google has stopped working popup

Acer / Aspire 5610
January 10, 2010 at 16:30:02
Specs: Microsoft Windows Vista Home Premium, 1.733 GHz / 1013 MB
I get the google installer has stopped working popup everytime I start my computer and at exactly :09 every hour. IE stops working occasionally also then restarts. Tried various anti virus including Malwarebytes (changed .exe) found some viruses but can't get rid of popup. Any ideas?

See More: google has stopped working popup

Report •


#1
January 10, 2010 at 16:39:17
Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch program.
2.(Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5.Once it has finished, two logs will open: log.txt<-- this will be maximized and info.txt<-- this will be minimized. Both logs will be located at C:\RSIT.exe.


Report •

#2
January 10, 2010 at 16:52:22
Here is my log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Kelly at 2010-01-10 16:46:41
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 16 GB (22%) free of 73 GB
Total RAM: 1013 MB (15% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:10 PM, on 10/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\V0470Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\Kelly\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Kelly\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2O0BCZEP\RSIT[1].exe
C:\Program Files\trend micro\Kelly.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://webmail.shaw.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/yc...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [V0470Mon.exe] C:\Windows\V0470Mon.exe
O4 - HKLM\..\Run: [C:\Windows\system32\V0470Ext.ax] C:\Windows\system32\RegSvr32.exe /s C:\Windows\system32\V0470Ext.ax
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\fluffy.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrob...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://photoshare.shaw.ca/files/Ima...
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/sof...
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10597 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Ad-Aware Update (Weekly).job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\SDMsgUpdate (TE).job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2009-08-04 1586472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-10-11 321312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}]
ShowBarObj Class - C:\Windows\system32\ActiveToolBand.dll [2007-02-06 299008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll [2008-07-28 160496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Windows\system32\eDStoolbar.dll [2007-02-06 151552]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2008-07-28 882416]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-18 1008184]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2006-11-21 90191]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2006-11-21 7757824]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2006-11-21 81920]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2006-11-30 4186112]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-10-22 815104]
"LManager"=C:\PROGRA~1\LAUNCH~1\LManager.exe [2006-12-08 614400]
"eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [2007-02-06 464168]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"NeroFilterCheck"=C:\Windows\system32\NeroCheck.exe [2001-07-09 155648]
"V0470Mon.exe"=C:\Windows\V0470Mon.exe [2007-06-04 32768]
"C:\Windows\system32\V0470Ext.ax"=C:\Windows\system32\RegSvr32.exe [2006-11-02 14336]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-02-11 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-02-11 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-02-11 133656]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\fluffy.exe /runcleanupscript []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"MSSE"=C:\Program Files\Microsoft Security Essentials\msseces.exe [2009-09-13 1048392]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-10 1233920]
"????r"= []
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-18 125952]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-18 202240]
"Creative Live! Cam Manager"=C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe [2007-05-02 151552]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2009-10-09 25623336]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2005-08-11 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]
??????????????e []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe

C:\Users\Kelly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\Windows\System32\avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-02-11 204800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60235a99-c788-11dd-905b-0016d4689814}]
shell\AutoRun\command - F:\DPFMate.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9232fae-bc22-11dd-9bb1-0016d4689814}]
shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c71c16ff-b1be-11dd-8bea-0016d4689814}]
shell\AutoRun\command - F:\PortableVault.exe


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1

======List of files/folders created in the last 1 months======

2010-01-10 16:46:42 ----D---- C:\Program Files\trend micro
2010-01-10 16:46:41 ----D---- C:\rsit
2010-01-10 05:09:19 ----A---- C:\Windows\ntbtlog.txt
2010-01-09 20:20:13 ----D---- C:\Users\Kelly\AppData\Roaming\SUPERAntiSpyware.com
2010-01-09 10:14:51 ----D---- C:\Program Files\Microsoft Security Essentials
2010-01-08 21:23:09 ----AD---- C:\ProgramData\TEMP
2010-01-08 16:58:56 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2010-01-08 08:02:37 ----D---- C:\Users\Kelly\AppData\Roaming\Uniblue
2010-01-07 19:52:31 ----D---- C:\ProgramData\Lavasoft
2010-01-07 19:42:59 ----A---- C:\ComboFix.txt
2010-01-07 19:42:12 ----SHD---- C:\$RECYCLE.BIN
2010-01-07 19:33:20 ----A---- C:\Windows\zip.exe
2010-01-07 19:33:20 ----A---- C:\Windows\SWXCACLS.exe
2010-01-07 19:33:20 ----A---- C:\Windows\SWSC.exe
2010-01-07 19:33:20 ----A---- C:\Windows\SWREG.exe
2010-01-07 19:33:20 ----A---- C:\Windows\sed.exe
2010-01-07 19:33:20 ----A---- C:\Windows\PEV.exe
2010-01-07 19:33:20 ----A---- C:\Windows\NIRCMD.exe
2010-01-07 19:33:20 ----A---- C:\Windows\grep.exe
2010-01-07 19:33:03 ----D---- C:\Windows\ERDNT
2010-01-07 19:29:56 ----D---- C:\Qoobox
2010-01-07 05:42:00 ----D---- C:\Users\Kelly\AppData\Roaming\Malwarebytes
2010-01-07 05:41:43 ----D---- C:\ProgramData\Malwarebytes
2010-01-03 00:55:21 ----A---- C:\Windows\system32\javaws.exe
2010-01-03 00:55:21 ----A---- C:\Windows\system32\javaw.exe
2010-01-03 00:55:21 ----A---- C:\Windows\system32\java.exe
2009-12-12 13:52:48 ----D---- C:\Program Files\Common Files\Skype

