PDA

View Full Version : another Google redirecting problem



Mike T
2009-11-28, 01:13
My loving 13 y/o daughter downloaded a "my web space" tool bar and proceeded to infect our home computer. Using a combination of McAfee, SpyBot S&D and Malwarebytes I thought I had been successful. There were two trojans on the computer - Artemis and one of the Generic droppers, both now gone.

I am now left with a Google redirecting problem in IE, but not in Firefox. Additionally I now get repeated messages that Internet Explorer and Windows Explorer have stopped working although everything appears to be working OK.

here is the HJT log from the HJT scan I just completed:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:34 PM, on 11/27/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capolicepistol.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [lxduamon] "C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe"
O4 - HKLM\..\Run: [Lexmark 5600-6600 Series Fax Server] "C:\Program Files\Lexmark 5600-6600 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3372943625-3939100846-1810013705-1002\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Viki')
O4 - HKUS\S-1-5-21-3372943625-3939100846-1810013705-1002\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter (User 'Viki')
O4 - HKUS\S-1-5-21-3372943625-3939100846-1810013705-1002\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Viki')
O4 - S-1-5-21-3372943625-3939100846-1810013705-1002 Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe (User 'Viki')
O4 - S-1-5-21-3372943625-3939100846-1810013705-1002 Startup: Connect - Shortcut.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe (User 'Viki')
O4 - S-1-5-21-3372943625-3939100846-1810013705-1002 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Viki')
O4 - S-1-5-21-3372943625-3939100846-1810013705-1002 User Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe (User 'Viki')
O4 - S-1-5-21-3372943625-3939100846-1810013705-1002 User Startup: Connect - Shortcut.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe (User 'Viki')
O4 - S-1-5-21-3372943625-3939100846-1810013705-1002 User Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Viki')
O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c9a44d2f2dfea7) (gupdate1c9a44d2f2dfea7) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: lxbc_device - - C:\Windows\system32\lxbccoms.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 14592 bytes

Thanks for any help you can offer.

Mike

I forgot to add, there are four users with separate sign-ins on this computer. If that should make a difference in combating the problem.

Mike

peku006
2009-11-29, 20:28
Hello and :welcome: to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

1 - download and run RSIT

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)

2 - Status Check
Please reply with

the logs from RSIT (log.txt ,info.txt)

Thanks peku006

Mike T
2009-11-29, 20:57
Good Morning (or afternoon if appropriate) Peku006.

I have downloaded and run RSIT and below are both logs.

log.txt:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Mike at 2009-11-29 10:37:48
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 182 GB (80%) free of 228 GB
Total RAM: 2045 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:03 AM, on 11/29/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Mike\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Mike.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capolicepistol.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [lxduamon] "C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe"
O4 - HKLM\..\Run: [Lexmark 5600-6600 Series Fax Server] "C:\Program Files\Lexmark 5600-6600 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c9a44d2f2dfea7) (gupdate1c9a44d2f2dfea7) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: lxbc_device - - C:\Windows\system32\lxbccoms.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13179 bytes

======Scheduled tasks folder======

C:\Windows\tasks\EasyShare Registration Task.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\McAfee Cleanup.job
C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job
C:\Windows\tasks\User_Feed_Synchronization-{4B1749D9-88CB-4A33-81F2-E9E78D1B98D4}.job
C:\Windows\tasks\User_Feed_Synchronization-{9D83C039-4455-43FE-9639-F72933194517}.job
C:\Windows\tasks\User_Feed_Synchronization-{B0136D5F-0293-42B0-A82F-F0BC3FA7D4F6}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - c:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-04-19 501384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-09-16 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-11 652784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2006-11-17 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2C5E510-BE6D-42CC-9F61-E4F939078474}]
Lexmark Printable Web - C:\Program Files\Lexmark Printable Web\bho.dll [2008-09-10 180224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-18 1008184]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2006-09-29 151552]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2006-10-03 81920]
""= []
"CCUTRAYICON"=C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe [2006-11-18 182744]
"NMSSupport"=C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe [2006-09-26 423424]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2006-10-03 221184]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2007-11-15 16384]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2008-10-25 31072]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-05-26 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-07-13 292128]
"lxdumon.exe"=C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe [2008-09-10 676520]
"lxduamon"=C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe [2008-09-10 16040]
"Lexmark 5600-6600 Series Fax Server"=C:\Program Files\Lexmark 5600-6600 Series\fm3032.exe [2008-09-10 311976]
"WPCUMI"=C:\Windows\system32\WpcUmi.exe [2006-11-02 176128]
"SigmatelSysTrayApp"=C:\Windows\sttray.exe [2007-02-07 303104]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2009-04-14 13687328]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2009-04-14 92704]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-10 1233920]
"DellSupport"=C:\Program Files\DellSupport\DSAgnt.exe [2006-11-11 446976]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-04-25 68856]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"Uniblue RegistryBooster 2009"=c:\program files\uniblue\registrybooster\StartRegistryBooster.exe []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Belkin Network USB Hub Control Center.lnk - C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"LogonHoursAction"=2
"DontDisplayLogonHoursWarnings"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-11-29 10:37:48 ----D---- C:\rsit
2009-11-27 14:54:08 ----D---- C:\Program Files\Trend Micro
2009-11-27 14:31:34 ----D---- C:\Windows\ERDNT
2009-11-27 14:30:46 ----D---- C:\Program Files\ERUNT
2009-11-27 09:56:14 ----A---- C:\Windows\system32\lxdupmui.dll
2009-11-27 09:56:13 ----A---- C:\Windows\system32\lxducomm.dll
2009-11-27 09:56:12 ----A---- C:\Windows\system32\lxduhbn3.dll
2009-11-27 09:56:12 ----A---- C:\Windows\system32\lxdugrd.dll
2009-11-27 09:56:12 ----A---- C:\Windows\system32\lxducfg.exe
2009-11-27 09:56:11 ----A---- C:\Windows\system32\lxduih.exe
2009-11-27 09:02:51 ----D---- C:\Users\Mike\AppData\Roaming\Malwarebytes
2009-11-27 08:44:09 ----D---- C:\Program Files\Windows Portable Devices
2009-11-27 08:22:20 ----A---- C:\Windows\system32\tzres.dll
2009-11-27 08:21:47 ----A---- C:\Windows\system32\UIAnimation.dll
2009-11-27 08:21:46 ----A---- C:\Windows\system32\UIRibbonRes.dll
2009-11-27 08:21:45 ----A---- C:\Windows\system32\UIRibbon.dll
2009-11-27 08:21:09 ----A---- C:\Windows\system32\WMPhoto.dll
2009-11-27 08:21:08 ----A---- C:\Windows\system32\cdd.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\XpsRasterService.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\XpsPrint.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\XpsGdiConverter.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\WindowsCodecs.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2009-11-27 08:21:07 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\OpcServices.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\dxdiagn.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\dxdiag.exe
2009-11-27 08:21:07 ----A---- C:\Windows\system32\d3d10warp.dll
2009-11-27 08:21:07 ----A---- C:\Windows\system32\d2d1.dll
2009-11-27 08:21:06 ----A---- C:\Windows\system32\xpsservices.dll
2009-11-27 08:21:06 ----A---- C:\Windows\system32\FntCache.dll
2009-11-27 08:21:06 ----A---- C:\Windows\system32\dxgi.dll
2009-11-27 08:21:06 ----A---- C:\Windows\system32\DWrite.dll
2009-11-27 08:21:06 ----A---- C:\Windows\system32\d3d11.dll
2009-11-27 08:21:06 ----A---- C:\Windows\system32\d3d10level9.dll
2009-11-27 08:21:06 ----A---- C:\Windows\system32\d3d10core.dll
2009-11-27 08:21:06 ----A---- C:\Windows\system32\d3d10_1core.dll
2009-11-27 08:21:06 ----A---- C:\Windows\system32\d3d10_1.dll
2009-11-27 08:21:04 ----A---- C:\Windows\system32\d3d10.dll
2009-11-27 08:20:13 ----A---- C:\Windows\system32\WPDShextAutoplay.exe
2009-11-27 08:20:13 ----A---- C:\Windows\system32\wpdbusenum.dll
2009-11-27 08:20:13 ----A---- C:\Windows\system32\BthMtpContextHandler.dll
2009-11-27 08:20:07 ----A---- C:\Windows\system32\PortableDeviceConnectApi.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\WPDSp.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\WPDShServiceObj.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\wpdshext.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\WpdMtpUS.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\WpdMtp.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\WpdConns.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\wpd_ci.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\PortableDeviceWMDRM.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\PortableDeviceTypes.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\PortableDeviceClassExtension.dll
2009-11-27 08:20:02 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2009-11-27 08:18:55 ----A---- C:\Windows\system32\oleaccrc.dll
2009-11-27 08:18:54 ----A---- C:\Windows\system32\UIAutomationCore.dll
2009-11-27 08:18:54 ----A---- C:\Windows\system32\oleacc.dll
2009-11-26 17:29:19 ----A---- C:\Windows\system32\msxml6.dll
2009-11-26 17:29:19 ----A---- C:\Windows\system32\msxml3.dll
2009-11-26 17:29:09 ----A---- C:\Windows\system32\WSDApi.dll
2009-11-26 14:40:08 ----D---- C:\ProgramData\Malwarebytes
2009-11-26 14:40:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-11-26 13:57:21 ----D---- C:\ProgramData\Office Genuine Advantage
2009-11-26 13:55:31 ----D---- C:\ProgramData\NVIDIA
2009-11-26 08:36:56 ----D---- C:\Program Files\Microsoft Silverlight
2009-11-23 18:58:21 ----D---- C:\Program Files\iPod(92)
2009-11-23 18:58:15 ----D---- C:\ProgramData\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-23 18:58:15 ----D---- C:\Program Files\iTunes(93)
2009-11-23 18:56:27 ----D---- C:\Program Files\QuickTime(104)
2009-11-19 23:35:18 ----A---- C:\ProgramData\SPL9CF1.tmp
2009-11-13 09:54:53 ----D---- C:\Users\Mike\AppData\Roaming\5600-6600 Series
2009-11-04 01:53:43 ----A---- C:\Windows\system32\mshtml.dll

