PDA

View Full Version : Worst virus (malware?) I've ever had ....


dsc123
2009-11-05, 06:06
Not sure how my computer picked it up but here's a list of symptoms:
- Spybot, Hijackthis, Malwarebytes all run the first time for a brief second and then are disabled. Trying to run them a second time gives the "Windows cannot access the specified device ...."
- Browser (IE, Firefox, Chrome) navigation ends up redirecting to junk sites however search results are accessible by first entering through the 'cached' version.
- Computer will not boot normally - ONLY comes up in Safe Mode (with and without Network Support)
- My previous restore points have been wiped (or appear to be unavailable)
- I can boot off a Vista DVD and have run Spybot from the command line but two full runs have turned up nothing but a few benign tracking cookies
- DDS.scr does not run
- exeHelper runs but has no effect

My system is a Sony Vaio VGN-FW290 laptop running Vista Business

I have been searching though these forums for ideas and you are currently helping another poor soul who's virus symptoms sound very similar to mine. For reference, his username is Mirrabooka.
Based on the help you have provided him I ran Win32kDiag.exe. I've posted the log below an await your guidance on what to do next.

Thank-you ahead of time!

Win32kDiag log:
Running from: C:\Win32kDiag.exe

Log file at : C:\Users\Dave\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Found mount point : C:\Windows\AppPatch\Custom\Custom

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.GpmgmtLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Private.GpmgmtpLib\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\GAC_MSIL\Microsoft.GroupPolicy.GPOAdminGrid\2.0.0.0__31bf3856ad364e35\2.0.0.0__31bf3856ad364e35

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP23FD.tmp\ZAP23FD.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3255.tmp\ZAP3255.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP862F.tmp\ZAP862F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD6AF.tmp\ZAPD6AF.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD8E1.tmp\ZAPD8E1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE4F1.tmp\ZAPE4F1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-10-31 05:03:37 12 C:\Windows\bthservsdp.dat ()



Found mount point : C:\Windows\CSC\v2.0.6\namespace\namespace

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\CSC\v2.0.6\pq

[1] 2008-12-16 07:41:32 64 C:\Windows\CSC\v2.0.6\pq ()



Cannot access: C:\Windows\CSC\v2.0.6\temp\ea-{cdf09c82-cb87-11dd-9e8f-001dba80921b}

[1] 2008-12-16 07:41:32 0 C:\Windows\CSC\v2.0.6\temp\ea-{cdf09c82-cb87-11dd-9e8f-001dba80921b} ()



Found mount point : C:\Windows\Drivers\EXE\Audio Driver (Realtek)\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Drivers\EXE\Audio Driver (Realtek) (HDMI)\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Globalization\Globalization

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Help\Corporate\Corporate

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\0D756077321A70C3E844C138CE981581\8.0.50727\8.0.50727

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\50512592984F2284DAAF236CED4E1F41\8.0.6\8.0.6

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\52AA03B593FB4EB4F8EE1539B8BA12D4\8.0.135\8.0.135

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\52CB9D6ECBD08634E8A4D7EE0866C19D\8.0.148\8.0.148

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\6FBF530DFEDFD78498ACF6D90DB787F3\1.2.702\1.2.702

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\AC1F0757D610CA645B68DC4746E5BF25\8.0.211\8.0.211

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\E16AD44FD02797E478F16F6E823B2324\3.0.9358\3.0.9358

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Installer\$PatchCache$\Managed\FC62732BFB866A144ABE271FF278EF50\8.0.63\8.0.63

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\LiveKernelReports\LiveKernelReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Microsoft.NET\authman\authman

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ModemLogs\ModemLogs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\nap\configuration\configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Panther\setup.exe\setup.exe

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\PLA\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\pss\pss

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SchCache\SchCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\security\templates\templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\Tfs_DAV

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\Description Documents\Description Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\LocalService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Media Player\Art Cache\LocalMLS\LocalMLS

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\GameExplorer

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD\SCPD

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Quick Launch

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Network Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Printer Shortcuts

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\Templates

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Documents\Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Downloads\Downloads

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Links\Links

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Music\Music

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Pictures\Pictures

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Saved Games\Saved Games

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\ServiceProfiles\NetworkService\Videos\Videos

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\057d458a5288ce359a4a46636ed70a4e\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18842_none_83af6d0646d60121\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18842_none_83af6d0646d60121

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\057d458a5288ce359a4a46636ed70a4e\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22933_none_8444da075fea9e51\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22933_none_8444da075fea9e51

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.16926_en-us_2185ec15e486221c

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6000.21125_en-us_220e60b8fda4dbd1

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.18330_en-us_235b5913e1ba36f4

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6001.22520_en-us_23efc7b0facfb7f4

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.18111_en-us_25586d03decf6ab4

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d\x86_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.0.6002.22223_en-us_25d93a76f7f3591d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.16926_en-us_dd0695ced5a51138

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6000.21125_en-us_dd8f0a71eec3caed

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.18330_en-us_dedc02ccd2d92610

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6001.22520_en-us_df707169ebeea710

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.18111_en-us_e0d916bccfee59d0

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839\x86_microsoft-windows-m..yer-setup.resources_31bf3856ad364e35_6.0.6002.22223_en-us_e159e42fe9124839

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16926_none_0973ec0f51fdf005

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.21125_none_09fc60b26b1ca9ba

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18330_none_0b49590d4f3204dd

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22520_none_0bddc7aa684785dd

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.18111_none_0d466cfd4c47389d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6002.22223_none_0dc73a70656b2706

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.16926_none_abfdf271d96f105d

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6000.21125_none_ac866714f28dca12

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.18330_none_add35f6fd6a32535

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6001.22520_none_ae67ce0cefb8a635

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.18111_none_afd0735fd3b858f5

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\Download\1abf59ad881ccbd69aeb722934f822df\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.0.6002.22223_none_b05140d2ecdc475e

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\PostRebootEventCache\PostRebootEventCache

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\SoftwareDistribution\ScanFile\ScanFile

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\System32\cngaudit.dll

[1] 2006-11-02 01:46:03 61952 C:\Windows\System32\cngaudit.dll ()

[2] 2006-11-02 01:46:03 11776 C:\Windows\System32\logevent.dll (Microsoft Corporation)

[1] 2006-11-02 01:46:03 11776 C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll (Microsoft Corporation)



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-11-04 19:41:21 77368 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-11-04 19:50:57 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl

[1] 2009-11-04 19:50:58 0 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-11-04 19:51:17 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-11-04 19:51:17 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl

[1] 2009-10-30 22:14:38 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMuroc System Trace.etl ()



Cannot access: C:\Windows\System32\mrt.exe

[1] 2009-10-02 11:01:58 25198016 C:\Windows\System32\mrt.exe ()

[1] 2008-01-20 18:25:19 52696 C:\Windows\winsxs\x86_microsoft-windows-malwareremovaltool_31bf3856ad364e35_6.0.6001.18000_none_d3909ca1dd6bb475\mrt.exe (Microsoft Corporation)



Cannot access: C:\Windows\System32\WerFault.exe

[1] 2009-04-10 22:28:11 217088 C:\Windows\System32\WerFault.exe ()

[1] 2008-01-20 18:24:31 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe (Microsoft Corporation)

[1] 2008-01-20 18:24:31 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe (Microsoft Corporation)

[1] 2008-09-19 20:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)

[1] 2009-04-10 22:28:11 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe ()



Found mount point : C:\Windows\Temp\BTN%Copy%1\BTN%Copy%2\BTN%Copy%2

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\Temp\SiteAdvisor\SiteAdvisor

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\tracing\tracing

Mount point destination : \Device\__max++>\^

Found mount point : C:\Windows\winsxs\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Cannot access: C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe

[1] 2009-04-10 22:28:11 217088 C:\Windows\System32\WerFault.exe ()

[1] 2008-01-20 18:24:31 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18000_none_70071ca23cc95139\WerFault.exe (Microsoft Corporation)

[1] 2008-01-20 18:24:31 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.18145_none_6fe0e04a3ce53cd7\WerFault.exe (Microsoft Corporation)

[1] 2008-09-19 20:00:16 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6001.22271_none_70460c29561ecb18\WerFault.exe (Microsoft Corporation)

[1] 2009-04-10 22:28:11 217088 C:\Windows\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6002.18005_none_71f295ae39eb1c85\WerFault.exe ()


Finished!
Blade81
2009-11-07, 17:01
Hi,

You shouldn't follow steps given to other user since these are unique cases and not one-fix-fits-all type instructions exists.

Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.

Files to move:
C:\Windows\System32\logevent.dll|C:\Windows\System32\cngaudit.dll
In the avenger window, click the Paste Script from Clipboard, http://img220.imageshack.us/img220/8923/pastets4.png button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.


Please save this (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe) file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the Open box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
dsc123
2009-11-08, 23:39
Ok, ran things per your instructions, no problems. Here is the log:

Running from: C:\Users\Dave\Desktop\win32kdiag.exe

Log file at : C:\Users\Dave\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Microsoft-Windows-Backup.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl



Finished!
Blade81
2009-11-09, 07:04
Good. Let's continue :)

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.
dsc123
2009-11-09, 07:16
DDS ran fine here are the logs:

***********************************************
***********************************************
***********************************************
DDS.TXT
***********************************************
***********************************************
***********************************************

DDS (Ver_09-10-26.01) - NTFSx86 NETWORK
Run by Dave at 22:09:20.47 on Sun 11/08/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2526.1525 [GMT -8:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Users\Dave\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dave\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dave\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dave\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dave\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Dave\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = Preserve
uStart Page = hxxp://www.sony.com/vaiopeople_f08
uDefault_Page_URL = hxxp://www.sony.com/vaiopeople_f08
mStart Page = hxxp://www.sony.com/vaiopeople_f08
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople_f08
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot\TeaTimer.exe
mRun: [<NO NAME>]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SmartWiHelper] "c:\program files\sony corporation\smartwi connection utility\SmartWiHelper.exe" /WindowsStartup
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Cleanup] C:\cleanup.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\cf3rdum9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [2009-3-11 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\drivers\tdrpm174.sys [2009-3-11 971552]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-10-30 4232704]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-8-14 9344]
S2 gupdate1c9a536773d1a80;Google Update Service (gupdate1c9a536773d1a80);c:\program files\google\update\GoogleUpdate.exe [2009-3-14 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 IOGEARServerService;IOGEARServerService;c:\program files\iogear\iogearusbserver\IOGEARServerService.exe [2008-3-17 188416]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-23 92296]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S2 RtkAudioService;Realtek Audio Service;c:\windows\RTKAUDIOSERVICE.EXE [2008-8-14 104992]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot\SDWinSec.exe [2009-11-5 1153368]
S2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2008-12-23 185640]
S2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2008-8-14 411488]
S2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-8-14 29736]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 IOGEARPNPX_1868Server;IOGEAR Network USB Device;c:\windows\system32\drivers\IOGEAR_PnpX_Server.sys [2008-3-12 140288]
S3 isftrm;isftrm;c:\windows\system32\isftrm.sys [2009-10-31 4096]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2009-11-08 22:21:34 19286 ----a-w- C:\cleanup.exe
2009-11-07 11:35:31 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-07 09:02:28 65536 --sha-w- c:\users\dave\ntuser.dat{0d978bda-cb7c-11de-9e98-001dba80921b}.TM.blf
2009-11-07 09:02:28 524288 --sha-w- c:\users\dave\ntuser.dat{0d978bda-cb7c-11de-9e98-001dba80921b}.TMContainer00000000000000000002.regtrans-ms
2009-11-07 09:02:28 524288 --sha-w- c:\users\dave\ntuser.dat{0d978bda-cb7c-11de-9e98-001dba80921b}.TMContainer00000000000000000001.regtrans-ms
2009-11-07 08:25:33 65536 --sha-w- c:\users\dave\ntuser.dat{01f33501-cb77-11de-8fe3-001dba80921b}.TM.blf
2009-11-07 08:25:33 524288 --sha-w- c:\users\dave\ntuser.dat{01f33501-cb77-11de-8fe3-001dba80921b}.TMContainer00000000000000000002.regtrans-ms
2009-11-07 08:25:33 524288 --sha-w- c:\users\dave\ntuser.dat{01f33501-cb77-11de-8fe3-001dba80921b}.TMContainer00000000000000000001.regtrans-ms
2009-11-06 05:26:43 0 d-----w- c:\program files\Spybot
2009-11-05 09:55:02 77312 ----a-w- c:\windows\MBR.exe
2009-11-05 09:55:00 98816 ----a-w- c:\windows\sed.exe
2009-11-05 09:55:00 267264 ----a-w- c:\windows\PEV.exe
2009-11-05 09:55:00 161792 ----a-w- c:\windows\SWREG.exe
2009-11-05 09:40:25 0 d-----w- C:\7e40d48354485e73247e56200942f7
2009-11-05 08:12:50 135168 ----a-w- C:\zip.exe
2009-11-05 04:17:16 47616 ----a-w- C:\Win32kDiag.exe
2009-11-04 11:55:41 0 d-----w- C:\_OTL
2009-11-04 10:26:30 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-04 10:21:59 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-04 10:01:06 0 dc----w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-04 09:39:47 0 d-----w- c:\program files\HJT
2009-11-02 06:24:31 574 ----a-w- C:\cleanup.bat
2009-10-31 21:51:05 1673 ----a-w- C:\avexport.bat
2009-10-31 21:34:53 0 d-----w- C:\setacl-cmdline-2.0.3.0-binary-x86
2009-10-31 14:26:28 0 d--h--w- c:\windows\PIF
2009-10-31 14:18:54 0 d-----w- c:\program files\Windows Journal
2009-10-31 13:29:29 4096 ----a-w- c:\windows\system32\isftrm.sys
2009-10-31 13:24:43 0 d-----w- c:\program files\ZeroWave
2009-10-31 13:19:37 0 d-----w- c:\program files\WinPcap
2009-10-31 07:03:39 0 d-----w- c:\users\dave\appdata\roaming\Malwarebytes
2009-10-31 07:03:32 0 d-----w- c:\programdata\Malwarebytes
2009-10-31 06:48:50 0 d-----w- c:\program files\Trend Micro
2009-10-31 06:25:52 0 d-----w- c:\programdata\Yahoo! Companion
2009-10-31 06:25:51 0 d-----w- c:\program files\Yahoo!
2009-10-31 03:38:39 4232704 ----a-w- c:\windows\system32\drivers\NETw5v32.sys
2009-10-31 03:38:38 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-10-30 06:38:19 0 d-----w- C:\found.001
2009-10-30 06:18:32 10216 ----a-w- c:\windows\system32\drivers\DMICall.sys
2009-10-29 16:37:27 0 d-----w- c:\program files\Windows Portable Devices
2009-10-29 16:37:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-29 16:37:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-29 16:36:22 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-10-29 16:36:20 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-10-29 16:36:20 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-10-29 16:34:02 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-29 16:34:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-29 16:34:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-29 16:33:24 675152 ----a-w- c:\windows\system32\gpprefcl.dll
2009-10-29 16:33:22 28274 ----a-w- c:\windows\system32\wbem\polprocl.mof
2009-10-29 16:22:36 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 08:27:15 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-29 08:27:13 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-29 07:46:37 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-10-29 07:46:37 23552 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2009-10-28 04:28:17 0 d-----w- C:\found.000
2009-10-21 15:23:40 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-14 05:40:15 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 05:40:11 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 05:40:10 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe

