Hey guys. I am a little panicky (word?). I just helped my friend with her computer that wouldn't run anything and now my computer is doing some of the same things. When I open up Windows 7, my icons are all the MS Word folders. Even the icon for Internet Explorer down on the bottom of the screen in the task bar. Also, when I click on anything internet it opens up Word (2003)! I want to scream, but I am in the library on campus. It will do Avira update and Adobe update but not get on the internet. Same thing in safe mode. Please please please help. Also, again, it will not run RootRepeal. I was going to run it and couldn't remember which ones needed to be checked off, so I closed it. I went to find out and came back to run it, but it is giving me all these funky error codes and saying it won't read the registry. So here are the RSIT and Security Check logs.
Logfile of random's system information tool 1.08 (written by random/random)
Run by Debra Lopez at 2011-02-08 16:32:19
Microsoft Windows 7 Home Premium
System drive C: has 16 GB (44%) free of 37 GB
Total RAM: 512 MB (13% free)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:34:43 PM, on 2/8/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
E:\computer help\RSIT.exe
C:\Program Files\trend micro\Debra Lopez.exe
C:\Windows\system32\prevhost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {70a38074-97a6-45da-b1a1-34b0a34dc3ff} - (no file)
R3 - URLSearchHook: (no name) - {90b49673-5506-483e-b92b-ca0265bd9ca8} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [DriverAccess] C:\Program Files\Driver Assure Corp\DriverAccess\DriverAccess.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbl_device - - C:\Windows\system32\lxblcoms.exe
O23 - Service: lxdpCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdpserv.exe
O23 - Service: lxdp_device - - C:\Windows\system32\lxdpcoms.exe
O23 - Service: SmartLinkService (SLService) - - C:\Windows\SYSTEM32\slserv.exe
--
End of file - 4810 bytes
======Scheduled tasks folder======
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2010-09-22 61888]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"=C:\Windows\SOUNDMAN.EXE [2003-12-19 65024]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2010-11-04 281768]
"DriverAccess"=C:\Program Files\Driver Assure Corp\DriverAccess\DriverAccess.exe []
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-09-08 421888]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-09-23 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]
"1A:Stardock TrayMonitor"= []
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-11-17 421160]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DW6"= []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
C:\Windows\system32\Ati2mdxx.exe [2005-01-19 25088]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
C:\Windows\VM_STI.EXE [2003-01-21 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
C:\Program Files\Lexmark Z2300 Series\ezprint.exe [2008-03-27 107176]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Users\Chaddock\AppData\Local\Google\Update\GoogleUpdate.exe /c []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2010-11-17 421160]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdpmon.exe]
C:\Program Files\Lexmark Z2300 Series\lxdpmon.exe [2008-03-27 656040]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\Windows\system32\\NeroCheck.exe [2001-07-09 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2010-09-08 421888]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HotKeyDetect.lnk]
C:\Windows\HOTKEY~1.EXE [2006-05-24 163935]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^SnapDetect.lnk]
C:\Windows\SNAPDE~1.EXE [2005-12-13 168021]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\Windows\system32\Ati2evxx.dll [2005-01-19 61440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"PromptOnSecureDesktop"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======File associations======
.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*
======List of files/folders created in the last 1 months======
2011-02-08 16:32:22 ----D---- C:\Program Files\trend micro
2011-02-08 16:32:19 ----D---- C:\rsit
2011-01-15 12:34:03 ----A---- C:\Windows\system32\bzpdf.dll
2011-01-15 12:33:34 ----D---- C:\Program Files\Bullzip