======List of files/folders modified in the last 1 months======

2009-11-29 10:37:58 ----D---- C:\Windows\Temp
2009-11-29 10:37:19 ----D---- C:\Windows\System32
2009-11-29 10:37:19 ----D---- C:\Windows\inf
2009-11-29 10:37:19 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-11-29 10:36:52 ----D---- C:\ProgramData\Lx_cats
2009-11-29 10:36:50 ----HD---- C:\ProgramData
2009-11-29 10:32:23 ----D---- C:\Windows\Prefetch
2009-11-29 10:32:15 ----SD---- C:\Users\Mike\AppData\Roaming\Microsoft
2009-11-29 09:10:18 ----D---- C:\Windows
2009-11-28 15:21:34 ----D---- C:\Windows\Minidump
2009-11-27 14:54:08 ----RD---- C:\Program Files
2009-11-27 14:28:33 ----SHD---- C:\System Volume Information
2009-11-27 10:26:05 ----D---- C:\Windows\SoftwareDistribution
2009-11-27 10:00:52 ----D---- C:\Windows\system32\drivers
2009-11-27 10:00:43 ----D---- C:\Windows\system32\catroot
2009-11-27 09:59:57 ----SHD---- C:\Windows\Installer
2009-11-27 09:59:55 ----D---- C:\Windows\system32\zh-TW
2009-11-27 09:59:55 ----D---- C:\Windows\system32\zh-HK
2009-11-27 09:59:55 ----D---- C:\Windows\system32\tr-TR
2009-11-27 09:59:55 ----D---- C:\Windows\system32\sv-SE
2009-11-27 09:59:55 ----D---- C:\Windows\system32\pt-BR
2009-11-27 09:59:55 ----D---- C:\Windows\system32\nl-NL
2009-11-27 09:59:55 ----D---- C:\Windows\system32\nb-NO
2009-11-27 09:59:55 ----D---- C:\Windows\system32\ko-KR
2009-11-27 09:59:55 ----D---- C:\Windows\system32\it-IT
2009-11-27 09:59:55 ----D---- C:\Windows\system32\he-IL
2009-11-27 09:59:54 ----D---- C:\Windows\system32\fr-FR
2009-11-27 09:59:54 ----D---- C:\Windows\system32\fi-FI
2009-11-27 09:59:54 ----D---- C:\Windows\system32\es-ES
2009-11-27 09:59:54 ----D---- C:\Windows\system32\en-US
2009-11-27 09:59:54 ----D---- C:\Windows\system32\el-GR
2009-11-27 09:59:54 ----D---- C:\Windows\system32\de-DE
2009-11-27 09:59:54 ----D---- C:\Windows\system32\da-DK
2009-11-27 09:59:54 ----D---- C:\Windows\system32\ar-SA
2009-11-27 09:50:34 ----D---- C:\Program Files\Mozilla Firefox
2009-11-27 09:23:45 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-11-27 09:02:59 ----D---- C:\Windows\rescache
2009-11-27 08:58:50 ----D---- C:\Windows\system32\Tasks
2009-11-27 08:58:18 ----D---- C:\Windows\winsxs
2009-11-27 08:44:02 ----D---- C:\Windows\system32\wbem
2009-11-27 08:43:49 ----D---- C:\Windows\system32\bg-BG
2009-11-27 08:43:48 ----D---- C:\Windows\system32\uk-UA
2009-11-27 08:43:48 ----D---- C:\Windows\system32\sl-SI
2009-11-27 08:43:48 ----D---- C:\Windows\system32\pt-PT
2009-11-27 08:43:48 ----D---- C:\Windows\system32\pl-PL
2009-11-27 08:43:48 ----D---- C:\Windows\system32\hu-HU
2009-11-27 08:43:48 ----D---- C:\Windows\system32\hr-HR
2009-11-27 08:43:47 ----D---- C:\Windows\system32\th-TH
2009-11-27 08:43:47 ----D---- C:\Windows\system32\sr-Latn-CS
2009-11-27 08:43:47 ----D---- C:\Windows\system32\lv-LV
2009-11-27 08:43:47 ----D---- C:\Windows\system32\lt-LT
2009-11-27 08:43:46 ----D---- C:\Windows\system32\zh-CN
2009-11-27 08:43:46 ----D---- C:\Windows\system32\sk-SK
2009-11-27 08:43:46 ----D---- C:\Windows\system32\ru-RU
2009-11-27 08:43:46 ----D---- C:\Windows\system32\ro-RO
2009-11-27 08:43:46 ----D---- C:\Windows\system32\ja-JP
2009-11-27 08:43:46 ----D---- C:\Windows\system32\et-EE
2009-11-27 08:43:46 ----D---- C:\Windows\system32\cs-CZ
2009-11-27 08:43:37 ----D---- C:\Program Files\Windows Mail
2009-11-27 08:26:25 ----D---- C:\ProgramData\Microsoft Help
2009-11-27 08:23:15 ----D---- C:\Windows\system32\catroot2
2009-11-27 08:08:41 ----D---- C:\Program Files\McAfee
2009-11-26 17:18:25 ----D---- C:\Windows\system32\Msdtc
2009-11-26 17:17:21 ----D---- C:\Windows\system32\config
2009-11-26 17:15:40 ----D---- C:\Windows\Tasks
2009-11-26 17:15:40 ----D---- C:\Windows\system32\spool
2009-11-26 17:15:39 ----HD---- C:\Windows\system32\GroupPolicy
2009-11-26 17:15:39 ----D---- C:\Windows\system32\CodeIntegrity
2009-11-26 17:15:26 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-11-26 17:15:26 ----D---- C:\Program Files\QuickTime
2009-11-26 17:15:22 ----D---- C:\Program Files\iTunes
2009-11-26 17:15:15 ----D---- C:\Program Files\iPod
2009-11-26 17:15:14 ----D---- C:\Program Files\Common Files\Apple
2009-11-26 17:14:47 ----D---- C:\Windows\registration
2009-11-23 18:59:14 ----DC---- C:\Windows\system32\DRVSTORE
2009-11-23 13:39:57 ----D---- C:\Windows\Logs
2009-11-21 17:20:46 ----SD---- C:\Windows\Downloaded Program Files
2009-11-09 17:58:35 ----D---- C:\ProgramData\Adobe
2009-11-06 09:48:42 ----D---- C:\Program Files\Common Files\Adobe
2009-11-06 09:48:34 ----D---- C:\Program Files\Adobe
2009-11-05 09:36:21 ----A---- C:\Windows\system32\mrt.exe
2009-11-02 20:42:06 ----N---- C:\Windows\system32\MpSigStub.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLACDBHM;DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [2007-02-08 12856]
R1 DLARTL_M;DLARTL_M; C:\Windows\System32\Drivers\DLARTL_M.SYS [2007-02-08 28120]
R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-09-16 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2009-07-16 130424]
R2 DLABMFSM;DLABMFSM; C:\Windows\System32\DLA\DLABMFSM.SYS [2006-10-26 35096]
R2 DLABOIOM;DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [2006-10-26 32472]
R2 DLADResM;DLADResM; C:\Windows\System32\DLA\DLADResM.SYS [2006-10-26 9400]
R2 DLAIFS_M;DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [2006-10-26 104536]
R2 DLAOPIOM;DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [2006-10-26 26296]
R2 DLAPoolM;DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [2006-10-26 14520]
R2 DLAUDF_M;DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [2006-10-26 97848]
R2 DLAUDFAM;DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [2006-10-26 94648]
R2 DRVNDDM;DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [2007-02-09 51768]
R2 dsunidrv;dsunidrv; \??\C:\Program Files\DellSupport\Drivers\dsunidrv.sys [2006-08-17 7424]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 nmsgopro;GoProto Protocol Driver for NMS; C:\Windows\system32\DRIVERS\nmsgopro.sys [2006-09-27 28672]
R2 nmsunidr;UniDriver for NMS; C:\Windows\system32\DRIVERS\nmsunidr.sys [2006-10-19 7424]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys [2006-10-05 4736]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-18 220672]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-18 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-10-18 258048]
R3 IntelDH;IntelDH Driver; C:\Windows\System32\Drivers\IntelDH.sys [2007-04-19 5504]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-09-16 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-09-16 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-09-16 40552]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-04-14 7766464]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-02-07 647680]
R3 sxuptp;SXUPTP Driver; C:\Windows\system32\DRIVERS\sxuptp.sys [2007-04-25 58368]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-18 35328]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-18 659968]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-01 235520]
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-09-16 34248]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-01 2028032]
S3 RT73;Belkin USB Network Adapter; C:\Windows\system32\DRIVERS\rt73.sys [2005-08-02 232192]
S3 SDDMI2;SDDMI2; \??\C:\Windows\system32\DDMI2.sys []
S3 TSHWMDTCP;TSHWMDTCP; \??\C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys [2006-11-18 18904]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-07-09 39424]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 DQLWinService;DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [2006-10-29 208896]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2006-09-29 81920]
R2 LexBceS;LexBce Server; C:\Windows\System32\LEXBCES.EXE [2004-02-26 307200]
R2 lxbc_device;lxbc_device; C:\Windows\system32\lxbccoms.exe [2007-03-16 537520]
R2 lxdu_device;lxdu_device; C:\Windows\system32\lxducoms.exe [2009-10-16 589824]
R2 lxduCATSCustConnectService;lxduCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-07-09 865832]
R2 McNASvc;McAfee Network Agent; c:\program files\common files\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-09-16 144704]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-04-14 207392]
R2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-13 201968]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
R3 AlertService;Intel(R) Alert Service; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [2006-11-18 195032]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-07-13 542496]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-09-16 606736]
S2 gupdate1c9a44d2f2dfea7;Google Update Service (gupdate1c9a44d2f2dfea7); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-03-13 133104]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2006-11-07 70656]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-18 21504]
S3 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-11 168432]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ISSM;Intel(R) Software Services Manager; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [2006-11-18 81880]
S3 M1 Server;Intel(R) Viiv(TM) Media Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [2006-11-18 32216]
S3 MCLServiceATL;Intel(R) Application Tracker; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [2006-11-18 174552]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-09-16 365072]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Remote UI Service;Intel(R) Remoting Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [2006-11-18 550872]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]

-----------------EOF-----------------


Both logs make the message too long. The info.txt log will immediately follow.