==================== Find3M ====================

2009-10-31 14:20:26 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 14:20:26 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-31 14:20:25 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-31 14:20:25 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-29 07:46:34 800768 ----a-w- c:\windows\system32\advapi32.dll
2009-10-29 07:46:34 115712 ----a-w- c:\windows\system32\WinSCard.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:54 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:25 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-16 17:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-14 09:29:50 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-20 22:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:13 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2008-01-21 02:43:58 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:09:34.63 ===============

***********************************************
***********************************************
***********************************************
ATTACH.TXT
***********************************************
***********************************************
***********************************************
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume2
Install Date: 12/16/2008 7:42:56 AM
System Uptime: 11/8/2009 2:22:03 PM (8 hours ago)

Motherboard: Sony Corporation | | VAIO
Processor: Intel(R) Core(TM)2 Duo CPU T9400 @ 2.53GHz | N/A | 2526/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 225 GiB total, 11.89 GiB free.
E: is Removable
H: is CDROM (CDFS)
Q: is Removable

==== Disabled Device Manager Items =============

Class GUID: {6bdd1fc1-810f-11d0-bec7-08002be2092f}
Description: RICOH OHCI Compliant IEEE 1394 Host Controller
Device ID: PCI\VEN_1180&DEV_0832&SUBSYS_9035104D&REV_05\4&2115C92E&0&18F0
Manufacturer: RICOH
Name: RICOH OHCI Compliant IEEE 1394 Host Controller
PNP Device ID: PCI\VEN_1180&DEV_0832&SUBSYS_9035104D&REV_05\4&2115C92E&0&18F0
Service: ohci1394

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Acrobat.com
Acronis*True*Image*Home
Adobe AIR
Adobe Common File Installer
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Illustrator 10 Tryout
Adobe Photoshop 7.0
Adobe Premiere Elements 4.0
Adobe Premiere Elements 4.0 Templates
Adobe Reader 9.1.3
Adobe SVG Viewer 3.0
Agent Ransack Version 1.7.3
Alps Pointing-device for VAIO
AnswerWorks 5.0 English Runtime
Apple Software Update
ArcSoft TotalMedia 3
ArcSoft WebCam Companion 2
ATI Catalyst Install Manager
BlackBerry Desktop Software 5.0
BlackBerry Desktop Software 5.0.1
BlackBerry Device Software v4.5.0 for the BlackBerry 8310 smartphone
BlackBerry v4.2.2 for the 8310 Series Wireless Handheld
BlackBerry® Media Sync
Brain Fitness Program
Canon MP Navigator EX 1.0
Canon MP610 series
Canon MP610 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Czech
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Greek
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Russian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
Choice Guard
CINEMA 4D XL Release 7
Click to Disc
Click to Disc Editor
Compatibility Pack for the 2007 Office system
Content Transfer
Dolby Control Center
FedEx Desktop
ffdshow [rev 2527] [2008-12-19]
FileAlyzer
FileZilla Client 3.2.0
Filtered Noise Generator 1.0
Google Chrome
Google Earth
Google Earth Plug-in
Google SketchUp 7
Google Update Helper
Google Updater
HDAUDIO SoftV92 Data Fax Modem with SmartCP
Home Audiometer Hearing Test
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
In-Tune Multi-Instrument Tuner v1.97
Intel PROSet Wireless
Intel(R) PROSet/Wireless WiFi Software
interneTIFF 8.0-FREE (IE Browser)
IOGEAR USB Server
Java(TM) 6 Update 16
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
LimeWire 5.2.13
LocationFree Player
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office Live Add-in 1.4
Microsoft Office Live Meeting 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.15)
MSVCRT
MSXML 4.0 SP2 (KB954430)
Multi Tone Generator
Music Transfer
NCH Tone Generator
NWZ-S540 WALKMAN Guide
OGA Notifier 2.0.0048.0
OpenOffice.org 3.0
Pinnacle VideoSpin
PIXMA Extended Survey Program
Primo
PrimoPDF
QuickTime
Real Time Analyzer
RealPlayer
Realtek High Definition Audio Driver
RegAlyzer (OpenSBI Edition)
Rhinoceros 3.0
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio Easy Media Creator 10 LJ
Roxio Easy Media Creator Home
Roxio Media Manager
RunAlyzer
Setting Utility Series
Skins
SmartWi Connection Utility
Sony Picture Utility
Sony Video Shared Library
Spybot - Search & Destroy
TeamViewer 4
Test Tone Generator 4.32
TurboTax 2008
TurboTax 2008 wcaiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VAIO Control Center
VAIO Data Restore Tool
VAIO DVD Menu Data Basic
VAIO Event Service
VAIO Help and Support
VAIO Launcher
VAIO OOBE and Welcome Center
VAIO Power Management
VAIO Presentation Support
VAIO Update 4
VAIO Wallpaper Contents
WIDCOMM Bluetooth Software 6.2.0.4100
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Movie Maker Beta
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
WinDVD for VAIO
WinPcap 4.0.2
WinRAR archiver
Yahoo! Toolbar
ZeroWave 2.0

==== Event Viewer Messages From Past Week ========

11/8/2009 2:42:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
11/8/2009 2:26:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
11/8/2009 2:24:37 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
11/8/2009 2:24:04 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: DMICall mfehidk spldr Wanarpv6
11/8/2009 2:24:04 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
11/8/2009 2:23:17 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
11/8/2009 2:23:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
11/8/2009 2:23:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/8/2009 2:23:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
11/8/2009 2:22:54 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\System32\IWMSSvc.dll Error Code: 21
11/8/2009 2:19:36 PM, Error: EventLog [6008] - The previous system shutdown at 2:12:27 PM on 11/8/2009 was unexpected.
11/8/2009 2:10:41 PM, Error: EventLog [6008] - The previous system shutdown at 2:06:54 PM on 11/8/2009 was unexpected.
11/8/2009 2:05:18 PM, Error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
11/8/2009 2:00:43 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Roxio Hard Drive Watcher 9 service to connect.
11/8/2009 2:00:43 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
11/8/2009 10:06:19 PM, Error: volsnap [20] - The shadow copies of volume \\?...b87-11dd-9e8f-806e6f6e6963} were aborted because of a failed free space computation.
11/8/2009 1:59:56 PM, Error: EventLog [6008] - The previous system shutdown at 3:36:57 AM on 11/7/2009 was unexpected.
11/8/2009 1:58:53 PM, Error: volmgr [46] - Crash dump initialization failed!
11/7/2009 4:24:13 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McShield with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
11/7/2009 3:45:18 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
11/7/2009 2:02:08 AM, Error: EventLog [6008] - The previous system shutdown at 12:51:55 AM on 11/7/2009 was unexpected.
11/7/2009 1:52:06 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB976749 (Update) into Staging(Staging) state
11/7/2009 1:52:06 AM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB976749 (Update) into Resolved(Resolved) state
11/7/2009 1:51:50 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 976749-2_neutral_GDR from package KB976749(Update) into Staging(Staging) state
11/7/2009 1:51:50 AM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 976749-1_neutral_LDR from package KB976749(Update) into Staging(Staging) state
11/7/2009 1:51:15 AM, Error: Service Control Manager [7016] - The IOGEARServerService service has reported an invalid current state 0.
11/7/2009 1:25:12 AM, Error: EventLog [6008] - The previous system shutdown at 12:23:03 AM on 11/7/2009 was unexpected.
11/5/2009 9:32:55 PM, Error: EventLog [6008] - The previous system shutdown at 2:05:27 AM on 11/5/2009 was unexpected.
11/5/2009 9:32:35 PM, Error: volsnap [27] - The shadow copies of volume C: were aborted during detection because a critical control file could not be opened.
11/5/2009 9:26:09 PM, Error: volsnap [14] - The shadow copies of volume C: were aborted because of an IO failure on volume C:.
11/5/2009 3:00:47 AM, Error: Service Control Manager [7034] - The XAudioService service terminated unexpectedly. It has done this 1 time(s).
11/5/2009 3:00:15 AM, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
11/5/2009 2:43:43 AM, Error: EventLog [6008] - The previous system shutdown at 1:40:08 AM on 11/5/2009 was unexpected.
11/5/2009 2:16:59 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
11/5/2009 2:16:59 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
11/4/2009 8:52:55 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC DMICall mfehidk MPFP NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/4/2009 8:52:47 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
11/4/2009 4:45:45 AM, Error: EventLog [6008] - The previous system shutdown at 3:44:14 AM on 11/4/2009 was unexpected.
11/4/2009 3:34:09 AM, Error: Service Control Manager [7031] - The Windows Defender service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/4/2009 3:33:57 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Remote Procedure Call (RPC) service, but this action failed with the following error: A system shutdown has already been scheduled.
11/4/2009 3:33:57 AM, Error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
11/4/2009 3:33:28 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error: A system shutdown has already been scheduled.
11/4/2009 3:33:28 AM, Error: Service Control Manager [7031] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
11/4/2009 3:33:28 AM, Error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

==== End Of File ===========================
Blade81
2009-11-09, 09:19
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.


LimeWire


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:

I see you've run ComboFix (and other fixing tools) by yourself that is not recommended. Post contents of c:\ComboFix.txt file, please.
dsc123
2009-11-09, 17:28
Ok. Here's what just happened, followed by the ComboFix Log:
1. Limewire uninstalled
2. Downloaded latest Combofix from this link: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
3. Ran ComboFix starting in Safe Mode w/Networking
4. ComboFix popped up a window saying that Spybot was running and should be stopped. I fired up TaskMgr to do this but couldn't find the instance of Spybot (either as a Process or Service) so I clicked Ok to let ComboFix continue
5. Initial part of the run took about 3 minutes - then computer rebooted under control from ComboFix
6. Computer came back up normally!!!! (not in Safe Mode)
7. ComboFix window came back and the second half of the run took about 7 minutes and then completed without incident
8. Fired up Chrome browser to post this message and the ComboFix log but halfway through typing this message the computer froze
9. Waited a few minutes to see if it would come back - it didn't so I rebooted with the power button
10. On reboot I directed the computer back into Safe Mode w/Networking and now here I am.

Here's the ComboFix Log:
ComboFix 09-11-08.03 - Dave 11/09/2009 7:47.2.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2526.1631 [GMT -8:00]
Running from: c:\users\Dave\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-09 to 2009-11-09 )))))))))))))))))))))))))))))))
.