======List of files/folders modified in the last 1 months======

2010-01-10 16:46:48 ----D---- C:\Windows\Temp
2010-01-10 16:46:42 ----RD---- C:\Program Files
2010-01-10 16:09:40 ----D---- C:\Users\Kelly\AppData\Roaming\skypePM
2010-01-10 15:59:24 ----D---- C:\Users\Kelly\AppData\Roaming\Skype
2010-01-10 14:55:47 ----D---- C:\Config.Msi
2010-01-10 07:06:28 ----SHD---- C:\System Volume Information
2010-01-10 07:00:13 ----SHD---- C:\Windows\Installer
2010-01-10 07:00:07 ----D---- C:\Windows\system32\drivers
2010-01-10 07:00:07 ----D---- C:\Windows\system32\catroot
2010-01-10 06:25:41 ----D---- C:\Windows\Prefetch
2010-01-10 05:09:19 ----D---- C:\Windows
2010-01-09 21:36:32 ----D---- C:\Program Files\Common Files
2010-01-09 19:48:45 ----D---- C:\Windows\System32
2010-01-09 10:34:35 ----SD---- C:\Users\Kelly\AppData\Roaming\Microsoft
2010-01-09 10:34:32 ----D---- C:\ProgramData
2010-01-09 10:15:19 ----SD---- C:\ProgramData\Microsoft
2010-01-09 07:04:13 ----D---- C:\Windows\winsxs
2010-01-08 08:23:49 ----D---- C:\Program Files\Common Files\microsoft shared
2010-01-08 08:21:42 ----D---- C:\Program Files\Google
2010-01-08 08:16:50 ----DC---- C:\Windows\system32\DRVSTORE
2010-01-08 04:20:12 ----D---- C:\Windows\Tasks
2010-01-07 19:57:45 ----D---- C:\Windows\system32\catroot2
2010-01-07 19:53:42 ----D---- C:\Windows\system32\Tasks
2010-01-07 19:43:03 ----D---- C:\Windows\system32\en-US
2010-01-07 19:40:12 ----A---- C:\Windows\system.ini
2010-01-07 16:40:28 ----D---- C:\Windows\twain_32
2010-01-03 00:55:06 ----D---- C:\Program Files\Java
2009-12-28 05:51:47 ----D---- C:\Windows\Minidump
2009-12-28 05:51:47 ----D---- C:\Windows\Debug
2009-12-26 17:05:25 ----D---- C:\Program Files\Windows Live
2009-12-12 13:52:49 ----RD---- C:\Program Files\Skype
2009-12-12 13:52:47 ----D---- C:\ProgramData\Skype

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DritekPortIO;Dritek General Port I/O; \??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys [2006-11-02 20112]
R1 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2009-06-18 142832]
R2 int15;int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 69632]
R2 irda;IrDA Protocol; C:\Windows\system32\DRIVERS\irda.sys [2008-01-18 95744]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-18 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-01 45056]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-18 14208]
R3 DKbFltr;Dritek Keyboard Filter Driver; C:\Windows\system32\DRIVERS\DKbFltr.sys [2006-11-02 21264]
R3 EMSCR;EMSCR; C:\Windows\system32\DRIVERS\EMS7SK.sys [2006-10-24 62208]
R3 ESDCR;ESDCR; C:\Windows\system32\DRIVERS\ESD7SK.sys [2006-10-24 42240]
R3 ESMCR;ESMCR; C:\Windows\system32\DRIVERS\ESM7SK.sys [2006-10-24 76928]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-17 986624]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-10-17 206848]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 2302976]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2006-11-30 1655464]
R3 MpNWMon;Microsoft Malware Protection Network Driver; C:\Windows\system32\DRIVERS\MpNWMon.sys [2009-06-18 42480]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
R3 NTIDrvr;Upper Class Filter Driver; C:\Windows\system32\DRIVERS\NTIDrvr.sys [2006-12-01 6144]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-10 89088]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2006-10-22 179896]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-17 659968]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-18 11264]
S1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2006-11-01 167936]
S3 catchme;catchme; \??\C:\Users\Kelly\AppData\Local\Temp\catchme.sys []
S3 dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-18 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-18 16384]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-18 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-01 235520]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-01 200704]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 2302976]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver; C:\Windows\System32\Drivers\nx6000.sys [2009-07-24 30560]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 NETw3v32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-10-29 1786880]
S3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2006-11-21 4455264]
S3 SMSCIRDA;SMSC Infrared Device Driver; C:\Windows\system32\DRIVERS\SMSCirda.sys [2006-10-18 31232]
S3 UIUSys;Conexant Setup API; C:\Windows\system32\DRIVERS\UIUSYS.SYS []
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-10 73216]
S3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-18 134016]
S3 VF0470Vid;Live! Cam Notebook (VF0470); C:\Windows\system32\DRIVERS\V0470Vid.sys [2007-05-09 146720]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 eDataSecurity Service;eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe [2007-02-06 457512]
R2 eLockService;eLock Service; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [2006-11-30 24576]
R2 eNet Service;eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [2006-11-20 118784]
R2 eRecoveryService;eRecovery Service; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [2006-11-16 45056]
R2 eSettingsService;eSettings Service; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2006-11-13 24576]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2008-10-16 860160]
R2 Irmon;@%SystemRoot%\System32\irmon.dll,-2000; C:\Windows\system32\svchost.exe [2008-01-18 21504]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-10-19 61440]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 107008]
R2 MsMpSvc;@C:\Program Files\Microsoft Security Essentials\MpAsDesc.dll,-241; C:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2009-07-02 17904]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-18 21504]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-18 21504]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2008-10-16 466944]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2006-07-19 262247]
R2 WMIService;ePower Service; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2006-12-01 131072]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-18 21504]
S3 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-12-23 135664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------