2011-01-15 11:47:54 ----A---- C:\Windows\system32\odbc32.dll
======List of files/folders modified in the last 1 months======
2011-02-08 16:34:41 ----D---- C:\Windows\system32\config
2011-02-08 16:34:11 ----D---- C:\Windows\Prefetch
2011-02-08 16:33:13 ----D---- C:\Windows\Temp
2011-02-08 16:32:22 ----RD---- C:\Program Files
2011-02-08 13:26:51 ----SHD---- C:\System Volume Information
2011-02-08 12:57:02 ----SD---- C:\Users\Debra Lopez\AppData\Roaming\Microsoft
2011-02-08 10:45:41 ----D---- C:\Windows\system32\LogFiles
2011-02-01 22:33:57 ----D---- C:\Windows\System32
2011-02-01 22:33:57 ----A---- C:\Windows\system32\PerfStringBackup.INI
2011-02-01 22:33:56 ----D---- C:\Windows\inf
2011-01-30 22:00:03 ----D---- C:\Windows\system32\wfp
2011-01-30 22:00:03 ----D---- C:\Windows\system32\DriverStore
2011-01-30 22:00:03 ----D---- C:\Windows\system32\catroot2
2011-01-30 22:00:03 ----D---- C:\Windows
2011-01-30 22:00:02 ----D---- C:\Windows\AppCompat
2011-01-30 21:59:59 ----D---- C:\Windows\system32\wbem
2011-01-30 21:59:59 ----D---- C:\Windows\registration
2011-01-30 19:28:34 ----SHD---- C:\Windows\Installer
2011-01-30 19:16:40 ----D---- C:\Windows\system32\Tasks
2011-01-30 19:16:00 ----D---- C:\Windows\Tasks
2011-01-24 18:38:15 ----D---- C:\Windows\system32\catroot
2011-01-24 18:37:20 ----D---- C:\Windows\winsxs
2011-01-19 05:57:20 ----D---- C:\Program Files\Microsoft Silverlight
2011-01-16 03:03:20 ----A---- C:\Windows\system32\MRT.exe
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-13 173648]
R0 RecAgent;RecAgent; C:\Windows\system32\DRIVERS\RecAgent.sys [2003-10-28 14160]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2010-12-20 135096]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2010-11-22 61960]
R2 irda;IrDA Protocol; C:\Windows\system32\DRIVERS\irda.sys [2009-07-13 96768]
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\Windows\system32\drivers\ALCXSENS.SYS [2003-12-11 391424]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\Windows\system32\drivers\ALCXWDM.SYS [2003-12-19 541548]
R3 ati2mtag;ati2mtag; C:\Windows\system32\DRIVERS\ati2mtag.sys [2005-01-19 965632]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\Windows\system32\drivers\MODEMCSA.sys [2009-07-13 18432]
R3 Mtlmnt5;Mtlmnt5; C:\Windows\system32\DRIVERS\Mtlmnt5.sys [2003-10-28 226288]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista; C:\Windows\system32\DRIVERS\NETw2v32.sys [2007-03-06 2595840]
R3 NSCIRDA;NSC Infrared Device Driver; C:\Windows\system32\DRIVERS\nscirda.sys [2008-01-19 30720]
R3 RTL8167;Realtek 8167 NT Driver; C:\Windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 seehcri;Sony Ericsson seehcri Device Driver; C:\Windows\system32\DRIVERS\seehcri.sys [2010-08-12 27632]
R3 Slntamr;SmartLink AMR_PCI Driver; C:\Windows\system32\DRIVERS\slntamr.sys [2003-11-08 566256]
R3 SlWdmSup;SlWdmSup; C:\Windows\system32\DRIVERS\SlWdmSup.sys [2003-10-28 15712]
R3 tiumfwl;tiumfwl; C:\Windows\system32\drivers\tiumfwl.sys [2003-02-18 42092]
R3 ZSMC301b;CMM PC Camera; C:\Windows\System32\Drivers\usbVM31b.sys [2003-11-27 90541]
S2 Parvdm;Parvdm; C:\Windows\system32\DRIVERS\parvdm.sys [2009-07-13 8704]
S3 aic78xx;aic78xx; C:\Windows\system32\DRIVERS\djsvs.sys [2009-07-13 70720]
S3 amdagp;AMD AGP Bus Filter Driver; C:\Windows\system32\DRIVERS\amdagp.sys [2009-07-13 53312]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60x.sys [2009-07-13 229888]
S3 cpuz132;cpuz132; \??\C:\Users\Chaddock\AppData\Local\Temp\cpuz132\cpuz132_x32.sys []
S3 ggflt;SEMC USB Flash Driver Filter; C:\Windows\system32\DRIVERS\ggflt.sys [2010-08-12 13224]
S3 ggsemc;SEMC USB Flash Driver; C:\Windows\system32\DRIVERS\ggsemc.sys [2010-08-12 25512]
S3 KMWDFILTERx86;HIDServiceDesc; C:\Windows\system32\DRIVERS\KMWDFILTER.sys [2009-04-29 25088]
S3 Mtlstrm;Mtlstrm; C:\Windows\system32\DRIVERS\Mtlstrm.sys [2003-11-03 1299976]
S3 NtMtlFax;NtMtlFax; C:\Windows\system32\DRIVERS\NtMtlFax.sys [2003-10-28 180368]
S3 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-13 12368]
S3 sisagp;SIS AGP Bus Filter; C:\Windows\system32\DRIVERS\sisagp.sys [2009-07-13 52304]
S3 SlNtHal;SlNtHal; C:\Windows\system32\DRIVERS\Slnthal.sys [2003-10-28 87656]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2009-07-13 35840]
S3 viaagp;VIA AGP Bus Filter; C:\Windows\system32\DRIVERS\viaagp.sys [2009-07-13 53328]