Mike

Mike T
2009-11-29, 20:58
info.txt:
info.txt logfile of random's system information tool 1.06 2009-11-29 10:38:05

======Uninstall list======

-->"C:\Program Files\Dell Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\Dell Games\Blackhawk Striker 2\Uninstall.exe"
-->"C:\Program Files\Dell Games\Blasterball 3\Uninstall.exe"
-->"C:\Program Files\Dell Games\Chuzzle Deluxe\Uninstall.exe"
-->"C:\Program Files\Dell Games\Dell Game Console\Uninstall.exe"
-->"C:\Program Files\Dell Games\Dell Media Center Game Console\Uninstall.exe"
-->"C:\Program Files\Dell Games\FATE\Uninstall.exe"
-->"C:\Program Files\Dell Games\JEOPARDY\Uninstall.exe"
-->"C:\Program Files\Dell Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\Dell Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\Dell Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\Dell Games\SCRABBLE\Uninstall.exe"
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
Adobe Shockwave Player 11.5-->"C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe"
Apple Mobile Device Support-->MsiExec.exe /I{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Belkin Network USB Hub Control Center-->C:\Program Files\Belkin\Network USB Hub Control Center\Couninst.exe
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CCScore-->MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Conexant D850 PCI V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -IDel200fz.inf
Corel Paint Shop Pro Photo XI-->MsiExec.exe /I{93A1B09E-BAFA-4628-A5B6-921CB026955A}
Dell Games-->"C:\Program Files\Dell Games\Uninstall.exe"
Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell System Customization Wizard-->MsiExec.exe /I{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}
DellSupport-->MsiExec.exe /X{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\Setup.exe -runfromtemp -l0x0009 -removeonly
Documentation & Support Launcher-->MsiExec.exe /I{89CEAE14-DD0F-448E-9554-15781EC9DB24}
Doom 3-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
ESSBrwr-->MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK-->MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore-->MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui-->MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini-->MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD-->MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock-->MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC-->MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS-->MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt-->MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
fflink-->MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
Games, Music, & Photos Launcher-->MsiExec.exe /I{3E25E350-949F-4DB7-8288-2A60E018B4C1}
getPlus(R) for Adobe-->"C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1
Google Earth-->MsiExec.exe /X{548EAC70-EE00-11DD-908C-005056806466}
Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel(R) Matrix Storage Manager-->C:\Windows\System32\Imsmudlg.exe
Intel(R) Viiv(TM) Software-->MsiExec.exe /X{26C610BF-761B-4209-BD6A-A0F1B73D6DDE} /qb!
iTunes-->MsiExec.exe /I{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
kgcbaby-->MsiExec.exe /I{E18B549C-5D15-45DA-8D8F-8FD2BD946344}
kgcbase-->MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
kgchday-->MsiExec.exe /I{11F3F858-4131-4FFA-A560-3FE282933B6E}
kgchlwn-->MsiExec.exe /I{03EDED24-8375-407D-A721-4643D9768BE1}
kgcinvt-->MsiExec.exe /I{9BD54685-1496-46A5-AB62-357CD140ED8B}
kgckids-->MsiExec.exe /I{693C08A7-9E76-43FF-B11E-9A58175474C4}
kgcmove-->MsiExec.exe /I{A1588373-1D86-4D44-86C9-78ABD190F9CC}
kgcvday-->MsiExec.exe /I{8A8664E1-84C8-4936-891C-BC1F07797549}
Kodak EasyShare software-->C:\ProgramData\Kodak\EasyShareSetup\$SETUP_140002_126ab4\Setup.exe /APR-REMOVE
Lexmark 5600-6600 Series-->C:\Program Files\Lexmark 5600-6600 Series\Install\x86\Uninst.exe
Lexmark Printable Web-->regsvr32.exe /s /u "C:\Program Files\Lexmark Printable Web\bho.dll"
Lexmark Tools for Office-->regsvr32.exe /s /u "C:\Program Files\Lexmark Tools for Office\CustomOfficeRibbon.dll"
Lexmark Z500-Z600 Series-->C:\Program Files\Lexmark Z500-Z600 Series\Install\x86\Uninst.exe
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISER /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{91120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mozilla Firefox (3.5.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
netbrdg-->MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
OfotoXMI-->MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin-->MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Drag-to-Disc-->MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD DE-->MsiExec.exe /I{D639085F-4B6E-4105-9F37-A0DBB023E2FB}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
Rugrats in Paris-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{136FD2EA-C01B-4351-90CA-1C7E49291CF0}\setup.exe"
Scholastic's I SPY School Days-->C:\PROGRA~1\SCHOLA~1\ISPYSC~1\UNWISE.EXE C:\PROGRA~1\SCHOLA~1\ISPYSC~1\INSTALL.LOG
Scholastic's I SPY Treasure Hunt-->C:\PROGRA~1\SCHOLA~1\ISPYTR~1\UNWISE.EXE C:\PROGRA~1\SCHOLA~1\ISPYTR~1\INSTALL.LOG
SeaWorld Adventure Park Tycoon-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48A6E89E-D2D3-4DA7-8A7C-FBB8F1083409}\setup.exe"
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB973704)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {E626DC89-A787-4553-9BB3-DC2EC7E1593F}
Security Update for Microsoft Office Excel 2007 (KB973593)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {7D6255E3-3423-4D8B-A328-F6F8D28DD5FE}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
SFR-->MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA-->MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
skin0001-->MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK-->MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
Sonic Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
staticcr-->MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
tooltips-->MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Access 2007 Help (KB963663)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office Infopath 2007 Help (KB963662)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {716B81B8-B13C-41DF-8EAC-7A2F656CAB63}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Outlook 2007 Help (KB963677)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {0451F231-E3E3-4943-AB9F-58EB96171784}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Publisher 2007 Help (KB963667)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2E40DE55-B289-4C8B-8901-5D369B16814F}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 (KB974561)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {0CDDBAA2-2111-4A0E-A1B0-76C40C635331}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Update for Outlook 2007 Junk Email Filter (kb975960)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {F1AB1BED-7477-4D5A-BD0C-04C2109459A5}
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
User's Guides-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
VPRINTOL-->MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Wal-Mart® Mini Movie-->C:\Program Files\InstallShield Installation Information\{15FE4D77-D717-4632-8EA8-B6BB258CFC7D}\setup.exe -runfromtemp -l0x0009 -removeonly
WIRELESS-->MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Wizard101-->"C:\Program Files\InstallShield Installation Information\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\setup.exe" -runfromtemp -l0x0009 -removeonly