2009-11-09 15:50 . 2009-11-09 15:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-07 11:34 . 2009-11-07 11:34 -------- d-----w- c:\windows\Sun
2009-11-06 05:26 . 2009-11-06 05:29 8192 d-----w- c:\program files\Spybot
2009-11-05 09:40 . 2009-11-05 09:40 -------- d-----w- C:\7e40d48354485e73247e56200942f7
2009-11-05 08:12 . 2009-11-08 22:21 135168 ----a-w- C:\zip.exe
2009-11-05 04:17 . 2009-11-04 22:56 47616 ----a-w- C:\Win32kDiag.exe
2009-11-04 11:55 . 2009-11-04 11:55 -------- d-----w- C:\_OTL
2009-11-04 10:26 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-04 10:21 . 2009-11-04 10:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-04 09:39 . 2009-11-04 09:40 -------- d-----w- c:\program files\HJT
2009-11-02 06:24 . 2009-11-08 22:21 574 ----a-w- C:\cleanup.bat
2009-10-31 21:51 . 2009-11-02 06:52 1673 ----a-w- C:\avexport.bat
2009-10-31 21:34 . 2009-10-31 21:35 -------- d-----w- C:\setacl-cmdline-2.0.3.0-binary-x86
2009-10-31 14:26 . 2009-11-05 05:15 -------- d--h--w- c:\windows\PIF
2009-10-31 14:18 . 2009-10-31 14:18 4096 d-----w- c:\program files\Windows Journal
2009-10-31 13:29 . 2009-10-31 13:29 4096 ----a-w- c:\windows\system32\isftrm.sys
2009-10-31 13:24 . 2009-10-31 13:24 -------- d-----w- c:\program files\ZeroWave
2009-10-31 13:19 . 2009-10-31 13:19 -------- d-----w- c:\program files\WinPcap
2009-10-31 07:03 . 2009-10-31 07:03 -------- d-----w- c:\users\Dave\AppData\Roaming\Malwarebytes
2009-10-31 06:48 . 2009-10-31 06:48 -------- d-----w- c:\program files\Trend Micro
2009-10-31 06:25 . 2009-10-31 06:25 -------- d-----w- c:\users\Dave\AppData\Roaming\Yahoo!
2009-10-31 06:25 . 2009-10-31 06:25 -------- d-----w- c:\program files\Yahoo!
2009-10-31 04:46 . 2009-10-31 05:10 295638360 ----a-w- c:\users\Dave\AppData\Roaming\Research In Motion\BlackBerry\Updates\6852A378-7780-4e08-B655-343C8D2C36AE\Extractor.exe
2009-10-31 03:38 . 2009-03-04 18:49 4232704 ----a-w- c:\windows\system32\drivers\NETw5v32.sys
2009-10-31 03:38 . 2008-06-20 17:33 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-10-30 06:38 . 2009-10-30 06:38 -------- d-----w- C:\found.001
2009-10-30 06:18 . 2008-07-11 23:42 10216 ----a-w- c:\windows\system32\drivers\DMICall.sys
2009-10-29 16:37 . 2009-10-29 16:37 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-29 16:36 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-10-29 16:36 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-10-29 16:36 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-10-29 16:34 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-29 16:34 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-29 16:34 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-29 16:33 . 2009-06-03 23:56 675152 ----a-w- c:\windows\system32\gpprefcl.dll
2009-10-29 16:22 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 08:27 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-29 08:27 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-29 07:46 . 2009-04-11 04:42 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-10-29 07:46 . 2008-01-21 02:23 23552 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2009-10-28 04:28 . 2009-10-28 04:28 -------- d-----w- C:\found.000
2009-10-21 15:23 . 2009-09-16 17:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-14 05:40 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 05:40 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 05:40 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-09 07:42 . 2009-04-06 03:52 1356 ----a-w- c:\users\Dave\AppData\Local\d3d9caps.dat
2009-11-05 08:56 . 2008-12-23 08:02 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-31 14:20 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 13:03 . 2008-08-14 17:27 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-30 11:39 . 2008-08-14 17:22 16384 d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 06:34 . 2008-12-22 20:53 4096 d-----w- c:\users\Dave\AppData\Roaming\Sony Corporation
2009-10-30 06:19 . 2008-08-14 18:57 4096 d-----w- c:\program files\Common Files\Sony Shared
2009-10-29 16:37 . 2009-10-29 16:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-29 16:37 . 2009-10-29 16:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-29 07:46 . 2009-06-01 06:41 800768 ----a-w- c:\windows\system32\advapi32.dll
2009-10-29 07:46 . 2009-06-01 06:41 115712 ----a-w- c:\windows\system32\WinSCard.dll
2009-10-26 15:43 . 2008-12-29 08:05 12288 d-----w- c:\users\Dave\AppData\Roaming\LimeWire
2009-10-21 15:31 . 2008-08-14 19:01 4096 d-----w- c:\program files\Java
2009-10-14 16:14 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-01 01:02 . 2009-10-29 16:35 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-29 16:35 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-29 16:35 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-29 16:35 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-29 16:35 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-29 16:35 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-29 16:35 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-29 16:35 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-29 16:35 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-29 16:35 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-29 16:35 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-29 16:35 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-29 16:35 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-29 16:35 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-29 16:35 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-10-01 01:01 . 2009-10-29 16:35 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-09-27 02:26 . 2009-09-27 02:26 -------- d-----w- c:\program files\Common Files\Vbox
2009-09-27 02:26 . 2008-08-14 19:00 4096 d-----w- c:\program files\Common Files\Adobe
2009-09-25 05:03 . 2008-08-14 19:01 8192 d-----w- c:\program files\Sony
2009-09-25 02:10 . 2009-10-29 16:35 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-29 16:35 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-29 16:35 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-29 16:35 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-29 16:35 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-29 16:35 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-29 16:35 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-29 16:35 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-29 16:35 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-29 16:35 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-29 16:35 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-29 16:35 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-29 16:35 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-29 16:35 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-29 16:35 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-29 16:35 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-29 16:35 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-29 16:35 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-29 16:35 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-29 16:35 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-29 16:35 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-29 16:35 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-29 16:35 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-29 16:35 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-29 16:35 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-29 16:35 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-29 16:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-23 05:46 . 2009-09-23 05:46 4096 d-----w- c:\program files\Home Audiometer
2009-09-23 05:46 . 2009-09-23 05:46 4096 d-----w- c:\program files\Real Time Analyzer
2009-09-23 05:46 . 2009-09-23 05:46 4096 d-----w- c:\program files\Filtered Noise Generator
2009-09-23 05:46 . 2009-09-23 05:46 4096 d-----w- c:\program files\Test Tone Generator
2009-09-23 05:43 . 2009-09-23 05:43 4096 d-----w- c:\program files\Multi Tone Generator
2009-09-23 02:16 . 2009-03-15 06:21 4096 d-----w- c:\program files\Google
2009-09-16 17:22 . 2008-12-23 08:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22 . 2008-12-23 08:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22 . 2008-12-23 08:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22 . 2008-12-23 08:46 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-14 09:29 . 2009-10-14 05:39 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-08 09:39 . 2008-12-22 18:48 100928 ----a-w- c:\users\Dave\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-04 11:41 . 2009-10-14 05:39 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 18:54 . 2009-08-31 18:54 447832 ----a-w- c:\users\Dave\AppData\Roaming\Research In Motion\BlackBerry\Updates\6852A378-7780-4e08-B655-343C8D2C36AE\BBDMUtil.dll
2009-08-31 18:54 . 2009-08-31 18:54 382296 ----a-w- c:\users\Dave\AppData\Roaming\Research In Motion\BlackBerry\Updates\6852A378-7780-4e08-B655-343C8D2C36AE\BlackBerrySetup.exe
2009-08-31 18:54 . 2009-08-31 18:54 2246808 ----a-w- c:\users\Dave\AppData\Roaming\Research In Motion\BlackBerry\Updates\6852A378-7780-4e08-B655-343C8D2C36AE\FLEXnet_patch_Q113020.exe
2009-08-29 00:27 . 2009-09-03 03:37 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-03 03:37 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-14 05:39 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 05:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 05:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 05:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-20 22:09 . 2009-08-20 22:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:27 . 2009-09-09 00:39 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 00:38 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 00:38 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 00:38 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 00:38 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 00:38 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 00:38 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 00:38 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 00:38 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 00:38 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 00:38 105984 ----a-w- c:\windows\system32\netiohlp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-07_08.15.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-11-09 15:55 52192 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2009-11-07 08:17 75490 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-11-09 15:55 75490 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-12-16 15:47 . 2009-11-09 15:58 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-16 15:47 . 2009-11-07 08:17 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-16 15:47 . 2009-11-09 15:58 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-16 15:47 . 2009-11-07 08:17 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-16 15:47 . 2009-11-07 08:17 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-16 15:47 . 2009-11-09 15:58 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-12-22 18:50 . 2009-11-09 15:55 8434 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2052172176-2512624384-1885053166-1000_UserData.bin
- 2009-11-07 08:13 . 2009-11-07 08:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-11-09 15:51 . 2009-11-09 15:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-11-07 08:13 . 2009-11-07 08:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-11-09 15:51 . 2009-11-09 15:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-06-01 06:27 . 2009-11-08 22:04 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-06-01 06:27 . 2009-11-05 09:49 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-11-07 11:35 . 2009-10-21 19:26 5943296 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.22942_none_f68c93f75132f82e\mshtml.dll
+ 2009-11-07 11:35 . 2009-10-21 10:40 5939712 c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.6001.18852_none_f5f82740381d7455\mshtml.dll
- 2006-11-02 10:22 . 2009-11-05 09:40 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2009-11-08 22:09 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-11-07 11:35 . 2009-10-21 10:40 5939712 c:\windows\System32\mshtml.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SpybotSD TeaTimer"="c:\program files\Spybot\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-16 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SmartWiHelper"="c:\program files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" [2008-06-27 77824]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-04-04 317280]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-07-30 497000]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-07-16 01:04 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):4e,80,5b,ef,86,e2,c9,01

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\System32\drivers\snman380.sys [3/11/2009 2:24 PM 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\System32\drivers\tdrpm174.sys [3/11/2009 2:24 PM 971552]
R2 IOGEARServerService;IOGEARServerService;c:\program files\IOGEAR\IOGEARUSBServer\IOGEARServerService.exe [3/17/2008 6:08 PM 188416]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/23/2008 12:52 AM 92296]
R2 regi;regi;c:\windows\System32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [8/14/2008 9:28 AM 29736]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [10/30/2009 7:38 PM 4232704]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [8/14/2008 9:31 AM 9344]
S2 gupdate1c9a536773d1a80;Google Update Service (gupdate1c9a536773d1a80);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2009 10:22 PM 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 6:24 PM 21504]
S3 IOGEARPNPX_1868Server;IOGEAR Network USB Device;c:\windows\System32\drivers\IOGEAR_PnpX_Server.sys [3/12/2008 4:30 PM 140288]
S3 isftrm;isftrm;c:\windows\System32\isftrm.sys [10/31/2009 5:29 AM 4096]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [11/6/2007 12:22 PM 34064]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-11-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-15 10:50]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-15 06:22]

2009-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-15 06:22]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052172176-2512624384-1885053166-1000Core.job
- c:\users\Dave\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 23:19]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052172176-2512624384-1885053166-1000UA.job
- c:\users\Dave\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 23:19]

2009-09-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 19:22]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 19:22]

2009-10-31 c:\windows\Tasks\User_Feed_Synchronization-{3EFD6F16-8FFB-4574-9BCF-EB3E16DEE690}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople_f08
mStart Page = hxxp://www.sony.com/vaiopeople_f08
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\cf3rdum9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 07:54
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Dave\AppData\Roaming\Microsoft\Windows\Cookies\Low\dave@craigslist[2].txt 77 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5828)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\FileZilla FTP Client\fzshellext.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\RtkAudioService.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
c:\program files\TeamViewer\Version4\TeamViewer_Service.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Sony\VAIO Power Management\SPMService.exe
c:\windows\system32\DllHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Spybot\SDWinSec.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\DllHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-11-09 8:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-09 16:00

Pre-Run: 12,830,736,384 bytes free
Post-Run: 10,201,821,184 bytes free

- - End Of File - - 1C621570D241E741559BF3A7D07A7478
dsc123
2009-11-09, 18:01
Not sure if this is relevant but here's more info:
1) After posting the previous message I restarted the computer (via software - the Start button, not by hardware - the Power button) and let it come back in Normal mode
2) On reboot the computer did an automatic CHKDSK which found a few things but ran surprisingly quickly. After the CHKDSK Windows came up smoothly and also surprisingly quickly
3) I started typing this message when the computer indicated that Java needed to update. I let it start and continued typing this message
4) About 30 seconds into the Java update the computer went, without warning, into a BSOD. I scrambled to get a pen and paper to write down info but the computer rebooted itself before I got any info written down

I guess that I'm not out of the woods yet :-(
dsc123
2009-11-09, 18:05
.... and of course I'm back in Safe Mode w/Networking and will stay here until you say it's ok to go back to Normal Mode.

Thanks for your help Blade !!!
Blade81
2009-11-09, 18:29
Hi,

What makes things more difficult here is that you had run tools by yourself before I began helping you. It's now difficult to get a clue of what bad items there were. That's why we have a warning topic about running fixes by oneself.