Report •

#3
January 10, 2010 at 16:57:18
fo.txt logfile of random's system information tool 1.06 2010-01-10 16:47:21

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B804C424-B66D-447A-84BD-C6B88C392C3A}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\setup.exe" -uninstall
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15B3F9F8-4CF9-452A-9AF2-AA8553765DA7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EDB7E6-D292-44BD-8CA6-A3E33C9D7750}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Acer Arcade Deluxe-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\setup.exe" -uninstall
Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL
Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL
Acer eLock Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x9 -removeonly
Acer Empowering Technology-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9 -removeonly
Acer eNet Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\setup.exe" -l0x9 -removeonly
Acer ePower Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -l0x9 -removeonly
Acer ePresentation Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF839132-BD43-4056-ACBF-4377F4A88E2A}\setup.exe" -l0x9 -removeonly
Acer eSettings Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE65A9A0-9686-45C6-9098-3C9543A412F0}\setup.exe" -l0x9 -removeonly
Acer GridVista-->C:\Windows\UnInst32.exe GridV.UNI
Acer Mobility Center Plug-In-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11316260-6666-467B-AC34-183FCB5D4335}\setup.exe" -l0x9 -removeonly
Acer Registration-->C:\Program Files\Acer Registration\uninstall.exe
Acer ScreenSaver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9 -removeonly
Acer Tour-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94389919-B0AA-4882-9BE8-9F0B004ECA35}\setup.exe" -l0x9 -removeonly
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.4-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe Shockwave Player-->C:\Windows\System32\Adobe\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Adobe\SHOCKW~1\Install.log
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Citrix Presentation Server Client-->MsiExec.exe /I{B2AE44CB-2AAB-4C08-A54B-D264BD604DA8}
Creative Live! Cam Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9 /remove
Creative Live! Cam Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15B3F9F8-4CF9-452A-9AF2-AA8553765DA7}\setup.exe" -l0x9 /remove
Creative Live! Cam Notebook Driver (1.01.01.00)-->C:\Windows\CtDrvIns.exe -uninstall -script VF0470.uns -unsext NT -plugin V0470Pin.dll -pluginres CtCamPin.crl
Creative Live! Cam User's Guide-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34EDB7E6-D292-44BD-8CA6-A3E33C9D7750}\setup.exe" -l0x9 /remove
Creative Photo Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9 /remove
Creative Software AutoUpdate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9 /remove
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\HXFSETUP.EXE -U -IAcrSUN32z.inf
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel PROSet Wireless-->Intel PROSet Wireless
Intel(R) Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java(TM) 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
jZip-->C:\PROGRA~1\jZip\UNWISE.EXE /U C:\PROGRA~1\jZip\INSTALL.LOG
Launch Manager-->C:\Windows\UnInst32.exe LManager.UNI
MetaFrame Presentation Server Web Client for Win32-->C:\Windows\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Antimalware-->MsiExec.exe /X{A0A77CDC-2419-4D5C-AD2C-E09E5926B806}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Security Essentials-->C:\Program Files\Microsoft Security Essentials\setup.exe /x
Microsoft Security Essentials-->MsiExec.exe /I{48B3FB4D-CE22-488C-8E9F-24EBB77EAC0F}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (3.0.14)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
muveeNow 2.0 - Creative-->C:\Program Files\InstallShield Installation Information\{B0F64C44-DC77-497D-9A27-C0F5BAB12493}\setup.exe -runfromtemp -l0x0009 -removeonly
Nero 6 Demo-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NTI Backup NOW! 4.7-->"C:\Program Files\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly
NTI CD & DVD-Maker-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
PhotoInPress BookDesigner-->C:\Program Files\PhotoInPress\Uninstall.exe
PhotoScape-->"C:\Program Files\PhotoScape\uninstall.exe"
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\Setup.EXE" -uninstall
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB973704)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {E626DC89-A787-4553-9BB3-DC2EC7E1593F}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Excel 2007 (KB973593)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7D6255E3-3423-4D8B-A328-F6F8D28DD5FE}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
SightSpeed (remove only)-->"C:\Program Files\SightSpeed\uninst.exe"
Skype web features-->MsiExec.exe /I{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
SMSC Fast Infrared Driver-->C:\Program Files\InstallShield Installation Information\{1AEC7728-1640-4E98-AABC-5EBE3FB57FE4}\setup.exe -runfromtemp -l0x0009 -removeonly
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 (KB974561)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0CDDBAA2-2111-4A0E-A1B0-76C40C635331}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\Windows\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Photo Gallery-->MsiExec.exe /X{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}
Windows Live Sync-->MsiExec.exe /X{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Hosts File======

127.0.0.1 localhost

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: Kelly-PC
Event Code: 4
Message: Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.
Record Number: 199126
Source Name: bcm4sbxp
Time Written: 20090727160553.415600-000
Event Type: Warning
User:

Computer Name: Kelly-PC
Event Code: 4
Message: Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.
Record Number: 199112
Source Name: bcm4sbxp
Time Written: 20090727135803.805600-000
Event Type: Warning
User:

Computer Name: Kelly-PC
Event Code: 4
Message: Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.
Record Number: 199105
Source Name: bcm4sbxp
Time Written: 20090727050104.518400-000
Event Type: Warning
User:

Computer Name: Kelly-PC
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 0018DE37B9FE. The following error occurred:
The operation was canceled by the user.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 199095
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090727023314.000000-000
Event Type: Warning
User:

Computer Name: Kelly-PC
Event Code: 4
Message: Broadcom 440x 10/100 Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.
Record Number: 199086
Source Name: bcm4sbxp
Time Written: 20090727023100.518400-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: Kelly-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {781a878f-37db-4311-8e2b-ee79ba4dfc7b}
Record Number: 554
Source Name: VSS
Time Written: 20070201141035.000000-000
Event Type: Error
User:

Computer Name: Kelly-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {781a878f-37db-4311-8e2b-ee79ba4dfc7b}
Record Number: 539
Source Name: VSS
Time Written: 20070201140746.000000-000
Event Type: Error
User:

Computer Name: Kelly-PC
Event Code: 3086
Message: The system locale has changed. Existing data will be deleted and the index must be recreated.

Context: Windows Application, SystemIndex Catalog

Record Number: 531
Source Name: Microsoft-Windows-Search
Time Written: 20070201140456.000000-000
Event Type: Warning
User:

Computer Name: Kelly-PC
Event Code: 1008
Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 488
Source Name: Microsoft-Windows-Search
Time Written: 20070202135638.000000-000
Event Type: Warning
User:

Computer Name: LH-9DX4SW17R7K7
Event Code: 1036
Message: InitializePrintProvider failed for provider inetpp.dll. This can occur because of system instability or a lack of system resources.
Record Number: 460
Source Name: Microsoft-Windows-SpoolerSpoolss
Time Written: 20070202134627.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: Kelly-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: KELLY-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x288
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 56520
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090103195619.540758-000
Event Type: Audit Success
User:

Computer Name: Kelly-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 56519
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090103195619.525158-000
Event Type: Audit Success
User:

Computer Name: Kelly-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: KELLY-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x288
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 56518
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090103195619.525158-000
Event Type: Audit Success
User:

Computer Name: Kelly-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: KELLY-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x288
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 56517
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090103195619.525158-000
Event Type: Audit Success
User:

Computer Name: Kelly-PC
Event Code: 5032
Message: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

Error Code: 2
Record Number: 56516
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090103195618.433158-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Intel\WiFi\bin;C:\Program Files\jZip
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 14 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0e08
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip

-----------------EOF-----------------


Report •

Related Solutions

#4
January 10, 2010 at 17:11:48
Please post the Combofix log located at C:\Combofix.txt

I don't see an antivirus program running, to continue you need to install one.

You can download the free version of AVG antivirus at this link:
AVG Free Antivirus

Update it once you get it installed.

We will need to disable the antivirus program to run some scans.


Report •

#5
January 10, 2010 at 18:00:05
doesn't Microsoft Security Essentials show up? It is in my programs and says it is running. I was using AVG and changed it yesterday to Microsoft as AVG wasn't doing the job apparently

Here's the log

mboFix 09-10-05.01 - Kelly 07/01/2010 19:35.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1013.358 [GMT -8:00]
Running from: c:\users\Kelly\AppData\Local\Temp\jZip\jZip1424C\jZipC1CC\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 03:37 . 2010-01-08 03:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-07 13:42 . 2010-01-07 13:42 -------- d-----w- c:\users\Kelly\AppData\Roaming\Malwarebytes
2010-01-07 13:41 . 2009-12-30 22:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 13:41 . 2010-01-07 13:41 -------- d-----w- c:\programdata\Malwarebytes
2010-01-07 13:41 . 2010-01-07 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 13:41 . 2009-12-30 22:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 21:52 . 2009-12-12 21:52 -------- d-----w- c:\program files\Common Files\Skype
2009-12-10 11:06 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 11:06 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 11:06 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 15:06 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 15:06 . 2009-11-21 06:40 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-09 15:05 . 2009-11-21 04:59 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-09 15:05 . 2009-11-21 06:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-12-09 15:05 . 2009-11-21 06:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-12-09 12:46 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 03:39 . 2007-02-02 22:24 -------- d-----w- c:\users\Kelly\AppData\Roaming\Skype
2010-01-08 00:44 . 2008-12-24 13:53 -------- d-----w- c:\users\Kelly\AppData\Roaming\skypePM
2010-01-08 00:05 . 2008-12-11 04:56 -------- d-----w- c:\programdata\Google Updater
2010-01-03 08:55 . 2007-02-16 18:34 -------- d-----w- c:\program files\Java
2009-12-27 01:05 . 2009-11-23 14:27 -------- d-----w- c:\program files\Windows Live
2009-12-26 17:17 . 2008-12-11 04:56 -------- d-----w- c:\program files\Google
2009-12-12 21:52 . 2007-02-02 22:24 -------- d-----r- c:\program files\Skype
2009-12-12 21:52 . 2007-02-02 22:24 -------- d-----w- c:\programdata\Skype
2009-12-10 19:16 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 11:06 . 2007-02-02 17:08 -------- d-----w- c:\programdata\Microsoft Help
2009-12-08 02:34 . 2008-06-21 20:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-25 19:29 . 2007-02-07 23:38 680 ----a-w- c:\users\Kelly\AppData\Local\d3d9caps.dat
2009-11-23 14:31 . 2009-11-23 14:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-23 14:29 . 2009-11-23 14:29 -------- d-----w- c:\program files\Microsoft
2009-11-23 14:28 . 2009-11-23 14:28 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-17 15:03 . 2009-11-17 15:03 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-17 15:02 . 2009-11-17 15:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-17 15:02 . 2009-11-17 15:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-03 04:42 . 2009-10-07 12:05 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-26 12:30 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-11 12:17 . 2008-12-13 18:05 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"?????????"="??????????????e" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-05-02 151552]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\V0470Ext.ax"="c:\windows\system32\V0470Ext.ax" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-22 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-22 7757824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-22 81920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-08 614400]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-07 464168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-06-04 32768]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\fluffy.exe" [2009-12-30 1389904]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-12-01 4186112]