======Security center information======

AS: Windows Defender (disabled)

======System event log======

Computer Name: Mike-PC
Event Code: 4
Message: The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.
Record Number: 110334
Source Name: Microsoft-Windows-SpoolerWin32SPL
Time Written: 20090611021755.000000-000
Event Type: Warning
User:

Computer Name: Mike-PC
Event Code: 4
Message: The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.
Record Number: 110333
Source Name: Microsoft-Windows-SpoolerWin32SPL
Time Written: 20090611021754.000000-000
Event Type: Warning
User:

Computer Name: Mike-PC
Event Code: 4
Message: The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.
Record Number: 110332
Source Name: Microsoft-Windows-SpoolerWin32SPL
Time Written: 20090611021730.000000-000
Event Type: Warning
User:

Computer Name: Mike-PC
Event Code: 4
Message: The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.
Record Number: 110331
Source Name: Microsoft-Windows-SpoolerWin32SPL
Time Written: 20090611021730.000000-000
Event Type: Warning
User:

Computer Name: Mike-PC
Event Code: 4
Message: The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-18\Printers\Connections. The print spooler could not open the registry key. This can occur if the registry key is corrupt or missing, or if the registry recently became unavailable.
Record Number: 110326
Source Name: Microsoft-Windows-SpoolerWin32SPL
Time Written: 20090611021401.000000-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: Mike-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
7 user registry handles leaked from \Registry\User\S-1-5-21-3372943625-3939100846-1810013705-1001:
Process 1708 (\Device\HarddiskVolume3\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe) has opened key \REGISTRY\USER\S-1-5-21-3372943625-3939100846-1810013705-1001
Process 1708 (\Device\HarddiskVolume3\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe) has opened key \REGISTRY\USER\S-1-5-21-3372943625-3939100846-1810013705-1001
Process 1708 (\Device\HarddiskVolume3\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe) has opened key \REGISTRY\USER\S-1-5-21-3372943625-3939100846-1810013705-1001\Software\Microsoft\SystemCertificates\CA
Process 1708 (\Device\HarddiskVolume3\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe) has opened key \REGISTRY\USER\S-1-5-21-3372943625-3939100846-1810013705-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1708 (\Device\HarddiskVolume3\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe) has opened key \REGISTRY\USER\S-1-5-21-3372943625-3939100846-1810013705-1001\Software\Microsoft\SystemCertificates\Root
Process 1708 (\Device\HarddiskVolume3\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe) has opened key \REGISTRY\USER\S-1-5-21-3372943625-3939100846-1810013705-1001\Software\Microsoft\SystemCertificates\trust
Process 1708 (\Device\HarddiskVolume3\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe) has opened key \REGISTRY\USER\S-1-5-21-3372943625-3939100846-1810013705-1001\Software\Policies\Microsoft\SystemCertificates

Record Number: 489
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20070426045751.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Mike-PC
Event Code: 4621
Message: The COM+ Event System could not remove the EventSystem.EventSubscription object {400424CD-3BC8-4258-87BF-E31177353461}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}. The HRESULT was 80070005.
Record Number: 486
Source Name: Microsoft-Windows-EventSystem
Time Written: 20070426045749.000000-000
Event Type: Error
User:

Computer Name: Mike-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-3372943625-3939100846-1810013705-1001:
Process 532 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-3372943625-3939100846-1810013705-1001

Record Number: 441
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20070426044332.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Mike-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {c93900ce-e347-4760-934d-a73cc2ecdaa1}
Record Number: 434
Source Name: VSS
Time Written: 20070426043647.000000-000
Event Type: Error
User:

Computer Name: Mike-PC
Event Code: 1024
Message: Product: Google Toolbar for Internet Explorer - Update '{A4F0B12D-1A34-4CFD-8130-AA39D6D71916}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
Record Number: 429
Source Name: MsiInstaller
Time Written: 20070426043136.000000-000
Event Type: Error
User: Mike-PC\Mike

=====Security event log=====

Computer Name: Mike-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: MIKE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x294
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 175882
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090214080000.271386-000
Event Type: Audit Success
User:

Computer Name: Mike-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: MIKE-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x294
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 175881
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090214080000.271386-000
Event Type: Audit Success
User:

Computer Name: Mike-PC
Event Code: 4634
Message: An account was logged off.

Subject:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x1b5effb

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Record Number: 175880
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090214071925.516986-000
Event Type: Audit Success
User:

Computer Name: Mike-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x1b5effb
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: CRAIG
Source Network Address: 192.168.2.7
Source Port: 2112

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 175879
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090214071925.516986-000
Event Type: Audit Success
User:

Computer Name: Mike-PC
Event Code: 4634
Message: An account was logged off.

Subject:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x1b5efe9

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Record Number: 175878
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090214071925.501386-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0f02
"NUMBER_OF_PROCESSORS"=2
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip

-----------------EOF-----------------

In reading through the last portion of the info.txt report I see that an unidentified computer accessed the wireless system. This may be my 13 y/o daughters Acer laptop, but I can't be certain at the moment.

Thanks for your assistance.

Mike

peku006
2009-11-29, 21:32
Hi Mike

it is almost night in Norway :D:

1 - Download and Run ComboFix

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you
Please include the C:\ComboFix.txt in your next reply for further review.

2 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)


Thanks peku006

Mike T
2009-11-29, 22:06
peku006,

I downloaded and attempted running combofix. Everything seemed to be going well and the first four stages completed. During the fifth stage the screen went bluw, and flashed a quick message that windows had encountered an unexpected error and would shut down.

The system automatically rebooted and I signed back in, with everything appearing normal at this point. I am sending this message from my laptop while the other continues spooling up.

What next? Try combofix again?

Mike

Mike T
2009-11-29, 22:22
Update:

I decided to attempt running combofix again. Seems to be running OK now, having completed stages 6 and 6A. Unknown why there was an unexpected error earlier.

Mike

peku006
2009-11-29, 22:22
Hi Mike

Yes, try combofix again

peku006

Mike T
2009-11-29, 22:41
OK peku, the second run of combofix worked just fine. After I restarted this computer I did not get the series of failed program messages I have been getting since the infection began so we are making definite headway.