Try to reboot into normal mode and note down the error if one pops up.

To avoid automatic restart on error situation check that automatic restart is disabled:

1) Click on Start and then on Control Panel.

2) In the Control Panel double click to open System.

3) In the left panel under ‘Tasks’ click on Advanced system settings.

4) In the section labeled ‘Startup and Recovery’, click on the Settings button.

5) In the section labeled ‘System failure, remove the checkmark from ‘Automatically restart’.

6) Click Ok, OK to exit.
dsc123
2009-11-10, 00:00
I'm sorry about that. I'm typically pretty sulf-sufficient and so by the time I realized I was in over my head with this nasty virus/malware it was way too late. Also, I'm a dedicated PC guy but I'm currently getting a good deal of abuse from all my Mac 'friends' over this issue.

I'm at work right now but when I get home to my ailing computer I will turn off the automatic restart per your instructions and post the error messages back here.

Thanks again for your understanding, patience and sound advice!
dsc123
2009-11-10, 11:00
Hi Blade,

I've now gone through 5 reboot cycles in Normal Mode with no repeat of the BSOD, but the computer has been regularly freezing-up. The freezing does not seem to correlate with anything specific program or action.

Several times I have gotten a small error window popping up prior to the computer freezing. The error appears three different ways:

1) dwm.exe Application Error - The instruction at 0x00000000 referenced memory at 0x00000000. The memory could not be written. Click OK to terminate the program.

2) explorer.exe Application Error - The instruction at 0x7189e1d1 referenced memory at 0xffffffff. The memory could not be written. Click OK to terminate the program.

3) explorer.exe Application Error - The instruction at 0x718972ed referenced memory at 0x00000006. The memory could not be written. Click OK to terminate the program.

I have managed to run full virus/malware scans using the following programs:
- Kaspersky online scanner
- Spybot SD
- Malwarebytes
- TrendMicro Housecall
All of the above scans come up clean.

Am I virus-free and just dealing with the effects of the previous infection or is there something nasty still lurking in the shadows?

Thanks!
Blade81
2009-11-10, 16:01
Hi,

Do you recall having similar errors earlier before malware episode? Those errors could be caused by bad memory too.
dsc123
2009-11-10, 16:16
No, those errors are new. Before Malware my computer was great. After I posted my last message I downloaded Ad-Aware and ran a full scan. It found a few things. I'm posting the log below - can you tell if they were real threats or just false positives?

Logfile created: 11/10/2009 03:20:18
Lavasoft Ad-Aware version: 8.1.0
User performing scan: Dave

*********************** Definitions database information ***********************
Lavasoft definition file: 149.89
Genotype definition file version: 2009/09/30 07:18:14

******************************** Scan results: *********************************
Scan profile name: Full Scan (ID: full)
Objects scanned: 214676
Objects detected: 13


Type Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 4
Folders.........: 0
LSPs............: 0
Cookies.........: 9
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: C:\Users\Dave\Documents\FF\TVusbDongle\TVusbDongle.zip:TVusbDongle/x64/emmon.ex_ Family Name: Win32.Trojan.Harnig Engine: 1 Clean status: Success Item ID: 1219456 Family ID: 873 MD5: 0ff856dfc316a300c7a557b9da0c8d52
Description: C:\Users\Dave\Documents\From Old PC\TVusbDongle.zip:TVusbDongle/x64/emmon.ex_ Family Name: Win32.Trojan.Harnig Engine: 1 Clean status: Success Item ID: 1219456 Family ID: 873 MD5: 0ff856dfc316a300c7a557b9da0c8d52
Description: C:\Users\Dave\Downloads\atsc340u_V5.7.1119.071119.zip:atsc340u_5.7.1119.071119/x64/emmon.exe Family Name: Win32.Trojan.Harnig Engine: 1 Clean status: Success Item ID: 1219456 Family ID: 873 MD5: df458e1a9ed278356f4eb9520ae78d7a
Description: *live365* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408844 Family ID: 0
Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0
Description: *questionmarket* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408819 Family ID: 0
Description: *tribalfusion* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408785 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409172 Family ID: 0
Description: *live365* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408844 Family ID: 0
Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0
Description: *questionmarket* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408819 Family ID: 0
Description: *tribalfusion* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408785 Family ID: 0

Quarantined items:
Description: C:\Qoobox\Quarantine\C\cleanup.exe.vir Family Name: Win32.Trojan.Zapchast Engine: 1 Clean status: Success Item ID: 1388379 Family ID: 518673 MD5: d5816bddd4382975c1693cce68547fcc

Scan and cleaning complete: Finished correctly after 5087 seconds

*********************************** Settings ***********************************

Scan profile:
ID: full, enabled:1, value: Full Scan
ID: folderstoscan, enabled:1, value: C:\
ID: useantivirus, enabled:0, value: true
ID: sections, enabled:1
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true
ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
ID: usespywareheuristics, enabled:1, value: true
ID: heuristicslevel, enabled:1, value: mild, domain: medium,mild,strict

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily1, enabled:0, value: Daily 1
ID: time, enabled:0, value: Tue Nov 10 03:13:00 2009
ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:0
ID: monday, enabled:0, value: false
ID: tuesday, enabled:0, value: false
ID: wednesday, enabled:0, value: false
ID: thursday, enabled:0, value: false
ID: friday, enabled:0, value: false
ID: saturday, enabled:0, value: false
ID: sunday, enabled:0, value: false
ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:0, value:
ID: auto_deal_with_infections, enabled:0, value: false
ID: updatedaily2, enabled:0, value: Daily 2
ID: time, enabled:0, value: Tue Nov 10 09:13:00 2009
ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:0
ID: monday, enabled:0, value: false
ID: tuesday, enabled:0, value: false
ID: wednesday, enabled:0, value: false
ID: thursday, enabled:0, value: false
ID: friday, enabled:0, value: false
ID: saturday, enabled:0, value: false
ID: sunday, enabled:0, value: false
ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:0, value:
ID: auto_deal_with_infections, enabled:0, value: false
ID: updatedaily3, enabled:0, value: Daily 3
ID: time, enabled:0, value: Tue Nov 10 15:13:00 2009
ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:0
ID: monday, enabled:0, value: false
ID: tuesday, enabled:0, value: false
ID: wednesday, enabled:0, value: false
ID: thursday, enabled:0, value: false
ID: friday, enabled:0, value: false
ID: saturday, enabled:0, value: false
ID: sunday, enabled:0, value: false
ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:0, value:
ID: auto_deal_with_infections, enabled:0, value: false
ID: updatedaily4, enabled:0, value: Daily 4
ID: time, enabled:0, value: Tue Nov 10 21:13:00 2009
ID: frequency, enabled:0, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:0
ID: monday, enabled:0, value: false
ID: tuesday, enabled:0, value: false
ID: wednesday, enabled:0, value: false
ID: thursday, enabled:0, value: false
ID: friday, enabled:0, value: false
ID: saturday, enabled:0, value: false
ID: sunday, enabled:0, value: false
ID: monthly, enabled:0, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:0, value:
ID: auto_deal_with_infections, enabled:0, value: false
ID: updateweekly1, enabled:1, value: Weekly
ID: time, enabled:1, value: Tue Nov 10 03:13:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: true
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: true
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: autoentertainmentmode, enabled:0, value: true
ID: guimode, enabled:1, value: mode_simple, domain: mode_advanced,mode_simple
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: modules, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: true
ID: networkprotection, enabled:0, value: true
ID: layers, enabled:1
ID: useantivirus, enabled:0, value: true
ID: usespywareheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: DAVE-PC
Processor name: Intel(R) Core(TM)2 Duo CPU T9400 @ 2.53GHz
Processor identifier: x86 Family 6 Model 23 Stepping 6
Processor speed: ~2526MHZ
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 5894, number of processors 2, processor features: [MMX,SSE,SSE2,SSE3]
Physical memory available: 1235300352 bytes
Physical memory total: 2648825856 bytes
Virtual memory available: 1963593728 bytes
Virtual memory total: 2147352576 bytes
Memory load: 53%
Microsoft Windows Vista Business Edition, 32-bit Service Pack 2 (build 6002)
Windows startup mode:

Running processes:
PID: 608 name: C:\Windows\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 684 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 752 name: C:\Windows\System32\wininit.exe owner: SYSTEM domain: NT AUTHORITY
PID: 760 name: C:\Windows\System32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 796 name: C:\Windows\System32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 808 name: C:\Windows\System32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 816 name: C:\Windows\System32\lsm.exe owner: SYSTEM domain: NT AUTHORITY
PID: 896 name: C:\Windows\System32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1024 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1084 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1120 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1232 name: C:\Windows\System32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1252 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1276 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1288 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1420 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1468 name: C:\Windows\System32\SLsvc.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1512 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1600 name: C:\Windows\RTKAUDIOSERVICE.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 1648 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1760 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1768 name: C:\Windows\System32\wlanext.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1900 name: C:\Windows\System32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1928 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1168 name: C:\Windows\System32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2076 name: C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2096 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 2144 name: C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2204 name: C:\Program Files\Intel\WiFi\bin\EvtEng.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2408 name: C:\Program Files\Canon\IJPLM\ijplmsvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2444 name: C:\Program Files\IOGEAR\IOGEARUSBServer\IOGEARServerService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2492 name: C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2548 name: C:\Program Files\McAfee\SiteAdvisor\McSACore.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2612 name: C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2636 name: C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2644 name: C:\Windows\System32\rundll32.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2748 name: C:\Program Files\McAfee\MPF\MpfSrv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2788 name: C:\Windows\System32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 2876 name: C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3380 name: C:\Windows\System32\taskeng.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3548 name: C:\Windows\System32\taskeng.exe owner: Dave domain: Dave-PC
PID: 3580 name: C:\Windows\System32\dwm.exe owner: Dave domain: Dave-PC
PID: 3652 name: C:\Windows\explorer.exe owner: Dave domain: Dave-PC
PID: 3712 name: C:\Windows\System32\taskeng.exe owner: Dave domain: Dave-PC
PID: 4044 name: C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe owner: Dave domain: Dave-PC
PID: 2388 name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe owner: Dave domain: Dave-PC
PID: 1524 name: C:\Program Files\McAfee.com\Agent\mcagent.exe owner: Dave domain: Dave-PC
PID: 3092 name: C:\Program Files\Sony\ISB Utility\ISBMgr.exe owner: Dave domain: Dave-PC
PID: 1380 name: C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe owner: Dave domain: Dave-PC
PID: 812 name: C:\Program Files\Apoint\Apoint.exe owner: Dave domain: Dave-PC
PID: 3200 name: C:\Program Files\Java\jre6\bin\jusched.exe owner: Dave domain: Dave-PC
PID: 3216 name: C:\Program Files\Windows Sidebar\sidebar.exe owner: Dave domain: Dave-PC
PID: 3224 name: C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe owner: Dave domain: Dave-PC
PID: 3084 name: C:\Program Files\Spybot\TeaTimer.exe owner: Dave domain: Dave-PC
PID: 540 name: C:\Program Files\Windows Media Player\wmpnscfg.exe owner: Dave domain: Dave-PC
PID: 1548 name: C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe owner: Dave domain: Dave-PC
PID: 3600 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Dave domain: Dave-PC
PID: 2468 name: C:\Windows\System32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 3708 name: C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1212 name: C:\Program Files\Sony\VAIO Event Service\VESMgr.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3372 name: C:\Program Files\Sony\VAIO Power Management\SPMService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4004 name: C:\Windows\System32\dllhost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3480 name: C:\Windows\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1780 name: C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 3996 name: C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4116 name: C:\Windows\System32\dllhost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4180 name: C:\Windows\System32\SearchIndexer.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4252 name: C:\Windows\System32\drivers\XAudio.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4324 name: C:\Program Files\Spybot\SDWinSec.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4416 name: C:\Windows\System32\WUDFHost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 4888 name: C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE owner: SYSTEM domain: NT AUTHORITY
PID: 4332 name: C:\Windows\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5660 name: C:\Program Files\Windows Media Player\wmpnetwk.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 5732 name: C:\Windows\System32\wbem\WmiPrvSE.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5704 name: C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2016 name: C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5032 name: C:\Program Files\Apoint\ApMsgFwd.exe owner: Dave domain: Dave-PC
PID: 4688 name: C:\Program Files\Apoint\ApntEx.exe owner: Dave domain: Dave-PC
PID: 6012 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Dave domain: Dave-PC
PID: 2988 name: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1408 name: C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2252 name: C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 5528 name: C:\Windows\System32\msfeedssync.exe owner: Dave domain: Dave-PC
PID: 3012 name: C:\Windows\System32\wbem\WmiPrvSE.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 4400 name: C:\Windows\System32\wbem\WMIADAP.exe owner: SYSTEM domain: NT AUTHORITY

