
Thread: Google redirects

  1. #1
    Member
    Join Date
    Jan 2006
    Posts
    41

    Google redirects

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:40:01 PM, on 1/27/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Weather Watcher\ww.exe
    C:\HeavyWeather\HeavyWeatherPublisher.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\GE Security Supra\SyncInfoApp.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Windows\System32\mobsync.exe
    C:\HeavyWeather\heavy weather.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
    O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Intuit SyncManager] c:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
    O4 - HKCU\..\Run: [HeavyWeatherPublisher] C:\HeavyWeather\HeavyWeatherPublisher.exe -minimized
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: heavy weather.lnk = C:\HeavyWeather\heavy weather.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: DisplayKEY eSYNC Info.lnk = C:\Program Files\GE Security Supra\SyncInfoApp.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O15 - Trusted Zone: *.bing.com
    O15 - Trusted Zone: *.doccentral.com
    O15 - Trusted Zone: *.fnismls.com
    O15 - Trusted Zone: *.getmedianow.com
    O15 - Trusted Zone: *.live.com
    O15 - Trusted Zone: *.rdesk.com
    O15 - Trusted Zone: *.rexplorer.net
    O15 - Trusted Zone: *.safemls.net
    O15 - Trusted Zone: *.showingtime.com
    O15 - Trusted Zone: *.sitexdata.com
    O15 - Trusted Zone: *.spellchecker.net
    O15 - Trusted Zone: *.transactionpoint.com
    O15 - Trusted Zone: *.trpoint.com
    O15 - Trusted Zone: *.virtualearth.net
    O15 - Trusted Zone: *.xmlsweb.com
    O16 - DPF: ImageUploader - http://www.assetval.com/app/ImageUploader.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://samls.fnismls.com/Paragon/Cod...intControl.cab
    O16 - DPF: {0CE0F418-1010-442D-871C-3454827DD539} - http://facefun.com/FaceFun_webinstall/FaceFun.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/reso...PUplden-us.cab
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://samls.crsdata.com/realestate/...gaxctrlv65.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - http://download.copysafe.net/plugins...s/Copysafe.cab
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
    O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.pyramidreo.com/ImageUploader4.cab
    O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://pro.realquest.com/mapviewer/mapviewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{30BBADAE-3AF0-48DB-BFFA-9AD645AF925A}: NameServer = 208.67.220.220,208.67.222.222
    O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - c:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\Windows\system32\CSHelper.exe
    O23 - Service: DkeySync - GE Security Supra - c:\program files\ge security supra\syncservice.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c9bca6f4ea33cd) (gupdate1c9bca6f4ea33cd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: QBCFMonitorService - Intuit - c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: SolidPDFPlusCreatorReadSpool (SPDFCreatorPlusReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIF8BC.tmp
    O23 - Service: SolidPDFToolsCreatorReadSpool (SPDFToolsReadSpool) - Solid Documents, LLC - C:\Windows\Installer\MSIEE5E.tmp

    --
    End of file - 10823 bytes

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.


    Download GMER here by clicking the download exe button and then saving it to your desktop:
    • Double-click .exe that you downloaded
    • Click rootkit-tab and then scan.
    • Don't check the Show All box while scanning is in progress!
    • When scanning is finished, click Copy.
    • This copies the log to the clipboard.
    • Post the log (or archive it into a zip file and attach it if the log is very long) in your reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Member
    Join Date
    Jan 2006
    Posts
    41


    Attached all three logs in one zip file

  4. #4
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Thanks for the logs. Next time, please paste the contents of the reports into your post instead of using attachments (unless the log is too long to fit in a post).

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.


    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  5. #5
    Member
    Join Date
    Jan 2006
    Posts
    41


    Here is the combofix.txt. I cannot run any programs on this computer now. When I try to run DDS, Internet Explorer and other programs I get the error "Illegal operation attempted on a registry key that had been marked for deletion".

    ComboFix 10-02-03.08 - Mike 02/04/2010 9:12.14.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2039.1181 [GMT -7:00]
    Running from: c:\users\Mike\Desktop\ComboFix.exe
    SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    .

    ((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
    .

    2010-02-04 16:22 . 2010-02-04 16:22 -------- d-----w- c:\users\The McNabs\AppData\Local\temp
    2010-02-04 16:22 . 2010-02-04 16:22 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-02-04 16:22 . 2010-02-04 16:22 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2010-02-04 16:22 . 2010-02-04 16:22 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-02-04 09:43 . 2010-02-04 08:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000517\maindata.sys
    2010-02-03 10:13 . 2010-02-03 08:05 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000516\maindata.sys
    2010-02-02 09:52 . 2010-02-02 08:04 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000515\maindata.sys
    2010-02-01 10:16 . 2010-02-01 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000514\maindata.sys
    2010-01-31 10:02 . 2010-01-31 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000513\maindata.sys
    2010-01-30 10:20 . 2010-01-30 08:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000512\maindata.sys
    2010-01-29 09:45 . 2010-01-29 08:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000511\maindata.sys
    2010-01-28 01:49 . 2010-01-28 01:49 -------- d-----w- c:\program files\Common Files\Java
    2010-01-28 01:35 . 2010-01-28 01:35 -------- d-----w- c:\program files\ERUNT
    2010-01-28 01:19 . 2010-02-04 16:22 -------- d-----w- c:\users\Mike\AppData\Local\temp
    2010-01-26 10:07 . 2010-01-26 08:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000510\maindata.sys
    2010-01-24 10:08 . 2010-01-24 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000509\maindata.sys
    2010-01-23 10:11 . 2010-01-23 08:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000508\maindata.sys
    2010-01-23 04:13 . 2010-01-27 04:13 -------- d-----w- c:\program files\SpywareBlaster
    2010-01-22 10:12 . 2010-01-22 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000507\maindata.sys
    2010-01-21 10:12 . 2010-01-21 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000506\maindata.sys
    2010-01-20 10:11 . 2010-01-20 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000505\maindata.sys
    2010-01-19 10:08 . 2010-01-19 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000504\maindata.sys
    2010-01-18 10:09 . 2010-01-18 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000503\maindata.sys
    2010-01-17 10:07 . 2010-01-17 08:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000502\maindata.sys
    2010-01-16 10:45 . 2010-01-16 08:05 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000501\maindata.sys
    2010-01-15 11:21 . 2010-01-15 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000500\maindata.sys
    2010-01-14 10:52 . 2010-01-14 08:06 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000499\maindata.sys
    2010-01-13 11:35 . 2010-01-13 08:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000498\maindata.sys
    2010-01-13 01:05 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
    2010-01-13 01:05 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
    2010-01-12 10:12 . 2010-01-12 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000497\maindata.sys
    2010-01-11 10:12 . 2010-01-11 08:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000496\maindata.sys
    2010-01-10 10:12 . 2010-01-10 08:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000495\maindata.sys
    2010-01-09 11:13 . 2010-01-09 08:06 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000494\maindata.sys
    2010-01-08 11:22 . 2010-01-08 08:02 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000493\maindata.sys
    2010-01-07 10:59 . 2010-01-07 08:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000492\maindata.sys
    2010-01-06 12:04 . 2010-01-06 08:05 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000491\maindata.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-04 16:23 . 2007-12-11 02:23 -------- d-----w- c:\program files\Weather Watcher
    2010-02-04 15:04 . 2009-02-26 15:01 -------- d-----w- c:\users\Mike\AppData\Roaming\SolidDocuments
    2010-02-04 09:54 . 2009-05-21 19:54 -------- d-----w- c:\program files\GE Security Supra
    2010-02-04 09:31 . 2007-10-10 14:53 -------- d-----w- c:\programdata\Google Updater
    2010-02-01 14:17 . 2007-10-10 14:53 -------- d-----w- c:\program files\Google
    2010-01-28 14:45 . 2007-10-11 00:13 -------- d-----w- c:\program files\Common Files\Adobe
    2010-01-28 01:49 . 2009-03-16 02:10 -------- d-----w- c:\program files\Java
    2010-01-23 04:20 . 2009-12-19 03:47 -------- d-----w- c:\program files\PokerStars
    2010-01-22 10:21 . 2008-07-20 15:42 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-16 18:58 . 2008-02-15 21:00 -------- d-----w- c:\users\Mike\AppData\Roaming\CoreFTP
    2010-01-16 16:37 . 2009-07-30 17:03 -------- d-----w- c:\program files\Citrix
    2010-01-16 16:37 . 2007-10-08 22:15 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-01-14 18:12 . 2009-10-03 08:40 181120 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-13 10:08 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-01-05 08:06 . 2010-01-05 10:54 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000490\maindata.sys
    2010-01-04 08:03 . 2010-01-04 10:14 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000489\maindata.sys
    2010-01-03 08:03 . 2010-01-03 10:15 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000488\maindata.sys
    2010-01-02 08:01 . 2010-01-02 10:07 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000487\maindata.sys
    2010-01-02 06:38 . 2010-01-21 23:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32 . 2010-01-21 23:20 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 06:32 . 2010-01-21 23:20 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 04:57 . 2010-01-21 23:20 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-01-01 08:02 . 2010-01-01 10:08 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000486\maindata.sys
    2009-12-31 08:04 . 2009-12-31 10:14 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000485\maindata.sys
    2009-12-28 08:04 . 2009-12-28 11:25 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000484\maindata.sys
    2009-12-27 08:05 . 2009-12-27 11:12 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000483\maindata.sys
    2009-12-26 08:04 . 2009-12-26 11:19 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000482\maindata.sys
    2009-12-25 08:03 . 2009-12-25 10:18 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000481\maindata.sys
    2009-12-24 08:02 . 2009-12-24 10:10 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000480\maindata.sys
    2009-12-23 08:02 . 2009-12-23 10:07 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000479\maindata.sys
    2009-12-22 08:01 . 2009-12-22 10:04 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000478\maindata.sys
    2009-12-21 08:01 . 2009-12-21 10:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000477\maindata.sys
    2009-12-20 08:04 . 2009-12-20 10:11 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000476\maindata.sys
    2009-12-19 08:03 . 2009-12-19 10:13 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000475\maindata.sys
    2009-12-18 08:03 . 2009-12-18 10:06 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000474\maindata.sys
    2009-12-18 00:14 . 2009-03-16 02:11 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-12-17 08:03 . 2009-12-17 10:15 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000473\maindata.sys
    2009-12-16 08:03 . 2009-12-16 10:13 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000472\maindata.sys
    2009-12-15 08:02 . 2009-12-15 10:08 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000471\maindata.sys
    2009-12-14 08:01 . 2009-12-14 10:06 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000470\maindata.sys
    2009-12-13 08:04 . 2009-12-13 10:06 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000469\maindata.sys
    2009-12-12 08:03 . 2009-12-12 10:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000468\maindata.sys
    2009-12-11 08:02 . 2009-12-11 10:00 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000467\maindata.sys
    2009-12-10 08:01 . 2009-12-10 10:03 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000466\maindata.sys
    2009-12-09 08:01 . 2009-12-09 09:45 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000465\maindata.sys
    2009-12-08 08:01 . 2009-12-08 09:57 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000464\maindata.sys
    2009-12-07 08:00 . 2009-12-07 09:54 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000463\maindata.sys
    2009-12-06 08:01 . 2009-12-06 09:54 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000462\maindata.sys
    2009-12-05 08:01 . 2009-12-05 09:58 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000461\maindata.sys
    2009-12-04 08:00 . 2009-12-04 09:55 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000460\maindata.sys
    2009-12-03 08:03 . 2009-12-03 10:50 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000459\maindata.sys
    2009-12-02 08:02 . 2009-12-02 10:53 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000458\maindata.sys
    2009-12-01 08:03 . 2009-12-01 11:06 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000457\maindata.sys
    2009-11-30 08:03 . 2009-11-30 10:54 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000456\maindata.sys
    2009-11-29 08:06 . 2009-11-29 10:57 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000455\maindata.sys
    2009-11-28 17:50 . 2009-09-21 17:50 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
    2009-11-28 08:07 . 2009-11-28 10:40 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000454\maindata.sys
    2009-11-27 08:05 . 2009-11-27 10:06 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000453\maindata.sys
    2009-11-26 08:03 . 2009-11-26 10:02 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000452\maindata.sys
    2009-11-25 08:02 . 2009-11-25 09:59 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000451\maindata.sys
    2009-11-25 02:40 . 2009-11-25 02:40 975648 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\qbpatch.exe
    2009-11-25 02:40 . 2009-11-25 02:40 499712 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcp71.dll
    2009-11-25 02:40 . 2009-11-25 02:40 348160 ----a-w- c:\programdata\Intuit\QuickBooks 2010\Components\DownloadQB20\Patch\msvcr71.dll
    2009-11-24 08:04 . 2009-11-24 10:05 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000450\maindata.sys
    2009-11-23 21:46 . 2007-10-08 21:09 229352 ----a-w- c:\users\Mike\AppData\Local\GDIPFONTCACHEV1.DAT
    2009-11-21 08:03 . 2009-11-21 10:05 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000449\maindata.sys
    2009-11-20 08:04 . 2009-11-20 10:10 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000448\maindata.sys
    2009-11-19 15:18 . 2009-11-19 15:18 1745 ----a-w- c:\programdata\Intuit\QuickBooks 2010\qbbackup.sys
    2009-11-19 08:03 . 2009-11-19 10:02 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000447\maindata.sys
    2009-11-18 08:01 . 2009-11-18 09:58 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000446\maindata.sys
    2009-11-17 08:04 . 2009-11-17 10:05 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000445\maindata.sys
    2009-11-16 08:02 . 2009-11-16 10:06 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000444\maindata.sys
    2009-11-15 08:03 . 2009-11-15 10:08 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000443\maindata.sys
    2009-11-14 08:01 . 2009-11-14 10:00 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000442\maindata.sys
    2009-11-13 08:02 . 2009-11-13 11:41 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000441\maindata.sys
    2009-11-12 08:03 . 2009-11-12 10:00 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000440\maindata.sys
    2009-11-11 08:03 . 2009-11-11 10:01 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000439\maindata.sys
    2009-11-10 08:03 . 2009-11-10 10:10 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000438\maindata.sys
    2009-11-09 12:31 . 2009-12-09 23:58 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-11-09 12:30 . 2009-12-09 23:58 30720 ----a-w- c:\windows\system32\httpapi.dll
    2009-11-09 10:36 . 2009-12-09 23:58 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2009-11-09 08:03 . 2009-11-09 09:56 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000437\maindata.sys
    2009-11-09 00:01 . 2009-11-09 00:01 79052 ----a-w- c:\windows\system32\drivers\AFS.SYS
    2009-11-08 08:02 . 2009-11-08 09:54 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000436\maindata.sys
    2009-11-07 08:03 . 2009-11-07 09:55 1109 ----a-w- c:\users\Mike\AppData\Roaming\Genie-Soft\GBMHome8\Jobs\Backup Job\00000435\maindata.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2010-01-23_01.58.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-01-27 14:53 . 2009-12-10 13:03 69120 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22963_none_84246a436002f224\iecompat.dll
    + 2010-01-27 14:53 . 2009-12-10 05:05 69120 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18872_none_838efd4246ee54f4\iecompat.dll
    + 2007-10-08 21:43 . 2010-01-27 03:53 50456 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 13:05 . 2010-02-03 22:32 61250 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2007-10-08 21:10 . 2010-02-03 22:32 13718 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1304129043-3560768821-2314269622-1000_UserData.bin
    - 2009-02-07 18:00 . 2009-06-01 17:51 15688 c:\windows\System32\lsdelete.exe
    + 2009-02-07 18:00 . 2009-09-21 17:51 15688 c:\windows\System32\lsdelete.exe
    + 2006-11-02 13:02 . 2010-02-04 16:03 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2006-11-02 13:02 . 2010-01-23 01:12 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2006-11-02 13:02 . 2010-02-04 16:03 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2006-11-02 13:02 . 2010-01-23 01:12 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-06-04 00:42 . 2010-01-22 20:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-06-04 00:42 . 2010-02-04 09:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-12-25 15:13 . 2010-01-21 03:05 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2009-12-25 15:13 . 2010-01-27 22:19 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2009-12-25 15:13 . 2010-01-27 22:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2009-12-25 15:13 . 2010-01-21 03:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2009-12-25 15:13 . 2010-01-27 22:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    - 2009-12-25 15:13 . 2010-01-21 03:05 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    - 2008-06-04 00:42 . 2010-01-22 20:12 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-04 00:42 . 2010-02-04 09:54 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-04 00:42 . 2010-02-04 09:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-06-04 00:42 . 2010-01-22 20:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-02-01 14:18 . 2010-02-01 14:18 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
    + 2010-02-01 14:18 . 2010-02-01 14:18 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2010-02-01 14:18 . 2010-02-01 14:18 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
    + 2010-02-01 14:18 . 2010-02-01 14:18 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
    + 2010-02-01 14:18 . 2010-02-01 14:18 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2010-02-01 14:18 . 2010-02-01 14:18 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
    + 2010-02-01 14:18 . 2010-02-01 14:18 25214 c:\windows\Installer\{2EAF7E61-068E-11DF-953C-005056806466}\ARPPRODUCTICON.exe
    + 2010-01-28 01:21 . 2010-02-04 09:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-01-22 10:21 . 2010-01-22 20:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-01-22 10:21 . 2010-01-22 20:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-01-28 01:21 . 2010-02-04 09:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-01-28 01:49 . 2009-12-18 00:14 153376 c:\windows\System32\javaws.exe
    - 2009-12-20 17:43 . 2009-12-20 17:43 145184 c:\windows\System32\javaw.exe
    + 2010-01-28 01:49 . 2009-12-18 00:14 145184 c:\windows\System32\javaw.exe
    - 2009-12-20 17:43 . 2009-12-20 17:43 145184 c:\windows\System32\java.exe
    + 2010-01-28 01:49 . 2009-12-18 00:14 145184 c:\windows\System32\java.exe
    + 2009-05-29 16:02 . 2010-02-04 15:54 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-05-29 16:02 . 2010-01-23 01:12 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2006-11-02 13:02 . 2010-01-23 01:12 409600 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2006-11-02 13:02 . 2010-02-04 16:03 409600 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-28 01:49 . 2010-01-28 01:49 178176 c:\windows\Installer\18e6cf.msi
    + 2010-01-28 14:47 . 2010-01-28 14:47 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A82000000003}\SC_Reader.exe
    + 2010-02-04 14:09 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\2-4-2010\ERDNT.EXE
    + 2010-02-03 22:31 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\2-3-2010\ERDNT.EXE
    + 2010-01-28 14:41 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\1-28-2010\ERDNT.EXE
    + 2010-01-28 01:36 . 2005-10-20 19:02 163328 c:\windows\ERDNT\1-27-2010\ERDNT.EXE
    - 2006-11-02 10:22 . 2010-01-22 10:20 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
    + 2006-11-02 10:22 . 2010-01-27 14:51 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
    + 2010-01-28 14:47 . 2010-01-28 14:47 4272128 c:\windows\Installer\2465b.msi
    + 2010-02-01 14:18 . 2010-02-01 14:18 1262080 c:\windows\Installer\11847974.msi
    + 2010-02-04 14:09 . 2010-02-04 14:09 5296128 c:\windows\ERDNT\AutoBackup\2-4-2010\Users\00000002\UsrClass.dat
    + 2010-02-04 14:09 . 2010-02-04 14:09 7979008 c:\windows\ERDNT\AutoBackup\2-4-2010\Users\00000001\NTUSER.DAT
    + 2010-02-03 22:30 . 2010-02-03 22:30 5287936 c:\windows\ERDNT\AutoBackup\2-3-2010\Users\00000002\UsrClass.dat
    + 2010-02-03 22:30 . 2010-02-03 22:30 7979008 c:\windows\ERDNT\AutoBackup\2-3-2010\Users\00000001\NTUSER.DAT
    + 2010-01-28 14:41 . 2010-01-28 14:41 5218304 c:\windows\ERDNT\AutoBackup\1-28-2010\Users\00000002\UsrClass.dat
    + 2010-01-28 14:41 . 2010-01-28 14:41 7921664 c:\windows\ERDNT\AutoBackup\1-28-2010\Users\00000001\NTUSER.DAT
    + 2009-05-02 10:01 . 2010-01-27 14:51 241543861 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WeatherWatcher"="c:\program files\Weather Watcher\ww.exe" [2007-09-24 1024000]
    "HeavyWeatherPublisher"="c:\heavyweather\HeavyWeatherPublisher.exe" [2004-02-23 1302528]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-10 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-12-18 622592]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
    "eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
    "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-08-31 996616]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    heavy weather.lnk - c:\heavyweather\heavy weather.exe [2008-5-29 781312]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-10-16 267520]
    DisplayKEY eSYNC Info.lnk - c:\program files\GE Security Supra\SyncInfoApp.exe [2009-5-21 102400]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-12-25 66864]
    QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-3 1153824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):d6,05,a9,7a,15,33,ca,01

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1304129043-3560768821-2314269622-1000]
    "EnableNotificationsRef"=dword:00000002

    R0 AFS;AFS;c:\windows\System32\drivers\AFS.SYS [11/8/2009 5:01 PM 79052]
    R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [4/25/2009 10:51 AM 64160]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [11/4/2007 11:31 AM 1153368]
    R2 SPDFCreatorPlusReadSpool;SolidPDFPlusCreatorReadSpool;c:\windows\Installer\MSIF8BC.tmp [2/26/2009 8:00 AM 189696]
    R2 SPDFToolsReadSpool;SolidPDFToolsCreatorReadSpool;c:\windows\Installer\MSIEE5E.tmp [2/26/2009 8:18 AM 189696]
    S2 CSHelper;CopySafe Helper Service;c:\windows\System32\CSHelper.exe [3/15/2009 6:58 PM 192512]
    S2 gupdate1c9bca6f4ea33cd;Google Update Service (gupdate1c9bca6f4ea33cd);c:\program files\Google\Update\GoogleUpdate.exe [4/13/2009 7:16 PM 133104]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [6/5/2008 8:46 AM 21504]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 2:34 PM 1028432]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:50]

    2010-02-04 c:\windows\Tasks\GBM - Backup Job-Full.job
    - c:\program files\Genie-Soft\GBMHome8\GBM8.exe [2007-10-08 12:28]

    2010-02-04 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-10 06:07]

    2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 02:15]

    2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-14 02:15]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    Trusted Zone: bing.com
    Trusted Zone: doccentral.com
    Trusted Zone: fnismls.com
    Trusted Zone: getmedianow.com
    Trusted Zone: live.com
    Trusted Zone: rdesk.com
    Trusted Zone: rexplorer.net
    Trusted Zone: safemls.net
    Trusted Zone: showingtime.com
    Trusted Zone: sitexdata.com
    Trusted Zone: spellchecker.net
    Trusted Zone: superior-host.com
    Trusted Zone: transactionpoint.com
    Trusted Zone: trpoint.com
    Trusted Zone: virtualearth.net
    Trusted Zone: xmlsweb.com
    TCP: {30BBADAE-3AF0-48DB-BFFA-9AD645AF925A} = 208.67.220.220,208.67.222.222
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
    DPF: ImageUploader - hxxp://www.assetval.com/app/ImageUploader.CAB
    DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
    DPF: {0CE0F418-1010-442D-871C-3454827DD539} - hxxp://facefun.com/FaceFun_webinstall/FaceFun.cab
    DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
    DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://pro.realquest.com/mapviewer/mapviewer.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-04 09:22
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x85C1F8C8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0x87da8d24
    \Driver\ACPI -> acpi.sys @ 0x82494d68
    \Driver\atapi -> atapi.sys @ 0x825a69b0
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SPDFCreatorPlusReadSpool]
    "ImagePath"="c:\windows\Installer\MSIF8BC.tmp"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SPDFToolsReadSpool]
    "ImagePath"="c:\windows\Installer\MSIEE5E.tmp"
    .
    Completion time: 2010-02-04 09:28:30
    ComboFix-quarantined-files.txt 2010-02-04 16:28
    ComboFix2.txt 2010-01-27 03:15
    ComboFix3.txt 2010-01-27 02:42
    ComboFix4.txt 2010-01-23 03:38
    ComboFix5.txt 2010-01-28 00:39

    Pre-Run: 43,786,268,672 bytes free
    Post-Run: 43,770,880,000 bytes free

    - - End Of File - - 10F690390AAADD4AE7378F6DE11D5602

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Reboot and try to get DDS to run after that.

    It seems you have run ComboFix earlier too (not recommended unless instructed). I need you to provide the contents of the c:\combofix\combofix4.txt file.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #7
    Member
    Join Date
    Jan 2006
    Posts
    41


    Here are the DDS logs. I can't find combofix4.txt; I do not have a directory called combofix, and it is not in the root.

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Mike at 10:27:32.18 on Thu 02/04/2010
    Internet Explorer: 8.0.6001.18882
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2039.1291 [GMT -7:00]

    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\CSHelper.exe
    c:\program files\ge security supra\syncservice.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Windows\Installer\MSIF8BC.tmp
    C:\Windows\Installer\MSIEE5E.tmp
    C:\Program Files\GE Security Supra\ProxyDaemon.exe
    C:\SSL\stunnel-4.10.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\Weather Watcher\ww.exe
    C:\HeavyWeather\HeavyWeatherPublisher.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\GE Security Supra\SyncInfoApp.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\HeavyWeather\heavy weather.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Users\Mike\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
    TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
    uRun: [WeatherWatcher] c:\program files\weather watcher\ww.exe
    uRun: [HeavyWeatherPublisher] c:\heavyweather\HeavyWeatherPublisher.exe -minimized
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
    mRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\users\mike\appdata\roaming\micros~1\windows\startm~1\programs\startup\heavyw~1.lnk - c:\heavyweather\heavy weather.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\displa~1.lnk - c:\program files\ge security supra\SyncInfoApp.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: bing.com
    Trusted Zone: doccentral.com
    Trusted Zone: fnismls.com
    Trusted Zone: getmedianow.com
    Trusted Zone: live.com
    Trusted Zone: rdesk.com
    Trusted Zone: rexplorer.net
    Trusted Zone: safemls.net
    Trusted Zone: showingtime.com
    Trusted Zone: sitexdata.com
    Trusted Zone: spellchecker.net
    Trusted Zone: superior-host.com
    Trusted Zone: transactionpoint.com
    Trusted Zone: trpoint.com
    Trusted Zone: virtualearth.net
    Trusted Zone: xmlsweb.com
    DPF: ImageUploader - hxxp://www.assetval.com/app/ImageUploader.CAB
    DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {0854D220-A90A-466D-BC02-6683183802B7} - hxxp://samls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
    DPF: {0CE0F418-1010-442D-871C-3454827DD539} - hxxp://facefun.com/FaceFun_webinstall/FaceFun.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
    DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://samls.crsdata.com/realestate/maps/downloads/mgaxctrlv65.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
    DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
    DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://www.pyramidreo.com/ImageUploader4.cab
    DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://pro.realquest.com/mapviewer/mapviewer.cab
    TCP: {30BBADAE-3AF0-48DB-BFFA-9AD645AF925A} = 208.67.220.220,208.67.222.222
    Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Notify: igfxcui - igfxdev.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 AFS;AFS;c:\windows\system32\drivers\AFS.SYS [2009-11-8 79052]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-25 64160]
    R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-3-15 192512]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2007-11-4 1153368]
    R2 SPDFCreatorPlusReadSpool;SolidPDFPlusCreatorReadSpool;c:\windows\installer\MSIF8BC.tmp [2009-2-26 189696]
    R2 SPDFToolsReadSpool;SolidPDFToolsCreatorReadSpool;c:\windows\installer\MSIEE5E.tmp [2009-2-26 189696]
    S2 gupdate1c9bca6f4ea33cd;Google Update Service (gupdate1c9bca6f4ea33cd);c:\program files\google\update\GoogleUpdate.exe [2009-4-13 133104]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-5 21504]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]

    =============== Created Last 30 ================

    2010-02-04 16:26:11 0 d-sh--w- C:\$RECYCLE.BIN
    2010-01-28 01:49:48 0 d-----w- c:\programdata\Sun
    2010-01-27 04:11:30 0 d---a-w- c:\programdata\TEMP
    2010-01-23 04:13:42 0 d-----w- c:\program files\SpywareBlaster
    2010-01-13 01:05:25 72704 ----a-w- c:\windows\system32\fontsub.dll
    2010-01-13 01:05:25 156672 ----a-w- c:\windows\system32\t2embed.dll

    ==================== Find3M ====================

    2010-01-14 18:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-12-20 17:38:40 174 --sha-w- c:\program files\desktop.ini
    2009-12-18 00:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-12-10 05:54:07 261632 ----a-w- c:\windows\PEV.exe
    2009-11-09 12:31:42 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-11-09 12:30:03 30720 ----a-w- c:\windows\system32\httpapi.dll
    2009-11-03 10:12:31 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-11-03 10:12:31 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-11-03 10:12:31 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-11-03 10:12:31 143360 ----a-w- c:\windows\inf\infstrng.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-07-01 05:52:25 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-07-08 05:12:34 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2009-07-08 13:24:51 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2009-07-08 13:24:51 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
    2009-07-08 13:24:51 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
    2009-07-08 13:24:51 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
    2009-07-08 05:12:34 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
    2009-06-13 15:42:45 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

    ============= FINISH: 10:29:21.56 ===============
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/9/2007 2:02:05 PM
    System Uptime: 2/4/2010 9:54:33 AM (1 hours ago)

    Motherboard: ECS | | 945GCT-M
    Processor: Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz | CPU 1 | 2200/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 40.657 GiB free.
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable
    K: is Removable
    L: is FIXED (NTFS) - 932 GiB total, 390.111 GiB free.
    P: is NetworkDisk (NTFS) - 149 GiB total, 97.738 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
    Description: Standard PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&16DB80C5&0
    Manufacturer: (Standard keyboards)
    Name: Standard PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&16DB80C5&0
    Service: i8042prt

    Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMTSSTCORP_CD/DVDW_SH-S182M_______________SB03____\5&25517784&0&0.0.0
    Manufacturer: (Standard CD-ROM drives)
    Name: TSSTcorp CD/DVDW SH-S182M ATA Device
    PNP Device ID: IDE\CDROMTSSTCORP_CD/DVDW_SH-S182M_______________SB03____\5&25517784&0&0.0.0
    Service: cdrom

    Class GUID: {4d36e965-e325-11ce-bfc1-08002be10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMIOMEGA_RRD______________________________74.B____\5&25517784&0&0.1.0
    Manufacturer: (Standard CD-ROM drives)
    Name: Iomega RRD ATA Device
    PNP Device ID: IDE\CDROMIOMEGA_RRD______________________________74.B____\5&25517784&0&0.1.0
    Service: cdrom

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    7-Zip 4.58 beta
    AAA Logo 2009 Home Edition 3.0 Free Trial
    Ad-Aware
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Color Common Settings
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe InDesign CS3
    Adobe Reader 8.2.0
    Adobe Setup
    Aldelo For Restaurants
    APC PowerChute Personal Edition
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Aurigma Image Uploader 5.7 Redistributable
    Bonjour
    Brother BRAdmin Professional 2.81
    Brother Internet Print 1.65
    CadStd
    CAM UnZip 4.42
    Compatibility Pack for the 2007 Office system
    Core FTP LE 2.0
    CP210x USB to UART Bridge Controller
    DisplayKEY USB Cradle version 0.7.2
    eChef
    eFax Messenger
    ERUNT 1.1j
    ESET Online Scanner v3
    ExpressPCB
    Ez-Architect 4
    Fast Plans 12
    FormViewer
    Garmin USB Drivers
    Garmin WebUpdater
    Gena PhotoStamper 2.1.6
    Genie Backup Manager Home 8.0
    Google Earth
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    GoToMeeting 4.0.0.320
    GSiteCrawler
    Heavy Weather History File Editor
    HeavyWeatherPublisher 1.0
    HeavyWeatherReview 1.0
    HijackThis 2.0.2
    Home Plan Pro version 5.2.18.17
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Jasc Paint Shop Photo Album
    Java Auto Updater
    Java(TM) 6 Update 18
    Label Magic
    LightScribe Applications
    LightScribe System Software 1.14.17.1
    Logitech Desktop Messenger
    Logitech Harmony Remote Software 7
    Macromedia Shockwave Player
    magicolor 2300 DL
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Office 2000 Professional
    Microsoft Office Live Meeting 2005
    Microsoft Publisher 98
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual J# 2.0 Redistributable Package
    Microsoft Web Publishing Wizard 1.52
    Microsoft Works 6-9 Converter
    Microsoft WSE 3.0 Runtime
    MPLAB Tools v7.60
    MS Works Spreadsheet to XLS Converter
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    NetObjects Fusion 10.0
    NetObjects Fusion 11.0
    ODF Add-in for Microsoft Word
    OGA Notifier 2.0.0048.0
    OpenSSL 0.9.7f
    Paint.NET v3.5.1
    PanaVue ImageAssembler 3.5.0
    PayPal Plug-In
    PC Inspector File Recovery
    PIC16F690 Lessons
    PICkit2 v2.11
    PokerStars
    Professional Real Estate 2001
    ProMash
    PTGui 8.0.2
    QuickBooks
    QuickBooks Simple Start 2010 Free Edition
    QuickTime
    Remote Control USB Driver
    Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
    Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
    Solid PDF Creator Plus
    Solid PDF Tools
    Spybot - Search & Destroy
    SpywareBlaster 4.2
    The MultiForm Solution
    The Print Shop 21
    TourBuilder V3
    UIWeather
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Weather Display 10.37O
    Weather Watcher
    Web CEO 8.0
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)

    ==== End Of File ===========================

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Please run Windows search for the ComboFix4.txt file.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  9. #9
    Member
    Join Date
    Jan 2006
    Posts
    41

    Default

    It does not exist? I can tell you I did not delete it myself.

  10. #10
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file check.bat, change the Save as type to all files and save it to your desktop.
    Code:
    @echo off
    dir /s/a c:\combofix*.txt >c:\logit.txt
    start c:\logit.txt
    
    Double-click on check.bat file to execute it. Notepad should open up. Post back its contents, please.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
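    As an added example, not part of the thread and not Blade81's script: the same search written in PowerShell. It goes beyond the batch file above in that it covers every fixed drive rather than only C:, includes hidden and system files (the equivalent of dir /a), records each file's size and timestamps so a helper can see when a log was created or last changed, and counts directories it could not read instead of silently skipping them. The file pattern, the report file name and all variable names are this example's own assumptions.

    ```powershell
    # Added example, not Blade81's script: search every fixed drive for ComboFix
    # log files and write a report to the desktop. The file pattern, the report
    # file name and all variable names are this example's own assumptions.

    $pattern    = 'combofix*.txt'
    $reportPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'combofix-search.txt'

    # Fixed local disks that are ready; removable and network drives are skipped.
    $drives = [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.IsReady } |
        ForEach-Object { $_.RootDirectory.FullName }

    $searchErrors = @()
    $results = foreach ($root in $drives) {
        # -Force includes hidden and system files, like 'dir /a'; directories that
        # cannot be opened are recorded in $searchErrors instead of stopping the run.
        Get-ChildItem -Path $root -Filter $pattern -Recurse -Force `
            -ErrorAction SilentlyContinue -ErrorVariable +searchErrors |
            Where-Object { -not $_.PSIsContainer }
    }

    $report = @()
    $report += "ComboFix log search run at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
    $report += "Pattern: $pattern"
    $report += "Drives searched: $($drives -join ', ')"
    $report += ''

    if ($results) {
        foreach ($f in $results) {
            $report += '{0}  ({1} bytes, created {2}, modified {3})' -f `
                $f.FullName, $f.Length, $f.CreationTime, $f.LastWriteTime
        }
    } else {
        $report += 'No files matching the pattern were found on the drives searched.'
    }

    if ($searchErrors.Count -gt 0) {
        $report += ''
        $report += "$($searchErrors.Count) location(s) could not be read (access denied or in use)."
    }

    $report | Set-Content -Path $reportPath
    Start-Process notepad.exe $reportPath
    ```

    Save the text as a .ps1 file and run it from a PowerShell prompt; the report opens in Notepad the same way the batch file's logit.txt does. The timestamps are the useful addition for a case like this one: if a ComboFix4.txt is found, its creation and modification times show whether it belongs to the current run, and if nothing is found, the count of unreadable locations tells you whether the search was actually complete.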