Here is the combofix log:

ComboFix 09-11-29.02 - Mike 11/29/2009 12:17.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1364 [GMT -8:00]
Running from: c:\users\Mike\Downloads\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3372943625-3939100846-1810013705-1004
c:\$recycle.bin\S-1-5-21-3372943625-3939100846-1810013705-1006
c:\$recycle.bin\S-1-5-21-3372943625-3939100846-1810013705-500

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-29 20:27 . 2009-11-29 20:27 -------- d-----w- c:\users\Mike\AppData\Local\temp
2009-11-29 20:27 . 2009-11-29 20:27 -------- d-----w- c:\users\Viki\AppData\Local\temp
2009-11-29 20:27 . 2009-11-29 20:27 -------- d-----w- c:\users\Michelle\AppData\Local\temp
2009-11-29 20:27 . 2009-11-29 20:27 -------- d-----w- c:\users\Michelle.Mike-PC\AppData\Local\temp
2009-11-29 20:27 . 2009-11-29 20:27 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-11-29 20:27 . 2009-11-29 20:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-29 20:27 . 2009-11-29 20:27 -------- d-----w- c:\users\Barbara\AppData\Local\temp
2009-11-29 20:27 . 2009-11-29 20:27 -------- d-----w- c:\users\Barbara.Mike-PC\AppData\Local\temp
2009-11-27 22:30 . 2009-11-27 22:30 4096 d-----w- c:\program files\ERUNT
2009-11-27 17:56 . 2009-10-17 00:06 651264 ----a-w- c:\windows\system32\lxdupmui.dll
2009-11-27 17:56 . 2009-10-17 00:06 376832 ----a-w- c:\windows\system32\lxducomm.dll
2009-11-27 17:56 . 2009-10-17 00:06 684032 ----a-w- c:\windows\system32\lxduhbn3.dll
2009-11-27 17:56 . 2009-10-17 00:06 364544 ----a-w- c:\windows\system32\lxducfg.exe
2009-11-27 17:56 . 2009-10-16 23:56 208896 ----a-w- c:\windows\system32\lxdugrd.dll
2009-11-27 17:56 . 2009-10-17 00:06 323584 ----a-w- c:\windows\system32\lxduih.exe
2009-11-27 17:02 . 2009-11-27 17:02 -------- d-----w- c:\users\Mike\AppData\Roaming\Malwarebytes
2009-11-27 16:44 . 2009-11-27 16:44 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-27 16:22 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-27 16:20 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-11-27 16:18 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-27 16:18 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-27 16:18 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-27 02:16 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-27 02:16 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-27 02:14 . 2009-11-19 19:48 43008 ----a-w- c:\users\Viki\AppData\Roaming\Mozilla\Firefox\Profiles\geuuomh9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-27 02:14 . 2009-11-19 19:48 340480 ----a-w- c:\users\Viki\AppData\Roaming\Mozilla\Firefox\Profiles\geuuomh9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-27 02:14 . 2009-11-19 19:48 346624 ----a-w- c:\users\Viki\AppData\Roaming\Mozilla\Firefox\Profiles\geuuomh9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-27 02:14 . 2009-11-19 19:48 872960 ----a-w- c:\users\Viki\AppData\Roaming\Mozilla\Firefox\Profiles\geuuomh9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-27 01:29 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-27 01:29 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-27 01:29 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-27 01:29 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-26 22:40 . 2009-11-26 22:40 -------- d-----w- c:\users\Viki\AppData\Roaming\Malwarebytes
2009-11-26 22:40 . 2009-11-27 02:16 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-26 22:40 . 2009-11-26 22:40 -------- d-----w- c:\programdata\Malwarebytes
2009-11-26 21:57 . 2009-11-26 21:57 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-26 21:55 . 2009-11-27 18:43 -------- d-----w- c:\programdata\NVIDIA
2009-11-26 16:36 . 2009-11-26 16:36 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-24 02:58 . 2009-11-26 03:38 -------- d-----w- c:\program files\iPod(92)
2009-11-24 02:58 . 2009-11-26 21:31 4096 d-----w- c:\program files\iTunes(93)
2009-11-24 02:58 . 2009-11-24 02:59 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-11-24 02:56 . 2009-11-24 02:57 4096 d-----w- c:\program files\QuickTime(104)
2009-11-23 22:37 . 2009-11-23 22:37 680 ----a-w- c:\users\Viki\AppData\Local\d3d9caps.dat
2009-11-13 17:54 . 2009-11-13 17:55 -------- d-----w- c:\users\Mike\AppData\Roaming\5600-6600 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 18:36 . 2009-08-15 23:51 4096 d-----w- c:\programdata\Lx_cats
2009-11-28 00:53 . 2009-11-28 00:53 -------- d-----w- c:\users\Michelle.Mike-PC\AppData\Roaming\Malwarebytes
2009-11-27 22:54 . 2009-11-27 22:54 -------- d-----w- c:\program files\Trend Micro
2009-11-27 17:23 . 2008-11-29 22:25 24576 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-27 16:43 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-27 16:43 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-27 16:43 . 2009-11-27 16:43 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-27 16:42 . 2009-11-27 16:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-27 16:26 . 2008-05-28 07:02 12288 d-----w- c:\programdata\Microsoft Help
2009-11-27 16:08 . 2007-05-21 19:58 4096 d-----w- c:\program files\McAfee
2009-11-27 03:33 . 2007-04-19 21:54 250368 ----a-w- c:\windows\system32\drivers\iastor.sys
2009-11-27 01:15 . 2009-07-27 03:30 4096 d-----w- c:\program files\QuickTime
2009-11-27 01:15 . 2008-11-29 22:25 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-27 01:15 . 2009-07-27 03:31 4096 d-----w- c:\program files\iTunes
2009-11-27 01:15 . 2009-07-27 03:31 -------- d-----w- c:\program files\iPod
2009-11-27 01:15 . 2009-07-27 03:26 4096 d-----w- c:\program files\Common Files\Apple
2009-11-24 04:03 . 2009-07-28 03:09 4096 d-----w- c:\users\Viki\AppData\Roaming\Apple Computer
2009-11-20 07:35 . 2009-11-20 07:35 63808 ----a-w- c:\programdata\SPL9CF1.tmp
2009-11-19 19:48 . 2009-11-28 04:03 872960 ----a-w- c:\users\Barbara.Mike-PC\AppData\Roaming\Mozilla\Firefox\Profiles\zc4d8ocb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-11-19 19:48 . 2009-11-28 04:03 43008 ----a-w- c:\users\Barbara.Mike-PC\AppData\Roaming\Mozilla\Firefox\Profiles\zc4d8ocb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-11-19 19:48 . 2009-11-28 04:03 340480 ----a-w- c:\users\Barbara.Mike-PC\AppData\Roaming\Mozilla\Firefox\Profiles\zc4d8ocb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-11-19 19:48 . 2009-11-28 04:03 346624 ----a-w- c:\users\Barbara.Mike-PC\AppData\Roaming\Mozilla\Firefox\Profiles\zc4d8ocb.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-11-06 17:48 . 2009-04-30 01:13 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-03 04:42 . 2009-10-03 04:26 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-30 01:30 . 2009-10-30 01:30 -------- d-----w- c:\users\Michelle.Mike-PC\AppData\Roaming\Corel