Startup items:
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: Windows Defender
imagepath: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
Name: TkBellExe
imagepath: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Name: StartCCC
imagepath: "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
Name: SmartWiHelper
imagepath: "C:\Program Files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" /WindowsStartup
Name: RoxWatchTray
imagepath: "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
Name: QuickTime Task
imagepath: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Name: mcagent_exe
imagepath: "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
Name: ISBMgr.exe
imagepath: "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
Name: ContentTransferWMDetector.exe
imagepath: C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
Name: Apoint
imagepath: C:\Program Files\Apoint\Apoint.exe
Name: Adobe Reader Speed Launcher
imagepath: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
Name: SunJavaUpdateSched
imagepath: "C:\Program Files\Java\jre6\bin\jusched.exe"
Name:
imagepath: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Name:
location: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan.lnk
imagepath: C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
Name:
location: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
imagepath: C:\Program Files\Microsoft Office\Office10\OSA.EXE
Name:
imagepath: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *

Running services:
Name: AcrSch2Svc
displayname: Acronis Scheduler2 Service
Name: AeLookupSvc
displayname: Application Experience
Name: Appinfo
displayname: Application Information
Name: Ati External Event Utility
displayname: Ati External Event Utility
Name: AudioEndpointBuilder
displayname: Windows Audio Endpoint Builder
Name: Audiosrv
displayname: Windows Audio
Name: BFE
displayname: Base Filtering Engine
Name: BITS
displayname: Background Intelligent Transfer Service
Name: Browser
displayname: Computer Browser
Name: BthServ
displayname: Bluetooth Support Service
Name: btwdins
displayname: Bluetooth Service
Name: clr_optimization_v2.0.50727_32
displayname: Microsoft .NET Framework NGEN v2.0.50727_X86
Name: CryptSvc
displayname: Cryptographic Services
Name: CscService
displayname: Offline Files
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: Dnscache
displayname: DNS Client
Name: DPS
displayname: Diagnostic Policy Service
Name: EapHost
displayname: Extensible Authentication Protocol
Name: EMDMgmt
displayname: ReadyBoost
Name: Eventlog
displayname: Windows Event Log
Name: EventSystem
displayname: COM+ Event System
Name: EvtEng
displayname: Intel® PROSet/Wireless Event Log
Name: fdPHost
displayname: Function Discovery Provider Host
Name: FDResPub
displayname: Function Discovery Resource Publication
Name: gpsvc
displayname: Group Policy Client
Name: gusvc
displayname: Google Software Updater
Name: hidserv
displayname: Human Interface Device Access
Name: IJPLMSVC
displayname: PIXMA Extended Survey Program
Name: IKEEXT
displayname: IKE and AuthIP IPsec Keying Modules
Name: IOGEARServerService
displayname: IOGEARServerService
Name: IPBusEnum
displayname: PnP-X IP Bus Enumerator
Name: iphlpsvc
displayname: IP Helper
Name: IviRegMgr
displayname: IviRegMgr
Name: KeyIso
displayname: CNG Key Isolation
Name: KtmRm
displayname: KtmRm for Distributed Transaction Coordinator
Name: LanmanServer
displayname: Server
Name: LanmanWorkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: lmhosts
displayname: TCP/IP NetBIOS Helper
Name: McAfee SiteAdvisor Service
displayname: McAfee SiteAdvisor Service
Name: mcmscsvc
displayname: McAfee Services
Name: McNASvc
displayname: McAfee Network Agent
Name: McProxy
displayname: McAfee Proxy Service
Name: McShield
displayname: McAfee Real-time Scanner
Name: McSysmon
displayname: McAfee SystemGuards
Name: MMCSS
displayname: Multimedia Class Scheduler
Name: MpfService
displayname: McAfee Personal Firewall Service
Name: MpsSvc
displayname: Windows Firewall
Name: Netman
displayname: Network Connections
Name: netprofm
displayname: Network List Service
Name: NlaSvc
displayname: Network Location Awareness
Name: nsi
displayname: Network Store Interface Service
Name: PcaSvc
displayname: Program Compatibility Assistant Service
Name: PlugPlay
displayname: Plug and Play
Name: PolicyAgent
displayname: IPsec Policy Agent
Name: ProfSvc
displayname: User Profile Service
Name: RasMan
displayname: Remote Access Connection Manager
Name: RegSrvc
displayname: Intel® PROSet/Wireless Registry Service
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: RtkAudioService
displayname: Realtek Audio Service
Name: SamSs
displayname: Security Accounts Manager
Name: SBSDWSCService
displayname: SBSD Security Center Service
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification Service
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: slsvc
displayname: Software Licensing
Name: Spooler
displayname: Print Spooler
Name: SSDPSRV
displayname: SSDP Discovery
Name: SstpSvc
displayname: Secure Socket Tunneling Protocol Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: SysMain
displayname: Superfetch
Name: TabletInputService
displayname: Tablet PC Input Service
Name: TapiSrv
displayname: Telephony
Name: TeamViewer4
displayname: TeamViewer 4
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: upnphost
displayname: UPnP Device Host
Name: UxSms
displayname: Desktop Window Manager Session Manager
Name: VAIO Event Service
displayname: VAIO Event Service
Name: VAIO Power Management
displayname: VAIO Power Management
Name: W32Time
displayname: Windows Time
Name: WdiSystemHost
displayname: Diagnostic System Host
Name: WebClient
displayname: WebClient
Name: WerSvc
displayname: Windows Error Reporting Service
Name: WinDefend
displayname: Windows Defender
Name: WinHttpAutoProxySvc
displayname: WinHTTP Web Proxy Auto-Discovery Service
Name: Winmgmt
displayname: Windows Management Instrumentation
Name: Wlansvc
displayname: WLAN AutoConfig
Name: wlidsvc
displayname: Windows Live ID Sign-in Assistant
Name: WMPNetworkSvc
displayname: Windows Media Player Network Sharing Service
Name: WPDBusEnum
displayname: Portable Device Enumerator Service
Name: wscsvc
displayname: Security Center
Name: WSearch
displayname: Windows Search
Name: wuauserv
displayname: Windows Update
Name: wudfsvc
displayname: Windows Driver Foundation - User-mode Driver Framework
Name: XAudioService
displayname: XAudioService
Blade81
2009-11-10, 17:56
Quarantined item is the one that ComboFix had removed already. Those listed under "removed items" I don't know. Where had you got them? If legit source then probably false positive.

Uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



Upload c:\windows\explorer.exe file to http://www.virustotal.com and post back the results


Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file check.bat, change the Save as type to all files and save it to your desktop.
@echo off
dir /s/a c:\windows\cngaudit.dll c:\windows\explorer.exe c:\windows\dwm.exe >Logit.txt
start Logit.txt
del %0

Double-click on check.bat file to execute it. Notepad should open up. Post back its contents, please.
dsc123
2009-11-11, 04:32
Combofix uninstall ran without incident.

Here's the Virus Total run log:
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.09 -
AhnLab-V3 5.0.0.2 2009.11.06 -
AntiVir 7.9.1.61 2009.11.09 -
Antiy-AVL 2.0.3.7 2009.11.09 -
Authentium 5.2.0.5 2009.11.08 -
Avast 4.8.1351.0 2009.11.08 -
AVG 8.5.0.423 2009.11.09 -
BitDefender 7.2 2009.11.09 -
CAT-QuickHeal 10.00 2009.11.09 -
ClamAV 0.94.1 2009.11.09 -
Comodo 2895 2009.11.09 -
DrWeb 5.0.0.12182 2009.11.09 -
eTrust-Vet 35.1.7111 2009.11.09 -
F-Prot 4.5.1.85 2009.11.08 -
F-Secure 9.0.15370.0 2009.11.09 -
Fortinet 3.120.0.0 2009.11.09 -
GData 19 2009.11.09 -
Ikarus T3.1.1.74.0 2009.11.09 -
Jiangmin 11.0.800 2009.11.09 -
K7AntiVirus 7.10.891 2009.11.07 -
Kaspersky 7.0.0.125 2009.11.09 -
McAfee 5796 2009.11.08 -
McAfee+Artemis 5796 2009.11.08 -
McAfee-GW-Edition 6.8.5 2009.11.09 -
Microsoft 1.5202 2009.11.09 -
NOD32 4587 2009.11.09 -
Norman 6.03.02 2009.11.09 -
nProtect 2009.1.8.0 2009.11.09 -
Panda 10.0.2.2 2009.11.08 -
PCTools 7.0.3.5 2009.11.09 -
Prevx 3.0 2009.11.09 -
Rising 22.21.00.05 2009.11.09 -
Sophos 4.47.0 2009.11.09 -
Sunbelt 3.2.1858.2 2009.11.08 -
Symantec 1.4.4.12 2009.11.09 -
TheHacker 6.5.0.2.063 2009.11.06 -
TrendMicro 9.0.0.1003 2009.11.09 -
VBA32 3.12.10.11 2009.11.09 -
ViRobot 2009.11.9.2027 2009.11.09 -
VirusBuster 4.6.5.0 2009.11.08 -
Additional information
File size: 2926592 bytes
MD5 : d07d4c3038f3578ffce1c0237f2a1253
SHA1 : 4b3bd605b63749ff255e048ca6f27aff95aec24a
SHA256: 135dd05678c8997b45982d77298dbdd98061c9d4fe43d77866846012eb061a04
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x25E33
timedatestamp.....: 0x49E01DA5 (Sat Apr 11 06:33:41 2009)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6BD15 0x6BE00 6.42 65eba3253a27a14fe8b3534030b7be61
.data 0x6D000 0x2164 0x2000 0.83 8d2597b8ca27314e6e6987b53b153d90
.rsrc 0x70000 0x2566A0 0x256800 7.04 e9c988e2d7bc4683dcec8a4fcb4b5c6d
.reloc 0x2C7000 0x5A20 0x5C00 6.74 a3b567255330d05abe32eb8a34f61792

( 19 imports )