c:\users\Kelly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-12-1 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):b8,41,7f,9e,6c,2f,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{300FC74B-2318-4D14-AC53-306200A8835E}"= UDP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{47C39F74-3446-4FB4-B64D-B39E7559E330}"= TCP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{2FBF41B3-C15F-47CD-AF87-864E11C32808}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{31B5C57C-2D10-4DD0-B668-A20C98414908}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6D86A96E-A480-44E2-B87E-BBF41344DF38}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{07FDE742-7B88-4327-8C90-3973EED5A671}"= TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{331ABA9C-5419-4DFD-BC1F-133322C4C160}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2B95A098-C99E-4BA7-B4B2-0E0232F182AF}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{7CDB3774-3BF5-475C-9E92-C6E679AADE29}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{71DEB4CD-FEA3-447B-9629-E3CEED08D4BB}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{2F1D7F1B-D87A-4FC8-AF01-B175ACC6E19C}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{21B700DE-A247-4D1A-9FD5-186C330C2518}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{6DB19A25-4011-4A7B-BB80-CD8362A5E1C6}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. The whole world can talk for free.
"UDP Query User{E4DFB90C-A219-4C55-BFF1-FB8C58A571A5}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. The whole world can talk for free.
"{15CC2FDC-C6EE-4352-883D-BB92641A7A2E}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{03458EBC-41FB-4824-8625-F07BCE9B3732}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{89F32CFC-DF43-452D-8DA6-FE3F034FD0DD}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{819D6957-7F89-4350-9735-F9B7F1795C19}"= UDP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{9A5FB121-9151-4137-847C-494F57E567F6}"= TCP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{9ECC0C21-109C-4F24-90A1-EDE1ABFA9E95}"= UDP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{A18A3B55-4083-472C-9E66-B583EE9B126D}"= TCP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{829E8ECE-58A1-42DA-A161-CFBC0CE2BD33}"= UDP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{225A928B-2C57-496F-959F-51F535066A9D}"= TCP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{AD91EDF3-88C6-456A-BC77-C4DEDDDC79C9}"= UDP:c:\program files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"{E4CDC0BE-925A-4787-BD66-DFB90FAC524E}"= TCP:c:\program files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"{3350CDF9-41D6-4622-9F32-C2A8A410B463}"= UDP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{DD7B1761-6F46-4E5C-9992-090B5AE6986C}"= TCP:c:\program files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"TCP Query User{3CC2E39B-2131-497D-B2E5-82A7BB9E045E}c:\\program files\\microsoft lifecam\\lifecam.exe"= UDP:c:\program files\microsoft lifecam\lifecam.exe:LifeCam.exe
"UDP Query User{1BB0C447-CCB0-4B8A-B987-1805DC420828}c:\\program files\\microsoft lifecam\\lifecam.exe"= TCP:c:\program files\microsoft lifecam\lifecam.exe:LifeCam.exe
"TCP Query User{4515D8DA-13CC-4062-A6E0-4875DFB171B1}c:\\program files\\shaw messenger\\bin\\smc.exe"= UDP:c:\program files\shaw messenger\bin\smc.exe:Shaw Messenger
"UDP Query User{9906C1A1-317D-4F49-A303-F95DEC3EC0FD}c:\\program files\\shaw messenger\\bin\\smc.exe"= TCP:c:\program files\shaw messenger\bin\smc.exe:Shaw Messenger
"TCP Query User{B0E0796A-D95F-4C69-B58F-AAF699664FC6}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{B257262B-F182-4E15-8CBF-478DFF982E47}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{083983E9-0E32-4557-80AF-4613F585641E}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{2F70B26A-1A4F-497F-AF52-7F73C1F46D46}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{BB20A605-5EC4-44B2-A1F1-7BCBB9DE520E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9CD2710E-EDA3-4AF5-B298-711DDE37A90A}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BC774553-873C-4E4C-BFB3-9FF358134939}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{257F2606-07BD-40E6-9628-9D4328569604}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{7E350577-E570-48F1-845D-396E8D1CB7C4}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{4B70C1F7-4CAA-44C9-9577-7ACDF9ACE3FB}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{E28B4952-6D1C-43FA-8112-A6A487FE19DD}c:\\program files\\sightspeed\\sightspeed.exe"= UDP:c:\program files\sightspeed\sightspeed.exe:SightSpeed
"UDP Query User{36FE9669-B0F6-45FF-8A33-648A80AC9229}c:\\program files\\sightspeed\\sightspeed.exe"= TCP:c:\program files\sightspeed\sightspeed.exe:SightSpeed
"{499A4FB0-67DF-4354-A374-ECDD1B175763}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{4085EB69-E3D7-44B5-9CF5-EFC8720194A1}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [31/05/2009 10:57 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [31/05/2009 10:57 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [31/05/2009 10:57 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/05/2009 10:57 AM 297752]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17/11/2008 6:40 AM 3668480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/12/2009 6:03 AM 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [02/11/2006 2:25 AM 167936]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [03/07/2008 5:56 AM 21504]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\System32\drivers\nx6000.sys [24/07/2009 7:28 PM 30560]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\System32\drivers\smscirda.sys [01/12/2006 10:13 PM 31232]
S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\System32\drivers\V0470Vid.sys [06/05/2009 7:04 AM 146720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60235a99-c788-11dd-905b-0016d4689814}]
\shell\AutoRun\command - F:\DPFMate.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9232fae-bc22-11dd-9bb1-0016d4689814}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c71c16ff-b1be-11dd-8bea-0016d4689814}]
\shell\AutoRun\command - F:\PortableVault.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2010-01-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-11 18:06]