2009-10-28 21:19 . 2009-10-28 21:19 -------- d-----w- c:\users\Barbara.Mike-PC\AppData\Roaming\Lexmark Productivity Studio
2009-10-25 14:02 . 2009-10-23 01:59 -------- d-----w- c:\programdata\Lexmark 5600-6600 Series
2009-10-22 02:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-22 02:10 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
2009-10-22 02:10 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
2009-10-22 02:10 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
2009-10-22 02:10 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
2009-10-22 02:10 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
2009-10-20 03:32 . 2009-10-20 03:32 34242 ----a-w- c:\programdata\SPLA20D.tmp
2009-10-17 00:06 . 2009-08-15 23:40 860160 ----a-w- c:\windows\system32\lxduusb1.dll
2009-10-17 00:06 . 2009-08-15 23:40 364544 ----a-w- c:\windows\system32\lxduinpa.dll
2009-10-17 00:06 . 2009-08-15 23:40 339968 ----a-w- c:\windows\system32\lxduiesc.dll
2009-10-17 00:06 . 2009-08-15 23:40 1069056 ----a-w- c:\windows\system32\lxduserv.dll
2009-10-17 00:06 . 2009-08-15 23:40 577536 ----a-w- c:\windows\system32\lxdulmpm.dll
2009-10-17 00:06 . 2009-08-15 23:40 589824 ----a-w- c:\windows\system32\lxducoms.exe
2009-10-17 00:06 . 2009-08-15 23:40 761856 ----a-w- c:\windows\system32\lxducomc.dll
2009-10-16 05:32 . 2009-10-16 05:32 409600 ----a-w- c:\windows\system32\lxducoin.dll
2009-10-15 14:10 . 2009-09-11 13:17 4096 d-----w- c:\users\Michelle.Mike-PC\AppData\Roaming\Apple Computer
2009-10-15 10:03 . 2007-04-19 14:20 24576 d-----w- c:\program files\Microsoft Works
2009-10-11 17:33 . 2009-07-27 03:26 -------- d-----w- c:\programdata\Apple
2009-10-01 01:02 . 2009-11-27 16:20 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-11-27 16:20 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-11-27 16:20 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-11-27 16:20 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-27 16:20 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-11-27 16:20 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-11-27 16:20 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-11-27 16:20 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-11-27 16:20 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-11-27 16:20 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-11-27 16:20 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-11-27 16:20 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-11-27 16:20 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-11-27 16:20 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-11-27 16:20 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:10 . 2009-11-27 16:21 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-11-27 16:21 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-11-27 16:21 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-11-27 16:21 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-11-27 16:21 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-11-27 16:21 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-11-27 16:21 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-11-27 16:21 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-11-27 16:21 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-11-27 16:21 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-11-27 16:21 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-11-27 16:21 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-11-27 16:21 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-11-27 16:21 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-11-27 16:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-11-27 16:21 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-11-27 16:21 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-11-27 16:21 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-11-27 16:21 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-11-27 16:21 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-11-27 16:21 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-11-27 16:21 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-11-27 16:21 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-11-27 16:21 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-11-27 16:21 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-11-27 16:21 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-11-27 16:21 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-19 04:45 . 2009-08-20 04:27 0 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\Bin\MG_PotionMotion.dll
2009-09-19 04:45 . 2009-08-20 04:27 53248 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\Bin\MG_HotShots.dll
2009-09-19 04:45 . 2009-08-20 04:27 94208 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\Bin\MG_Dueling_Diego.dll
2009-09-19 04:45 . 2009-08-20 04:27 24576 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\Bin\MG_Concentration.dll
2009-09-19 04:45 . 2009-08-20 04:27 49152 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\Bin\MG_ChooChooZoo.dll
2009-09-19 04:45 . 2009-08-20 03:48 127656 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\Bin\BugReporter.exe
2009-09-19 04:45 . 2009-08-20 03:48 787112 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\PatchClient\BankB\WizardLauncher.exe
2009-09-19 04:45 . 2009-08-20 03:48 787112 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\PatchClient\BankA\WizardLauncher.exe
2009-09-19 04:45 . 2009-08-20 03:48 73728 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\PatchClient\BankB\PatchClientUIRsrc.dll
2009-09-19 04:45 . 2009-08-20 03:48 111272 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\PatchClient\BankB\Configurator.exe
2009-09-19 04:45 . 2009-08-20 03:48 73728 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\PatchClient\BankA\PatchClientUIRsrc.dll
2009-09-19 04:45 . 2009-08-20 03:48 111272 ----a-w- c:\programdata\KingsIsle Entertainment\Wizard101\PatchClient\BankA\Configurator.exe
2009-09-16 17:22 . 2007-05-21 19:58 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2007-04-19 21:53 . 2007-04-19 21:52 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2006-11-12 446976]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-26 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-11-18 182744]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2006-09-26 423424]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-09-10 676520]
"lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-09-10 16040]
"Lexmark 5600-6600 Series Fax Server"="c:\program files\Lexmark 5600-6600 Series\fm3032.exe" [2008-09-10 311976]
"WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 92704]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-02-08 303104]