> advapi32.dll: RegCloseKey, RegCreateKeyW, RegGetValueW, RegOpenKeyExW, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, UnregisterTraceGuids, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, EventWrite, EventEnabled, GetLengthSid, GetTokenInformation, OpenProcessToken, EventUnregister, EventRegister, GetUserNameW, RegDeleteValueW, RegEnumKeyExW, RegQueryInfoKeyW, TraceMessage, RegOpenKeyW, RegEnumKeyW, RegEnumValueW, CloseServiceHandle, OpenServiceW, OpenSCManagerW, QueryServiceStatus, CheckTokenMembership, ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, ConvertSidToStringSidW, StartServiceW, CreateWellKnownSid
> browseui.dll: -, -
> dwmapi.dll: DwmIsCompositionEnabled, -, DwmSetWindowAttribute, DwmEnableBlurBehindWindow, DwmQueryThumbnailSourceSize, DwmGetColorizationColor, DwmUpdateThumbnailProperties, DwmRegisterThumbnail, DwmUnregisterThumbnail
> gdi32.dll: GetStockObject, CombineRgn, GetLayout, CreatePatternBrush, OffsetViewportOrgEx, GdiAlphaBlend, GetTextExtentPoint32W, ExtTextOutW, SetWindowOrgEx, GetPixel, PatBlt, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, GetBkColor, CreateCompatibleBitmap, OffsetWindowOrgEx, SetBkColor, GetTextExtentPointW, GetClipBox, CreateDIBSection, CreateRectRgnIndirect, SetTextColor, SetBkMode, GetTextMetricsW, CreateFontIndirectW, CreateSolidBrush, GetObjectW, DeleteObject, CreateCompatibleDC, SelectObject, BitBlt, DeleteDC, GetDeviceCaps
> gdiplus.dll: GdiplusShutdown, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdiplusStartup, GdipCreateFromHDC, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipGetImageHeight, GdipGetImageWidth, GdipDisposeImage, GdipLoadImageFromFileICM, GdipLoadImageFromFile, GdipDeleteGraphics, GdipFree, GdipAlloc, GdipSetCompositingMode
> kernel32.dll: GetSystemTime, GetFileAttributesW, FindClose, FindNextFileW, FindFirstFileW, GetLocalTime, GetDateFormatW, GetTimeFormatW, GetLocaleInfoW, FlushInstructionCache, RaiseException, GetSystemWindowsDirectoryW, SetLastError, ReadFile, GetFileSize, CreateFileW, InterlockedCompareExchange, LoadLibraryA, SystemTimeToFileTime, ExpandEnvironmentStringsW, GlobalGetAtomNameW, MultiByteToWideChar, GetEnvironmentVariableW, GetCurrentProcessId, GetModuleHandleW, lstrlenW, OpenEventW, SetEvent, GetBinaryTypeW, EnterCriticalSection, LeaveCriticalSection, GetSystemTimeAsFileTime, CompareFileTime, GlobalFree, GetTickCount, MulDiv, GetUserDefaultLangID, GetPrivateProfileIntW, GetCurrentThread, GetThreadPriority, GetCurrentThreadId, SetThreadPriority, CompareStringOrdinal, lstrcmpiW, HeapSetInformation, SetErrorMode, CreateMutexW, ReleaseMutex, GetTimeZoneInformation, SetFilePointer, SetProcessShutdownParameters, GetSystemDirectoryW, CreateEventW, SetTermsrvAppInstallMode, RegisterApplicationRestart, ExitProcess, GetModuleFileNameW, GetPrivateProfileStringW, HeapDestroy, InitializeCriticalSection, DeleteCriticalSection, GetCurrentProcess, GetProcessHeap, HeapAlloc, QueryPerformanceFrequency, GetFileAttributesExW, QueueUserWorkItem, GetLongPathNameW, GetProcessTimes, TerminateThread, GetProcessId, CreateIoCompletionPort, GetQueuedCompletionStatus, GetWindowsDirectoryW, FormatMessageW, QueryFullProcessImageNameW, GlobalAlloc, DuplicateHandle, GetCurrentDirectoryW, WideCharToMultiByte, WriteFile, DeactivateActCtx, ActivateActCtx, ReleaseActCtx, CreateActCtxW, FindResourceExW, LoadResource, LockResource, GetUserDefaultUILanguage, LoadLibraryW, GetProcAddress, FreeLibrary, WaitForSingleObject, CreateProcessW, GetCommandLineW, GetStartupInfoW, CreateThread, AssignProcessToJobObject, ResumeThread, Sleep, QueryInformationJobObject, LocalAlloc, LocalFree, CloseHandle, OpenProcess, SetPriorityClass, GetPriorityClass, CreateJobObjectW, SetInformationJobObject, GetLastError, InterlockedDecrement, InterlockedIncrement, HeapFree, UnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetModuleHandleA, SetUnhandledExceptionFilter, InterlockedExchange, VirtualAlloc, VirtualFree, DelayLoadFailureHook
> msvcrt.dll: memset, _unlock, _ftol2_sse, _except_handler4_common, __set_app_type, memcpy, free, memmove, realloc, __dllonexit, _lock, _onexit, _terminate@@YAXXZ, _controlfp, _vsnwprintf, malloc, __wgetmainargs, _cexit, _exit, __p__fmode, _XcptFilter, exit, _wcmdln, _initterm, _amsg_exit, __setusermatherr, _adjust_fdiv, __p__commode
> ntdll.dll: NtOpenThreadToken, NtOpenProcessToken, RtlGetProductInfo, NtQueryInformationToken, NtClose, NtQueryInformationProcess, NtSetInformationProcess, WinSqmAddToStream, NtSetSystemInformation
> ole32.dll: CoTaskMemFree, CoCreateInstance, CoRegisterClassObject, CoRevokeClassObject, CoGetClassObject, OleInitialize, OleUninitialize, CoGetObject, StringFromGUID2, CoUninitialize, CoInitialize, RevokeDragDrop, RegisterDragDrop, CoRegisterMessageFilter, CoMarshalInterThreadInterfaceInStream, CoGetInterfaceAndReleaseStream, CoTaskMemAlloc, CoCreateFreeThreadedMarshaler, DoDragDrop, CoInitializeEx, CreateBindCtx, CoFreeUnusedLibraries, PropVariantClear
> oleaut32.dll: -, -, -, -, -, -
> powrprof.dll: GetPwrCapabilities
> propsys.dll: PSGetPropertyKeyFromName, PSPropertyKeyFromString, PSGetPropertyDescription, PSGetNameFromPropertyKey, VariantToBooleanWithDefault, VariantToInt32WithDefault, VariantToStringWithDefault, PSCreateMemoryPropertyStore, VariantToStringAlloc, PropVariantToStringAlloc
> rpcrt4.dll: RpcBindingFree, RpcStringFreeW, RpcBindingFromStringBindingW, NdrClientCall2, RpcStringBindingComposeW, I_RpcExceptionFilter, RpcBindingSetAuthInfoExW
> shdocvw.dll: -, -
> shell32.dll: -, -, -, -, -, -, -, -, SHGetDesktopFolder, -, SHBindToFolderIDListParent, -, -, -, -, -, -, SHGetIDListFromObject, -, -, -, -, -, -, SHCreateShellItemArrayFromIDLists, -, -, SHCreateItemFromIDList, SHCreateShellItemArrayFromShellItem, -, -, SHBindToFolderIDListParentEx, SHChangeNotify, SHAddToRecentDocs, DuplicateIcon, -, -, -, ShellExecuteW, -, -, SHGetPathFromIDListA, SHUpdateRecycleBinIcon, SHGetKnownFolderIDList, SHGetFolderPathEx, SHFileOperationW, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -, -, -, -, -, -, -, ExtractIconExW, -, -, -, -, SHGetSpecialFolderLocation, -, -, SHBindToParent, Shell_NotifyIconW, SHGetFolderPathAndSubDirW, Shell_GetCachedImageIndexW, SHGetFolderPathW, -, SHEvaluateSystemCommandTemplate, -, -, -, -, -, -, -, -, -, -, -, SHBindToObject, -, ShellExecuteExW, -, -, SHGetSpecialFolderPathW, -, SHParseDisplayName, -, SHGetFolderLocation, -, -, -, -, -
> shlwapi.dll: PathGetDriveNumberW, -, -, PathRemoveFileSpecW, -, -, SHRegGetUSValueW, -, StrDupW, PathQuoteSpacesW, -, -, -, -, StrChrIW, -, -, -, SHRegOpenUSKeyW, SHRegQueryUSValueW, StrCmpW, AssocQueryStringW, -, -, -, -, -, AssocQueryKeyW, PathParseIconLocationW, PathIsPrefixW, -, PathRemoveExtensionW, SHOpenRegStream2W, PathFileExistsW, -, -, -, -, PathFindExtensionW, SHQueryInfoKeyW, -, -, -, -, -, -, -, -, SHDeleteKeyW, PathAppendW, SHDeleteValueW, -, -, -, PathRemoveArgsW, PathRemoveBlanksW, StrCmpNIW, PathFindFileNameW, -, SHSetValueW, SHGetValueW, SHCreateThreadRef, SHSetThreadRef, -, -, PathCombineW, SHRegGetValueW, StrToIntW, -, -, -, PathGetArgsW, StrChrW, -, -, -, -, SHStrDupW, -, -, -, -, -, StrRetToBufW, -, -, -, -, -, -, StrRetToStrW, -, -, StrStrIW, -, -, PathMatchSpecW, PathIsRootW, PathIsNetworkPathW, SHQueryValueExW, AssocCreate, StrCmpIW, -, -, -, StrCmpNW, -, -, StrPBrkW, -, -, -, PathStripToRootW, -, PathIsDirectoryW, -
> slc.dll: SLGetWindowsInformationDWORD
> user32.dll: GetDlgItem, LoadCursorW, RegisterClassW, IsChild, SetTimer, MonitorFromRect, SetWindowTextW, SetClassLongW, GetClassInfoW, GetClassLongW, KillTimer, GetClassInfoExW, IsWindowEnabled, GetShellWindow, GetIconInfo, SetScrollInfo, GetLastActivePopup, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, IsWindowVisible, IsWindow, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, BeginDeferWindowPos, DeferWindowPos, EndDeferWindowPos, SetFocus, SetForegroundWindow, LoadMenuW, SetMenuInfo, SetMenuDefaultItem, GetSubMenu, TrackPopupMenuEx, LoadImageW, InsertMenuItemW, DestroyIcon, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharUpperBuffW, PostQuitMessage, LoadStringW, ShutdownBlockReasonCreate, GetWindowLongA, SetWindowLongW, UnregisterDeviceNotification, RegisterDeviceNotificationW, RegisterWindowMessageW, SetWindowPos, RegisterClassExW, GetDesktopWindow, UpdateWindow, InvalidateRect, BeginPaint, LoadBitmapW, SetLayeredWindowAttributes, EndPaint, ShowWindow, DefWindowProcW, MoveWindow, DestroyWindow, UnregisterClassW, SetProcessDPIAware, PeekMessageW, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, GetKeyboardLayout, ActivateKeyboardLayout, IsProcessDPIAware, PrintWindow, GetDCEx, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, GetDlgCtrlID, ChildWindowFromPointEx, GetCapture, GetGUIThreadInfo, SetWindowLongA, CharUpperW, GetWindowDC, RegisterClipboardFormatW, UnhookWinEvent, SetWinEventHook, ReleaseCapture, GetUserObjectInformationW, GetProcessWindowStation, FlashWindowEx, GetForegroundWindow, PostMessageW, CreatePopupMenu, GetWindowThreadProcessId, MsgWaitForMultipleObjectsEx, CharPrevW, CharNextW, DispatchMessageW, TranslateMessage, GetMessageW, EqualRect, UnionRect, MapWindowPoints, GetClientRect, EnumWindows, EndTask, SetThreadDesktop, GetThreadDesktop, GetMenuItemID, IsHungAppWindow, DrawTextW, GetSysColor, TrackPopupMenu, SendMessageCallbackW, DeregisterShellHookWindow, EndDialog, IsDlgButtonChecked, LoadIconW, GetSysColorBrush, CloseDesktop, OpenInputDesktop, SetActiveWindow, IsRectEmpty, GetAsyncKeyState, RegisterShellHookWindow, FillRect, GetCursorPos, SetPropW, CopyRect, LockSetForegroundWindow, MonitorFromPoint, InflateRect, GetClassNameW, SubtractRect, RedrawWindow, EnumDisplayMonitors, OffsetRect, IntersectRect, SetWindowRgn, GetMenuState, GhostWindowFromHungWindow, HungWindowFromGhostWindow, GetWindowPlacement, RemovePropW, SendMessageTimeoutW, UnregisterHotKey, RegisterHotKey, InsertMenuW, ModifyMenuW, ClientToScreen, ScreenToClient, GetMenuItemCount, GetFocus, GetScrollInfo, InternalGetWindowText, GetKeyState, ChangeDisplaySettingsW, GetWindowLongW, EnumChildWindows, SendMessageW, GetWindow, GetWindowRect, PtInRect, SetCursor, ChildWindowFromPoint, SetCursorPos, GetMessagePos, LoadAcceleratorsW, WaitMessage, TranslateAcceleratorW, GetWindowRgnBox, GetActiveWindow, MessageBeep, SetWindowPlacement, SetRect, SendNotifyMessageW, UpdateLayeredWindow, GetLastInputInfo, SendDlgItemMessageW, AllowSetForegroundWindow, RemoveMenu, SetParent, CallWindowProcW, EnableWindow, GetDlgItemInt, SetDlgItemInt, CheckDlgButton, CopyIcon, DrawFocusRect, NotifyWinEvent, ExitWindowsEx, DrawEdge, WindowFromPoint, GetDoubleClickTime, SetCapture, TrackMouseEvent, LockWorkStation, AppendMenuW, GetParent, SetScrollPos, SetRectEmpty, AdjustWindowRectEx, BringWindowToTop, CascadeWindows, GetSystemMetrics, SystemParametersInfoW, FindWindowW, ReleaseDC, GetDC, DestroyMenu, GetMenuDefaultItem, TileWindows, GetAncestor, SwitchToThisWindow, CheckMenuItem, ShowWindowAsync
> uxtheme.dll: IsCompositionActive, IsAppThemed, GetThemeMargins, GetThemeRect, IsThemePartDefined, GetThemeBackgroundRegion, DrawThemeTextEx, GetThemeFont, GetThemeColor, GetThemeBool, GetThemeInt, SetWindowTheme, DrawThemeText, GetThemeTextExtent, DrawThemeBackground, CloseThemeData, OpenThemeData, DrawThemeParentBackground, GetThemePartSize, GetThemeMetric, GetThemeBackgroundContentRect

( 0 exports )
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md5=d07d4c3038f3578ffce1c0237f2a1253
ssdeep: 24576:5d8uxOc/QpDk5pGYCW5uXSA7jTeFadRsxFb/g/J/ulZl:TOcLC8A7/eFwY3l/
PEiD : -
RDS : NSRL Reference Data Set
-
dsc123
2009-11-11, 04:33
and here's the Logit run log:

Volume in drive C is Vista
Volume Serial Number is 66CF-C23A

Directory of c:\windows

04/10/2009 10:27 PM 2,926,592 explorer.exe
1 File(s) 2,926,592 bytes

Directory of c:\windows\ERDNT\cache

11/02/2006 01:46 AM 11,776 cngaudit.dll

Directory of c:\windows\ERDNT\cache

04/10/2009 10:27 PM 2,926,592 explorer.exe
2 File(s) 2,938,368 bytes

Directory of c:\windows\System32

11/02/2006 01:46 AM 11,776 cngaudit.dll

Directory of c:\windows\System32

04/10/2009 10:27 PM 81,920 dwm.exe
2 File(s) 93,696 bytes

Directory of c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 01:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

Directory of c:\windows\winsxs\x86_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.0.6001.18000_none_8da39414bd31fb37

01/20/2008 06:25 PM 81,920 dwm.exe
1 File(s) 81,920 bytes

Directory of c:\windows\winsxs\x86_microsoft-windows-d..pwindowmanager-core_31bf3856ad364e35_6.0.6002.18005_none_8f8f0d20ba53c683

04/10/2009 10:27 PM 81,920 dwm.exe
1 File(s) 81,920 bytes

Directory of c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3

10/28/2008 10:20 PM 2,923,520 explorer.exe
1 File(s) 2,923,520 bytes

Directory of c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b

10/27/2008 06:15 PM 2,923,520 explorer.exe
1 File(s) 2,923,520 bytes

Directory of c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf

01/20/2008 06:24 PM 2,927,104 explorer.exe
1 File(s) 2,927,104 bytes

Directory of c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8

10/28/2008 10:29 PM 2,927,104 explorer.exe
1 File(s) 2,927,104 bytes

Directory of c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1

10/29/2008 07:59 PM 2,927,616 explorer.exe
1 File(s) 2,927,616 bytes

Directory of c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b

04/10/2009 10:27 PM 2,926,592 explorer.exe
1 File(s) 2,926,592 bytes

Total Files Listed:
14 File(s) 23,689,728 bytes
0 Dir(s) 9,279,184,896 bytes free
Blade81
2009-11-11, 08:35
Ok. Now please download ComboFix again from the link here > http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Open notepad and copy/paste the text in the quotebox below into it:



FCopy::
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe|c:\windows\explorer.exe



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds.txt log.
dsc123
2009-11-11, 12:36
Ok, had some freezing issues but on the third try Combofix got all the way through. Log is below followed by the DDS log.