2010-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 14:03]

2010-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 14:03]

2010-01-08 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-04-05 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.shaw.ca/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\6ggtzmpv.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\Malwarebytes' Anti-Malware\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 19:40
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2756)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
.
Completion time: 2010-01-08 19:42
ComboFix-quarantined-files.txt 2010-01-08 03:42

Pre-Run: 16,932,384,768 bytes free
Post-Run: 16,996,581,376 bytes free

233 --- E O F --- 2010-01-07 19:13


Report •

#6
January 10, 2010 at 19:20:49
Go to start> run type in ComboFix /Uninstall (note the space after combofix is needed) the press ok. Give it a few minutes to run.

Navigate to and delete these files/folders if found after the uninstaller gets through running:


C:\Qoobox
C:\Combofix
C:\Combofix.txt
Combofix Desktop icon

Download Combofix with internet explorer instead of Firefox.

Remember..your Microsoft antivirus and Windows Defender must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename combofix.exe to to Combo-Fix> click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.


Report •

#7
January 10, 2010 at 20:24:43
Go to start> run type in ComboFix /Uninstall (note the space after combofix is needed) the press ok. Give it a few minutes to run.

Typed in ComboFix /Uninstall and windows says it can't find it


Report •

#8
January 10, 2010 at 21:48:09
Here's the ComboFix log
ComboFix 10-01-04.01 - Kelly 10/01/2010 21:21:14.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1013.311 [GMT -8:00]
Running from: c:\users\Kelly\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-11 05:31 . 2010-01-11 05:31 -------- d-----w- c:\users\Kelly\AppData\Local\temp
2010-01-11 05:31 . 2010-01-11 05:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-11 05:31 . 2010-01-11 05:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-11 00:46 . 2010-01-11 00:47 -------- d-----w- c:\program files\trend micro
2010-01-11 00:46 . 2010-01-11 00:47 -------- d-----w- C:\rsit
2010-01-10 04:22 . 2010-01-10 04:22 52224 ----a-w- c:\users\Kelly\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-01-10 04:22 . 2010-01-10 04:22 117760 ----a-w- c:\users\Kelly\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-01-10 04:20 . 2010-01-10 04:20 -------- d-----w- c:\users\Kelly\AppData\Roaming\SUPERAntiSpyware.com
2010-01-09 18:14 . 2010-01-10 15:00 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-01-09 05:45 . 2010-01-09 05:45 -------- d-----w- c:\users\Kelly\AppData\Local\Threat Expert
2010-01-08 16:02 . 2010-01-08 16:02 -------- d-----w- c:\users\Kelly\AppData\Roaming\Uniblue
2010-01-08 03:52 . 2010-01-08 16:18 -------- d-----w- c:\programdata\Lavasoft
2010-01-07 13:42 . 2010-01-07 13:42 -------- d-----w- c:\users\Kelly\AppData\Roaming\Malwarebytes
2009-12-12 21:52 . 2009-12-12 21:52 -------- d-----w- c:\program files\Common Files\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 05:33 . 2007-02-02 22:24 -------- d-----w- c:\users\Kelly\AppData\Roaming\Skype
2010-01-11 00:09 . 2008-12-24 13:53 -------- d-----w- c:\users\Kelly\AppData\Roaming\skypePM
2010-01-08 16:21 . 2008-12-11 04:56 -------- d-----w- c:\program files\Google
2010-01-03 08:55 . 2007-02-16 18:34 -------- d-----w- c:\program files\Java
2009-12-27 01:05 . 2009-11-23 14:27 -------- d-----w- c:\program files\Windows Live
2009-12-12 21:52 . 2007-02-02 22:24 -------- d-----r- c:\program files\Skype
2009-12-12 21:52 . 2007-02-02 22:24 -------- d-----w- c:\programdata\Skype
2009-12-10 19:16 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 11:06 . 2007-02-02 17:08 -------- d-----w- c:\programdata\Microsoft Help
2009-12-08 02:34 . 2008-06-21 20:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-25 19:29 . 2007-02-07 23:38 680 ----a-w- c:\users\Kelly\AppData\Local\d3d9caps.dat
2009-11-23 14:31 . 2009-11-23 14:31 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-11-23 14:29 . 2009-11-23 14:29 -------- d-----w- c:\program files\Microsoft
2009-11-23 14:28 . 2009-11-23 14:28 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-21 06:40 . 2009-12-09 15:06 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 15:05 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 06:34 . 2009-12-09 15:05 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 04:59 . 2009-12-09 15:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 15:03 . 2009-11-17 15:03 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-17 15:03 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 15:02 . 2009-11-17 15:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-17 15:02 . 2009-11-17 15:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-09 12:31 . 2009-12-10 11:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-10 11:06 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-10 11:06 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-03 04:42 . 2009-10-07 12:05 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-26 12:30 2048 ----a-w- c:\windows\system32\tzres.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Creative Live! Cam Manager"="c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [2007-05-02 151552]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c:\windows\system32\V0470Ext.ax"="c:\windows\system32\V0470Ext.ax" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-22 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-22 7757824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-22 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 4186112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-08 614400]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-02-07 464168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"V0470Mon.exe"="c:\windows\V0470Mon.exe" [2007-06-04 32768]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]