c:\users\Viki\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Belkin Network USB Hub Control Center.lnk - c:\program files\Belkin\Network USB Hub Control Center\Connect.exe [2007-7-22 741494]
Connect - Shortcut.lnk - c:\program files\Belkin\Network USB Hub Control Center\Connect.exe [2007-7-22 741494]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Barbara.Mike-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Michelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Michelle.Mike-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Belkin Network USB Hub Control Center.lnk - c:\program files\Belkin\Network USB Hub Control Center\Connect.exe [2007-7-22 741494]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-8 111376]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-4-19 45056]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):41,f0,f9,c2,bd,52,ca,01

R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 6:03 AM 208896]
R2 lxbc_device;lxbc_device;c:\windows\system32\lxbccoms.exe -service --> c:\windows\system32\lxbccoms.exe -service [?]
R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxduserv.exe [5/23/2008 4:58 AM 94208]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/30/2008 7:50 AM 210216]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 1:37 PM 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 12:49 PM 7424]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [4/19/2007 6:17 AM 5504]
R3 sxuptp;SXUPTP Driver;c:\windows\System32\drivers\sxuptp.sys [7/22/2007 2:58 PM 58368]
S2 gupdate1c9a44d2f2dfea7;Google Update Service (gupdate1c9a44d2f2dfea7);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2009 6:32 PM 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [9/19/2008 8:45 PM 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 02:32]

