Full Version: Antivirus system pro - disabled my internet/applications
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
amy3148
Hello,

I hope someone here can help. My laptop is infected with AntiVirus System Pro.

I am unable to run anti-spyware and my internet connection has been completely disabled. The search feature has also been disabled. I would like to post a log to this board for assistance but without internet access or the ability to run applications I'm not sure how. Is there a way around this?

My CPU usage is very high and there is a cli.exe running high. Should I end this process?

System Restore gives me a message box that says System Restore is not able to protect your computer. Please restart.

I am open to any suggestions to get started.

Thanks so much.
AdvancedSetup
I'm sorry for the long delay but the site has been swamped with more requests for help than we can handle in a short period of time.
If you still need help please let me know, otherwise I'll go ahead and close your post as you've probably moved on by now.
amy3148
Hello,

No problem on the wait. And yes, I would still love some help. I think I found the virus files based on the date and time of infection but I have no idea how to get rid of them or how to find out what else they have infected. They are below.

My internet connection (only the computer's ability to connect - I have a strong wireless signal) and my USB ports are still disabled by the virus so I am unable to get any new applications or diagnostic tools on my computer until I can get one of them working again. If this prevents you from helping, I understand. A few pay-for-services have already turned me down because of the lack of internet connectivity.

C:\Program Files\ossdsm
C:\WINDOWS\syssvc.exe
C:\WINDOWS\System32\iehelper.dll

Thanks so much!
AdvancedSetup
Hi Amy,


I'm guessing or assuming you already have MBAM installed, if not then let me know.
STEP 01
Restore Access to Programs
  • Please download the following tool: Inherit.exe and save it directly to your desktop - not a folder on the desktop - the commands are tailored for the desktop location.
  • Click on START -> RUN and Copy then Paste the following text (including the quote " marks) into the Run box and click OK
  • "%userprofile%\desktop\Inherit.exe" "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
  • You can also Drag-and-Drop any files onto inherit.exe if you want.
  • Repeat for any other files for which you get an access denied message


STEP 02
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log

STEP 03
Please download the following scanning tool. GMER
  • Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.
  • Double click on the randomly named exe file and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

AdvancedSetup
Please post an update on this.

Thanks.
AdvancedSetup
Is this a work computer or a home computer? Do you have full Admin access to it?
AdvancedSetup
Are you still with us Amy?
AdvancedSetup
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
AdvancedSetup
Post re-opened at user request.

Please see if you can burn these items onto a CD and transfer them to the infected PC

Do you have the Windows installation CD ?
AdvancedSetup
Please go ahead and post your logs here and I'll take a look
amy3148
Hi and thank you!

This is a home computer and I am the only administrator.

I do have the Windows installation CD. I hoped that I would be able to save my files, pictures and Quickbooks but if that is not an option, I can start from scratch.

I will buy CDs tomorrow, try it after work and post the logs if I can get that to work.

In the meantime, I was able to run a couple of logs a few weeks ago while running in safe mode. I will send them in my next post.

Using the logs and since I know what day and time (9/28/2009 around 19:30) I got the virus I was also able to locate a couple suspect files. Should I delete them?

C:\WINDOWS\syssvc.exe
C:\Program Files\ossdsm

My processes are running a CLI.exe file and numerous svchost.exe files. Also ati2evxx.exe, rundll32.exe, csrss.exe, jqs.exe, ZCfgSvc.exe, tfswctl.exe among others. I include these in case any of this is helpful.
amy3148
Here are two logs run on 10/3/2009. I have not done anything with the computer since then. Please note that the virus became active on 2009/09/28.

OTL Extras logfile created on: 10/3/2009 10:41:15 PM - Run 1
OTL by OldTimer - Version 3.0.18.2 Folder = F:\
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)

1022.37 Mb Total Physical Memory | 830.14 Mb Available Physical Memory | 81.20% Memory free
2.40 Gb Paging File | 2.35 Gb Available in Paging File | 97.62% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.23 Gb Total Space | 18.01 Gb Free Space | 35.16% Space Free | Partition Type: NTFS
Drive D: | 17.21 Gb Total Space | 17.14 Gb Free Space | 99.62% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 1.87 Gb Total Space | 0.02 Gb Free Space | 0.99% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Current Boot Mode: SafeMode
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- C:\Documents and Settings\AMH\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"67:UDP" = 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Computer, Inc.)
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (Intuit, Inc.)
"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{1A15507A-8551-4626-915D-3D5FA095CC1B}" = Corel Paint Shop Pro X
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE
"{22E9CF2B-4063-4dab-A251-93FA46F7DECC}_is1" = Spy Sweeper
"{237a4b22-78c2-11d6-a394-00104bd190b1}" = QuickBooks Pro Edition 2003
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 14
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Management Programs
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3B0F52AC-EF5C-4831-B221-06C782E41280}" = Quicken 2008
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{3F4EC965-28EF-45C3-B063-04B25D4E9679}" = WIDCOMM Bluetooth Software
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{446DBFFA-4088-48E3-8932-74316BA4CAE4}" = iTunes
"{4667B940-BB01-428B-986E-A0CC46497BF7}" = ELIcon
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{62BD0AE0-4EB1-4BBB-8F43-B6400C8FEB2C}" = AOLIcon
"{63AFACBC-4795-4A1B-8037-5085DC03FC54}" = Microsoft LifeCam
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.7
"{6D5FCA42-1486-4E32-AFE8-1B7E2AA59D33}" = Digital Content Portal
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{728278A1-0BB7-45E4-AC5E-91D7C0FD1EDE}" = EarthLink setup files
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7A3F0566-5E05-4919-9C98-456F6B5CF831}" = Get High Speed Internet!
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{84031A18-BA9A-4156-A74F-E05B52DDFCE2}" = DING!
"{85D3CC30-8859-481A-9654-FD9B74310BEF}" = Musicmatch® Jukebox
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask.com Toolbar
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A9B8148-DDD7-448F-BD6C-358386D32354}" = Corel Photo Album 6
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{91490409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Primary Interop Assemblies
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9A2F0810-3619-4E86-9072-973FBE1679C5}" = QuickBooks Simple Start 2009
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{A02ED372-22FA-448B-AB6A-1B0FC23B7D08}" = ATI Catalyst Control Center
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}" = Apple Software Update
"{A683A2C0-821C-486F-858C-FA634DB5E864}" = EducateU
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B0DF58A2-40DF-4465-AA56-38623EC9938C}" = Documentation & Support Launcher
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic RecordNow Copy
"{B6884A07-0305-47AE-9969-8F26FADC17DE}" = Games, Music, & Photos Launcher
"{B7F98125-4955-41E3-8A71-4CE11CE9C198}" = KODAK Gallery Upload Software
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C34FAEF3-4241-4C4E-9CFF-7BBD8BCEABE7}" = WebEx Support Manager for Internet Explorer
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}" = AnswerWorks 5.0 English Runtime
"{DF6A589A-7A1A-430C-9FF2-A0BDB42669DC}" = Search Assist
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AOL Instant Messenger" = AOL Instant Messenger
"ATI Display Driver" = ATI Display Driver
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"CentraClient" = Centra Client
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"Dell Game Console" = Dell Game Console
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"ESPNMotion" = ESPNMotion
"Flickr Uploadr" = Flickr Uploadr 3.0.5
"Google Updater" = Google Updater
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20)
"OfotoEZUpload" = KODAK EASYSHARE Gallery Upload ActiveX Control
"Picasa 3" = Picasa 3
"Portrait Professional 6_is1" = Portrait Professional 6.6
"ProInst" = Intel® PROSet/Wireless Software
"RealPlayer 6.0" = RealPlayer
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"Shutterfly Plugin" = Shutterfly Plugin
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"SystemRequirementsLab" = System Requirements Lab
"Viewpoint Manager" = Viewpoint Manager (Remove Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"WebCyberCoach_wtrb" = WebCyberCoach 3.2 Dell
"WIC" = Windows Imaging Component
"WildTangent CDA" = WildTangent Web Driver
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"WMFDist11" = Windows Media Format 11 runtime
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Zinio Reader" = Zinio Reader

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/28/2009 4:05:05 PM | Computer Name = AMY | Source = Google Update | ID = 20
Description =

Error - 9/28/2009 5:05:05 PM | Computer Name = AMY | Source = Google Update | ID = 20
Description =

Error - 9/28/2009 5:05:05 PM | Computer Name = AMY | Source = Google Update | ID = 20
Description =

Error - 9/28/2009 8:26:18 PM | Computer Name = AMY | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 9/28/2009 8:45:29 PM | Computer Name = AMY | Source = Application Hang | ID = 1002
Description = Hanging application SpySweeperUI.exe, version 6.1.0.128, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/28/2009 8:45:29 PM | Computer Name = AMY | Source = Application Hang | ID = 1002
Description = Hanging application SpySweeperUI.exe, version 6.1.0.128, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/28/2009 9:08:32 PM | Computer Name = AMY | Source = JavaQuickStarterService | ID = 1
Description =

Error - 9/28/2009 10:29:46 PM | Computer Name = AMY | Source = JavaQuickStarterService | ID = 1
Description =

Error - 9/29/2009 7:10:21 PM | Computer Name = AMY | Source = JavaQuickStarterService | ID = 1
Description =

Error - 9/29/2009 7:31:37 PM | Computer Name = AMY | Source = MsiInstaller | ID = 11720
Description = Product: Ask.com Toolbar -- Error 1720.There is a problem with this
Windows Installer package. A script required for this install to complete could
not be run. Contact your support personnel or package vendor. Custom action vb_IS_FF_OPEN_UNINSTALL
script error -2146828218, Microsoft VBScript runtime error: Permission denied:
'GetObject' Line 9, Column 5,

[ System Events ]
Error - 10/3/2009 5:24:50 PM | Computer Name = AMY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 10/3/2009 5:25:29 PM | Computer Name = AMY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 10/3/2009 5:25:32 PM | Computer Name = AMY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 10/3/2009 5:25:36 PM | Computer Name = AMY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 10/3/2009 6:56:24 PM | Computer Name = AMY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 10/3/2009 6:56:25 PM | Computer Name = AMY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 10/3/2009 6:56:28 PM | Computer Name = AMY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 10/3/2009 7:30:03 PM | Computer Name = AMY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 10/3/2009 10:12:38 PM | Computer Name = AMY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 10/3/2009 10:12:46 PM | Computer Name = AMY | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}


< End of report >


OTListIT.txt

OTL logfile created on: 10/3/2009 10:41:15 PM - Run 1
OTL by OldTimer - Version 3.0.18.2 Folder = F:\
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)

1022.37 Mb Total Physical Memory | 830.14 Mb Available Physical Memory | 81.20% Memory free
2.40 Gb Paging File | 2.35 Gb Available in Paging File | 97.62% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.23 Gb Total Space | 18.01 Gb Free Space | 35.16% Space Free | Partition Type: NTFS
Drive D: | 17.21 Gb Total Space | 17.14 Gb Free Space | 99.62% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 1.87 Gb Total Space | 0.02 Gb Free Space | 0.99% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded


Current Boot Mode: SafeMode
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2007/06/13 06:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/10/03 22:20:44 | 00,519,168 | ---- | M] (OldTimer Tools) -- F:\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (0025061238551938mcinstcleanup [Auto | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/05/23 07:59:38 | 00,409,600 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Auto | Stopped])
SRV - [2006/05/24 19:21:28 | 00,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins [Auto | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/03/07 15:47:46 | 00,076,848 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService [On_Demand | Stopped])
SRV - [2005/12/15 13:14:40 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe -- (ehRecvr [Auto | Stopped])
SRV - [2005/08/05 14:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe -- (ehSched [Auto | Stopped])
SRV - [2006/05/01 10:20:52 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/03/11 18:28:18 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c9a298b8d418ea [Auto | Stopped])
SRV - [2009/03/24 21:17:46 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2004/08/10 06:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Stopped])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2006/10/30 10:36:32 | 00,492,608 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Stopped])
SRV - [2009/05/21 11:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Stopped])
SRV - [2005/08/05 14:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Stopped])
SRV - [2003/06/20 00:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Stopped])
SRV - [2004/08/10 05:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mhn.dll -- (MHN [On_Demand | Stopped])
SRV - [2007/05/17 17:45:33 | 00,271,720 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc [Auto | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2006/04/06 15:57:54 | 00,380,928 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe -- (NICCONFIGSVC [Auto | Stopped])
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/11/02 20:40:12 | 00,174,656 | ---- | M] () -- C:\WINDOWS\System32\PSIService.exe -- (ProtexisLicensing [Auto | Stopped])
SRV - [2008/09/10 22:37:36 | 00,024,576 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService [Auto | Stopped])
SRV - [2008/08/08 21:10:46 | 00,061,440 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService [On_Demand | Stopped])
SRV - [2006/05/01 10:20:26 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Stopped])
SRV - [2006/05/01 10:22:42 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Stopped])
SRV - [2007/01/04 17:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Stopped])
SRV - [2009/04/21 18:26:52 | 04,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService [Auto | Stopped])
SRV - [2006/05/01 10:34:00 | 00,262,217 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- (WLANKEEPER [Auto | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2001/08/17 14:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2004/08/04 00:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2005/08/12 18:50:46 | 00,016,128 | ---- | M] (Dell Inc) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV [System | Stopped])
DRV - [2001/08/17 14:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 14:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2006/05/23 08:06:36 | 01,578,496 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Stopped])
DRV - [2005/08/05 10:32:16 | 00,045,312 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Stopped])
DRV - [2006/05/24 19:04:04 | 00,851,434 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\System32\DRIVERS\btkrnl.sys -- (BTKRNL [On_Demand | Stopped])
DRV - [2006/05/24 19:05:26 | 00,023,271 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\System32\drivers\btserial.sys -- (BTSERIAL [Auto | Stopped])
DRV - [2006/05/24 19:00:50 | 00,066,488 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\System32\Drivers\btwusb.sys -- (BTWUSB [On_Demand | Stopped])
DRV - [2001/08/17 14:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 14:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2004/12/01 04:22:00 | 00,087,488 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb [Boot | Running])
DRV - [2004/11/23 03:56:00 | 00,040,480 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\drvnddm.sys -- (drvnddm [Auto | Stopped])
DRV - [2006/10/05 16:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct [On_Demand | Stopped])
DRV - [2007/02/25 12:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\System32\DRIVERS\dsunidrv.sys -- (dsunidrv [Auto | Stopped])
DRV - [2001/08/17 13:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])
DRV - [2009/01/15 12:19:36 | 00,023,848 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GearAspiWDM [On_Demand | Running])
DRV - [2004/08/12 18:45:54 | 00,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/07/21 21:01:08 | 00,201,600 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys -- (HSFHWAZL [On_Demand | Stopped])
DRV - [2005/07/21 21:02:12 | 01,035,008 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Stopped])
DRV - [2004/03/16 21:04:14 | 00,013,059 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Stopped])
DRV - [2001/08/17 14:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2004/08/03 23:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2004/02/13 10:46:00 | 00,017,153 | ---- | M] (Dell Inc) -- C:\WINDOWS\System32\DRIVERS\omci.sys -- (omci [System | Running])
DRV - [2004/08/10 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Stopped])
DRV - [2008/04/07 19:16:45 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001/08/17 14:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 14:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 14:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2005/10/14 09:40:18 | 00,028,544 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rimmptsk.sys -- (rimmptsk [On_Demand | Running])
DRV - [2005/10/14 09:40:18 | 00,051,328 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rimsptsk.sys -- (rimsptsk [On_Demand | Running])
DRV - [2005/10/14 09:40:18 | 00,307,968 | ---- | M] (REDC) -- C:\WINDOWS\System32\DRIVERS\rixdptsk.sys -- (rismxdp [On_Demand | Running])
DRV - [2006/05/01 10:52:02 | 00,013,568 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\s24trans.sys -- (s24trans [Auto | Stopped])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/08/04 00:07:44 | 00,041,088 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2001/08/17 15:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2004/07/14 12:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\sscdbhk5.sys -- (sscdbhk5 [System | Running])
DRV - [2009/04/21 18:27:02 | 00,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc [Boot | Running])
DRV - [2009/04/21 18:27:04 | 00,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\DRIVERS\sshrmd.sys -- (sshrmd [Boot | Running])
DRV - [2009/04/21 18:27:04 | 00,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\WINDOWS\system32\DRIVERS\ssidrv.sys -- (ssidrv [Boot | Running])
DRV - [2004/07/14 12:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\ssrtln.sys -- (ssrtln [System | Running])
DRV - [2006/03/24 17:34:30 | 01,156,648 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\System32\drivers\sthda.sys -- (STHDA [On_Demand | Stopped])
DRV - [2001/08/17 15:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 15:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 15:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 15:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2006/03/08 12:35:10 | 00,191,872 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\System32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2004/12/06 02:05:00 | 00,025,883 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnboio.sys -- (tfsnboio [Auto | Stopped])
DRV - [2004/12/06 02:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsncofs.sys -- (tfsncofs [Auto | Stopped])
DRV - [2004/12/06 02:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsndrct.sys -- (tfsndrct [Auto | Stopped])
DRV - [2004/12/06 02:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsndres.sys -- (tfsndres [Auto | Stopped])
DRV - [2004/12/06 02:05:00 | 00,086,586 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnifs.sys -- (tfsnifs [Auto | Stopped])
DRV - [2004/12/06 02:05:00 | 00,015,227 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnopio.sys -- (tfsnopio [Auto | Stopped])
DRV - [2004/12/06 02:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnpool.sys -- (tfsnpool [Auto | Stopped])
DRV - [2004/12/06 02:05:00 | 00,098,714 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnudf.sys -- (tfsnudf [Auto | Stopped])
DRV - [2004/12/06 02:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\dla\tfsnudfa.sys -- (tfsnudfa [Auto | Stopped])
DRV - [2001/08/17 14:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2004/08/04 00:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2007/04/10 17:46:48 | 01,966,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\VX3000.sys -- (VX3000 [On_Demand | Stopped])
DRV - [2006/04/26 17:13:04 | 01,429,632 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\System32\DRIVERS\w39n51.sys -- (w39n51 [On_Demand | Stopped])
DRV - [2005/07/21 21:01:00 | 00,717,952 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..keyword.URL: "http://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q="


FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/19 10:36:07 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 18:31:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/03 17:04:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/06/11 23:03:06 | 00,000,000 | ---D | M]

[2009/09/29 19:20:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\AMH\Application Data\mozilla\Firefox\Profiles\0cfw65tr.default\extensions
[2009/09/24 23:04:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\AMH\Application Data\mozilla\Firefox\Profiles\0cfw65tr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2006/09/29 23:07:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\AMH\Application Data\mozilla\Firefox\Profiles\0cfw65tr.default\extensions\{2A10B180-05EF-11D9-8C50-444553540001}
[2009/09/28 20:41:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\AMH\Application Data\mozilla\Firefox\Profiles\0cfw65tr.default\extensions\toolbar@ask.com
[2009/09/27 20:04:44 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/11 23:03:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/31 16:02:19 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2009/07/12 19:55:48 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
[2009/06/11 23:03:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\talkback@mozilla.org
[2009/06/11 23:02:47 | 00,067,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2009/06/11 23:02:47 | 00,054,368 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2009/06/11 23:02:47 | 00,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\myspell.dll
[2009/06/11 23:02:48 | 00,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\spellchk.dll
[2009/06/11 23:02:48 | 00,172,136 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2009/05/21 11:33:58 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/06/11 23:03:02 | 00,022,656 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2007/03/22 20:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\NPOFFICE.DLL
[2006/10/09 20:33:58 | 00,144,872 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nppl3260.dll
[2006/10/09 20:34:07 | 00,024,621 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprjplug.dll
[2006/10/09 20:33:52 | 00,081,967 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\mozilla firefox\plugins\nprpjplug.dll
[2005/04/27 17:31:10 | 00,225,280 | ---- | M] (Asgard Software Inc.) -- C:\Program Files\mozilla firefox\plugins\NPUploader.dll
[2009/06/11 23:03:05 | 00,001,514 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/06/11 23:03:05 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/09/28 21:11:33 | 00,002,236 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\askcom.xml
[2009/06/11 23:03:05 | 00,001,038 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/06/11 23:03:05 | 00,001,046 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/06/11 23:03:05 | 00,002,351 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/03/31 22:18:02 | 00,002,221 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SafeSearch.xml
[2009/06/11 23:03:05 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (152 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winshield2009.microsoft.com
O1 - Hosts: 91.212.127.226 winshield2009.com
O1 - Hosts: 91.212.127.226 www.winshield2009.com
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (BHO) - {22E1EFF7-D8DD-4bbc-9CE8-87EDBE8C1A40} - C:\WINDOWS\System32\iehelper.dll ()
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Ask.com Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe (Corel, Inc.)
O4 - HKLM..\Run: [dla] C:\WINDOWS\System32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [DVDLauncher] C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [VX3000] C:\WINDOWS\vVX3000.exe (Microsoft Corporation)
O4 - HKCU..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe ()
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\AMH\Start Menu\Programs\Startup\DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites)
O15 - HKLM\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: kodakgallery.com ([www] http in Trusted sites)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/24.11/uploader2.cab (UploadListView Class)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab (Windows Live Safety Center Base Module)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get/flash...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} http://dlm.tools.akamai.com/dlmanager/vers...ivex-latest.cab (DownloadManager Control)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\intu-help-qb2 - No CLSID value found
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O30 - LSA: Authentication Packages - (OWS\S) - File not found
O30 - LSA: Security Packages - (\ATI.ACE) - File not found
O30 - LSA: Security Packages - (m]) - File not found
O30 - LSA: Security Packages - ((microsoft) - File not found
O30 - LSA: Security Packages - (corpora) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 05:43:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{4255af27-c197-11dc-83f4-0015c5ad6540}\Shell\AutoRun\command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{4255af27-c197-11dc-83f4-0015c5ad6540}\Shell\Shell00\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{4255af27-c197-11dc-83f4-0015c5ad6540}\Shell\Shell01\Command - "" = F:\Autorun.exe -- File not found
O33 - MountPoints2\{4255af27-c197-11dc-83f4-0015c5ad6540}\Shell\Shell02\Command - "" = F:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/09 21:14:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton Installer
[2009/09/09 21:12:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/09/28 20:40:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2009/09/20 14:31:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AMH\Application Data\Centra
[2009/09/28 21:36:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AMH\Application Data\Norton Utilities 14
[2009/09/20 14:31:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AMH\Application Data\Saba
[2009/09/28 20:40:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AMH\Application Data\Webroot
[2009/09/28 20:46:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AMH\Local Settings\Application Data\AskToolbar
[2009/09/09 21:26:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AMH\Local Settings\Application Data\PassMark
[4 C:\Documents and Settings\AMH\My Documents\*.tmp files]
[2009/09/20 14:31:09 | 00,000,000 | ---D | C] -- C:\Program Files\Centra
[2009/09/28 20:41:10 | 00,000,000 | ---D | C] -- C:\Program Files\MSSOAP
[2009/09/09 21:12:26 | 00,000,000 | ---D | C] -- C:\Program Files\Norton Utilities 14
[2009/09/28 19:37:03 | 00,000,000 | ---D | C] -- C:\Program Files\ossdsm
[2009/09/28 20:40:46 | 00,000,000 | ---D | C] -- C:\Program Files\Webroot
[2009/09/28 20:40:46 | 01,563,008 | ---- | C] (Webroot Software, Inc.) -- C:\WINDOWS\WRSetup.dll
[2009/09/09 21:29:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\pss
[2009/09/09 21:26:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\AMH\My Documents\PassMark
[2009/09/09 18:06:09 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll

========== Files - Modified Within 30 Days ==========

[18 C:\WINDOWS\System32\*.tmp files]
[4 C:\Documents and Settings\AMH\My Documents\*.tmp files]
[2009/10/03 22:42:49 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\AMH\Desktop\New Shortcut
[2009/10/03 22:34:17 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/03 16:07:03 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/03 16:01:02 | 00,047,616 | ---- | M] () -- C:\Documents and Settings\AMH\My Documents\BChelp.exe
[2009/09/28 21:36:30 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/28 21:08:42 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/09/28 21:08:17 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/09/28 21:05:01 | 00,000,970 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2470627812-1254077453-3360473131-1006UA.job
[2009/09/28 21:05:00 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/09/28 21:01:01 | 00,000,230 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2009/09/28 20:46:08 | 00,000,152 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2009/09/28 20:46:01 | 00,001,640 | ---- | M] () -- C:\WINDOWS\tasks\wrSpySweeper_LB972090D19F8471A997B737CC49F7D5E.job
[2009/09/28 20:44:15 | 00,012,032 | ---- | M] () -- C:\WINDOWS\System32\iehelper.dll
[2009/09/28 20:41:40 | 00,001,669 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spy Sweeper.lnk
[2009/09/28 20:40:22 | 00,000,164 | ---- | M] () -- C:\WINDOWS\install.dat
[2009/09/28 19:46:56 | 00,222,208 | ---- | M] () -- C:\WINDOWS\syssvc.exe
[2009/09/27 23:05:00 | 00,000,918 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2470627812-1254077453-3360473131-1006Core.job
[2009/09/26 19:06:23 | 00,013,824 | ---- | M] () -- C:\Documents and Settings\AMH\My Documents\Book1.xls
[2009/09/20 21:04:55 | 00,013,824 | ---- | M] () -- C:\Documents and Settings\AMH\My Documents\Running.xls
[2009/09/15 22:06:40 | 00,002,268 | ---- | M] () -- C:\Documents and Settings\AMH\Desktop\Google Chrome.lnk
[2009/09/10 18:07:12 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/09/09 23:44:35 | 00,004,704 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/09/09 23:22:21 | 00,073,728 | ---- | M] () -- C:\Documents and Settings\AMH\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/08 13:14:51 | 00,001,806 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Corel Paint Shop Pro X.lnk

========== Files - No Company Name ==========
[2009/10/03 22:42:49 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\AMH\Desktop\New Shortcut
[2009/10/03 17:23:56 | 00,047,616 | ---- | C] () -- C:\Documents and Settings\AMH\My Documents\BChelp.exe
[2009/09/28 20:46:00 | 00,001,640 | ---- | C] () -- C:\WINDOWS\tasks\wrSpySweeper_LB972090D19F8471A997B737CC49F7D5E.job
[2009/09/28 20:41:40 | 00,001,669 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spy Sweeper.lnk
[2009/09/28 20:41:36 | 00,000,230 | ---- | C] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2009/09/28 20:40:20 | 00,000,164 | ---- | C] () -- C:\WINDOWS\install.dat
[2009/09/28 19:46:53 | 00,222,208 | ---- | C] () -- C:\WINDOWS\syssvc.exe
[2009/09/28 19:46:50 | 00,012,032 | ---- | C] () -- C:\WINDOWS\System32\iehelper.dll
[2009/09/20 21:04:55 | 00,013,824 | ---- | C] () -- C:\Documents and Settings\AMH\My Documents\Running.xls
[2008/12/25 18:15:50 | 00,015,498 | ---- | C] () -- C:\WINDOWS\VX3000.ini
[2008/10/31 22:23:51 | 00,000,095 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2007/10/13 23:37:07 | 00,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/12/27 22:21:22 | 00,073,728 | ---- | C] () -- C:\Documents and Settings\AMH\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/11/07 00:30:00 | 00,020,992 | ---- | C] () -- C:\WINDOWS\jestertb.dll
[2006/10/22 22:45:23 | 04,842,720 | -H-- | C] () -- C:\Documents and Settings\AMH\Local Settings\Application Data\IconCache.db
[2006/09/23 00:22:56 | 00,030,832 | ---- | C] () -- C:\Documents and Settings\AMH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2006/09/23 00:14:12 | 00,004,704 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2006/09/23 00:14:12 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\83A0AA6E42.sys
[2006/09/02 23:29:22 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\AMH\Application Data\desktop.ini
[2006/09/02 23:29:21 | 00,000,126 | ---- | C] () -- C:\Documents and Settings\AMH\Local Settings\Application Data\fusioncache.dat
[2006/09/02 22:43:29 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/08/24 22:33:10 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/24 22:17:45 | 00,712,704 | ---- | C] () -- C:\WINDOWS\System32\DellSystemRestore.dll
[2006/08/24 22:14:59 | 00,000,289 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/08/24 22:11:26 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/08/24 22:06:53 | 00,000,004 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare
[2006/08/24 21:38:18 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/08/24 21:36:49 | 00,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/05/24 19:16:22 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2005/08/16 05:37:24 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/16 05:33:24 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2005/08/16 05:18:43 | 00,000,573 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/08/16 05:18:41 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2005/08/05 15:01:54 | 00,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/04/09 11:04:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/02/17 13:41:32 | 00,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 13:41:30 | 00,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/11/14 14:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
amy3148
Another update. I was able to get to my flash drive using the run... key and install Malwarebytes. I ran it and got the following pop-up:

An error occurred. Please report the following error to the Malwarebytes Anti-Malware support team.

Error code: 732 (0,0)

But it is currently scanning so I will post results once finished.

Is there any concern with copying the notepad .txt file to the flash drive and opening it on the uninfected machine in order to post the results?
AdvancedSetup
Just means it was unable to update the database.
If you can update MBAM on another computer you can copy the rules.ref file to the infected computer and that will update the database.

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

As for infecting the other computer, it's always possible. Make sure it has live, up-to-date anti-virus running on the other system.
amy3148
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

10/14/2009 11:11:17 PM
mbam-log-2009-10-14 (23-11-17).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 200020
Time elapsed: 45 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22e1eff7-d8dd-4bbc-9ce8-87edbe8c1a40} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{22e1eff7-d8dd-4bbc-9ce8-87edbe8c1a40} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{22e1eff7-d8dd-4bbc-9ce8-87edbe8c1a40} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP298\A0063271.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP299\A0063285.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\syssvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
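Two things in the log above need follow-up and are easy to miss when reading it by eye: iehelper.dll is listed twice as "Delete on reboot" (it also appears under Memory Modules, i.e. it was loaded, which is why it could not be removed during the scan and should be confirmed gone after the restart), and the two Security Center data items show that the anti-virus and firewall notifications had been switched off. The Python below is an added example, not from this thread or from Malwarebytes; SAMPLE_LOG is a trimmed copy of the log just posted, and the line grammar it assumes (target (family) -> [detail ->] action.) is inferred from that log rather than from any published format.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and list what still needs
checking after the scan. Added example; SAMPLE_LOG is a trimmed copy of the
log posted in the thread. Usage: python mbam_log.py [mbam-log.txt]"""
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22e1eff7-d8dd-4bbc-9ce8-87edbe8c1a40} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{22e1eff7-d8dd-4bbc-9ce8-87edbe8c1a40} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{22e1eff7-d8dd-4bbc-9ce8-87edbe8c1a40} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP298\A0063271.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP299\A0063285.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\syssvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Detection:
    section: str            # e.g. "Files Infected"
    target: str             # file path or registry path
    family: str             # detection name, e.g. Trojan.Vundo.H
    action: str             # what MBAM did, e.g. "Delete on reboot"
    detail: Optional[str] = None  # "Bad: (1) Good: (0)" on registry data items


# Summary line: "<section> Infected: <n>"; section header: "<section> Infected:"
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Item line grammar inferred from the log: target (family) -> [detail ->] action.
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:(?P<detail>.+?) -> )?(?P<action>[^>]+?)\.?$"
)


def parse_mbam_log(text):
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if (m := COUNT_RE.match(line)):
            counts[m["section"]] = int(m["n"])
        elif (m := HEADER_RE.match(line)):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            detections.append(Detection(section, m["target"], m["family"],
                                        m["action"], m["detail"]))
    return {"counts": counts, "detections": detections}


def pending_on_reboot(parsed):
    """Items MBAM could only remove at restart: confirm they are gone afterwards."""
    return sorted({d.target for d in parsed["detections"]
                   if d.action.lower() == "delete on reboot"})


def security_center_tampering(parsed):
    """Security Center values the malware had flipped (last path component)."""
    return [d.target.rsplit("\\", 1)[-1] for d in parsed["detections"]
            if d.family == "Disabled.SecurityCenter"]


def count_mismatches(parsed):
    """Summary counts that disagree with the items actually listed (truncated log?)."""
    seen = Counter(d.section for d in parsed["detections"])
    return {s: (n, seen.get(s, 0)) for s, n in parsed["counts"].items()
            if n != seen.get(s, 0)}


def families(parsed):
    return Counter(d.family for d in parsed["detections"])


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    parsed = parse_mbam_log(text)
    print("families:", dict(families(parsed)))
    print("verify after reboot:", pending_on_reboot(parsed))
    print("security center values reset:", security_center_tampering(parsed))
    print("count mismatches:", count_mismatches(parsed) or "none")
```

Run it against a real mbam-log-*.txt and the "verify after reboot" list is what to check with a second scan; a non-empty "count mismatches" usually means the pasted log was cut off.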
amy3148
After reboot I got the following message...
Run time error '372':

Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.
AdvancedSetup
Please see issue #15 from this post here: http://www.malwarebytes.org/forums/index.php?showtopic=10138

You might also need to do the following

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. mbam-clean.exe
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. mbam-setup.exe
Note: You will need to reactivate the program using the license you were sent
Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and that you can run a quick scan and all is working as expected.

amy3148
Hello,

I was able to run Malwarebytes again when I got home tonight. Very strange but sometimes I can get certain apps to run and this was one of those moments. 0 files were detected and it said the computer is clean but nothing works.

I also ran and have a gmer log file. I saved it to my desktop and my flash drive. I was able to zip it on the desktop but have no way to get the zipped file to the flash drive. I can send the unzipped log file if you would like.

Given this status update, what should my next step be?

Thanks so much.
AdvancedSetup
Okay please try to copy this file over to the affected PC and run it. Then copy back the log file and post it back here.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  7. Double click on Combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above), but name Combofix.exe iexplore.exe instead, or winlogon.exe.
This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...
amy3148
Great. I will do this tonight.

Is there any quick fix to restoring my internet connectivity? I read that viruses can disable your LAN settings but I checked mine and that does not seem to be the case. I ask because I am really afraid of infecting the other computer with the back and forth flash drive. It would be nice if I could access this site from the infected computer and download these .exe files and logs directly.

Thanks.
AdvancedSetup
You can try the following.

Click on START - RUN and copy / paste the entry below into the run line and click OK

    CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

    CMD /C NETSH int ip reset c:\resetlog.txt

Click on START - RUN and copy / paste the entry below into the run line and click OK

    CMD /C netsh winsock reset catalog
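Resetting the firewall, IP stack and Winsock catalog only helps if the breakage is in the stack itself. One more place worth checking offline is the HOSTS file: the OTL listing earlier in the thread shows C:\WINDOWS\System32\drivers\etc\HOSTS modified at 20:46:08 on 2009/09/28, an hour after syssvc.exe and iehelper.dll were created, and the HijackThis log later in the thread shows three winshield2009 names pinned to 91.212.127.226. The Python below is an added example (not from this thread or from any of the tools mentioned in it); the sample file is constructed from those O1 entries plus the standard loopback lines, and the watch-list of vendor domains is the editor's assumption, not something the thread establishes.

```python
"""Audit a Windows HOSTS file for the kind of tampering seen in this thread.
Added example; SAMPLE_HOSTS is constructed from the O1 - Hosts: entries in
the HijackThis log. Usage: python hosts_audit.py [path-to-hosts]"""
import ipaddress
import sys
from collections import defaultdict

# Constructed sample: the default loopback lines plus the three rogue entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
91.212.127.226  winshield2009.microsoft.com
91.212.127.226  winshield2009.com
91.212.127.226  www.winshield2009.com
"""

# Domains whose override in HOSTS is almost never legitimate on a home PC.
# microsoft.com is the one abused in this thread; the rest are an assumed
# watch-list (editor's choice), so extend it for the vendors you actually use.
WATCH_SUFFIXES = ("microsoft.com", "windowsupdate.com", "malwarebytes.org",
                  "symantec.com", "mcafee.com", "webroot.com")


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping, comments stripped.
    A line whose first field is not an IP address is yielded with ip=None."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield lineno, None, raw.strip()
            continue
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def on_watch_list(name):
    return any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES)


def audit_hosts(text, fan_in=3):
    """Return (lineno, hostname, ip, reason) findings; an empty list means the
    file holds nothing beyond localhost mappings."""
    findings = []
    names_per_remote = defaultdict(set)
    for lineno, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((lineno, name, "", "unparseable line"))
            continue
        if ip.is_loopback:
            # Pinning a real site to 127.0.0.1 / ::1 silently blocks it (AV
            # update servers are the classic victims).
            if name != "localhost":
                findings.append((lineno, name, str(ip), "sinkholed to loopback (site blocked)"))
        else:
            # A remote address means a redirect; legitimate on some corporate
            # builds, so it is reported for review rather than as malware.
            names_per_remote[ip].add(name)
            findings.append((lineno, name, str(ip), "pinned to a remote address (redirect)"))
        if on_watch_list(name):
            findings.append((lineno, name, str(ip), "watch-list domain overridden"))
    # Many names funnelled into one remote address is the rogue-AV pattern.
    for ip, names in names_per_remote.items():
        if len(names) >= fan_in:
            findings.append((0, " ".join(sorted(names)), str(ip),
                             f"{len(names)} names share one remote address"))
    return findings


def is_hijacked(text):
    return bool(audit_hosts(text))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, errors="replace").read() if path else SAMPLE_HOSTS
    for lineno, name, ip, reason in audit_hosts(text):
        print(f"line {lineno or '-'}: {name} -> {ip or '-'}: {reason}")
```

On XP the file to pass in is C:\WINDOWS\System32\drivers\etc\HOSTS; copying it to the flash drive and running the script on the clean machine avoids executing anything on the infected one. Anything the script reports for a home PC that the owner did not add deliberately is worth restoring to the plain localhost lines.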

AdvancedSetup
Just checking in to see how it's going
amy3148
Not great. I ran the three commands and each time the black screen briefly popped up and closed. Is there something further I should have done? The internet still does not work so I am still moving the flash drive between computers which makes me really nervous.

Combo-Fix:

The only way I could run combofix was from the flash drive (by using run and entering the command) since I have no way of getting it on the machine. Hopefully this is okay? It's running now but so far it's just a blue screen that reads...

Please wait.
ComboFix is preparing to run.

Hopefully it will start soon.

What should I do with the GMER log if I can't zip it? Would you still like to see it?

amy3148
Blue screen:
Attempting to create a new System Restore point

pop-up box:
Microsoft Windows Recovery Console

This machine does not have the "Microsoft Windows Recovery Console" installed

Without it, ComboFix shall not attempt the fixing of some serious infections.

Click "Yes" to have ComboFix download/install it.

NOTE: this requires an active internet connection.
AdvancedSetup
Go ahead and let it run as it is that's okay.
amy3148
ComboFix 09-10-16.09 - AMH 10/18/2009 11:16.1.2 - NTFSx86
Running from: F:\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\192c7593.msi
c:\windows\Installer\192c7594.msi
c:\windows\Installer\47e894a.msp
c:\windows\jestertb.dll
c:\windows\kb913800.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\documents and settings\AMH\Application Data\Malwarebytes
2009-10-15 02:22 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\program files\MALB
2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-15 02:22 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-03 21:20 . 2009-10-03 21:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-03 21:04 . 2009-10-03 21:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2009-10-03 20:52 . 2009-10-03 20:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2009-09-30 00:08 . 2009-09-30 00:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-29 01:36 . 2009-09-29 01:36 -------- d-----w- c:\documents and settings\AMH\Application Data\Norton Utilities 14
2009-09-29 00:46 . 2009-09-29 01:28 -------- d-----w- c:\documents and settings\AMH\Local Settings\Application Data\AskToolbar
2009-09-29 00:41 . 2009-09-29 00:41 -------- d-----w- c:\program files\MSSOAP
2009-09-29 00:40 . 2009-09-29 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-09-29 00:40 . 2009-09-29 00:40 -------- d-----w- c:\program files\Webroot
2009-09-29 00:40 . 2009-09-29 00:40 -------- d-----w- c:\documents and settings\AMH\Application Data\Webroot
2009-09-29 00:40 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-09-29 00:40 . 2009-09-29 00:40 164 ----a-w- c:\windows\install.dat
2009-09-28 23:37 . 2009-09-29 01:06 -------- d-----w- c:\program files\ossdsm
2009-09-20 18:31 . 2009-09-20 18:32 -------- d-----w- c:\documents and settings\AMH\Application Data\Saba
2009-09-20 18:31 . 2009-09-20 18:31 -------- d-----w- c:\program files\Centra
2009-09-20 18:31 . 2009-09-20 18:31 -------- d-----w- c:\documents and settings\AMH\Application Data\Centra

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 00:39 . 2009-09-10 01:12 -------- d-----w- c:\program files\Norton Utilities 14
2009-09-30 00:27 . 2009-09-10 01:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-28 19:18 . 2009-03-11 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-10 22:17 . 2009-01-20 21:24 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 03:44 . 2006-09-23 04:14 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-10 01:14 . 2009-09-10 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton Installer
2009-09-08 22:19 . 2006-08-25 02:16 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-08 22:18 . 2006-08-25 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-08 22:18 . 2009-04-01 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-08 22:17 . 2009-04-01 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-09-08 17:12 . 2007-03-08 01:40 -------- d-----w- c:\program files\MySpace
2009-08-15 20:31 . 2006-09-23 04:22 30832 ----a-w- c:\documents and settings\AMH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-06-12 03:02 . 2007-10-07 04:04 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-06-12 03:02 . 2007-10-07 04:04 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-06-12 03:02 . 2007-10-07 04:04 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-06-12 03:02 . 2007-10-07 04:04 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-06-12 03:02 . 2007-10-07 04:04 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-14 04:23 . 2006-09-23 04:14 88 --sh--r- c:\windows\system32\83A0AA6E42.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-27 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-10 185784]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\MALB\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\AMH\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-24 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 0025061238551938mcinstcleanup;McAfee Application Installer Cleanup (0025061238551938);c:\docume~1\AMH\LOCALS~1\Temp\002506~1.EXE [x]
R2 gupdate1c9a298b8d418ea;Google Update Service (gupdate1c9a298b8d418ea);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 133104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-21 29808]

.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-28 01:17]

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 22:28]

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 22:28]

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2470627812-1254077453-3360473131-1006Core.job
- c:\documents and settings\AMH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 16:07]

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2470627812-1254077453-3360473131-1006UA.job
- c:\documents and settings\AMH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 16:07]

2009-09-29 c:\windows\Tasks\wrSpySweeper_LB972090D19F8471A997B737CC49F7D5E.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-09-29 19:40]

2009-09-29 c:\windows\Tasks\wrSpySweeper_LB972090D19F8471A997B737CC49F7D5E.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-09-29 19:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: kodakgallery.com \www
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\AMH\Application Data\Mozilla\Firefox\Profiles\0cfw65tr.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 11:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-18 11:24
ComboFix-quarantined-files.txt 2009-10-18 15:24

Pre-Run: 18,192,097,280 bytes free
Post-Run: 18,365,034,496 bytes free

163 --- E O F --- 2009-09-29 00:28
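Reading a ComboFix log by hand is slow; the two sections that pay off fastest are the Run keys and the service list (the R/S lines). The Python below is an added example, not from this thread or from ComboFix's author. It parses those two line formats and flags the cases visible in the log above: the McAfee cleanup service whose image under LOCALS~1\Temp ComboFix could not find (the [x] marker), and a Run value given as a bare file name that Windows resolves through the search path. SAMPLE is constructed from lines of that log; the meaning of [x] and of the R/S prefix is the editor's reading of ComboFix's notation, and which cases count as suspicious is the editor's judgment, not the thread's.

```python
"""Triage the Run keys and service lines of a ComboFix log. Added example;
SAMPLE is built from lines of the log posted in the thread.
Usage: python combofix_triage.py [ComboFix.txt]"""
import re
import sys
from dataclasses import dataclass

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\MALB\mbam.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

R2 0025061238551938mcinstcleanup;McAfee Application Installer Cleanup (0025061238551938);c:\docume~1\AMH\LOCALS~1\Temp\002506~1.EXE [x]
R2 gupdate1c9a298b8d418ea;Google Update Service (gupdate1c9a298b8d418ea);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 133104]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-21 29808]
"""

# Run value: "Name"="value" [ - path ComboFix resolved it to] [date size | x]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<resolved>.+?))? \[(?P<meta>[^\]]*)\]$')
# Service: R/S (running/stopped) + start type, then name;display;image [date size | x]
SVC_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[(?P<meta>[^\]]*)\]$")
# Any path component named Temp (covers LOCALS~1\Temp and Local Settings\Temp)
TEMP_RE = re.compile(r"\\temp\\", re.I)


@dataclass
class Entry:
    kind: str    # "run" or "service"
    name: str
    value: str   # registry value as written (run) or image path (service)
    image: str   # path ComboFix resolved the entry to
    meta: str    # "YYYY-MM-DD size", or "x" when ComboFix did not find the file


def parse_combofix(text):
    entries = []
    for line in text.splitlines():
        if (m := RUN_RE.match(line)):
            entries.append(Entry("run", m["name"], m["value"],
                                 m["resolved"] or m["value"], m["meta"]))
        elif (m := SVC_RE.match(line)):
            entries.append(Entry("service", m["name"], m["image"], m["image"], m["meta"]))
    return entries


def assess(e):
    """Reasons an autorun deserves a second look (editor's heuristics)."""
    reasons = []
    if e.meta.strip() == "x":
        reasons.append("image not found on disk ([x]): dead autorun or deleted payload")
    if TEMP_RE.search(e.image):
        reasons.append("image lives under a Temp directory")
    if e.kind == "run" and not re.search(r"[\\/]", e.value):
        # No directory in the value: whichever stsystra.exe is found first on
        # the search path runs, so a planted copy would win.
        reasons.append("bare file name, resolved through the search path")
    return reasons


def triage(text):
    """Map entry name -> reasons, for entries that raised at least one."""
    return {e.name: r for e in parse_combofix(text) if (r := assess(e))}


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for name, reasons in triage(text).items():
        print(f"{name}:")
        for r in reasons:
            print(f"  - {r}")
```

A flagged entry is a candidate for review, not a verdict: the stsystra.exe Run value here resolves to the expected c:\windows copy, while the Temp-resident McAfee service with a missing image is the leftover AdvancedSetup refers to in the next reply.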
AdvancedSetup
Make sure the McAfee firewall is not on blocking Internet Access.

Please run the following.

Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.
    VArestorepolicies.INF
  • Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
  • Unzip or open the file VArestorepolicies.zip
  • Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install
    FixPolicies.exe
  • Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
  • Double-click FixPolicies.exe
  • Click the "Install" button on the bottom toolbar of the box that will open
  • The program will create a new Folder called FixPolicies
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
  • A black box will briefly appear and then close
  • These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.




Then run this

Please download to your Desktop: Dr.Web CureIt
  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.


amy3148
I had trouble downloading these files on the uninfected computer. I'll try it from a third machine tomorrow and hope for the best.

When you said to "Make sure the McAfee firewall is not on blocking Internet Access" - how would I do that? The McAfee software is an old program but I thought I removed it from the machine last year.
AdvancedSetup
I saw a piece of it left over is why. So is Symantec or Webroot your main Anti-Virus now?

amy3148
Ah, that makes sense. I was using Norton AV 2009 but I think it too, is now uninstalled. I installed Webroot Spy Sweeper after I was infected while I was in a mild panic mode but it does not have the anti-virus component. I tried to remove it later but was unable to do so.

I was able to download VArestorepolicies and FixPolicies from the third computer but the Dr. Web CureIt won't work. I get a message that I need to go up a level? But going up a level opens the zip file so I'm not sure how I would later run it on the laptop.

I'll give you an update on the other two this evening when I get home.

Now that you have seen some logs do you think the machine is salvageable? Good progress? Thank you again.
amy3148
Hello,

I was not able to get any of the three to work. It does not allow me to extract the zipped files. However, I was able to run HijackThis. The log is below. Does this get us anywhere?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:53 PM, on 10/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
F:\FixPolicies.exe
F:\FixPolicies.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 winshield2009.microsoft.com
O1 - Hosts: 91.212.127.226 winshield2009.com
O1 - Hosts: 91.212.127.226 www.winshield2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "stsystra.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] "C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe" startup
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] "C:\WINDOWS\vVX3000.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\MALB\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2470627812-1254077453-3360473131-1006\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe (User '?')
O4 - HKUS\S-1-5-21-2470627812-1254077453-3360473131-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2470627812-1254077453-3360473131-1006\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-2470627812-1254077453-3360473131-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - S-1-5-21-2470627812-1254077453-3360473131-1006 Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe (User '?')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.11/uploader2.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...ivex-latest.cab
O18 - Protocol: intu-help-qb2 - (no CLSID) - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0025061238551938) (0025061238551938mcinstcleanup) - Unknown owner - C:\DOCUME~1\AMH\LOCALS~1\Temp\002506~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c9a298b8d418ea) (gupdate1c9a298b8d418ea) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10570 bytes

AdvancedSetup
STEP 01
Click on START - RUN and type in the following, one by one, and click OK to run them.
CODE
CMD /C ATTRIB -R -S -H %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS

CODE
CMD /C DEL %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS

CODE
CMD /C IPCONFIG /FLUSHDNS



STEP 02
Let's try removing some of this stuff to help prevent it from bothering us while we clean up the system. We can put it back later if wanted or needed.

With all other applications closed (Taskbar empty), open HijackThis again, run "Do a system scan only", and place a check mark on the following items.
  • O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
  • O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
  • O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
  • O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  • O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe"
  • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  • O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  • O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
  • O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
  • O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\MALB\mbam.exe" /runcleanupscript
  • O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
  • O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
  • O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
  • O4 - HKUS\S-1-5-21-2470627812-1254077453-3360473131-1006\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe (User '?')
  • O4 - HKUS\S-1-5-21-2470627812-1254077453-3360473131-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
  • O4 - HKUS\S-1-5-21-2470627812-1254077453-3360473131-1006\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 (User '?')
  • O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  • O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/24.11/uploader2.cab
  • O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
  • O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
  • O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...ivex-latest.cab
  • O18 - Protocol: intu-help-qb2 - (no CLSID) - (no file)
  • O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
  • O23 - Service: McAfee Application Installer Cleanup (0025061238551938) (0025061238551938mcinstcleanup) - Unknown owner - C:\DOCUME~1\AMH\LOCALS~1\Temp\002506~1.EXE (file missing)
  • O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    Then quit all browsers, including the one you're reading this in now.
    Then click on Fix checked and then quit HJT.


STEP 03
Please see if you can download a new copy of Combofix and delete your current version, and run the new one again now.
Then post back the log.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
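The STEP 01 commands above wipe the hosts file because of the O1 entries in the log, which point winshield2009.microsoft.com and two winshield2009.com names at 91.212.127.226 instead of the local machine. As an added example (not part of this thread or of any tool mentioned in it), here is a small Python audit that parses a hosts file and flags exactly that pattern; the sample hosts text is constructed from the O1 lines in the HijackThis log, and the PROTECTED_DOMAINS list is an assumption for illustration.

```python
"""Flag hosts-file entries that re-point names away from the local machine.

Added example for this thread, not code from the forum or from HijackThis/
ComboFix. SAMPLE_HOSTS is constructed from the O1 lines of the HijackThis log.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: what the infected machine's hosts file contained
# according to the O1 entries in the HijackThis log (plus a comment line).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
91.212.127.226  winshield2009.microsoft.com
91.212.127.226  winshield2009.com
91.212.127.226  www.winshield2009.com
"""

# Entries that resolve to the local machine, or use the 0.0.0.0 blackhole
# convention of ad-blocking hosts lists, are the normal, benign case.
LOCAL_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# Assumption: domains whose names an end-user hosts file should never
# re-point. Illustrative list, not taken from the thread.
PROTECTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "malwarebytes.org")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (anything after '#'), blank lines and lines whose first field is
    not a valid IP address are skipped; a line listing several hostnames
    yields one pair per hostname.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            pairs.append((fields[0], name.lower().rstrip(".")))
    return pairs


def _protected_parent(name: str) -> str:
    """Return the protected domain that `name` falls under, or '' if none."""
    for domain in PROTECTED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return ""


def audit_hosts(text: str) -> List[Dict[str, str]]:
    """One finding per entry that points a name away from the local machine.

    Severity: 'high' when the name sits under a protected domain (the
    winshield2009.microsoft.com case), 'medium' for any other name sent to a
    routable Internet address, 'low' for private/link-local targets, which
    may be a legitimate LAN override but still deserve a look.
    """
    findings: List[Dict[str, str]] = []
    for ip, name in parse_hosts(text):
        if ip in LOCAL_TARGETS:
            continue
        addr = ipaddress.ip_address(ip)
        parent = _protected_parent(name)
        if parent:
            severity = "high"
            reason = f"re-points a name under {parent} ({name}) to {ip}"
        elif addr.is_global:
            severity = "medium"
            reason = f"re-points {name} to Internet address {ip}"
        else:
            severity = "low"
            reason = f"re-points {name} to non-routable address {ip}"
        findings.append({"ip": ip, "host": name,
                         "severity": severity, "reason": reason})
    return findings


def targets_by_address(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group flagged hostnames by target address; several names funnelled to
    one address is the pattern visible in the log above."""
    grouped: Dict[str, List[str]] = {}
    for finding in findings:
        grouped.setdefault(finding["ip"], []).append(finding["host"])
    return grouped


if __name__ == "__main__":
    results = audit_hosts(SAMPLE_HOSTS)
    for finding in results:
        print(f"[{finding['severity']}] {finding['reason']}")
    print(targets_by_address(results))
```

On a live Windows XP machine the file to feed in is %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS, the same path the STEP 01 commands operate on.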



amy3148
Good evening. I did both steps. Here is the combofix log and a new hijackthis log.


ComboFix 09-10-16.09 - AMH 10/22/2009 18:57.2.2 - NTFSx86
Running from: F:\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.

2009-10-18 14:35 . 2009-10-18 15:24 -------- d-----w- C:\Combo-Fix
2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\documents and settings\AMH\Application Data\Malwarebytes
2009-10-15 02:22 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\program files\MALB
2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-15 02:22 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-03 21:20 . 2009-10-03 21:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-03 21:04 . 2009-10-03 21:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2009-10-03 20:52 . 2009-10-03 20:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2009-09-30 00:08 . 2009-09-30 00:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-29 01:36 . 2009-09-29 01:36 -------- d-----w- c:\documents and settings\AMH\Application Data\Norton Utilities 14
2009-09-29 00:46 . 2009-09-29 01:28 -------- d-----w- c:\documents and settings\AMH\Local Settings\Application Data\AskToolbar
2009-09-29 00:41 . 2009-09-29 00:41 -------- d-----w- c:\program files\MSSOAP
2009-09-29 00:40 . 2009-09-29 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-09-29 00:40 . 2009-09-29 00:40 -------- d-----w- c:\program files\Webroot
2009-09-29 00:40 . 2009-09-29 00:40 -------- d-----w- c:\documents and settings\AMH\Application Data\Webroot
2009-09-29 00:40 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-09-29 00:40 . 2009-09-29 00:40 164 ----a-w- c:\windows\install.dat
2009-09-28 23:37 . 2009-09-29 01:06 -------- d-----w- c:\program files\ossdsm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 22:53 . 2009-05-31 21:25 -------- d-----w- c:\program files\WebEx
2009-10-18 15:39 . 2009-03-11 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-30 00:39 . 2009-09-10 01:12 -------- d-----w- c:\program files\Norton Utilities 14
2009-09-30 00:27 . 2009-09-10 01:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-20 18:32 . 2009-09-20 18:31 -------- d-----w- c:\documents and settings\AMH\Application Data\Saba
2009-09-20 18:31 . 2009-09-20 18:31 -------- d-----w- c:\program files\Centra
2009-09-20 18:31 . 2009-09-20 18:31 -------- d-----w- c:\documents and settings\AMH\Application Data\Centra
2009-09-10 22:17 . 2009-01-20 21:24 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 03:44 . 2006-09-23 04:14 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-10 01:14 . 2009-09-10 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton Installer
2009-09-08 22:19 . 2006-08-25 02:16 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-08 22:18 . 2006-08-25 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-08 22:18 . 2009-04-01 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-08 22:17 . 2009-04-01 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-09-08 17:12 . 2007-03-08 01:40 -------- d-----w- c:\program files\MySpace
2009-08-15 20:31 . 2006-09-23 04:22 30832 ----a-w- c:\documents and settings\AMH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-06-12 03:02 . 2007-10-07 04:04 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-06-12 03:02 . 2007-10-07 04:04 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-06-12 03:02 . 2007-10-07 04:04 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-06-12 03:02 . 2007-10-07 04:04 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-06-12 03:02 . 2007-10-07 04:04 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-14 04:23 . 2006-09-23 04:14 88 --sh--r- c:\windows\system32\83A0AA6E42.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\AMH\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-24 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 0025061238551938mcinstcleanup;McAfee Application Installer Cleanup (0025061238551938);c:\docume~1\AMH\LOCALS~1\Temp\002506~1.EXE [x]
R2 gupdate1c9a298b8d418ea;Google Update Service (gupdate1c9a298b8d418ea);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 133104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-21 29808]

.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-28 01:17]

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 22:28]

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 22:28]

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2470627812-1254077453-3360473131-1006Core.job
- c:\documents and settings\AMH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 16:07]

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2470627812-1254077453-3360473131-1006UA.job
- c:\documents and settings\AMH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 16:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: kodakgallery.com \www
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\AMH\Application Data\Mozilla\Firefox\Profiles\0cfw65tr.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 19:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1356)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-22 19:04
ComboFix-quarantined-files.txt 2009-10-22 23:04
ComboFix2.txt 2009-10-18 15:24

Pre-Run: 18,386,583,552 bytes free
Post-Run: 18,343,989,248 bytes free

141 --- E O F --- 2009-09-29 00:28


Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:09 PM, on 10/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "stsystra.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] "C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe" startup
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] "C:\WINDOWS\vVX3000.exe"
O4 - S-1-5-21-2470627812-1254077453-3360473131-1006 Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe (User '?')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.kodakgallery.com
O18 - Protocol: intu-help-qb2 - (no CLSID) - (no file)
O23 - Service: McAfee Application Installer Cleanup (0025061238551938) (0025061238551938mcinstcleanup) - Unknown owner - C:\DOCUME~1\AMH\LOCALS~1\Temp\002506~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c9a298b8d418ea) (gupdate1c9a298b8d418ea) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7406 bytes
AdvancedSetup
STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
CODE
Driver::
0025061238551938mcinstcleanup
ssfs0bbc
File::
c:\windows\system32\83A0AA6E42.sys
c:\docume~1\AMH\LOCALS~1\Temp\002506~1.EXE
c:\windows\system32\DRIVERS\ssfs0bbc.sys


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02
Click on START - RUN and type in the following on the run line and click OK
CODE
CMD /C  SC DELETE JavaQuickStarterService

Click on START - RUN and type in the following on the run line and click OK
CODE
CMD /C  SC DELETE WebrootSpySweeperService


STEP 03
You may want to go here and look for an update network driver if the network is still not working on the system.
http://downloadcenter.intel.com/default.aspx

Or go to Dell.com if the system is a Dell and look for one you can reinstall

STEP 04
Please explain what issues you're currently having with this system.
What you see, what works or doesn't work, etc.

Thanks.
amy3148
Thank you so much for the quick reply.

I still do not have internet access and though I can gain access to an external drive I cannot copy from it. So I have no way to get anything on my desktop. I have been running everything from my flashdrive (F:). It sounds like I need to fix this before I can move on to the next steps.

The error message for the internet is: Intel® PROSet/Wireless Software was unable to detect a supported wireless adapter. I checked C:\Program Files\Intel\Wireless\Bin and found it was modified on 9/28/2009 at 9:29pm - about 2 hours after I was infected. But when I open the folder I do not see any modified files. Could this be why it is disabled? In step 3 you referenced intel drivers. I checked out the site but do you mind giving me a little more guidance on what I would be looking for? Can I download something from this site to the flash drive that might restore my connectivity?

Sorry I'm asking so many questions. And thanks again.
AdvancedSetup
Well if you can't copy any files onto the system then none of that would help either.
If it is a Dell computer you should be able to locate a Service Tag number on it and then you can visit the Dell Support site and download the latest version of network drivers, but again not sure what good that would do if you can't copy them.

Does the system have a CD-ROM or DVD drive?
Do you have the Windows installation CD ?

amy3148
Wow, I can't believe this worked but I was able to copy paste to My Documents, then paste to the Desktop. I have it running right now and will post shortly.

So should I also download a driver? I found two for Windows XP both dated 6/25/2009. Does it matter?
AdvancedSetup
If you can click on Start - Run and type in devmgmt.msc and hit OK, that should start the device manager. Make sure the network card(s) are enabled and see what models they are.

If you can copy this file onto the system and run it then it might be able to help some.
Please copy the following program to your desktop or root of the C: drive. Close all other open applications and then run the program.
It will restore file permissions to the system and automatically restart the computer when done.
restoredefaultperms.exe
amy3148
New Combofix log

ComboFix 09-10-21.02 - AMH 10/22/2009 20:46.3.2 - NTFSx86
Running from: c:\documents and settings\AMH\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\AMH\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\docume~1\AMH\LOCALS~1\Temp\002506~1.EXE"
"c:\windows\system32\83A0AA6E42.sys"
"c:\windows\system32\DRIVERS\ssfs0bbc.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\83A0AA6E42.sys
c:\windows\system32\DRIVERS\ssfs0bbc.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_0025061238551938MCINSTCLEANUP
-------\Legacy_SSFS0BBC
-------\Service_0025061238551938mcinstcleanup
-------\Service_ssfs0bbc


((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-18 14:35 . 2009-10-18 15:24 -------- d-----w- C:\Combo-Fix
2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\documents and settings\AMH\Application Data\Malwarebytes
2009-10-15 02:22 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\program files\MALB
2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-15 02:22 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-03 21:20 . 2009-10-03 21:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-03 21:04 . 2009-10-03 21:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2009-10-03 20:52 . 2009-10-03 20:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2009-09-30 00:08 . 2009-09-30 00:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-29 01:36 . 2009-09-29 01:36 -------- d-----w- c:\documents and settings\AMH\Application Data\Norton Utilities 14
2009-09-29 00:46 . 2009-09-29 01:28 -------- d-----w- c:\documents and settings\AMH\Local Settings\Application Data\AskToolbar
2009-09-29 00:41 . 2009-09-29 00:41 -------- d-----w- c:\program files\MSSOAP
2009-09-29 00:40 . 2009-09-29 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-09-29 00:40 . 2009-09-29 00:40 -------- d-----w- c:\program files\Webroot
2009-09-29 00:40 . 2009-09-29 00:40 -------- d-----w- c:\documents and settings\AMH\Application Data\Webroot
2009-09-29 00:40 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-09-29 00:40 . 2009-09-29 00:40 164 ----a-w- c:\windows\install.dat
2009-09-28 23:37 . 2009-09-29 01:06 -------- d-----w- c:\program files\ossdsm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 23:20 . 2009-03-11 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-22 22:53 . 2009-05-31 21:25 -------- d-----w- c:\program files\WebEx
2009-09-30 00:39 . 2009-09-10 01:12 -------- d-----w- c:\program files\Norton Utilities 14
2009-09-30 00:27 . 2009-09-10 01:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-20 18:32 . 2009-09-20 18:31 -------- d-----w- c:\documents and settings\AMH\Application Data\Saba
2009-09-20 18:31 . 2009-09-20 18:31 -------- d-----w- c:\program files\Centra
2009-09-20 18:31 . 2009-09-20 18:31 -------- d-----w- c:\documents and settings\AMH\Application Data\Centra
2009-09-10 22:17 . 2009-01-20 21:24 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 03:44 . 2006-09-23 04:14 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-10 01:14 . 2009-09-10 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton Installer
2009-09-08 22:19 . 2006-08-25 02:16 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-08 22:18 . 2006-08-25 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-08 22:18 . 2009-04-01 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-08 22:17 . 2009-04-01 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-09-08 17:12 . 2007-03-08 01:40 -------- d-----w- c:\program files\MySpace
2009-08-15 20:31 . 2006-09-23 04:22 30832 ----a-w- c:\documents and settings\AMH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-06-12 03:02 . 2007-10-07 04:04 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-06-12 03:02 . 2007-10-07 04:04 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-06-12 03:02 . 2007-10-07 04:04 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-06-12 03:02 . 2007-10-07 04:04 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-06-12 03:02 . 2007-10-07 04:04 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((( SnapShot@2009-10-18_15.23.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-23 00:55 . 2009-10-23 00:55 16384 c:\windows\temp\Perflib_Perfdata_300.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 gupdate1c9a298b8d418ea;Google Update Service (gupdate1c9a298b8d418ea);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 133104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-28 01:17]

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 22:28]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 22:28]

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2470627812-1254077453-3360473131-1006Core.job
- c:\documents and settings\AMH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 16:07]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2470627812-1254077453-3360473131-1006UA.job
- c:\documents and settings\AMH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 16:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: kodakgallery.com \www
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\AMH\Application Data\Mozilla\Firefox\Profiles\0cfw65tr.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 20:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\combo-fix13139c\CF8248.exe
c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
c:\program files\Southwest Airlines\Ding\Ding.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\combo-fix13139c\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-23 20:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-23 00:58
ComboFix2.txt 2009-10-22 23:04
ComboFix3.txt 2009-10-18 15:24

Pre-Run: 18,326,880,256 bytes free
Post-Run: 18,219,569,152 bytes free

- - End Of File - - 0713DB16D8551E73338AB8281065BDE5
AdvancedSetup
Please review the following article from Microsoft and see if you're able to correct the Cryptographic Services

AdvancedSetup
You can also try to save the following to a new FIXWIN.BAT from a clean computer and copy it over to the infected computer and run it.
Copy all to a new notepad document (not wordpad) and save it as "FIXWIN.BAT" make sure it's not .txt - if you keep the quotes with the name it should save it as a batch file.
CODE
@ECHO OFF
CLS
REM http://support.microsoft.com/kb/910359
REM http://support.microsoft.com/kb/555989
REM http://support.microsoft.com/kb/943144

ECHO This batch file will rename software distribution
ECHO folders and reregister files but should only be ran
ECHO on systems having troubles running the Windows Update Site
ECHO.
ECHO This link should be run when finished to get all updates
ECHO http://update.microsoft.com/microsoftupdate
ECHO.
ECHO Please press CTRL C to stop this batch file now... or
ECHO.
PAUSE
REM Re-register the core Internet Explorer / scripting components by full path
regsvr32 /s c:\windows\system32\actxprxy.dll
regsvr32 /s c:\windows\system32\jscript.dll
regsvr32 /s c:\windows\system32\mshtml.dll
regsvr32 /s c:\windows\system32\msjava.dll
regsvr32 /s c:\windows\system32\msxml.dll
regsvr32 /s c:\windows\system32\shdocvw.dll
regsvr32 /s c:\windows\system32\vbscript.dll
REM Stop Windows Update, BITS and Cryptographic Services so their data folders can be renamed
net stop wuauserv
net stop bits
net stop cryptsvc
REM Catroot2 holds the catalog database used by Cryptographic Services; renaming it forces a rebuild
ren %systemroot%\System32\Catroot2 Catroot2OLD
net start cryptsvc
REM SoftwareDistribution holds the Windows Update download cache and datastore; renaming it forces a rebuild
ren %systemroot%\SoftwareDistribution SoftwareDistributionOLD
REM Re-register the Windows Update, BITS and signature-verification (wintrust/softpub/crypto CSP) DLLs
regsvr32 /s Actxprxy.dll
regsvr32 /s atl.dll
regsvr32 /s Browseui.dll
regsvr32 /s cryptdlg.dll
regsvr32 /s dssenh.dll
regsvr32 /s gpkcsp.dll
regsvr32 /s initpki.dll
regsvr32 /s jscript.dll
regsvr32 /s Mshtml.dll
regsvr32 /s Msjava.dll
regsvr32 /s Mssip32.dll
regsvr32 /s msxml.dll
regsvr32 /s msxml2.dll
regsvr32 /s msxml3.dll
regsvr32 /s Oleaut32.dll
regsvr32 /s qmgr.dll
regsvr32 /s qmgrprxy.dll
regsvr32 /s rsaenh.dll
regsvr32 /s sccbase.dll
regsvr32 /s Shdocvw.dll
regsvr32 /s shell32.dll
regsvr32 /s slbcsp.dll
regsvr32 /s softpub.dll
regsvr32 /s Urlmon.dll
regsvr32 /s wintrust.dll
regsvr32 /s wuapi.dll
regsvr32 /s wuaueng.dll
regsvr32 /s wuaueng1.dll
regsvr32 /s wucltui.dll
regsvr32 /s wups.dll
regsvr32 /s wups2.dll
regsvr32 /s wuweb.dll
REM Restart the services that were stopped above
net start bits
net start wuauserv
net start Eventlog
PAUSE
amy3148
And here is an updated status. Some may not be relevant but I'll try to give you the full picture.

The laptop takes an abnormally long time to boot up after restarting - up to 20 minutes now. Used to start in less than 3.

There are still a lot of processes running but the CPU Usage is down to 0-5% from 50%. CLI.exe which was accounting for a large part of usage is no longer running.

USB slots seem to be working again.

My Office files (word and excel) will open but I get an error pop-up: This document cannot be registered. It will not be possible to create links from other documents to this document. Does that suggest corruption?

Malwarebytes is running clean.

I opened the device manager and found the network adapters are enabled. The status says working properly. I clicked on Troubleshoot and got a pop message: An ActiveX control on this page is not safe. Your current security settings prohibit running unsafe controls on this page.

AdvancedSetup
Please take a look at the 2 other posts I've posted since you last visited and run them.
amy3148
Good morning.

I ran FIXWIN.BAT. It finished the process but I am not sure if it was successful. Should it have produced a log file?

I still need to follow the Microsoft steps and run restoredefaultperms.exe. I also need to download the appropriate driver from Intel to restore my network capability.

I've been wondering your take on how this is going. Do you think the computer is cleaned and it's just a matter of damage repair? At some point I want to back-up to an external drive but I want to make sure I'm clean first so I don't carry over infected files. Maybe I need to wait until we are finished with everything.
AdvancedSetup
Well at this point I'm not sure why the Network card is not working. Normally running the reset options provided will restore the network once the infection is gone. I don't see anything obvious in the logs that would be blocking the network now, but I did see that some services were not set correctly.

Please download a NEW fresh copy of Combofix and run it again and post back the new log.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe

amy3148
Just wanted to give you a quick update. I'm out of town with limited internet access until Monday. I'll run a new combofix when I get back. Have a great weekend.
AdvancedSetup
Okay, thanks. I'll check back tomorrow to see how you're coming along.
AdvancedSetup
Please post an update. Thanks
amy3148
Hello,

Here is the combo fix log. I had to delete a bunch that was under the heading: ((((((((((((((((((((((((((((( SnapShot@2009-10-18_15.23.14 ))))))))))))))))))))))))))))))))))))))))). The post was too long. I'll send that part in a second post.

ComboFix 09-10-26.01 - AMH 10/26/2009 22:53.4.2 - NTFSx86
Running from: F:\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-23 02:05 . 2009-10-27 02:47 -------- d-----w- c:\windows\system32\CatRoot2
2009-10-23 00:45 . 2009-10-23 01:12 -------- d-----w- C:\Combo-Fix13139C
2009-10-18 14:35 . 2009-10-18 15:24 -------- d-----w- C:\Combo-Fix
2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\documents and settings\AMH\Application Data\Malwarebytes
2009-10-15 02:22 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-15 02:22 . 2009-10-27 01:36 -------- d-----w- c:\program files\MALB
2009-10-15 02:22 . 2009-10-15 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-15 02:22 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-03 21:20 . 2009-10-03 21:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-03 21:04 . 2009-10-03 21:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Talkback
2009-10-03 20:52 . 2009-10-03 20:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2009-09-30 00:08 . 2009-09-30 00:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-09-29 01:36 . 2009-09-29 01:36 -------- d-----w- c:\documents and settings\AMH\Application Data\Norton Utilities 14
2009-09-29 00:46 . 2009-09-29 01:28 -------- d-----w- c:\documents and settings\AMH\Local Settings\Application Data\AskToolbar
2009-09-29 00:41 . 2009-09-29 00:41 -------- d-----w- c:\program files\MSSOAP
2009-09-29 00:40 . 2009-09-29 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-09-29 00:40 . 2009-09-29 00:40 -------- d-----w- c:\program files\Webroot
2009-09-29 00:40 . 2009-09-29 00:40 -------- d-----w- c:\documents and settings\AMH\Application Data\Webroot
2009-09-29 00:40 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-09-29 00:40 . 2009-09-29 00:40 164 ----a-w- c:\windows\install.dat
2009-09-28 23:37 . 2009-09-29 01:06 -------- d-----w- c:\program files\ossdsm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 01:38 . 2006-09-23 04:22 30832 ----a-w- c:\documents and settings\AMH\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-22 23:20 . 2009-03-11 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-22 22:53 . 2009-05-31 21:25 -------- d-----w- c:\program files\WebEx
2009-09-30 00:39 . 2009-09-10 01:12 -------- d-----w- c:\program files\Norton Utilities 14
2009-09-30 00:27 . 2009-09-10 01:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-20 18:32 . 2009-09-20 18:31 -------- d-----w- c:\documents and settings\AMH\Application Data\Saba
2009-09-20 18:31 . 2009-09-20 18:31 -------- d-----w- c:\program files\Centra
2009-09-20 18:31 . 2009-09-20 18:31 -------- d-----w- c:\documents and settings\AMH\Application Data\Centra
2009-09-10 22:17 . 2009-01-20 21:24 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 03:44 . 2006-09-23 04:14 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-10 01:14 . 2009-09-10 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton Installer
2009-09-08 22:19 . 2006-08-25 02:16 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-08 22:18 . 2006-08-25 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-08 22:18 . 2009-04-01 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-08 22:17 . 2009-04-01 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-09-08 17:12 . 2007-03-08 01:40 -------- d-----w- c:\program files\MySpace
2009-08-05 09:11 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-06-12 03:02 . 2007-10-07 04:04 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-06-12 03:02 . 2007-10-07 04:04 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-06-12 03:02 . 2007-10-07 04:04 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-06-12 03:02 . 2007-10-07 04:04 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-06-12 03:02 . 2007-10-07 04:04 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-18_15.23.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-28 02:52 . 2008-04-14 00:12 18944 c:\windows\SoftwareDistributionOLD\Download\dd9ab5193501484cf5e6884fa1d22f9e\xrxscnui.dll
+ 2008-08-28 02:52 . 2008-04-14 00:12 11776 c:\windows\SoftwareDistributionOLD\Download\dd9ab5193501484cf5e6884fa1d22f9e\xolehlp.dll
+ 2008-08-28 02:52 . 2008-04-14 00:12 50176 c:\windows\SoftwareDistributionOLD\Download\dd9ab5193501484cf5e6884fa1d22f9e\xmlprovi.dll
+ 2008-08-28 02:52 . 2008-04-14 00:12 30720 c:\windows\SoftwareDistributionOLD\Download\dd9ab5193501484cf5e6884fa1d22f9e\xcopy.exe
+ 2008-08-28 02:52 . 2008-04-14 00:12 91648 c:\windows\SoftwareDistributionOLD\Download\dd9ab5193501484cf5e6884fa1d22f9e\xactsrv.dll
+ 2008-08-28 02:52 . 2008-04-14 00:12 52736 c:\windows\SoftwareDistributionOLD\Download\dd9ab5193501484cf5e6884fa1d22f9e\wzcsapi.dll
+ 2008-08-28 02:52 . 2004-08-04 02:29 19455 c:\windows\SoftwareDistributionOLD\Download\dd9ab5193501484cf5e6884fa1d22f9e\wvchntxx.sys
+ 2008-08-28 02:52 . 2008-04-14 00:12 32256 c:\windows\SoftwareDistributionOLD\Download\dd9ab5193501484cf5e6884fa1d22f9e\wups.dll
+ 2008-08-28 02:52 . 2008-04-14 00:12 18432 c:\windows\SoftwareDistributionOLD\Download\dd9ab5193501484cf5e6884fa1d22f9e\wtsapi32.dll

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\AMH\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-8-24 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R2 gupdate1c9a298b8d418ea;Google Update Service (gupdate1c9a298b8d418ea);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 133104]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-28 01:17]

2009-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 22:28]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-11 22:28]

2009-09-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2470627812-1254077453-3360473131-1006Core.job
- c:\documents and settings\AMH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 16:07]

2009-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2470627812-1254077453-3360473131-1006UA.job
- c:\documents and settings\AMH\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-29 16:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: kodakgallery.com \www
Trusted Zone: musicmatch.com\online
FF - ProfilePath - c:\documents and settings\AMH\Application Data\Mozilla\Firefox\Profiles\0cfw65tr.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-WebrootSpySweeperService



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 22:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-27 22:59
ComboFix-quarantined-files.txt 2009-10-27 02:59
ComboFix2.txt 2009-10-23 01:12
ComboFix3.txt 2009-10-22 23:04
ComboFix4.txt 2009-10-18 15:24

Pre-Run: 18,182,832,128 bytes free
Post-Run: 18,144,587,776 bytes free

- - End Of File - - E7E77CEE07C7F2C0E38737291B3A5DD9
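The two ComboFix logs in this thread are read by eye: the helper scans the "Files Created" section for entries whose creation time sits close to the infection (the ossdsm folder and the two dropped .sys files) and for file names that look machine-generated. The following Python script is an added example, not part of the thread and not ComboFix's own code, that does the same triage over a small constructed sample in the log's line layout. The paths in the sample are the ones the thread shows; the timestamp and size on the 83A0AA6E42.sys line are invented for illustration, and the anchor time passed to triage() is an assumption (the earliest suspicious entry, read in the log's own clock with no claim about time zones).

```python
"""Triage helper for ComboFix-style "Files Created" listings.

Added example, not from the forum thread or from ComboFix: parses the
per-file lines and reports (a) what was created inside a window around a
chosen anchor time and (b) file names whose stem is a run of hex digits.
"""
import re
from datetime import datetime, timedelta

# One "Files Created" line as ComboFix prints it:
#   <created> . <modified> <size, or -------- for a directory> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)
HEX_STEM_RE = re.compile(r"[0-9A-Fa-f]{8,}")

# Constructed sample in the layout of the thread's logs. Paths match the
# thread; the 83A0AA6E42.sys line (timestamp, size) is invented for illustration.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-09-23 to 2009-10-23 )))))))))))))))))))))))))))))))
.

2009-10-15 02:22 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-29 00:40 . 2009-05-13 19:39 1563008 ----a-w- c:\windows\WRSetup.dll
2009-09-29 00:40 . 2009-09-29 00:40 164 ----a-w- c:\windows\install.dat
2009-09-28 23:40 . 2009-09-28 23:40 12288 ----a-w- c:\windows\system32\83A0AA6E42.sys
2009-09-28 23:37 . 2009-09-29 01:06 -------- d-----w- c:\program files\ossdsm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 23:20 . 2009-03-11 22:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
"""


def _stamp(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def parse_created_section(text):
    """Return the entries listed under "Files Created", in log order."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("((((("):
            break                      # reached the next section banner
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                   # ".", blank lines, other filler
        entries.append({
            "created": _stamp(m["created"]),
            "modified": _stamp(m["modified"]),
            "is_dir": m["attrs"].startswith("d"),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "path": m["path"],
        })
    return entries


def entries_near(entries, anchor, before=timedelta(hours=1), after=timedelta(hours=6)):
    """Entries created inside [anchor - before, anchor + after], oldest first."""
    lo, hi = anchor - before, anchor + after
    hits = [e for e in entries if lo <= e["created"] <= hi]
    return sorted(hits, key=lambda e: e["created"])   # stable: ties keep log order


def hex_named(entries):
    """Entries whose file name stem is a run of 8+ hex digits (e.g. 83A0AA6E42.sys)."""
    out = []
    for e in entries:
        stem = e["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if HEX_STEM_RE.fullmatch(stem):
            out.append(e)
    return out


def triage(text, anchor_str):
    """anchor_str is 'YYYY-MM-DD HH:MM' in the log's own clock (an assumed
    infection time, here the earliest suspicious entry)."""
    entries = parse_created_section(text)
    anchor = _stamp(anchor_str)
    return {
        "near": [e["path"] for e in entries_near(entries, anchor)],
        "hex_named": [e["path"] for e in hex_named(entries)],
    }


if __name__ == "__main__":
    for key, paths in triage(SAMPLE_LOG, "2009-09-28 23:30").items():
        print(key)
        for p in paths:
            print("  ", p)
```

The window deliberately reaches a few hours past the anchor, so it also catches WRSetup.dll and install.dat, which belong to the Webroot install the user did after the infection. That is the point of the output: it is a list of leads in time order for the analyst to confirm one by one, not a verdict, which is why the thread's helper also checks each path against the Drivers/Services and Reg Loading Points sections before scripting a deletion.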
AdvancedSetup
Running from: F:\Combo-Fix.exe

We really need to see if we can get this running from the C:\Documents and Settings\AMY\Desktop location or what your name is for your account.

If you can now copy/paste you should be able to copy it there.