S3 ViaC7;VIA C7 Processor Driver; C:\Windows\system32\DRIVERS\viac7.sys [2009-07-13 52736]
S3 WinUsb;WinUsb; C:\Windows\system32\DRIVERS\WinUsb.sys [2009-07-13 34944]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2010-11-04 135336]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2010-12-12 267944]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-10-16 37664]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-10-07 345376]
R2 Irmon;@%SystemRoot%\System32\irmon.dll,-2000; C:\Windows\system32\svchost.exe [2009-07-13 20992]
R2 lxbl_device;lxbl_device; C:\Windows\system32\lxblcoms.exe [2007-04-20 537520]
R2 lxdp_device;lxdp_device; C:\Windows\system32\lxdpcoms.exe [2008-02-27 594600]
R2 SLService;SmartLinkService; C:\Windows\system32\slserv.exe [2003-10-28 45056]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-11-17 820008]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\Windows\system32\Ati2evxx.exe [2005-01-19 344064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-09-30 135664]
S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdpserv.exe [2009-04-28 94208]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2010-06-03 1343400]
-----------------EOF-----------------
info.txt logfile of random's system information tool 1.08 2011-02-08 16:35:11
======Uninstall list======
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -maintain activex
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe -maintain plugin
Adobe Reader 9.4.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A94000000001}
Apple Application Support-->MsiExec.exe /I{EE6097DD-05F4-4178-9719-D3170BF098E8}
Apple Mobile Device Support-->MsiExec.exe /I{308B6AEA-DE50-4666-996D-0FA461719D6B}
Apple Software Update-->MsiExec.exe /I{C41300B9-185D-475E-BFEC-39EF732F19B1}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver-->rundll32 C:\Windows\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bonjour-->MsiExec.exe /X{2A981294-F14C-4F0F-9627-D793270922F8}
Bullzip PDF Printer 4.0.0.463-->"C:\Program Files\Bullzip\PDF Printer\unins000.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Google Chrome-->"C:\Program Files\Google\Chrome\Application\9.0.597.84\Installer\setup.exe" --uninstall --system-level
Google Earth-->MsiExec.exe /X{4286E640-B5FB-11DF-AC4B-005056C00008}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
GPL Ghostscript Lite 8.70-->"C:\Program Files\Bullzip\PDF Printer\gs\unins000.exe"
Internet TV for Windows Media Center-->MsiExec.exe /X{9D318C86-AF4C-409F-A6AC-7183FF4CF424}
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
iTunes-->MsiExec.exe /I{FAE36873-1941-4076-A9A5-48812B5EA0B7}
Lexmark Z2300 Series-->C:\Program Files\Lexmark Z2300 Series\Install\x86\Uninst.exe
Lexmark Z700-P700 Series-->C:\Program Files\Lexmark Z700-P700 Series\Install\x86\Uninst.exe
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Nero - Burning Rom-->MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Netflix in Windows Media Center-->MsiExec.exe /X{0CA72D12-F6C6-4D43-A2A0-41F5AA17E2B6}
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
Print Artist Craft & Party Maker-->MsiExec.exe /I{6661C844-F72D-44ED-823A-24862F2D1650}
QuickTime-->MsiExec.exe /I{E7004147-2CCA-431C-AA05-2AB166B9785D}
The Weather Channel Desktop 6-->C:\Program Files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe
Windows 7 Upgrade Advisor-->MsiExec.exe /I{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}
Windows Driver Package - eMPIA Technology Inc, (emAudio) MEDIA (04/27/2007 5.7.0427.0)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst32.exe /u C:\Windows\System32\DriverStore\FileRepository\emaudio.inf_x86_neutral_43fa14080fc3d063\emaudio.inf
Windows Driver Package - Orion Technology (DCamUSBET) Image (05/10/2007 2.7.0510.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst32.exe /u C:\Windows\System32\DriverStore\FileRepository\etvideo.inf_x86_neutral_d24f19c8645754db\etvideo.inf
Windows Media Center Add-in for Flash-->MsiExec.exe /X{E2D09AC2-4153-4817-AAEB-24F92A8BCE88}
Windows Media Center Add-in for Silverlight-->MsiExec.exe /X{0EDBEB2B-7C8D-42E6-8312-0F84394A3223}
======System event log======
Computer Name: Chaddock-PC
Event Code: 1014
Message: Name resolution for the name wpad.launchmodem.com timed out after none of the configured DNS servers responded.