2009-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 02:32]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 19:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 19:22]

2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{4B1749D9-88CB-4A33-81F2-E9E78D1B98D4}.job
- c:\windows\system32\msfeedssync.exe [2009-10-15 03:41]

2009-11-29 c:\windows\Tasks\User_Feed_Synchronization-{9D83C039-4455-43FE-9639-F72933194517}.job
- c:\windows\system32\msfeedssync.exe [2009-10-15 03:41]

2009-11-29 c:\windows\Tasks\User_Feed_Synchronization-{B0136D5F-0293-42B0-A82F-F0BC3FA7D4F6}.job
- c:\windows\system32\msfeedssync.exe [2009-10-15 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.capolicepistol.org/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\3gd24wwn.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.capolicepistol.org/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 12:27
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5648)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2009-11-29 12:30
ComboFix-quarantined-files.txt 2009-11-29 20:30

Pre-Run: 191,157,121,024 bytes free
Post-Run: 191,275,003,904 bytes free

- - End Of File - - 622BE1C377BCCC15D0E9515D09BE90C7

peku006
2009-11-30, 11:23
Hi Mike

1 - Clean temp files


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work.TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scannner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the Eset online scannner report
2. a fresh HijackThis log

How's the computer running now?

Thanks peku006

Mike T
2009-12-01, 10:04
Peku,

I got home from work about an hour ago. I have run the TFC with reboot and started running the EST online scanner. It has been running for 56 minutesw so far and is less than 50% complete as of right now. The EST scanner has so far located 40 files infected with the Win32/Bagle.gen.zip worm.

I'm not sure if that has been laying in hiding or if my wife or daughters used the computer this evening while I was working. But I do know that McAfee did not find that when I logged on after getting home and their virus library doesn't show any listing for that version of Win32/Bagle.

I am writing this from my laptop and just now the monitor on the infected computer went blank with a message that "1: analog input cannot display this video mode". Unknown if that is the EST scanner or something else. I am going to have to let the scanner run and I will have to get some sleep as I have to get up for work in four hours and I suspect the scanner needs to run at least another hour.

I will try to save the log before I leave in the morning and submit the log when I get home tomorrow evening. Worse case, I will have to rerun everything tomorrow when I get home.

What fun.

Mike

Mike T
2009-12-01, 15:11
peku,

I just got ready for work and found that EST had completed while I slept and the screen reactivated. I have saved the EST results log and will rerun HJT tonight when I get home and will post both logs then.

Mike

Mike T
2009-12-02, 03:53
OK peku,

Just got home from work and have run HJT. Attached are the logs for HJT and EST.

EST:

C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch108.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch110.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch111.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch114.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch115.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch116.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch119.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch129.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch153.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch156.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch223.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch224.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch225.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch226.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch227.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch228.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch229.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch253.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch5.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch108.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch110.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch111.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch114.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch115.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch116.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch119.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch129.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch153.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch156.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch223.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch224.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch225.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch226.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch227.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch228.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch229.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch253.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch5.zip Win32/Bagle.gen.zip worm


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:53 PM, on 12/1/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Windows\System32\wscript.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capolicepistol.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [lxduamon] "C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe"
O4 - HKLM\..\Run: [Lexmark 5600-6600 Series Fax Server] "C:\Program Files\Lexmark 5600-6600 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [WPCUMI] C:\Windows\system32\WpcUmi.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c9a44d2f2dfea7) (gupdate1c9a44d2f2dfea7) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: lxbc_device - - C:\Windows\system32\lxbccoms.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12210 bytes

Overall, the computer is running much better, but still a couple hickups. My wife reported that when she signed on yesterday she was unable to print a document and the computer froze. All I experienced was the black screen during the EST scan, which I think might have been the scan "tickling" the monitor drivers since everything worked fine in the morning.

Awaiting the next steps.
Mike

peku006
2009-12-02, 11:44
Hi Mike


The EST scanner has so far located 40 files infected with the Win32/Bagle.gen.zip worm.
do not worry they are no active, Spybot - Search & Destroy has "destroyed" them

Please delete the entire contents of these folders (not the folders themselves):

C:\ProgramData\Spybot - Search & Destroy\Recovery
C:\Users\All Users\Spybot - Search & Destroy\Recovery

Empty your Recycle Bin.

Logs are clean ,but we can check if some of the programs need updating

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

Thanks peku006

Mike T
2009-12-03, 09:53
Good evening (morning) peku.

I deleted 440 files from the C:\ProgramData\Spybot - Search & Destroy\Recovery but was unable to find the C:\Users\All Users\Spybot - Search & Destroy\Recovery folder anywhere in the C:drive. I don't know if that is a Vista thing or what. I did select "show hidden folders" just in case it was hidden. I will keep looking.

Here is the log for the security check:

Results of screen317's Security Check version 0.99.1
Windows Vista Service Pack 2 (UAC is enabled)
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
ESET Online Scanner v3
McAfee SecurityCenter
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:
Scholastic's I SPY School Days
Scholastic's I SPY Treasure Hunt
Spybot - Search & Destroy
HijackThis 2.0.2
Java(TM) SE Runtime Environment 6
Adobe Flash Player 10
Adobe Reader 9.2
``````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSASCui.exe
``````````````````````````````
DNS Vulnerability Check:
Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

`````````End of Log```````````

I think we're getting close to whipping this.

Mike

peku006
2009-12-04, 21:48
Hi Mike

Your log now appears to be clean. Congratulations! :yahoo:

To remove all of the tools we used and the files and folders they created do the following:

Delete Security Check from your desktop.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know a bout them:.

Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.


Happy safe surfing! :bigthumb:

Mike T
2009-12-05, 02:24
peku,

All of the tools have been removed, the restore points has been reset and everything seems to be running fine.

My McAfee, Spybot and Windows are all current and updated (they normally are). My daughter has been educated about performing downloads when her mother or I are logged on (the kids are prevent from downloading on their accounts). I believe she has learned a lesson here, mainly because I wouldn't let anyone use this computer until it was cleaned so she couldn't use it for her homework, had to hand write everything.

With this post I feel we are safe to close and archive the thread.

Thanks for all the help peku.

Mike

peku006
2009-12-05, 09:05
As this issue appears to be resolved, this topic is now closed

We are pleased to have been some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)