEM\directx\Dinput\mse_9.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f_1.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f_10.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f_2.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f_3.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f_4.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f_5.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f_6.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f_7.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f_8.png
c:\users\Lake\SYSTEM\directx\Dinput\msf1f_9.png
c:\users\Lake\SYSTEM\directx\Dinput\msprw.png
c:\users\Lake\SYSTEM\directx\Dinput\msprw_1.png
c:\users\Lake\SYSTEM\directx\Dinput\msprw_2.png
c:\users\Lake\SYSTEM\directx\Dinput\msprw_3.png
c:\users\Lake\SYSTEM\directx\Dinput\msprw_4.png
c:\users\Lake\SYSTEM\directx\Dinput\msprw_5.png
c:\users\Lake\SYSTEM\directx\Dinput\msprw_6.png
c:\users\Lake\SYSTEM\directx\Dinput\msprw_7.png
c:\users\Lake\SYSTEM\directx\Dinput\msprw_8.png
c:\users\Lake\SYSTEM\directx\Dinput\SV-262e1.png
c:\users\Lake\SYSTEM\directx\Dinput\SV-262e3.png
c:\users\Lake\SYSTEM\directx\Dinput\SV-262e4.png
c:\users\Lake\SYSTEM\directx\Dinput\sv2511.png
c:\users\Lake\SYSTEM\directx\Dinput\sv2512.png
c:\users\Lake\SYSTEM\FFASTLOG.TXT
c:\users\Lake\SYSTEM\fRpcs.Dat
c:\users\Lake\SYSTEM\HPF99001.DAT
c:\users\Lake\SYSTEM\HPOF1607.DAT
c:\users\Lake\SYSTEM\HPOP1607.DAT
c:\users\Lake\SYSTEM\license.txt
c:\users\Lake\SYSTEM\MACROMED\DIRECTOR\Prefs\EC.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\Prefs\Mid_defender.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\Prefs\Mid_joust.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\Prefs\Mid_rampage.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\Prefs\Mid_spyhunter.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\Prefs\sm_hub_user1.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\SwLogo.bmp
c:\users\Lake\SYSTEM\MEMBG.HTM
c:\users\Lake\SYSTEM\MLANG.DAT
c:\users\Lake\SYSTEM\MSAAP.XLA
c:\users\Lake\SYSTEM\OEMLOGO.BMP
c:\users\Lake\SYSTEM\pdbrowse.bmp
c:\users\Lake\SYSTEM\R_DHK_IPDLC_NOMEM.csv
c:\users\Lake\SYSTEM\R_DK_IPDLC_ALL.csv
c:\users\Lake\SYSTEM\R_DK_PCL5E_300.csv
c:\users\Lake\SYSTEM\R_DK_PCL5E_600.csv
c:\users\Lake\SYSTEM\R_DK_PCLXL_1200_11.csv
c:\users\Lake\SYSTEM\R_DK_PCLXL_600_11.csv
c:\users\Lake\SYSTEM\R_DK_RPCS_ALL.csv
c:\users\Lake\SYSTEM\R_DK_RPDL_1200.csv
c:\users\Lake\SYSTEM\R_DK_RPDL_400.csv
c:\users\Lake\SYSTEM\R_DK_RPDL_600.csv
c:\users\Lake\SYSTEM\R_HK_IPDLC_ALL.csv
c:\users\Lake\SYSTEM\R_HK_PCL5E_300.csv
c:\users\Lake\SYSTEM\R_HK_PCL5E_600.csv
c:\users\Lake\SYSTEM\R_HK_PCLXL_1200_11.csv
c:\users\Lake\SYSTEM\R_HK_PCLXL_600_11.csv
c:\users\Lake\SYSTEM\R_HK_RPCS_ALL.csv
c:\users\Lake\SYSTEM\R_HK_RPDL_1200.csv
c:\users\Lake\SYSTEM\R_HK_RPDL_400.csv
c:\users\Lake\SYSTEM\R_HK_RPDL_600.csv
c:\users\Lake\SYSTEM\RC87E171.RSB
c:\users\Lake\SYSTEM\REDIRECT.MOD
c:\users\Lake\SYSTEM\rpnvwait.avi
c:\users\Lake\SYSTEM\RSACI.RAT
c:\users\Lake\SYSTEM\SBFM20.XLA
c:\users\Lake\SYSTEM\Show Desktop.scf
c:\users\Lake\SYSTEM\SPBANNER.WMF
c:\users\Lake\SYSTEM\TESTPS.TXT
c:\users\Lake\SYSTEM\View Channels.scf
c:\users\Lake\SYSTEM\WBEM\REPOSITORY\CIM.REP
c:\users\Lake\SYSTEM\WINOA386.MOD
c:\users\Lake\SYSTEM\wmpscheme.xml
c:\windows\patch.exe
c:\windows\system32\bszip.dll
c:\windows\system32\jgaw400.dll
c:\windows\system32\sfcfiles.dll
c:\windows\system32\gotomon.log . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-05-02 to 2010-06-02 )))))))))))))))))))))))))))))))
.

2010-06-02 18:35 . 2010-06-02 18:35 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2010-06-02 18:35 . 2010-06-02 18:35 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2010-06-02 18:34 . 2010-06-02 18:38 -------- d-----w- c:\users\Lake\AppData\Local\temp
2010-06-02 18:34 . 2010-06-02 18:36 -------- d-----w- c:\windows\ServiceProfiles\LocalService\AppData\Local\temp
2010-06-02 18:34 . 2010-06-02 18:34 -------- d-----w- c:\windows\ServiceProfiles\NetworkService\AppData\Local\temp
2010-06-02 18:34 . 2010-06-02 18:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-01 14:35 . 2010-06-01 14:41 33792 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2010-05-31 22:59 . 2010-05-31 22:59 93056 ----a-w- C:\pxldapow.sys
2010-05-29 04:22 . 2010-05-29 04:22 -------- d-----w- c:\programdata\WindowsSearch
2010-05-27 22:58 . 2010-05-28 00:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-27 22:58 . 2010-05-27 22:58 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 22:11 . 2010-05-27 22:11 -------- d-----w- c:\program files\Trend Micro
2010-05-27 16:12 . 2010-05-28 20:13 -------- d-----w- c:\users\Lake\AppData\Local\Adobe
2010-05-27 16:12 . 2010-05-27 16:12 -------- d-----w- c:\users\Lake\AppData\Roaming\Malwarebytes
2010-05-27 16:11 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-27 16:11 . 2010-05-27 16:11 -------- d-----w- c:\programdata\Malwarebytes
2010-05-27 16:11 . 2010-05-27 16:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 16:11 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 08:14 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-12 12:46 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-02 18:34 . 2007-10-26 19:12 12 ----a-w- c:\windows\bthservsdp.dat
2010-06-02 18:16 . 2008-07-11 12:47 848 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-02 18:16 . 2008-07-11 12:47 848 --sha-w- c:\programdata\KGyGaAvL.sys
2010-06-02 18:16 . 2008-05-19 18:38 -------- d-----w- c:\users\Lake\AppData\Roaming\Dropbox
2010-06-01 23:54 . 2007-10-26 01:56 -------- d-----w- c:\programdata\Google Updater
2010-06-01 21:40 . 2007-10-18 16:23 -------- d-----w- c:\programdata\McAfee
2010-06-01 19:17 . 2007-10-18 16:31 -------- d-----w- c:\programdata\FLEXnet
2010-05-27 22:11 . 2010-05-27 22:11 388096 ----a-r- c:\users\Lake\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-12 15:41 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-12 15:41 . 2007-10-18 16:18 -------- d-----w- c:\programdata\Microsoft Help
2010-05-10 21:35 . 2010-05-10 21:35 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-04-30 23:43 . 2007-10-18 16:12 -------- d-----w- c:\program files\Java
2010-04-14 18:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-04-14 18:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-04-14 18:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-04-14 18:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-04-14 18:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-04-14 18:24 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-04-14 18:03 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-04-14 18:03 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-04-12 22:29 . 2010-04-30 23:44 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-06 18:26 . 2007-10-26 01:20 -------- d-----w- c:\program files\Picasa2
2010-03-26 15:33 . 2010-04-30 15:37 1496064 ----a-w- c:\users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 15:33 . 2010-04-30 15:37 43008 ----a-w- c:\users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 15:33 . 2010-04-30 15:37 339456 ----a-w- c:\users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 15:32 . 2010-04-30 15:37 346112 ----a-w- c:\users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-17 16:35 . 2010-05-21 00:03 309248 ----a-w- c:\users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
2010-03-05 14:01 . 2010-04-14 00:43 420352 ----a-w- c:\windows\system32\vbscript.dll
2007-10-18 23:46 . 2007-10-18 23:38 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

------- Sigcheck -------

[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\System32\msgsvc.dll

[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\System32\mspmsnsv.dll
[-] 2006-10-19 02:47 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\System32\dllcache\mspmsnsv.dll
[-] 2005-01-28 18:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2004-08-04 10:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2004-08-04 10:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\System32\ntmssvc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Lake\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Lake\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Lake\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-05 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [2010-04-02 46520]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-09-30 258856]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2008-02-21 9728]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2008-02-21 393216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [2010-04-02 738776]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-07-10 405504]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-08 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-08 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-08 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"PCmover CookieMerge"="c:\program files\Laplink\PCmover\CookieMerge.exe" [2007-09-25 42288]

c:\users\Lake\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Lake\AppData\Roaming\Dropbox\bin\dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-04-02 10:24 624056 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Popup]
2006-08-15 20:00 77920 ----a-r- c:\program files\Dell SAS RAID Storage Manager\MegaPopup\popup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartUp This]
2007-09-25 13:38 247088 ----a-w- c:\program files\Laplink\PCmover\LaunchSt.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 135664]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 b57nd60x;%SvcDispName%;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-19 179712]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-06-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-05 09:42]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 17:36]

2010-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 17:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.southernlandco.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = 
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\users\Lake\AppData\Roaming\Mozilla\Firefox\Profiles\x41ryv0f.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-M928366 - c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 13:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-699737960-2040937608-1441885375-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"DisplayName"="Microsoft ActiveSync"
"Name"="ActiveSync"
"Order"=dword:00000000
"Param1"="ActiveSync"
"State"=dword:0000000b
"Type"="wellknown"

[HKEY_USERS\S-1-5-21-699737960-2040937608-1441885375-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Order"=dword:00000003
"State"=dword:0000000b
"Type"="IESettings"

[HKEY_USERS\S-1-5-21-699737960-2040937608-1441885375-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Order"=dword:00000002
"State"=dword:0000000b
"Type"="MediaFiles"

[HKEY_USERS\S-1-5-21-699737960-2040937608-1441885375-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Order"=dword:00000001
"Param1"="NPW"
"State"=dword:0000000b
"Type"="wellknown"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2912)
c:\users\Lake\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\common files\protexis\license service\psiservice_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\STacSV.exe
c:\program files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
c:\program files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-06-02 13:46:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-02 18:46

Pre-Run: 216,786,419,712 bytes free
Post-Run: 216,992,894,976 bytes free

- - End Of File - - FA30ADD5C8FF6E6878742E54299B028B


----------



## CatByte (Feb 24, 2009)

Hi,

ComboFix has targeted files in unusual directories

what can you tell me about these?

*c:\users\Lake\MEDIA*
*c:\users\Lake\SYSTEM*

Did you make up these paths and create these directories yourself?

I'd like to get an analysis on a random sampling of those files, just to make certain they are false positives, then I can dequarantine them.

Please do the following:


Please go to  VirSCAN.org FREE on-line scan service
Copy and paste the following file path into the *"Suspicious files to scan"* box on the top of the page:

*c:\qoobox\quarantine\c\windows\system32\sfcfiles.dll.vir*
Click on the *Upload* button
If a pop-up appears saying the file has been scanned already, please select the *ReScan* button.
Once the Scan is completed, click on the "*Copy to Clipboard*" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Please do the same for the following files:

*c:\qoobox\quarantine\c\users\Lake\MEDIA\Beethoven's Fur Elise.rmi.vir*

*c:\qoobox\quarantine\c\windows\patch.exe.vir*

*c:\qoobox\quarantine\c\windows\system32\gotomon.log.vir*

*c:\qoobox\quarantine\c\users\Lake\SYSTEM\rpnvwait.avi.vir*


----------



## Zigg (May 27, 2010)

VirSCAN.org Scanned Report :
Scanned time : 2010/06/02 18:39:09 (CDT)
Scanner results: Scanners did not find malware!
File Name : sfcfiles.dll.vir
File Size : 1580544 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 30a609e00bd1d4ffc49d6b5a432be7f2
SHA1 : 00fca7c88ff368f68d6184d6a2811d2d230f1536
Online report : http://virscan.org/report/2ba40393fe26dc1791956c9867033310.html



----------



## Zigg (May 27, 2010)

VirSCAN.org Scanned Report :
Scanned time : 2010/06/02 18:42:16 (CDT)
Scanner results: Scanners did not find malware!
File Name : Beethoven's Fur Elise.rmi.vir
File Size : 21312 byte
File Type : RIFF (little-endian) data, MIDI
MD5 : b1315ffca727f186652ffce7066d8445
SHA1 : 50624efe549d3c08753e1fa0db87ea6289daff7e
Online report : http://virscan.org/report/d1b7eac20f44cb24672e5d01ce87d7f3.html




----------



## Zigg (May 27, 2010)

VirSCAN.org Scanned Report :
Scanned time : 2010/06/02 18:45:12 (CDT)
Scanner results: Scanners did not find malware!
File Name : PATCH.EXE.vir
File Size : 286720 byte
File Type : PE32 executable for MS Windows (console) Intel 80386 32-bit
MD5 : 19e73d5a247129160e27637328803475
SHA1 : c2df5522ed494c66124f881db54e654d72d908ee
Online report : http://virscan.org/report/5b6187647a1003e58f4d206a058f9cfc.html



----------



## Zigg (May 27, 2010)

*THIS ONE IS THE LAST ON THE LIST... SKIPPED THE ONE BEFORE IT CAUSE IT COULD NOT FIND IT (ZIPPED FILE)*

VirSCAN.org Scanned Report :
Scanned time : 2010/06/02 18:50:03 (CDT)
Scanner results: Scanners did not find malware!
File Name : rpnvwait.avi.vir
File Size : 292352 byte
File Type : RIFF (little-endian) data, AVI, 400 x 90, 8.00 fps, video
MD5 : c3e07a0bc6b2802d5797f444d5c84cde
SHA1 : 7b9f9e922d326289f8567679575c58c25fae9178
Online report : http://virscan.org/report/1fcb1b107d7449e90210461ecebd77b0.html



----------



## Zigg (May 27, 2010)

*c:\qoobox\quarantine\c\windows\system32\gotomon.log.vir*

I'm having trouble with this one... Saw a gotomon file but it was zipped... now I can't seem to paste on the VirScan.org webpage.

*ADD/EDIT:* OK this is a zipped file 698 bytes modified today 6/2/2010 at 1:36 pm...
I was doing the ComboFix around then.


----------



## CatByte (Feb 24, 2009)

Hi,

what can you tell me about those folders?

Did you create them yourself and choose that path for them?


----------



## Zigg (May 27, 2010)

*c:\users\Lake\MEDIA
c:\users\Lake\SYSTEM*

I don't recognize... Did not "personally" create those...


----------



## CatByte (Feb 24, 2009)

what about the files within those folders....look at the deleted items in the ComboFix log...

do you recognize any of those files? what program created them?

Any idea where they came from?


----------



## Zigg (May 27, 2010)

I've been looking through them... I'm dealing with an AT&T U-verse install right now...
Maybe later this evening or tomorrow before I get a response to you... Some of them are only slightly familiar. I hope it's not too frustrating that "I don't know what I have" -but I'd like to clean house.


----------



## CatByte (Feb 24, 2009)

I would appreciate if you could tell me if you downloaded those files, or what program may have added them, or how those directories came to be created

thanks


----------



## Zigg (May 27, 2010)

A "guess" would be a program called PCmover from when I purchased a new desktop and migrated my files from the old one to the new one... 
Other than that I do not know. I certainly did not physically make those files... 
Or it could be from when I synced my Samsung Blackjack and Blackjack 2 cell phone up... 
Fur Elise and Mozart were music files that I was trying to use for a ring tone.

The zipped "gotomon" file has me puzzled... The file was modified around the time I was performing the ComboFix scan. 
Is this something that I should be concerned about?
My 'puter is still running naked with no protections on right now... but it is a lot faster.


----------



## CatByte (Feb 24, 2009)

Hi,

Do you wish to keep McAfee? If not I can recommend an excellent free antivirus for you.

Please do not surf the internet till an antivirus is reinstalled;

Please do the following:

Note: If comboFix requests to update, please allow it to do so.


*Very Important!* Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click *Start > Run* type *Notepad* click *OK.*
This will open an empty notepad file:

*Copy* all the text *inside of the code box - Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
FileLook::
c:\windows\system32\gotomon.log 

RESTORE::
c:\windows\System32\msgsvc.dll
c:\windows\System32\mspmsnsv.dll
c:\windows\System32\ntmssvc.dll

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\File Exts]
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')

*Save this file to your desktop, Save this as "CFScript"*

Here's how to do that:

1. Click *File;*
2. Click *Save As...* Change the directory to your *desktop;*
3. Change the *Save as type* to *"All Files";*
4. Type in the file name: *CFScript*
5. Click *Save* ...

(screenshot not reproduced)

Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.
*Copy and paste the contents of the log in your next reply.*

*CAUTION: Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.


----------



## Zigg (May 27, 2010)

Rats!... Combo's hanging up again. 
Defender and Firewall, and S&D were still turned off from before, I tried to go back and see if I could toggle the Script thing again -but I couldn't get to it because they were off (before there was a check box list with that on it)... I can't remember where I saw it.


----------



## CatByte (Feb 24, 2009)

Try running it in safe mode.


----------



## Zigg (May 27, 2010)

Hi,
Been on the farm all weekend -NOWHERE near the computer!...
After trying, I just shut it down for the weekend. 

After our last correspondence, I tried several times to run CF last Friday... The last 2 times in Safemode... It tried to get somewhere in Safemode (I think to scanning), but it definitely got hung up again...

Keep in mind that I've seen the ComboFix program work now, so I'm not being premature on calling it "hung Up"... I've walked away from the computer for several minutes allowing it to run with NO other program or mouse interruption... When the hard drive light goes dormant for 10 to 15 minutes (or longer) after I've let it run... I know it's hung up.

Also, the last time it ran successfully, it was not in Safemode.


----------



## CatByte (Feb 24, 2009)

OK, Let's move on, we can return to ComboFix

please do the following:


Open your *Malwarebytes' Anti-Malware* program and select the *update tab*, select *update now*
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so.*

*NEXT*

Using Internet Explorer or Firefox, visit *Kaspersky Online Scanner*:
*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.
*2.* To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan
*3.* Click *Run* at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
Once the update is complete, click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View scan report* at the bottom.

Click the *Save as Text* button to save the file to your desktop so that you may post it in your next reply


----------



## Zigg (May 27, 2010)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4177

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18904

6/7/2010 6:05:15 PM
mbam-log-2010-06-07 (18-05-15).txt

Scan type: Quick scan
Objects scanned: 156381
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

*^^^^^^^^MBAM FOUND NOTHING*

K, with Kaspersky online Scanner - I gotta *Java Security Warning* saying that Kaspersky needed an earlier version of JAVA... 
I'm just suspicious since I think I have some kind of "Java hacked Trojan thingy"

What's your take?... I canceled the scan (until I hear from you).


----------



## CatByte (Feb 24, 2009)

Hi

That generally happens when Java isn't enabled.


Hold down the *Windows key* and press *R* to open a run box
type the following text into the run box
*appwiz.cpl*
This will open your *Programs And Features*
A list of installed programs will populate

*Remove* the following programs:

*Java(TM) SE Runtime Environment 6*
*Java(TM) SE Runtime Environment 6 Update 1*
*Java(TM) 6 Update 2*
*Java 2 Runtime Environment, SE v1.4.2_03*

Leave *Java(TM) 6 Update 20* in place as that is the current version.

*NEXT*

to enable Java do the following:

In I.E.

Go to *Tools* > *Internet Options* > *Advanced tab.*
Click *Reset* then *OK* and exit IE.
Re-open IE and ensure the Java add-ons are *enabled.*

In FireFox:

Open *Firefox.*
At the top of the Firefox window on the menu bar, click on the *Tools* menu, and select *Options*
Select the *Content* tab.
Make sure that *Enable Java* is selected.

If that makes no difference to Kaspersky, please try the following scan:

*Vista users - right click on the IE icon and run as administrator*

Go *here* to run an online scanner from *ESET.*

*Note:* You will need to use *Internet explorer* for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
When asked, allow the activeX control to install
Click *Start*
Make sure that the option *Remove found threats* is unticked and the *Scan Archives* option is ticked.
Click on Advanced Settings, ensure the options *Scan for potentially unwanted applications*, *Scan for potentially unsafe applications*, and *Enable Anti-Stealth Technology* are ticked.
Click *Scan*
Wait for the scan to finish
Use *notepad* to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic and also let me know how things are now.


----------



## Zigg (May 27, 2010)

Hi, before I do this, I also had some concerns about some add-ons in Firefox:
I will start the process, but here's a look:
*FIREFOX ADD-ONS:*
IE Tab 2 (FF3.6+) 2.5.10.1
MS.NET Framework Assistant 1.2.1
Java Console 6.0.01.02
^^^ 6.0.10
^^^ 6.0.12
^^^6.0.15
^^^6.0.17
^^^6.0.02.03
^^^6.0.19
^^^6.0.20


----------



## CatByte (Feb 24, 2009)

yes all those can go except the most recent

^^^6.0.20


----------



## Zigg (May 27, 2010)

OK, In FireFox I only see "Enable Java Script" (which is checked) -I do NOT see "Enable Java"

In I.E. manage add-ons, under Sun Microsystems I only see:
SSVHelper Class (disabled)
Java(tm) Plug-In 2 SSV Helper (disabled)
both filed 4/12/2010 at 6:44pm (both Version 6.0.200.2)

*UPDATE: I have Kasper running now*


----------



## CatByte (Feb 24, 2009)

OK, good


----------



## Zigg (May 27, 2010)

ZMG!... 2hrs and only 30% scanned... It's finding some stuff though.
Remind me to get rid of all my Zip files...


----------



## Zigg (May 27, 2010)

And 4 hours later:

KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, June 8, 2010
Operating system: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, June 08, 2010 14:21:23
Records in database: 4212547
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 250768
Threats found: 13
Infected objects found: 36
Suspicious objects found: 5
Scan duration: 04:32:35


File name / Threat / Threats count
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Contacts w No Address.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 12
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 5
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn 1
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Email Contacts.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Mail\Folder1.mbx Infected: Email-Worm.VBS.KakWorm 1
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Mail\Inbox.mbx Infected: Email-Worm.VBS.KakWorm 2
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Mail\Sent Items.mbx Infected: Email-Worm.VBS.KakWorm 1
C:\Users\Lake\AppData\Local\Identities\{41C76100-5FE6-11D5-9DCC-0050BAE590E4}\Microsoft\Outlook Express\Sent Items.dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\1f29cc41-17a76e59 Infected: Trojan-Downloader.Java.OpenStream.ae 1
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\5a3d7b8a-79ff06b3 Infected: Trojan-Downloader.Java.Agent.af 1
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\20bdd891-561f5437 Infected: Exploit.Java.Agent.s 3
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\4f493191-1e49039d Infected: Exploit.Java.Agent.f 1
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\4f493191-1e49039d Infected: Trojan-Downloader.Java.Agent.cd 1
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\4f493191-1e49039d Infected: Trojan-Downloader.Java.OpenStream.al 1
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\1f3f8202-48862555 Infected: Exploit.Java.Agent.f 1
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\d188a2c-3ca1f522 Infected: Trojan-Downloader.Java.Agent.af 1
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\53d361fc-6a5229c1 Infected: Trojan-Downloader.Java.Agent.eo 1
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\53d361fc-6a5229c1 Infected: Exploit.Java.Agent.t 1
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\53d361fc-6a5229c1 Infected: Trojan-Downloader.Java.Agent.ep 1
C:\Windows\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Email-Worm.VBS.KakWorm 3

Selected area has been scanned.


----------



## CatByte (Feb 24, 2009)

Hi,

Take a look at the files located in these folders:
*c:\users\Lake\MEDIA
c:\users\Lake\SYSTEM*

They were originally deleted by ComboFix, as the path is unusual, probably created by the phone sync.

The log is in this post here
http://forums.techguy.org/7422855-post25.html

If there are files there that you wish to keep I will need to dequarantine those folders, please let me know,

The items found by Kaspersky are primarily in your email.

Unfortunately, Kaspersky cannot pinpoint which particular emails are infected, so delete everything from anyone you don't know, those that contain attachments such as jokes or videos, old mail you no longer need, or items of no importance, empty the sent items folder, and the trash.

The other items are in your Java cache.

make certain you have the most up to date Java and older versions are all removed and Java cache is empty.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'. 
On the General tab, under Temporary Internet Files, click the *Settings* button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - *Leave BOTH Checked*

*Applications and Applets
Trace and Log Files*

Click OK on Delete Temporary Files Window
*Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.*
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

*NEXT*

Visit *ADOBE* and download the latest version of Acrobat Reader (version 9.3)
Having the latest updates ensures there are no security vulnerabilities in your system.

let me know about those folders,

once that is done, we can clean up all our tools
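A small triage script for a Kaspersky Online Scanner 7.0 report like the one posted above, added here as an example (it is not part of the thread and not a Kaspersky tool): it parses the "File name / Threat / Threats count" lines, buckets each finding the way CatByte does by hand (mail stores to prune vs. the Java deployment cache to empty), and recomputes the "Scan statistics" totals to confirm the pasted report is internally consistent. The embedded report excerpt is constructed in the layout of the thread's report, with the Outlook Express identity GUID replaced by a placeholder.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    path: str
    status: str   # "Infected" or "Suspicious"
    threat: str   # scanner verdict, e.g. Email-Worm.VBS.KakWorm
    count: int    # objects matched inside that file (e.g. messages in a .dbx)


# One report line is "<path> Infected: <threat> <count>"; the path may contain
# spaces, so it is matched lazily up to the status keyword.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)
STAT_RE = re.compile(
    r"^(?P<key>Objects scanned|Threats found|Infected objects found|"
    r"Suspicious objects found): (?P<value>\d+)$"
)

# Where a finding lives decides the cleanup: mail stores need the offending
# messages deleted, the Java deployment cache is simply emptied.
MAIL_STORE_EXTENSIONS = (".dbx", ".mbx", ".pst")
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"

# Constructed excerpt in the layout of the report posted in the thread. The
# identity GUID is a placeholder and the counts are made up but consistent.
SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER 7.0: scan report
Scan statistics:
Objects scanned: 250768
Threats found: 5
Infected objects found: 22
Suspicious objects found: 5
Scan duration: 04:32:35

File name / Threat / Threats count
C:\Users\Lake\AppData\Local\Identities\{IDENTITY-GUID}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.NetSky.q 12
C:\Users\Lake\AppData\Local\Identities\{IDENTITY-GUID}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 5
C:\Users\Lake\AppData\Local\Identities\{IDENTITY-GUID}\Microsoft\Outlook Express\Mail\Inbox.mbx Infected: Email-Worm.VBS.KakWorm 2
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\20bdd891-561f5437 Infected: Exploit.Java.Agent.s 3
C:\Users\Lake\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\10\5a3d7b8a-79ff06b3 Infected: Trojan-Downloader.Java.Agent.af 1
C:\Windows\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Email-Worm.VBS.KakWorm 3
D:\old-backup\mail-attachments.zip Infected: Email-Worm.Win32.NetSky.q 1

Selected area has been scanned.
"""


def classify(path: str) -> str:
    """Bucket a flagged path by the cleanup action it needs."""
    p = path.lower()
    if JAVA_CACHE_MARKER in p:
        return "java-cache"
    if p.endswith(MAIL_STORE_EXTENSIONS):
        return "mail-store"
    return "other"


def parse_report(text: str) -> Tuple[Dict[str, int], List[Finding]]:
    """Return the scanner's own statistics block and the per-file findings."""
    stats: Dict[str, int] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m.group("key")] = int(m.group("value"))
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m.group("path"), m.group("status"),
                                    m.group("threat"), int(m.group("count"))))
    return stats, findings


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, object]]:
    """Per bucket: number of flagged objects and the distinct verdict names."""
    objects: Dict[str, int] = defaultdict(int)
    threats: Dict[str, set] = defaultdict(set)
    for f in findings:
        bucket = classify(f.path)
        objects[bucket] += f.count
        threats[bucket].add(f.threat)
    return {b: {"objects": objects[b], "threats": sorted(threats[b])} for b in objects}


def check_statistics(stats: Dict[str, int], findings: List[Finding]) -> Dict[str, Tuple]:
    """Recompute the header totals from the finding lines. Kaspersky counts
    'Threats found' as distinct verdict names and the object totals as the sum
    of the per-line counts (the thread's report: 13, 36 and 5). An empty
    result means nothing was lost in the copy/paste."""
    computed = {
        "Threats found": len({f.threat for f in findings}),
        "Infected objects found": sum(f.count for f in findings if f.status == "Infected"),
        "Suspicious objects found": sum(f.count for f in findings if f.status == "Suspicious"),
    }
    return {k: (stats.get(k), v) for k, v in computed.items() if stats.get(k) != v}


if __name__ == "__main__":
    header, found = parse_report(SAMPLE_REPORT)
    for bucket, info in summarize(found).items():
        print(f"{bucket:10s} {info['objects']:3d} objects  {', '.join(info['threats'])}")
    print("header mismatches:", check_statistics(header, found) or "none")
```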


----------



## Zigg (May 27, 2010)

I googled one of the lines from my ComboFix log and found some similarities in another person's log...
There are similar files in both system and media.
I am curious... What's your take on it?

The link is here: http://www.bleepingcomputer.com/forums/topic319253.html
But I will post their log under here so you don't have to dig (and you can pull my log in another window and compare)

Also recall playing some online shockwave games maybe here:
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\Prefs\Mid_defender.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\Prefs\Mid_joust.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\Prefs\Mid_rampage.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\Prefs\Mid_spyhunter.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\Prefs\sm_hub_user1.txt
c:\users\Lake\SYSTEM\MACROMED\Shockwave 8\SwLogo.bmp

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

*Begin other person's log:*
Hi Tom,
Thank you very much for your help. I ran ComboFix as requested. There were some problems, apparently some corrupted and unreadable files and I received an error message telling me to run the chkdsk utility. I was posting back to find out if I should do that when ComboFix kicked in and did it itself. It said the drive was dirty, but apparently was able to fix whatever was wrong. Also, I was able to complete the ESET Online Scan yesterday (took forever and I had to babysit with the Task Manager and keep shutting down processes to keep from hanging). It found 2 infected files, but I think they were old and it did nothing to help the problem. Said it was probably variant of Win 32/Agent trojan and Win 32/Adware.SpywareProtect2009 application. The files were System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP843\A0117412.exe and System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP845\A0117784.exe.
Here is my ComboFix log:

ComboFix 10-05-28.08 - Christine Hageman 05/29/2010 12:50:45.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.156 [GMT -4:00]
Running from: c:\documents and settings\Christine Hageman\Desktop\schrauber.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

*c:\documents and settings\Larry Hageman\MEDIA
c:\documents and settings\Larry Hageman\MEDIA\Bach's Brandenburg Concerto No. 3.rmi
c:\documents and settings\Larry Hageman\MEDIA\Beethoven's 5th Symphony.rmi
c:\documents and settings\Larry Hageman\MEDIA\Beethoven's Fur Elise.rmi
c:\documents and settings\Larry Hageman\MEDIA\CANYON.MID
c:\documents and settings\Larry Hageman\MEDIA\CHIMES.WAV
c:\documents and settings\Larry Hageman\MEDIA\Dance of the Sugar-Plum Fairy.rmi
c:\documents and settings\Larry Hageman\MEDIA\Debussy's Claire de Lune.rmi
c:\documents and settings\Larry Hageman\MEDIA\In the Hall of the Mountain King.rmi
c:\documents and settings\Larry Hageman\MEDIA\Jungle Close.wav
c:\documents and settings\Larry Hageman\MEDIA\Jungle Open.wav
c:\documents and settings\Larry Hageman\MEDIA\Mozart's Symphony No. 40.rmi
c:\documents and settings\Larry Hageman\MEDIA\Musica Close.wav
c:\documents and settings\Larry Hageman\MEDIA\Musica Open.wav
c:\documents and settings\Larry Hageman\MEDIA\PASSPORT.MID
c:\documents and settings\Larry Hageman\MEDIA\Robotz Close.wav
c:\documents and settings\Larry Hageman\MEDIA\Robotz Open.wav
c:\documents and settings\Larry Hageman\MEDIA\START.WAV
c:\documents and settings\Larry Hageman\MEDIA\TADA.WAV
c:\documents and settings\Larry Hageman\MEDIA\The Microsoft Sound.wav
c:\documents and settings\Larry Hageman\MEDIA\Utopia Close.wav
c:\documents and settings\Larry Hageman\MEDIA\Utopia Open.wav*
c:\documents and settings\Larry Hageman\SYSTEM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_514300.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_514400.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_572400.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_586900.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_589400.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_589500.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_589900.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_590900.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_591200.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_591300.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_591600.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_629000.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_638000.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_638100.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_690000.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_711400.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_716800.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_717500.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_730200.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_737500.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_741500.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_741900.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_1_789100.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_501700.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_505800.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_505900.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_507000.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_523500.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_578600.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_581100.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_586500.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_621700.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_623700.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_633700.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_643300.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_654100.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_690700.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_694300.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_746000.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_746700.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_747000.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_291_0_2_797900.GIF
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_507600.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_508100.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_554300.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_554600.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_599400.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_600200.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_600600.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_607200.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_613300.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_622800.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_651300.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_652800.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_665000.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_675700.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_676600.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_678100.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_690900.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_691900.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_693400.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_693600.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_693800.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_694800.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_700400.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_700500.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_700800.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_701000.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_701200.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_702500.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_707400.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_708800.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_711500.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_715200.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_730100.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_732100.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_732900.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_736000.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_743600.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_743700.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_743900.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_744700.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_745900.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_748300.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_748700.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_750300.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_750900.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_751100.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_751300.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_751400.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_751500.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_752100.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_757900.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_761900.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_764800.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_784000.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_789300.HTM
c:\documents and settings\Larry Hageman\SYSTEM\AdCache\B_791100.HTM
c:\documents and settings\Larry Hageman\SYSTEM\bma_read_hhog.txt
c:\documents and settings\Larry Hageman\SYSTEM\bma_read_seasons.txt
c:\documents and settings\Larry Hageman\SYSTEM\bma_read_thnksg.txt
c:\documents and settings\Larry Hageman\SYSTEM\d3d8caps.dat
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\act_rs.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\glmda.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\glmdiggp.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\gr3001.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\gr4001.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\gr4001_g.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\gr4003.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\gr4005.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ia3002_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ia3002_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\lgc202.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\lgc207.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\lgc209.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\lgc20a.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\lgc291.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b_01.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b_02.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b_03.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b_04.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b_05.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b_06.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b_07.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b_08.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b_09.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms1b_10.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms26.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms26_01.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms26_02.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms26_03.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms26_04.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms26_05.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms26_06.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms26_07.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms26_08.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms27.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms27_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms27_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms27_3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms27_4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms27_5.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms28.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms28_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms28_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms28_3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms28_4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms28_5.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms28_6.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms28_7.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms28_8.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms34.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms34_01.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms34_02.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms34_03.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms34_04.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms34_05.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms34_06.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms34_07.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms34_08.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms3b.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms3b_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms3b_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms3b_3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms3b_4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms3b_a.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms3b_c.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms3b_m.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms3b_t.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56_10.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56_3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56_4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56_5.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56_6.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56_7.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56_8.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms56_9.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6_10.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6_3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6_4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6_5.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6_6.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6_7.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6_8.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms6_9.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms7.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms7_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms7_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms7_3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms7_4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms7_5.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms7_6.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms7_7.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms7_8.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms7_9.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8_10.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8_3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8_4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8_5.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8_6.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8_7.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8_8.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\ms8_9.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse_10.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse_3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse_4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse_5.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse_6.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse_7.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse_8.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\mse_9.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f_10.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f_3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f_4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f_5.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f_6.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f_7.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f_8.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msf1f_9.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msprw.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msprw_1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msprw_2.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msprw_3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msprw_4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msprw_5.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msprw_6.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msprw_7.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\msprw_8.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\SV-262e1.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\SV-262e3.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\SV-262e4.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\sv2511.png
c:\documents and settings\Larry Hageman\SYSTEM\DirectX\Dinput\sv2512.png
c:\documents and settings\Larry Hageman\SYSTEM\FFASTLOG.TXT
c:\documents and settings\Larry Hageman\SYSTEM\HERCULES.BMP
c:\documents and settings\Larry Hageman\SYSTEM\HPFVLK06.DAT
c:\documents and settings\Larry Hageman\SYSTEM\K_16M.BMP
c:\documents and settings\Larry Hageman\SYSTEM\K_256.BMP
c:\documents and settings\Larry Hageman\SYSTEM\K_BOX.BMP
c:\documents and settings\Larry Hageman\SYSTEM\LICENSE.TXT
c:\documents and settings\Larry Hageman\SYSTEM\MACROMED\Shockwave 8\SwLogo.bmp
c:\documents and settings\Larry Hageman\SYSTEM\MEMBG.HTM
c:\documents and settings\Larry Hageman\SYSTEM\MLANG.DAT
c:\documents and settings\Larry Hageman\SYSTEM\MSOracle32Readme.txt
c:\documents and settings\Larry Hageman\SYSTEM\MyPicture.jpg
c:\documents and settings\Larry Hageman\SYSTEM\pstore.log
c:\documents and settings\Larry Hageman\SYSTEM\qtplugin.log
c:\documents and settings\Larry Hageman\SYSTEM\QuickTime\Uninstall.log
c:\documents and settings\Larry Hageman\SYSTEM\Show Desktop.scf
c:\documents and settings\Larry Hageman\SYSTEM\SQLSRDME.TXT
c:\documents and settings\Larry Hageman\SYSTEM\TAB_BMP.BMP
c:\documents and settings\Larry Hageman\SYSTEM\VFPODBC.TXT
c:\documents and settings\Larry Hageman\SYSTEM\View Channels.scf
c:\documents and settings\Larry Hageman\SYSTEM\WBEM\logs\cimom.log
c:\documents and settings\Larry Hageman\SYSTEM\WBEM\logs\FrameWork.LOG
c:\documents and settings\Larry Hageman\SYSTEM\WBEM\logs\wbemprox.log
c:\documents and settings\Larry Hageman\SYSTEM\WinAlign Report.txt
c:\windows\system\olepro32.dll
c:\windows\system32\VB40032.DLL
c:\windows\system32\winsusrm.dll


----------



## CatByte (Feb 24, 2009)

Hi,

I'm really not sure what could have created those folders,

I wouldn't mind getting a random sampling of them to have a look at them

run a few more of the random samples through VirusTotal as well, as they don't appear to be infected, but it's curious how they arrived on your system in the location for a folder that is targeted as malware

all the files are in c:\qoobox\quarantine

they will have a .vir extension.

could you upload a few of them here:

Please open this page in your browser:

http://www.bleepingcomputer.com/submit-malware.php?channel=22

Fill in the *link to topic* field with a link to this topic

Copy/paste the following into the *Browse to the file you want to submit* field:



> c:\qoobox\quarantine\c\users\Lake\SYSTEM\COLOR\C4306101.DAT.vir


Then press *Send File*, this will upload the file for analysis

choose a few others at random, just so I can see what they are exactly

Then upload a few more of those files for analysis here

submit a file to virustotal for analysis

Use the *browse button* on that page to navigate to the location of the file to be scanned.
In the *right hand panel*, 
click on the file *c:\qoobox\quarantine\c\users\Lake\SYSTEM\license.txt.vir*
then click the *open* button. 
The file will now be displayed in the *submit box.*
Scroll down a bit and click *"send file"*, wait for the results
If you get a message saying *File has already been analyzed:* click *Reanalyze file now*
Once scanned, copy and paste the link to the results page in your next reply.

Thanks
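A small triage script, added here as an example (it is mine, not something CatByte or any of the tools in this thread provide): before uploading quarantined files one at a time, it walks a quarantine directory, records each `.vir` file's size and SHA-256 (so a VirusTotal result page can later be matched to a file by hash), and identifies the file kind from its leading bytes. That separates plain text, PNG/GIF images and RIFF-based `.rmi` tunes from anything that actually starts with an MZ executable header. The directory, file names and contents below are constructed stand-ins for `c:\qoobox\quarantine`; none of them are the real files from this thread.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Leading-byte signatures for the kinds of file that appear in this thread's
# quarantine listing (PNG, GIF, RIFF-based .rmi, executables) plus ZIP/JAR.
MAGIC = [
    (b"MZ", "Windows PE executable (MZ header)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"RIFF", "RIFF container (e.g. .rmi MIDI, .wav)"),
    (b"PK\x03\x04", "ZIP archive (also .jar)"),
]


def sniff(header: bytes) -> str:
    """Classify a file by its first bytes, independent of its extension."""
    for magic, label in MAGIC:
        if header.startswith(magic):
            return label
    # Call it text only if every byte is printable ASCII or tab/CR/LF.
    if header and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in header):
        return "plain text"
    return "unknown binary"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(quarantine_dir: Path, suffix: str = ".vir") -> List[Dict]:
    """One record per quarantined file: original name, size, kind, SHA-256."""
    rows = []
    for p in sorted(quarantine_dir.rglob(f"*{suffix}")):
        if not p.is_file():
            continue
        with p.open("rb") as f:
            head = f.read(512)
        rows.append({
            "name": p.name,
            "original_name": p.name[:-len(suffix)],
            "size": p.stat().st_size,
            "kind": sniff(head),
            "sha256": sha256_of(p),
        })
    return rows


# Constructed sample quarantine: the names echo the thread's listing, but every
# byte of content here is made up for the demonstration.
SAMPLE_FILES = {
    "ms6_4.png.vir": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "Bach's Brandenburg Concerto No. 3.rmi.vir": b"RIFF\x10\x00\x00\x00RMIDdata",
    "Mid_joust.txt.vir": b"00000132: Lives per game\r\n00000149: Points needed for a bonus life\r\n",
    "EC.txt.vir": b"abc",
    "C4306101.DAT.vir": bytes(range(256)),
    "EMPTY.DAT.vir": b"",
    "stub.exe.vir": b"MZ\x90\x00" + b"This program cannot be run in DOS mode.",
}


def make_sample_quarantine() -> Path:
    """Create the constructed quarantine tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="qoobox_"))
    sub = root / "c" / "users" / "Lake" / "SYSTEM"
    sub.mkdir(parents=True)
    for name, data in SAMPLE_FILES.items():
        (sub / name).write_bytes(data)
    return root


def demo() -> List[Dict]:
    return triage(make_sample_quarantine())


if __name__ == "__main__":
    for r in demo():
        print(f"{r['kind']:<40} {r['size']:>6}  {r['sha256'][:16]}...  {r['original_name']}")
```

Point `triage()` at the real quarantine root instead of `make_sample_quarantine()` to get the same table for actual files; anything reported as an MZ executable is the item worth submitting first, while text and media files can be sampled as CatByte suggests.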


----------



## Zigg (May 27, 2010)

*bleepingcomputer:*
link to topic where this file was requested: (listed our thread) http://forums.techguy.org/virus-oth...-trojan-thingy-please-take-4.html#post7434868
Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

C4306101.DAT.vir
C4306301.DAT.vir
H7224101.DAT.vir
H7224301.DAT.vir
E7404301.DAT.vir
E8504101.DAT.vir
PCDOIDX.DAT.vir
BillClinton.7ls.vir
Bach's Brandenburg Concerto No. 3.rmi.vir
Mid_defender.txt.vir

*VirusTotal:* http://www.virustotal.com/analisis/...55a2e5ab98d23b44512c5335c669d298a0-1276101653
^^^^ I'm having trouble understanding how to navigate browser to get to the "other" random files you wanted me to upload at VirusTotal...
I had to copy and paste the above scan from the type in your post.
^^^^ Adapt and overcome VVVVV

*C4306101.DAT.vir* http://www.virustotal.com/analisis/...b0fa1fad0bcc107a343424edd83ccfe679-1276102782
*PCDOIDX.DAT.vir* http://www.virustotal.com/analisis/...86c84b668e7be9895f26a30946b5ea8c52-1276103217
*ms6_4.png.vir* http://www.virustotal.com/analisis/...2e12872527b0a191caf2134d80d785d078-1276103369
*BillClinton.7ls.vir* http://www.virustotal.com/analisis/...7f19b81322c6224c2d13e046ada4db5842-1276103486
*CIM.REP.vir* http://www.virustotal.com/analisis/...d280972ba33abcfa15ffc1e50111c4ee7c-1276103655
*Bach's Brandenburg Concerto No. 3.rmi.vir* http://www.virustotal.com/analisis/...91b8a2e45f0dfef3a0a6c034761e8f08ce-1276104146
*Beethoven_s_Fur_Elise.rmi.vir* http://www.virustotal.com/analisis/...584303d01a063328a0286bacbabf71fb47-1276104362
*Mid_joust.txt.vir* http://www.virustotal.com/analisis/...20e3fa4eb4c4772df2289c4f5a9819cd1c-1276104591
*EC.txt.vir* http://www.virustotal.com/analisis/...eab97578001ef6e807a97d84edf39b4da4-1276104703

Pheww!... 
Let me know if that's enough for a good look... I'm curious about what put those MEDIA files (Bach, Beethoven, etc.)


----------



## Zigg (May 27, 2010)

CatByte said:


> Hi
> 
> That generally happens when Java isn't enabled.
> 
> ...


Going back to this, I found:
J2SE Runtime Environment 5.0 Update 4
^^^ 6
^^^ 7
^^^ 9
^^^ 10
Then I see the java(TM) 6 Update 20 that we left earlier


----------



## CatByte (Feb 24, 2009)

Hi,

Remove all the java files from your computer except Java version 6 update 20 as that is the latest version:

The files do seem to be related to a game:

this was in one of the files:



> 00000132: Lives per game
> 00000149: Points needed for a bonus life


It appears to be the games data files or something, I wasn't able to find out what put them there or why, but they don't appear to be useful for anything, so they might as well stay deleted.

At least they aren't infections, but they appear to be clutter and no point leaving them on your PC

If you are happy with that and there are no outstanding issues, then we can clean up our tools

so let me know how the computer is running


----------



## Zigg (May 27, 2010)

Hey CB,
Thanks a bunch for your time!... You've taught me how to fish.
The computer has been running better faster since after the first Malwarebytes run... No hiccups.
Just need to do some more cleaning after 3+ years... 

I would like to hear your suggestions on anti virus software and checkup regimes.
as well as what I may need to get rid of (or keep) from the stuff we used for scanning.
Thanks,
Z


----------



## CatByte (Feb 24, 2009)

hi

Please do the following;

ComboFix did delete one file that is important to keep, so needs to be dequarantined.


*Very Important!* Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click *Start > Run* type *Notepad* click *OK.*
This will open an empty notepad file:

*Copy* all the text *inside of the code box - Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
DeQuarantine::
c:\qoobox\quarantine\c\windows\system32\sfcfiles.dll.vir

Quit::
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')

*Save this file to your desktop, Save this as "CFScript"*

Here's how to do that:

1.Click *File;*
2.Click *Save As...* Change the directory to your *desktop;*
3.Change the *Save as type* to *"All Files";*
4.Type in the file name: *CFScript*
5.Click *Save* ...

 Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
 ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
 When finished, it shall produce a log for you. 
 *Copy and paste the contents of the log in your next reply.*

*CAUTION: Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.

*NEXT*

As long as the above scan executes correctly then continue on with the following (you will not get a full log just a note showing the files have been dequarantined and replaced back to the system32 folder)

You can delete the *DDS* and *GMER* folders from your desktop.

*NEXT*

*Follow these steps to uninstall Combofix*
Make sure your security programs are totally disabled. 
Click *START* then *RUN* 
Now copy/paste *Combofix /uninstall* into the *runbox* and click *OK.* Note the *space* between the *..X* and the */U,* it needs to be there.

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via  PayPal.

*NEXT*

Clean up with *OTL*

Double-click *OTL.exe* to start the program. 
Close all other programs apart from *OTL * as this step will require a reboot 
On the *OTL* main screen, press the *CLEANUP* button 
Say *Yes* to the prompt and then allow the program to *reboot* your computer.

*If there are any logs/tools remaining > right click and delete them.*

*NEXT*

Below I have included a number of recommendations for how to protect your computer against malware infections.


It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article 
*Strong passwords: How to create and use them* Then consider a * password keeper,* to keep all your passwords safe.

Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/

This will ensure your computer has always the latest security updates available installed on your computer.

*Make Internet Explorer more secure *
Click *Start > Run *
Type *Inetcpl.cpl* & click *OK *
Click on the *Security* tab 
Click *Reset all zones to default level* 
Make sure the *Internet Zone* is selected & Click *Custom level *
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable". 
Next Click* OK,* then *Apply* button and then *OK* to exit the Internet Properties page.

*Download TFC to your desktop*
Close any open windows. 
Double click the *TFC* icon to run the program 
TFC *will close all open programs itself* in order to run, 
Click the *Start* button to begin the process. 
Allow *TFC* to run uninterrupted. 
The program should not take long to finish its job 
Once it's finished it should automatically *reboot your machine,*
if it doesn't, manually reboot to ensure a complete clean 
*It's normal after running TFC cleaner that the PC will be slower to boot the first time. *



* WOT,* Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
*Green* to go
*Yellow* for caution 
*Red* to stop 
WOT has an addon available for both Firefox and IE

* Keep a backup of your important files *- Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

 * ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
* Think Prevention.*
*PC Safety and Security--What Do I Need?.* 

*Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.*

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.


----------



## Zigg (May 27, 2010)

Hi,
I've been trying, but I'm still having an issue with CF hanging up... It's not getting past "trying to create restore point".

I checked and windows firewall and defender and both are off... and S&D should still be off from the time before...
It puzzles me that I've only had it run successfully once...


----------



## CatByte (Feb 24, 2009)

Try running it in safe mode and use the following command in a run box (Winkey + R)

*ComboFix "C:\Documents and Settings\User\Desktop\CFscript.txt"*


----------



## Zigg (May 27, 2010)

Can you give me a few more detailed baby steps?...
I don't understand how to drag and drop the file after CF is already open...
Or does typing (Winkey + R) take care of that...

When do I run the command box?... Before dragging the Script file to it?

Sorry for the confusion


----------



## CatByte (Feb 24, 2009)

Sorry, my fault for not explaining more clearly.

Boot into safe mode.

Do not open ComboFix at this time.

make sure the script is properly saved to your desktop

open a run box by pressing the Winkey + R > then copy / paste the command into that open run box > OK

ComboFix should then start automatically.

leave all other windows closed and allow ComboFix to run uninterrupted.

This dequarantine routine should only take a moment and you won't get a full log.

check to see if the file has been returned to its proper place first > it may have already been dequarantined

navigate to *c:\windows\system32 *see if the *sfcfiles.dll *is there


----------



## Zigg (May 27, 2010)

Tried to run it every which way... Made sure I had saved as CFSript.txt "All Files"
Tried to run it in safe mode through the run window... All it did was open the notepad.
tried dragging it again... CF still got hung up.

Checked the windows/system32: I saw sfc.dll, but NOT *sfcfiles.dll*


----------



## CatByte (Feb 24, 2009)

Ok

Let's do it this way then

Please download *OTM* by OldTimer. 

Save it to your *desktop*.
Please click *OTM* and then click >> *run. *
Copy the lines* inside the codebox* below to the clipboard by highlighting *ALL* of them and pressing *CTRL + C *(or, after highlighting, right-click and choose Copy):


```
:Files
C:\windows\system32\sfcfiles.dll | c:\qoobox\quarantine\c\windows\system32\sfcfiles.dll.vir/replace


:Commands
[resethosts]
[emptyflash]
[purity]
[emptytemp]
[Reboot]
```

Return to *OTM*, right click in the *"Paste Instructions for items to be Moved"* window (under the yellow bar) and choose *Paste.*
Click the red *Moveit!* button.
Copy everything in the *Results window* (under the green bar) to the clipboard by highlighting *ALL* of them and pressing *CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM
*Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.*


----------



## Zigg (May 27, 2010)

Hi,

Got a red "X" error: 
Invalid timeflag![replace]
must be numerical

tried in safemode... same thing
and explorer stopped working and froze both times


----------



## CatByte (Feb 24, 2009)

Hi,

Sorry,

It looks like I may have omitted a space in the command:

try pasting this in:


```
:Files
C:\windows\system32\sfcfiles.dll | c:\qoobox\quarantine\c\windows\system32\sfcfiles.dll.vir /replace


:Commands
[resethosts]
[emptyflash]
[purity]
[emptytemp]
[Reboot]
```
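As an added example (my own code, not OTM's and not anything posted in this thread), here is a small linter for the `:Files` / `:Commands` script format as it appears in the two OTM posts above. It catches exactly the defect CatByte spotted: a `/replace` switch glued to the quarantined path with no space in front of it, which OTM rejected with the "Invalid timeflag" error; it also checks that the quarantined copy's name matches the target it is meant to replace. The grammar it enforces is inferred only from the script lines on this page (the `target | source /switch` form and the bracketed commands), so the sets of known switches and commands are assumptions, not OTM's documented syntax.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Grammar inferred from the OTM scripts in this thread (an assumption, not
# OTM's documented syntax): ':Files' lines are 'target' or
# 'target | source /switch'; ':Commands' lines are '[name]'.
KNOWN_SWITCHES = {"replace"}
KNOWN_COMMANDS = {"resethosts", "emptyflash", "purity", "emptytemp", "reboot"}
QUARANTINE_SUFFIX = ".vir"

SWITCH_RE = re.compile(r"\s+/(\w+)")           # switch correctly separated by a space
GLUED_RE = re.compile(r"(?<=\S)/(\w+)\s*$")    # switch glued to the path, e.g. '.vir/replace'
COMMAND_RE = re.compile(r"\[(\w+)\]")


def _finding(line: int, level: str, msg: str) -> Dict:
    return {"line": line, "level": level, "msg": msg}


def check_files_line(lineno: int, line: str) -> List[Dict]:
    """Validate one ':Files' entry and return its findings (empty if clean)."""
    out: List[Dict] = []
    if "|" not in line:
        return out                       # bare path: nothing to cross-check
    target, _, source = (part.strip() for part in line.partition("|"))
    glued = GLUED_RE.search(source)
    if glued:
        out.append(_finding(lineno, "error",
                            f"'/{glued.group(1)}' is glued to the source path; "
                            "put a space before it"))
        return out                       # the rest of the line cannot be trusted
    switches = [s.lower() for s in SWITCH_RE.findall(source)]
    source_path = SWITCH_RE.sub("", source).strip()
    for s in switches:
        if s not in KNOWN_SWITCHES:
            out.append(_finding(lineno, "warning", f"unknown switch '/{s}'"))
    # The quarantined copy should carry the target's own name plus the .vir suffix.
    src_name = PureWindowsPath(source_path).name.lower()
    tgt_name = PureWindowsPath(target).name.lower()
    if src_name != tgt_name + QUARANTINE_SUFFIX:
        out.append(_finding(lineno, "warning",
                            f"source '{src_name}' is not the quarantined copy of '{tgt_name}'"))
    return out


def validate_otm_script(text: str) -> List[Dict]:
    """Return all findings for a script; an empty list means it passed."""
    findings: List[Dict] = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line[1:].lower()
            if section not in ("files", "commands"):
                findings.append(_finding(lineno, "error", f"unknown section ':{section}'"))
            continue
        if section == "files":
            findings.extend(check_files_line(lineno, line))
        elif section == "commands":
            m = COMMAND_RE.fullmatch(line)
            if not m or m.group(1).lower() not in KNOWN_COMMANDS:
                findings.append(_finding(lineno, "error", f"unrecognised command {line!r}"))
        else:
            findings.append(_finding(lineno, "error", "entry appears before any section header"))
    return findings


def insert_missing_space(text: str) -> str:
    """Repair glued switches on ':Files' lines, leaving everything else untouched."""
    fixed = []
    for raw in text.splitlines():
        if "|" in raw:
            raw = GLUED_RE.sub(lambda m: " /" + m.group(1), raw)
        fixed.append(raw)
    return "\n".join(fixed) + "\n"


# The script from this thread that OTM rejected, verbatim; FIXED_SCRIPT is the
# repaired form, which matches the corrected script CatByte posted.
BROKEN_SCRIPT = r""":Files
C:\windows\system32\sfcfiles.dll | c:\qoobox\quarantine\c\windows\system32\sfcfiles.dll.vir/replace


:Commands
[resethosts]
[emptyflash]
[purity]
[emptytemp]
[Reboot]
"""
FIXED_SCRIPT = insert_missing_space(BROKEN_SCRIPT)

if __name__ == "__main__":
    for f in validate_otm_script(BROKEN_SCRIPT):
        print(f"line {f['line']}: {f['level']}: {f['msg']}")
    print("repaired script passes:", validate_otm_script(FIXED_SCRIPT) == [])
```

Running a script through `validate_otm_script()` before pasting it into a tool that moves files around under `system32` is cheap; a glued switch or a mismatched quarantine name is caught as a line-numbered finding instead of as a frozen Explorer session.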


----------



## Zigg (May 27, 2010)

K, worked a lil bit before it got hung up... seems like explorer just takes a dive and locks up...
Looks like it got to emptytemp and reboot before it hung... I button pushed the shutdown.
Checked system32 folder for *sfcfiles.dll* and it was there.
Here's a cellphone pic of my screen...


----------



## CatByte (Feb 24, 2009)

Hi,

sounds like it worked before it hung up.

How is the computer running now.

Post a fresh DDS log and Attach.txt so I can make certain before you follow the final clean up steps


----------



## Zigg (May 27, 2010)

Sorry, but which program produces the DDS log?..
Also my 'puter is running better -except that the other day MS Outlook got funky... 
I had been powering off the computer after our sessions, but I accidentally left it powered on over the weekend with no browsers or programs open...

The quirk is that Outlook doesn't give me a preview anymore... 
This either happened after the Oldtimer run, or from something over the weekend... I could have bumped a setting off by accident, but I don't think so... 
I also got a prompt when I first opened saying that one of my mail folders wasn't closed properly... 
I ran Oldtimer with everything closed, though...


----------



## CatByte (Feb 24, 2009)

Hi,

Sorry, I thought I had given you this before.

Please download DDS from one of the following links and save it to your desktop.


*DDS.scr*
*DDS.pif*

Disable any script blocking protection (How to Disable your Security Programs)
Double click *DDS* icon to run the tool (may take up to 3 minutes to run)
When done, DDS.txt will open. 
After a few moments, attach.txt will open in a second window.
Save both reports to your desktop.

_*Post*_ the contents of the *DDS.txt* report in your next reply
*Attach* the _*Attach.txt*_ report to your post by scrolling down to the *Attachments* area and then clicking *Browse*. Browse to where you saved the file, and click *Open* and then click *UPLOAD*.

As for your outlook reading pane:

Open Outlook > click on your *in box *> on the top tool bar - click on *View* > click on *reading pane *> click on your preference of either displaying the pane *right *or *bottom*

your reading pane should now display.


----------



## Zigg (May 27, 2010)

Got Outlook right again, thanks...
But the DDS program from the links above just opened Notepad with a bunch of jibber-jabber.


----------



## CatByte (Feb 24, 2009)

Right click the link and choose to save the file to your desktop


----------



## Zigg (May 27, 2010)

MZ   ÿÿ ¸ @  º ´ Í!¸LÍ!This program cannot be run in DOS mode.



----------



## CatByte (Feb 24, 2009)

Hi

Try this link instead:

*LINK 1*


----------



## Zigg (May 27, 2010)

I used IE and it worked:

DDS (Ver_10-03-17.01) - NTFSx86 
Run by Lake at 14:12:17.53 on Tue 06/15/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista Business 6.0.6001.1.1252.1.1033.18.2045.1082 [GMT -5:00]
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Lake\AppData\Roaming\Dropbox\bin\dropbox.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroTray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Lake\Desktop\dds.pif
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.southernlandco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = Preserve
uWindow Title = Internet Explorer provided by Dell
mSearch Bar = 
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Acrobat Speed Launch] "c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe"
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Act! Preloader] "c:\program files\act\act for windows\ActSage.exe" -preload
mRun: [Acrobat Synchronizer] "c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRunOnce: [PCmover CookieMerge] "c:\program files\laplink\pcmover\cookiemerge.exe" "c:\windows\system32\config\systemprofile\appdata\local\laplink\pcmover\Cookies"
StartupFolder: c:\users\lake\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\lake\appdata\roaming\dropbox\bin\dropbox.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181086765921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181086829078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.lizardtech.com/download/files/win/expressview/webinstall/isetup.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
================= FIREFOX ===================
FF - ProfilePath - c:\users\lake\appdata\roaming\mozilla\firefox\profiles\x41ryv0f.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\users\lake\appdata\roaming\mozilla\firefox\profiles\x41ryv0f.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\lake\appdata\roaming\mozilla\firefox\profiles\x41ryv0f.default\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-27 1153368]
R3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2009-10-17 179712]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-5 135664]
============== File Associations ===============
.scr=DWGTrueViewScriptFile
=============== Created Last 30 ================
2010-06-14 15:57:11 1580544 ----a-w- c:\windows\system32\sfcfiles.dll
2010-06-11 22:14:46 0 d-----w- C:\_OTM
2010-06-11 18:01:21 0 d-s---w- C:\ComboFix
2010-06-02 18:37:02 0 d-----w- C:\$RECYCLE.BIN
2010-06-01 17:50:51 77312 ----a-w- c:\windows\MBR.exe
2010-06-01 17:50:49 256512 ----a-w- c:\windows\PEV.exe
2010-06-01 17:50:49 161792 ----a-w- c:\windows\SWREG.exe
2010-06-01 17:50:48 98816 ----a-w- c:\windows\sed.exe
2010-06-01 14:35:36 33792 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2010-05-31 23:36:22 133200800 ----a-w- c:\windows\MEMORY.DMP
2010-05-31 22:59:18 93056 ----a-w- C:\pxldapow.sys
2010-05-29 04:22:36 0 d-----w- c:\programdata\WindowsSearch
2010-05-27 22:58:30 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-27 22:58:30 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-27 22:11:36 0 d-----w- c:\program files\Trend Micro
2010-05-27 16:12:02 0 d-----w- c:\users\lake\appdata\roaming\Malwarebytes
2010-05-27 16:11:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-27 16:11:45 0 d-----w- c:\programdata\Malwarebytes
2010-05-27 16:11:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 16:11:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-26 08:14:39 2048 ----a-w- c:\windows\system32\tzres.dll
==================== Find3M ====================
2010-06-15 16:32:18 848 --sha-w- c:\programdata\KGyGaAvL.sys
2010-05-10 21:35:28 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-04-14 18:37:16 174 --sha-w- c:\program files\desktop.ini
2010-04-14 18:32:12 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-04-14 18:32:12 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-14 18:32:12 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-14 18:20:18 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-04-14 18:03:16 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-04-14 18:03:13 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-04-12 22:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-03-01 00:40:17 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\feeds cache\index.dat
2007-10-25 23:15:54 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\feeds cache\index.dat
2009-10-21 22:21:01 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-10-18 23:46:12 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 14:13:59.75 ===============


----------



## CatByte (Feb 24, 2009)

Hi,

Logs are clean.

Just some housekeeping to do now.

Please do the following:

*Follow these steps to uninstall Combofix *


Click *START* then *RUN*
Now copy/paste *Combofix /uninstall* into the *runbox* and click *OK.* Note the *space* between the *..X* and the */U*; it needs to be there.
*NEXT*

Clean up with *OTL:*

Double-click *OTL.exe* to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the *CLEANUP* button
Say *Yes* to the prompt and then allow the program to reboot your computer.

If any logs/tools remain on your desktop > right click and delete them.

*NEXT*

Below I have included a number of recommendations for how to protect your computer against malware infections.


It is good security practice to change the passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article: *Strong passwords: How to create and use them*.
Then consider a *password keeper* to keep all your passwords safe.

Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

*Make Internet Explorer more secure*
Click *Start* > *Run*
Type *Inetcpl.cpl* & click *OK*
Click on the *Security* tab
Click *Reset all zones to default level*
Make sure the *Internet Zone* is selected & Click *Custom level*
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Next Click *OK*, then *Apply* button and then *OK* to exit the Internet Properties page.
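A way to check (and optionally correct) the Internet-zone ActiveX settings those steps change, as an added example that is not from the thread or from any tool it mentions. The registry path and the action-ID value names are the ones Microsoft documents for the Security tab; the function name is mine.

```powershell
# Added example (not from the thread). Audits the Internet zone (zone 3)
# ActiveX settings that the Inetcpl.cpl steps above change, by reading the
# per-user registry values the Security tab writes.
# Action IDs (documented by Microsoft): 1001 = Download signed ActiveX controls,
# 1004 = Download unsigned ActiveX controls, 1201 = Initialize and script
# ActiveX controls not marked as safe. Data: 0 = Enable, 1 = Prompt, 3 = Disable.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Target state from the post: both downloads -> Prompt, unsafe init/script -> Disable
$Wanted = [ordered]@{
    '1001' = @{ Label = 'Download signed ActiveX controls';                         Value = 1 }
    '1004' = @{ Label = 'Download unsigned ActiveX controls';                       Value = 1 }
    '1201' = @{ Label = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
}
$Meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    [CmdletBinding()]
    param(
        # Set non-compliant values to the recommended ones instead of only reporting
        [switch]$Fix
    )

    if (-not (Test-Path $ZonePath)) {
        throw "Internet zone key not found at $ZonePath"
    }
    $zone = Get-ItemProperty -Path $ZonePath

    foreach ($id in $Wanted.Keys) {
        $current = $zone.$id   # $null when absent; IE then falls back to its built-in default
        $target  = $Wanted[$id].Value
        $ok      = ($null -ne $current) -and ([int]$current -eq $target)

        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $ZonePath -Name $id -Value $target -Type DWord
            $current = $target
            $ok = $true
        }

        # Translate the raw DWORD into the label the dialog shows
        if ($null -eq $current) {
            $label = '(not set)'
        } else {
            $label = $Meaning[[int]$current]
            if (-not $label) { $label = "raw value $current" }
        }

        [pscustomobject]@{
            Id        = $id
            Setting   = $Wanted[$id].Label
            Current   = $label
            Wanted    = $Meaning[$target]
            Compliant = $ok
        }
    }
}

# Caveat: if HKLM\...\Internet Settings carries Security_HKLM_only = 1, the
# machine-wide zone keys apply instead of HKCU and $ZonePath should use HKLM:.

# Report only; add -Fix to apply the values the steps above set.
Test-InternetZoneActiveX | Format-Table -AutoSize
```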

*Download* *TFC* *to your desktop*
Close any open windows.
Double click the *TFC* icon to run the program
TFC *will close all open programs itself* in order to run, 
Click the *Start* button to begin the process. 
Allow *TFC* to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically *reboot your machine*;
if it doesn't, manually reboot to ensure a complete clean.
*It's normal after running TFC cleaner that the PC will be slower to boot the first time. *

*WOT*, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
*Green* to go 
*Yellow* for caution 
*Red* to stop
WOT has an add-on available for Firefox, IE and Chrome.

*Keep a backup of your important files* - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

*ERUNT* (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
*Think Prevention.*
*PC Safety and Security--What Do I Need?.*

*Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.*

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.


----------



## Zigg (May 27, 2010)

All done...

I have a Malwarebytes shortcut on my Desktop
RootRepeal
HijackThis Shortcut
Spybot S&D Shortcut
also have a folder that I saved all my reports

Which programs should I further remove or keep?


----------



## CatByte (Feb 24, 2009)

Keep Malwarebytes, it's a very handy program to have; update and run it every once in a while.

Right click and delete the RootRepeal and HijackThis icons, you don't need them any longer.

You can keep Spybot if you wish; there won't be any conflicts with anything else, and you can right click and delete that folder with all the logs, no need to keep them.

If you don't want the malwarebytes shortcut on the desktop, you can delete it and just run the program from start > all programs when you want to, same with Spybot. You can delete the "mbam set up" file if you have that on your desktop still.


----------



## Zigg (May 27, 2010)

Been cleaning up...
I'm seeing *tdsskiller.zip* showing in my desktop in a *start search*... and for the life of me, I can't physically see it...
Does it look like something else (name or something on my desktop), or is it hidden somehow?


----------



## CatByte (Feb 24, 2009)

Look in your C:\ drive for it; that's where it saves the logs. But if you don't see it on your desktop, then it's gone.


----------