Record Number: 8938
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100626163859.124134-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: Chaddock-PC
Event Code: 1014
Message: Name resolution for the name teredo.ipv6.microsoft.com timed out after none of the configured DNS servers responded.
Record Number: 8937
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100626163849.219892-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: Chaddock-PC
Event Code: 1014
Message: Name resolution for the name wpad.launchmodem.com timed out after none of the configured DNS servers responded.
Record Number: 8936
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100626163704.128779-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: Chaddock-PC
Event Code: 1014
Message: Name resolution for the name BULLFROG.launchmodem.com timed out after none of the configured DNS servers responded.
Record Number: 8935
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100626163257.233761-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE
Computer Name: Chaddock-PC
Event Code: 1014
Message: Name resolution for the name BULLFROG.launchmodem.com timed out after none of the configured DNS servers responded.
Record Number: 8904
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20100626161527.627243-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE
=====Application event log=====
Computer Name: Chaddock-PC
Event Code: 11
Message: Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 784) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3F31C91E-2545-4B7B-9311-9529E8BFFEF6}), Method number (10). User Action: Contact your application vendor for an updated version of the application.
Record Number: 279
Source Name: Microsoft-Windows-RPC-Events
Time Written: 20100603020454.763544-000
Event Type: Warning
User: NT AUTHORITY\LOCAL SERVICE
Computer Name: Chaddock-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
6 user registry handles leaked from \Registry\User\S-1-5-21-2900886733-2756886438-1531266901-1000:
Process 372 (\Device\HarddiskVolume1\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2900886733-2756886438-1531266901-1000
Process 1064 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2900886733-2756886438-1531266901-1000\Software\Policies
Process 1064 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2900886733-2756886438-1531266901-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1064 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2900886733-2756886438-1531266901-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1064 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2900886733-2756886438-1531266901-1000\Software
Process 1064 (\Device\HarddiskVolume1\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2900886733-2756886438-1531266901-1000\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Record Number: 197
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20100603002944.807964-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM
Computer Name: Chaddock-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
. This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {85839acd-5d58-43a2-9c9c-d13a182bb8da}
Record Number: 189
Source Name: VSS
Time Written: 20100603001724.000000-000
Event Type: Error
User:
Computer Name: Chaddock-PC
Event Code: 1008
Message: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.
Record Number: 153
Source Name: Microsoft-Windows-Search
Time Written: 20100602235549.000000-000
Event Type: Warning
User:
Computer Name: 37L4247D28-05
Event Code: 1008
Message: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.
Record Number: 144
Source Name: Microsoft-Windows-Search
Time Written: 20100602234957.000000-000
Event Type: Warning
User:
=====Security event log=====
Computer Name: 37L4247D28-05
Event Code: 4672
Message: Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 5
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100602234159.776608-000
Event Type: Audit Success
User:
Computer Name: 37L4247D28-05
Event Code: 4624
Message: An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: 37L4247D28-05$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x1b4
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 4
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100602234159.776608-000
Event Type: Audit Success
User:
Computer Name: 37L4247D28-05
Event Code: 4902
Message: The Per-user audit policy table was created.
Number of Elements: 0
Policy ID: 0x237b4
Record Number: 3
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100602234158.825240-000
Event Type: Audit Success
User:
Computer Name: 37L4247D28-05
Event Code: 4624
Message: An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 0
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x4
Process Name:
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 2
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100602234155.089868-000
Event Type: Audit Success
User:
Computer Name: 37L4247D28-05
Event Code: 4608
Message: Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Record Number: 1
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100602234154.929638-000
Event Type: Audit Success
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=1
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0d06
"asl.log"=Destination=file;OnFirstLog=command,environment
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
-----------------EOF-----------------
Results of screen317's Security Check version 0.99.8
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:
Adobe Flash Player 10.1.53.64
Adobe Reader 9.4.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````