c:\users\Kelly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-12-1 528384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]
??????????????e [?]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):b8,41,7f,9e,6c,2f,ca,01

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\System32\drivers\MpNWMon.sys [18/06/2009 6:48 PM 42480]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17/11/2008 6:40 AM 3668480]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [02/11/2006 2:25 AM 167936]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [03/07/2008 5:56 AM 21504]
S3 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/12/2009 6:03 AM 135664]
S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\System32\drivers\nx6000.sys [24/07/2009 7:28 PM 30560]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\System32\drivers\smscirda.sys [01/12/2006 10:13 PM 31232]
S3 VF0470Vid;Live! Cam Notebook (VF0470);c:\windows\System32\drivers\V0470Vid.sys [06/05/2009 7:04 AM 146720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 14:03]

2010-01-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 14:03]

2010-01-10 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-04-05 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.shaw.ca/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Kelly\AppData\Roaming\Mozilla\Firefox\Profiles\6ggtzmpv.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\fluffy.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 21:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2172)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-01-10 21:36:00
ComboFix-quarantined-files.txt 2010-01-11 05:35

Pre-Run: 16,687,124,480 bytes free
Post-Run: 16,727,363,584 bytes free

- - End Of File - - 2D029DE35A1FEBA4E500C8C4E6691873


Report •

#9
January 11, 2010 at 06:07:11
Have I done everything correctly so far?

Report •

#10
January 11, 2010 at 20:05:59
Yes, lets look for a TDSS rootkit.

Download TDSSKiller to your Desktop from the following link.

TDSSKiller


1. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. It will extract to an unzipped folder, drag TDSSKiller.exe out of that folder onto the desktop.
2. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


3. If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
4. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Report •

#11
January 12, 2010 at 02:19:32
Here it is. Sorry for the lateness . . .

02:20:46:156 6968 TDSS rootkit removing tool 2.2.0 Jan 11 2010 08:45:19
02:20:46:156 6968 ================================================================================
02:20:46:156 6968 SystemInfo:

02:20:46:156 6968 OS Version: 6.0.6002 ServicePack: 2.0
02:20:46:156 6968 Product type: Workstation
02:20:46:156 6968 ComputerName: KELLY-PC
02:20:46:156 6968 UserName: Kelly
02:20:46:156 6968 Windows directory: C:\Windows
02:20:46:156 6968 Processor architecture: Intel x86
02:20:46:156 6968 Number of processors: 2
02:20:46:156 6968 Page size: 0x1000
02:20:46:156 6968 Boot type: Normal boot
02:20:46:156 6968 ================================================================================
02:20:47:170 6968 UnloadDriverW: NtUnloadDriver error 2
02:20:47:170 6968 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
02:20:47:186 6968 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
02:21:09:166 6968 UtilityInit: KLMD drop and load success
02:21:09:166 6968 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
02:21:09:166 6968 UtilityInit: KLMD open success
02:21:09:166 6968 UtilityInit: Initialize success
02:21:09:166 6968
02:21:09:166 6968 Scanning Services ...
02:21:09:166 6968 CreateRegParser: Registry parser init started
02:21:09:213 6968 CreateRegParser: DisableWow64Redirection error
02:21:09:213 6968 wfopen_ex: Trying to open file C:\Windows\system32\config\system
02:21:09:213 6968 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
02:21:09:213 6968 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
02:21:09:213 6968 wfopen_ex: Trying to KLMD file open
02:21:09:213 6968 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
02:21:09:213 6968 wfopen_ex: File opened ok (Flags 2)
02:21:09:244 6968 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 23A1290
02:21:09:244 6968 wfopen_ex: Trying to open file C:\Windows\system32\config\software
02:21:09:244 6968 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
02:21:09:244 6968 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
02:21:09:244 6968 wfopen_ex: Trying to KLMD file open
02:21:09:244 6968 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
02:21:09:244 6968 wfopen_ex: File opened ok (Flags 2)
02:21:09:244 6968 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 23A12B8
02:21:09:244 6968 CreateRegParser: EnableWow64Redirection error
02:21:09:244 6968 CreateRegParser: RegParser init completed
02:21:12:957 6968 GetAdvancedServicesInfo: Raw services enum returned 453 services
02:21:12:957 6968 fclose_ex: Trying to close file C:\Windows\system32\config\system
02:21:12:957 6968 fclose_ex: Trying to close file C:\Windows\system32\config\software
02:21:12:957 6968
02:21:12:957 6968 Scanning Kernel memory ...
02:21:12:957 6968 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
02:21:12:957 6968 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 84CC55F8
02:21:12:957 6968 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
02:21:12:957 6968
02:21:12:957 6968 DetectCureTDL3: DEVICE_OBJECT: 85125880
02:21:12:957 6968 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85125880
02:21:12:957 6968 DetectCureTDL3: DEVICE_OBJECT: 84B548A8
02:21:12:957 6968 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84B548A8
02:21:12:957 6968 DetectCureTDL3: DEVICE_OBJECT: 84AFDB98
02:21:12:957 6968 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84AFDB98
02:21:12:957 6968 KLMD_ReadMem: Trying to ReadMemory 0x84AFDB98[0x38]
02:21:12:957 6968 DetectCureTDL3: DRIVER_OBJECT: 8416FF38
02:21:12:957 6968 KLMD_ReadMem: Trying to ReadMemory 0x8416FF38[0xA8]
02:21:12:957 6968 KLMD_ReadMem: Trying to ReadMemory 0x84AE3008[0x1A]
02:21:12:957 6968 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
02:21:12:957 6968 DetectCureTDL3: IrpHandler (0) addr: 807D3140
02:21:12:957 6968 DetectCureTDL3: IrpHandler (1) addr: 8206B9D2
02:21:12:957 6968 DetectCureTDL3: IrpHandler (2) addr: 807D3140
02:21:12:957 6968 DetectCureTDL3: IrpHandler (3) addr: 8206B9D2
02:21:12:957 6968 DetectCureTDL3: IrpHandler (4) addr: 8206B9D2
02:21:12:957 6968 DetectCureTDL3: IrpHandler (5) addr: 8206B9D2
02:21:12:957 6968 DetectCureTDL3: IrpHandler (6) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (7) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (8) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (9) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (10) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (11) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (12) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (13) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (14) addr: 807C1A5A
02:21:12:972 6968 DetectCureTDL3: IrpHandler (15) addr: 807C1A2C
02:21:12:972 6968 DetectCureTDL3: IrpHandler (16) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (17) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (18) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (19) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (20) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (21) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (22) addr: 807C1A88
02:21:12:972 6968 DetectCureTDL3: IrpHandler (23) addr: 807CEB70
02:21:12:972 6968 DetectCureTDL3: IrpHandler (24) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (25) addr: 8206B9D2
02:21:12:972 6968 DetectCureTDL3: IrpHandler (26) addr: 8206B9D2
02:21:12:972 6968 TDL3_FileDetect: Processing driver: atapi
02:21:12:972 6968 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
02:21:12:972 6968 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
02:21:12:988 6968 TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Clean
02:21:12:988 6968
02:21:12:988 6968 Completed
02:21:12:988 6968
02:21:12:988 6968 Results:
02:21:12:988 6968 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
02:21:12:988 6968 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
02:21:12:988 6968 File objects infected / cured / cured on reboot: 0 / 0 / 0
02:21:12:988 6968
02:21:12:988 6968 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status C0000043
02:21:12:988 6968 MyDeleteFileW: MyNtCreateFile (C:\Windows\system32\drivers\klmd.sys) error 32
02:21:12:988 6968 KLMD_Unload: MyDeleteFileW(C:\Windows\system32\drivers\klmd.sys) error 32
02:21:12:988 6968 UtilityDeinit: KLMD(ARK) unloaded successfully


Report •

#12
January 12, 2010 at 03:42:01
Please run the BitDefender online scan this link:
Bitdefender Online Scanner

Click I Agree to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click Click here to scan to begin the scan.
Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
When the scan is finished, click on Click here to export the scan results.
Save the report to your desktop so you can post it in your next reply.


Report •

#13
January 12, 2010 at 06:30:46
I downloaded and it started to scan and then got error message that said it could not scan. Tried to do a second time and it hung up at the updates . . .

Report •

#14
January 12, 2010 at 16:10:19
Turn off windows defender before running the script below, turn it back on afterwards. Click on This Link if you need help disabling Windows Defender.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\Windows\system32\ActiveToolBand.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"=-
-[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".

Please post the log that is produced.


Report •

#15
January 12, 2010 at 18:11:19
I confess I caved in and my computer is now with a techy getting fixed . . . I am clearly over my head.

I can't thank you enough for all your help. I have learned at lot but still don't know what I don't know . . .

Crazy question but do you live in Penticton?


Report •

#16
January 12, 2010 at 18:27:29
No but I was there once..30 years ago...sorry we could not be of more help.

Report •

#17
January 12, 2010 at 18:33:35
You people provide a tremendous service and if I had more time, I would have perservered. I have learned a lot and for that I am very appreciative. Thank you!

Report •

#18
January 12, 2010 at 18:38:04
Thanks for the kind words, if you need us again just start a thread.

Report •

#19
January 13, 2010 at 19:07:59
FYI - turned out the error message was not a virus but a real Google error - think it happened when I downloaded Google Earth - found some more viruses tho - - - when I got my computer back had an error "sound output device is not installed" so found the solution (#3) on a YouTube video!!!
Hilarious - - here's the link
http://www.youtube.com/watch?v=9lZz...

Have a great day!!!


Report •

Ask Question