*********************************************
**************** Combofix Log ****************
*********************************************
ComboFix 09-11-09.02 - Dave 11/11/2009 0:32.3.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2526.1362 [GMT -8:00]
Running from: c:\users\Dave\Desktop\ComboFix.exe
Command switches used :: c:\users\Dave\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-11 08:40 . 2009-11-11 08:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-11-11 08:40 . 2009-11-11 08:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-11 03:16 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 03:02 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 12:45 . 2009-11-10 11:13 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-10 11:13 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-10 11:13 . 2009-11-10 11:13 -------- dc----w- c:\windows\system32\DRVSTORE
2009-11-10 11:13 . 2009-11-10 11:13 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-10 11:11 . 2009-11-10 11:11 -------- d-----w- c:\program files\Lavasoft
2009-11-10 09:37 . 2009-11-10 09:37 -------- d-----w- C:\CDROM
2009-11-10 07:15 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 07:15 . 2009-11-10 07:15 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 07:15 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 06:41 . 2009-11-10 06:41 -------- d-----w- c:\program files\McAfee Security Scan
2009-11-10 06:32 . 2009-11-10 06:32 -------- d-----w- c:\program files\File Shredder
2009-11-10 04:23 . 2009-11-10 04:23 -------- d-----w- C:\found.003
2009-11-09 16:34 . 2009-11-09 16:34 -------- d-----w- C:\found.002
2009-11-07 11:34 . 2009-11-07 11:34 -------- d-----w- c:\windows\Sun
2009-11-06 05:26 . 2009-11-06 05:29 8192 d-----w- c:\program files\Spybot
2009-11-05 09:40 . 2009-11-05 09:40 -------- d-----w- C:\7e40d48354485e73247e56200942f7
2009-11-05 08:12 . 2009-11-08 22:21 135168 ----a-w- C:\zip.exe
2009-11-05 04:17 . 2009-11-04 22:56 47616 ----a-w- C:\Win32kDiag.exe
2009-11-04 11:55 . 2009-11-04 11:55 -------- d-----w- C:\_OTL
2009-11-04 10:21 . 2009-11-04 10:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-04 09:39 . 2009-11-04 09:40 -------- d-----w- c:\program files\HJT
2009-11-02 06:24 . 2009-11-08 22:21 574 ----a-w- C:\cleanup.bat
2009-10-31 21:51 . 2009-11-02 06:52 1673 ----a-w- C:\avexport.bat
2009-10-31 21:34 . 2009-10-31 21:35 -------- d-----w- C:\setacl-cmdline-2.0.3.0-binary-x86
2009-10-31 14:26 . 2009-11-05 05:15 -------- d--h--w- c:\windows\PIF
2009-10-31 14:18 . 2009-10-31 14:18 4096 d-----w- c:\program files\Windows Journal
2009-10-31 13:29 . 2009-10-31 13:29 4096 ----a-w- c:\windows\system32\isftrm.sys
2009-10-31 13:19 . 2009-10-31 13:19 -------- d-----w- c:\program files\WinPcap
2009-10-31 07:03 . 2009-10-31 07:03 -------- d-----w- c:\users\Dave\AppData\Roaming\Malwarebytes
2009-10-31 06:48 . 2009-10-31 06:48 -------- d-----w- c:\program files\Trend Micro
2009-10-31 06:25 . 2009-10-31 06:25 -------- d-----w- c:\users\Dave\AppData\Roaming\Yahoo!
2009-10-31 06:25 . 2009-11-11 06:47 -------- d-----w- c:\program files\Yahoo!
2009-10-31 04:46 . 2009-10-31 05:10 295638360 ----a-w- c:\users\Dave\AppData\Roaming\Research In Motion\BlackBerry\Updates\6852A378-7780-4e08-B655-343C8D2C36AE\Extractor.exe
2009-10-31 03:38 . 2009-03-04 18:49 4232704 ----a-w- c:\windows\system32\drivers\NETw5v32.sys
2009-10-31 03:38 . 2008-06-20 17:33 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-10-30 06:38 . 2009-10-30 06:38 -------- d-----w- C:\found.001
2009-10-30 06:18 . 2008-07-11 23:42 10216 ----a-w- c:\windows\system32\drivers\DMICall.sys
2009-10-29 16:37 . 2009-10-29 16:37 -------- d-----w- c:\program files\Windows Portable Devices
2009-10-29 16:36 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-10-29 16:36 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-10-29 16:36 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-10-29 16:34 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-29 16:34 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-29 16:34 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-29 16:33 . 2009-06-03 23:56 675152 ----a-w- c:\windows\system32\gpprefcl.dll
2009-10-29 16:22 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 08:27 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-29 08:27 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-29 07:46 . 2009-04-11 04:42 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-10-29 07:46 . 2008-01-21 02:23 23552 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2009-10-28 04:28 . 2009-10-28 04:28 -------- d-----w- C:\found.000
2009-10-21 15:23 . 2009-09-16 17:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-14 05:40 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 05:40 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 05:40 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-11 06:32 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-10 03:44 . 2008-08-14 19:01 4096 d-----w- c:\program files\Java
2009-11-10 03:24 . 2009-04-06 03:52 1356 ----a-w- c:\users\Dave\AppData\Local\d3d9caps.dat
2009-11-05 08:56 . 2008-12-23 08:02 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-31 14:20 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 13:03 . 2008-08-14 17:27 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-30 11:39 . 2008-08-14 17:22 16384 d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 06:34 . 2008-12-22 20:53 4096 d-----w- c:\users\Dave\AppData\Roaming\Sony Corporation
2009-10-30 06:19 . 2008-08-14 18:57 4096 d-----w- c:\program files\Common Files\Sony Shared
2009-10-29 16:37 . 2009-10-29 16:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-29 16:37 . 2009-10-29 16:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-29 07:46 . 2009-06-01 06:41 800768 ----a-w- c:\windows\system32\advapi32.dll
2009-10-29 07:46 . 2009-06-01 06:41 115712 ----a-w- c:\windows\system32\WinSCard.dll
2009-10-26 15:43 . 2008-12-29 08:05 12288 d-----w- c:\users\Dave\AppData\Roaming\LimeWire
2009-10-11 12:17 . 2008-12-23 06:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 01:02 . 2009-10-29 16:35 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-10-29 16:35 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-10-29 16:35 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-10-29 16:35 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-10-29 16:35 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-10-29 16:35 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-10-29 16:35 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-10-29 16:35 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-10-29 16:35 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-10-29 16:35 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-10-29 16:35 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-10-29 16:35 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-10-29 16:35 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-10-29 16:35 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-10-29 16:35 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-10-01 01:01 . 2009-10-29 16:35 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-09-27 02:26 . 2009-09-27 02:26 -------- d-----w- c:\program files\Common Files\Vbox
2009-09-27 02:26 . 2008-08-14 19:00 4096 d-----w- c:\program files\Common Files\Adobe
2009-09-25 05:03 . 2008-08-14 19:01 8192 d-----w- c:\program files\Sony
2009-09-25 02:10 . 2009-10-29 16:35 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-10-29 16:35 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-10-29 16:35 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-10-29 16:35 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-10-29 16:35 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-10-29 16:35 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-10-29 16:35 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-10-29 16:35 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-10-29 16:35 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-10-29 16:35 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-10-29 16:35 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-10-29 16:35 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-10-29 16:35 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-10-29 16:35 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-10-29 16:35 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-10-29 16:35 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-10-29 16:35 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-10-29 16:35 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-10-29 16:35 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-10-29 16:35 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-10-29 16:35 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-10-29 16:35 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-10-29 16:35 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-10-29 16:35 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-10-29 16:35 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-10-29 16:35 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-10-29 16:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-23 05:46 . 2009-09-23 05:46 4096 d-----w- c:\program files\Home Audiometer
2009-09-23 05:46 . 2009-09-23 05:46 4096 d-----w- c:\program files\Filtered Noise Generator
2009-09-23 05:46 . 2009-09-23 05:46 4096 d-----w- c:\program files\Test Tone Generator
2009-09-23 02:16 . 2009-03-15 06:21 4096 d-----w- c:\program files\Google
2009-09-16 17:22 . 2008-12-23 08:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22 . 2008-12-23 08:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22 . 2008-12-23 08:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22 . 2008-12-23 08:46 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-14 09:29 . 2009-10-14 05:39 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-08 09:39 . 2008-12-22 18:48 100928 ----a-w- c:\users\Dave\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-04 11:41 . 2009-10-14 05:39 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-31 18:54 . 2009-08-31 18:54 447832 ----a-w- c:\users\Dave\AppData\Roaming\Research In Motion\BlackBerry\Updates\6852A378-7780-4e08-B655-343C8D2C36AE\BBDMUtil.dll
2009-08-31 18:54 . 2009-08-31 18:54 382296 ----a-w- c:\users\Dave\AppData\Roaming\Research In Motion\BlackBerry\Updates\6852A378-7780-4e08-B655-343C8D2C36AE\BlackBerrySetup.exe
2009-08-31 18:54 . 2009-08-31 18:54 2246808 ----a-w- c:\users\Dave\AppData\Roaming\Research In Motion\BlackBerry\Updates\6852A378-7780-4e08-B655-343C8D2C36AE\FLEXnet_patch_Q113020.exe
2009-08-29 00:27 . 2009-09-03 03:37 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-03 03:37 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-14 05:39 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 05:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 05:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 05:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-20 22:09 . 2009-08-20 22:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:27 . 2009-09-09 00:39 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 00:38 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 00:38 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 00:38 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 00:38 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 00:38 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 00:38 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 00:38 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 00:38 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 00:38 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 00:38 105984 ----a-w- c:\windows\system32\netiohlp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SpybotSD TeaTimer"="c:\program files\Spybot\TeaTimer.exe" [2009-03-06 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-16 198160]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"SmartWiHelper"="c:\program files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" [2008-06-27 77824]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-04-04 317280]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-07-30 497000]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-07-16 01:04 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):4e,80,5b,ef,86,e2,c9,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [11/10/2009 3:13 AM 64288]
R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\System32\drivers\snman380.sys [3/11/2009 2:24 PM 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\System32\drivers\tdrpm174.sys [3/11/2009 2:24 PM 971552]
R2 IOGEARServerService;IOGEARServerService;c:\program files\IOGEAR\IOGEARUSBServer\IOGEARServerService.exe [3/17/2008 6:08 PM 188416]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 3:17 AM 1179232]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/23/2008 12:52 AM 92296]
R2 regi;regi;c:\windows\System32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
R2 RtkAudioService;Realtek Audio Service;c:\windows\RTKAUDIOSERVICE.EXE [8/14/2008 9:22 AM 104992]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot\SDWinSec.exe [11/5/2009 9:26 PM 1153368]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [12/23/2008 4:44 AM 185640]
R2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [8/14/2008 11:02 AM 411488]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE [3/30/2009 3:28 PM 1533808]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [8/14/2008 9:28 AM 29736]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [10/30/2009 7:38 PM 4232704]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [8/14/2008 9:31 AM 9344]
S2 gupdate1c9a536773d1a80;Google Update Service (gupdate1c9a536773d1a80);c:\program files\Google\Update\GoogleUpdate.exe [3/14/2009 10:22 PM 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 6:24 PM 21504]
S3 IOGEARPNPX_1868Server;IOGEAR Network USB Device;c:\windows\System32\drivers\IOGEAR_PnpX_Server.sys [3/12/2008 4:30 PM 140288]
S3 isftrm;isftrm;c:\windows\System32\isftrm.sys [10/31/2009 5:29 AM 4096]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [11/6/2007 12:22 PM 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-11-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-15 10:50]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-15 06:22]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-15 06:22]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052172176-2512624384-1885053166-1000Core.job
- c:\users\Dave\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 23:19]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2052172176-2512624384-1885053166-1000UA.job
- c:\users\Dave\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-30 23:19]

2009-09-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 19:22]

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 19:22]

2009-10-31 c:\windows\Tasks\User_Feed_Synchronization-{3EFD6F16-8FFB-4574-9BCF-EB3E16DEE690}.job
- c:\windows\system32\msfeedssync.exe [2009-10-14 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople_f08
mStart Page = hxxp://www.sony.com/vaiopeople_f08
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\cf3rdum9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Dave\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe Digital Editions - c:\users\dave\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\digitaleditions1x5\digitaleditions1x5.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5124)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2009-11-11 1:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-11 09:26
ComboFix2.txt 2009-11-09 16:01

Pre-Run: 9,092,464,640 bytes free
Post-Run: 9,373,241,344 bytes free

- - End Of File - - 86359F9C3240166916200BFC2D4CA216




**********************************************
******************** DDS Log *****************
**********************************************

DDS (Ver_09-10-26.01) - NTFSx86
Run by Dave at 2:35:44.48 on Wed 11/11/2009
Internet Explorer: 8.0.6001.18828 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2526.1273 [GMT -8:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\RtkAudioService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot\SDWinSec.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Explorer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Dave\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople_f08
mStart Page = hxxp://www.sony.com/vaiopeople_f08
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot\TeaTimer.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SmartWiHelper] "c:\program files\sony corporation\smartwi connection utility\SmartWiHelper.exe" /WindowsStartup
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\cf3rdum9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-10 64288]
R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [2009-3-11 134272]
R0 tdrpman174;Acronis Try&Decide and Restore Points filter (build 174);c:\windows\system32\drivers\tdrpm174.sys [2009-3-11 971552]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-23 92296]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 RtkAudioService;Realtek Audio Service;c:\windows\RTKAUDIOSERVICE.EXE [2008-8-14 104992]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot\SDWinSec.exe [2009-11-5 1153368]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2008-12-23 185640]
R2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2008-8-14 411488]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-8-14 29736]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-10-30 4232704]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-8-14 9344]
S2 gupdate1c9a536773d1a80;Google Update Service (gupdate1c9a536773d1a80);c:\program files\google\update\GoogleUpdate.exe [2009-3-14 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 IOGEARServerService;IOGEARServerService;c:\program files\iogear\iogearusbserver\IOGEARServerService.exe [2008-3-17 188416]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 IOGEARPNPX_1868Server;IOGEAR Network USB Device;c:\windows\system32\drivers\IOGEAR_PnpX_Server.sys [2008-3-12 140288]
S3 isftrm;isftrm;c:\windows\system32\isftrm.sys [2009-10-31 4096]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2009-11-11 07:56:50 98816 ----a-w- c:\windows\sed.exe
2009-11-11 07:56:50 77312 ----a-w- c:\windows\MBR.exe
2009-11-11 07:56:50 267264 ----a-w- c:\windows\PEV.exe
2009-11-11 07:56:50 161792 ----a-w- c:\windows\SWREG.exe
2009-11-11 03:16:07 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 03:02:42 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 12:45:06 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-10 11:13:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-10 11:13:21 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-10 11:11:43 0 d-----w- c:\program files\Lavasoft
2009-11-10 11:11:42 0 d-----w- c:\programdata\Lavasoft
2009-11-10 10:55:09 0 d-----w- c:\programdata\Windows Genuine Advantage
2009-11-10 09:37:04 0 d-----w- C:\CDROM
2009-11-10 07:15:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 07:15:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 07:15:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 06:41:57 0 d-----w- c:\programdata\McAfee Security Scan
2009-11-10 06:41:57 0 d-----w- c:\program files\McAfee Security Scan
2009-11-10 06:32:18 0 d-----w- c:\program files\File Shredder
2009-11-10 04:23:57 0 d-----w- C:\found.003
2009-11-09 16:34:58 0 d-----w- C:\found.002
2009-11-07 11:35:31 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-07 09:02:28 65536 --sha-w- c:\users\dave\ntuser.dat{0d978bda-cb7c-11de-9e98-001dba80921b}.TM.blf
2009-11-07 09:02:28 524288 --sha-w- c:\users\dave\ntuser.dat{0d978bda-cb7c-11de-9e98-001dba80921b}.TMContainer00000000000000000002.regtrans-ms
2009-11-07 09:02:28 524288 --sha-w- c:\users\dave\ntuser.dat{0d978bda-cb7c-11de-9e98-001dba80921b}.TMContainer00000000000000000001.regtrans-ms
2009-11-07 08:25:33 65536 --sha-w- c:\users\dave\ntuser.dat{01f33501-cb77-11de-8fe3-001dba80921b}.TM.blf
2009-11-07 08:25:33 524288 --sha-w- c:\users\dave\ntuser.dat{01f33501-cb77-11de-8fe3-001dba80921b}.TMContainer00000000000000000002.regtrans-ms
2009-11-07 08:25:33 524288 --sha-w- c:\users\dave\ntuser.dat{01f33501-cb77-11de-8fe3-001dba80921b}.TMContainer00000000000000000001.regtrans-ms
2009-11-06 05:26:43 0 d-----w- c:\program files\Spybot
2009-11-05 09:40:25 0 d-----w- C:\7e40d48354485e73247e56200942f7
2009-11-05 08:12:50 135168 ----a-w- C:\zip.exe
2009-11-05 04:17:16 47616 ----a-w- C:\Win32kDiag.exe
2009-11-04 11:55:41 0 d-----w- C:\_OTL
2009-11-04 10:21:59 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-04 10:01:06 0 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-04 09:39:47 0 d-----w- c:\program files\HJT
2009-11-02 06:24:31 574 ----a-w- C:\cleanup.bat
2009-10-31 21:51:05 1673 ----a-w- C:\avexport.bat
2009-10-31 21:34:53 0 d-----w- C:\setacl-cmdline-2.0.3.0-binary-x86
2009-10-31 14:26:28 0 d--h--w- c:\windows\PIF
2009-10-31 14:18:54 0 d-----w- c:\program files\Windows Journal
2009-10-31 13:29:29 4096 ----a-w- c:\windows\system32\isftrm.sys
2009-10-31 13:19:37 0 d-----w- c:\program files\WinPcap
2009-10-31 07:03:39 0 d-----w- c:\users\dave\appdata\roaming\Malwarebytes
2009-10-31 07:03:32 0 d-----w- c:\programdata\Malwarebytes
2009-10-31 06:48:50 0 d-----w- c:\program files\Trend Micro
2009-10-31 06:25:51 0 d-----w- c:\program files\Yahoo!
2009-10-31 03:38:39 4232704 ----a-w- c:\windows\system32\drivers\NETw5v32.sys
2009-10-31 03:38:38 2756608 ----a-w- c:\windows\system32\NETw5r32.dll
2009-10-30 06:38:19 0 d-----w- C:\found.001
2009-10-30 06:18:32 10216 ----a-w- c:\windows\system32\drivers\DMICall.sys
2009-10-29 16:37:27 0 d-----w- c:\program files\Windows Portable Devices
2009-10-29 16:37:17 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-10-29 16:37:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-10-29 16:36:22 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-10-29 16:36:20 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-10-29 16:36:20 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-10-29 16:34:02 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-29 16:34:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-29 16:34:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-29 16:33:24 675152 ----a-w- c:\windows\system32\gpprefcl.dll
2009-10-29 16:33:22 28274 ----a-w- c:\windows\system32\wbem\polprocl.mof
2009-10-29 16:22:36 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 08:27:15 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-29 08:27:13 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-29 07:46:37 561152 ----a-w- c:\windows\system32\drivers\hdaudbus.sys
2009-10-29 07:46:37 23552 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2009-10-28 04:28:17 0 d-----w- C:\found.000
2009-10-21 15:23:40 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-14 05:40:15 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 05:40:11 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 05:40:10 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe

==================== Find3M ====================

2009-10-31 14:20:26 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-31 14:20:26 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-31 14:20:25 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-31 14:20:25 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-29 07:46:34 800768 ----a-w- c:\windows\system32\advapi32.dll
2009-10-29 07:46:34 115712 ----a-w- c:\windows\system32\WinSCard.dll
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:54 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:25 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-16 17:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-14 09:29:50 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-20 22:09:06 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:13 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2008-01-21 02:43:58 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 2:36:03.89 ===============
Blade81
2009-11-11, 15:01
Hi,

Upload c:\windows\system32\isftrm.sys file to http://www.virustotal.com and post back the results. What are current symptoms there?
dsc123
2009-11-12, 04:22
Ok, here it the Totalvirus Log:

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.11.12 -
AhnLab-V3 5.0.0.2 2009.11.11 -
AntiVir 7.9.1.65 2009.11.11 -
Antiy-AVL 2.0.3.7 2009.11.11 -
Authentium 5.2.0.5 2009.11.12 -
Avast 4.8.1351.0 2009.11.11 -
AVG 8.5.0.426 2009.11.11 -
BitDefender 7.2 2009.11.12 -
CAT-QuickHeal 10.00 2009.11.11 -
ClamAV 0.94.1 2009.11.12 -
Comodo 2922 2009.11.12 -
DrWeb 5.0.0.12182 2009.11.12 -
eSafe 7.0.17.0 2009.11.11 -
eTrust-Vet 35.1.7116 2009.11.11 -
F-Prot 4.5.1.85 2009.11.11 -
F-Secure 9.0.15370.0 2009.11.11 -
Fortinet 3.120.0.0 2009.11.11 -
GData 19 2009.11.11 -
Ikarus T3.1.1.74.0 2009.11.12 -
Jiangmin 11.0.800 2009.11.11 -
K7AntiVirus 7.10.894 2009.11.11 -
Kaspersky 7.0.0.125 2009.11.11 -
McAfee 5799 2009.11.11 -
McAfee+Artemis 5799 2009.11.11 -
McAfee-GW-Edition 6.8.5 2009.11.11 -
Microsoft 1.5202 2009.11.11 -
NOD32 4597 2009.11.11 -
Norman 6.03.02 2009.11.11 -
nProtect 2009.1.8.0 2009.11.11 -
Panda 10.0.2.2 2009.11.11 -
PCTools 7.0.3.5 2009.11.11 -
Prevx 3.0 2009.11.12 -
Rising 22.21.03.01 2009.11.12 -
Sophos 4.47.0 2009.11.11 -
Sunbelt 3.2.1858.2 2009.11.12 -
Symantec 1.4.4.12 2009.11.12 -
TheHacker 6.5.0.2.066 2009.11.11 -
TrendMicro 9.0.0.1003 2009.11.11 -
VBA32 3.12.10.11 2009.11.11 -
ViRobot 2009.11.12.2032 2009.11.12 -
VirusBuster 4.6.5.0 2009.11.11 -
Additional information
File size: 4096 bytes
MD5...: 8a0f7a7b693054319a2d3e6bdd9a5b16
SHA1..: 480f64cbc00cf8436abfb64908b6e2b8b97a3e5f
SHA256: 305893245c644ade47f2135b381a49af7c7c454df7fcd62702164d2ba7b0f968
ssdeep: 48:iTQ+gU6Z9am3IwRdkhHiSHcvXow3vr+yStVz4RS:qLd6v3IwRmhVHezX5
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4005
timedatestamp.....: 0x46fa14da (Wed Sep 26 08:14:18 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2f1 0x400 4.58 da266b5817fc681f2e1bda5c3103ecf0
.rdata 0x2000 0xe1 0x200 2.34 0764cabd120f8b9902dbb7a4f1bc90aa
.data 0x3000 0x28 0x200 0.23 fadaf50a84c8799fcd7ab24c013d47e2
INIT 0x4000 0x16e 0x200 4.05 1fb90c278ba4c3da0728f376da13fbac
.reloc 0x5000 0x98 0x200 1.46 892a6f3fc72b2233bc1c1fff122a563f

( 1 imports )
> ntoskrnl.exe: IofCompleteRequest, ZwTerminateProcess, sprintf, ZwOpenProcess, IoDeleteDevice, IoDeleteSymbolicLink, IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, KeTickCount

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
packers (Kaspersky): PE_Patch
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
Blade81
2009-11-12, 10:02
Hi,

EDIT: Ignore Avenger steps below (under ------). I didn't remember you had Acronis True Image installed there. Please take copies of your important documents to CD/DVD or removable storage drive and then restore system with Acronis to state before system got infected. That's best thing to do at this point since the issue causer appears to be hard to track down and we can't leave system to state in which it can't be trusted.


-----------
Skip first two steps if you still have Avenger present.

Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php).
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.

Files to move:
c:\iastor.sys|C:\Windows\system32\drivers\iastor.sys
In the avenger window, click the Paste Script from Clipboard, http://img220.imageshack.us/img220/8923/pastets4.png button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
Please post this log in your next reply.
dsc123
2009-11-17, 05:24
Blade,

My last Acronis backup image is way, way out of date. Any way I can safely back up my more recent data?
Blade81
2009-11-17, 15:38
Hi,

It's no use creating new image in current situation cos it wouldn't help in any way. As I said, it would be recommended to backup important stuff and then restore earlier image you have there.