
Inactive Malware, IE5 Temporary Files Redirect, bad Drivers, Wininit

Discussion in 'Malware and Virus Removal Archive' started by lindamst, 2010/11/10.

Thread Status:
Not open for further replies.
  1. 2010/11/10
    lindamst Inactive Thread Starter

    [Inactive] Malware, IE5 Temporary Files Redirect, bad Drivers, Wininit

    I have a Dell computer (Desktop) XPS8000 and it will not run clean with clean installs. I have paid two companies to come out and fix my computer and they do not know what they are doing and it comes right back each time. I have been researching this for over 6 months now and I am in shock. First off, my C: drive says it is D: when I delete my partition and create a new one, format it and run a new version of Windows 7 Home Premium on it. The crazy thing is, however, my D: says it is my CDROM drive and it opens with a cmd.exe prompt. When I look at X:\Windows\setup.exe, it shows it as X:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\GameExplorer\*, X:\Windows\ServiceProfiles\NetworkService\AppDataRoaming\Microsoft\Windows\Cookies\*, X:\Windows\ServiceProfiles\NetworkService\Desktop*, \Documents\*, \Downloads\*, \Favorites\*, \Links\*, \Music\*, \Pictures\*, \SavedGames\*, X:\Windows\wpeprofiles\all.wpf, X:\Windows\wpeprofiles\core.wpf, \pending.xml, etc.

    I notice my drivers when they download some are DRIVERS and some are drivers and it seems to be all preconfigured by commands, that are already preconfigured in my computer core. When I have looked in Portable Devices (for example, E:), it reads C:\Windows\system32\DRIVERS\UMDF\WpdFs.dll. I don't know if I am supposed to have this either in my computer: C:\Windows\Prefetch\ReadyBoot.etl

    I was working in a virtual game for a few years and I had to use the browser in IE to do some of my work and I feel that my desktop was hacked and is a shared desktop now. I was linked in a website account with Google Analytics, I noticed just recently, and I deleted my Google account and I am not sure if this issue can be resolved? I have noticed that my Windows 7 Home Premium Disk(s) seem to just be of no use, since my CDROM is the command prompt and my computer browser is preconfigured with C:\Windows\system32\congif\systemprofile\AppData\Local\Microsoft\Windows\Tempory Internet Files\.Content.IE5\5IWAMOKE\*.*.

    Of course, I quit working for him as soon as I noticed my desktop and two laptop computers, having "S-(numbers in red)" going through them for just a few seconds. Also, I feel like my drivers at startup are strange, as some are "windows" lower-case and some are "Windows" upper-case and "DRIVERS" and "drivers". I can see in my registry that it is not the default, but REG_EXPAND_SZ, with the root "system32" showing as C:\Windows\system32\config\default, \config\sam, config\security, config\software\, config\Journal\*.*, \config\systemprofile\*.*, \AppData\*.*, \Local\*.*.

    The owner of the website was very familiar with interfaces, java, dlls, etc. and I feel that I am not even on the correct framework with Windows. I feel my drivers, redirection in browser (which is obvious when I save things to desktop) or click run, as its IE5 or SPAWNWIND. I disabled my Windows Media Player, as I was not sure if he was into that too. My computer seems to be a shared remote desktop, if that makes any sense and I am using hard-wired access.

    Can anyone assist me in this "root issue" I am having and also the browser redirect, which is preconfigured, with each clean install I have done (over 50). Also, when I registered with the BleepingComputer website, it came up in my browser as: http://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=register and I am not sure that is normal?

    I do want to say, however, that I have had Microsoft in my computer remotely a few times and they were in shock. I have temporarily disabled my remote access, as after the "remote session" with Microsoft, it was pinned to my taskbar with a lock on it and it became a .dll after that. Also, my Environment Variables are showing a Comspec, Value C:\Windows\system32\cmd.exe and is TMP and TEMP (both are listed) with %USERPROFILE%\AppData\Local\Temp.

    I do not seem to be the "Administrator" of my own account, but I have made myself the "Administrator" by the command prompt, when I was testing all of this mess.

    Any suggestions or at least a fix on the redirect? Also, I have cleared my BIOS, however, everything seems to be in [ ] which means disabled in prior menu and I find that odd too. This computer was brand new and financially I can't pay anyone to come and run another clean install, as I can do that much, myself.

    Any help would be greatly appreciated.

    Here are a few tests that show what my system currently is running. I have deleted some of the programs, however, they seem to appear automatically with each clean install, deleting/formatting a new partition and running a Windows 7 Home Premium Disk on it. It seems I am not able to write from my CDROM, as the command prompt shows D: (which is my CDROM) and also D: shows where my clean install with Windows will be installed instead of C: drive. To simplify it, my C: drive installs on D: and my CDROM drive is also D: (with a cmd.exe going to it).

    Please look below and any help after several months of working on this, has me at a loss. My computer was brand new and I saved up for over 5 years to get it and I did notice that some programs will let you put images on the CDROM and I am afraid that is what happened. The person, I was working for was into ads, but The Geek Squad, a private owner of a computer company just charged me hundreds of dollars to do the same thing I can do.

    Any help would be appreciated and feel free to email me with the Redirect from IE5 Temporary cache file, I believe, bad drivers, dlls, registry fix, and how to get it out of my core of my computer. I have a CDROM with R+W and it is a DVD +-RW GH50N, but my BIOS shows everything in [brackets] meaning disabled. I thought I read my CDROM drive is an optical drive and I do have a media optical reader, but it does not appear to light up now.

    Please help me and I will be forever grateful.

    Reports Below:


    ----------------------------------------
    Defogger Disable Log

    defogger_disable by jpshortstuff (23.02.10.1)
    Log created at 20:59 on 10/11/2010 (My)

    Checking for autostart values...
    HKCU\~\Run values retrieved.
    HKLM\~\Run values retrieved.

    Checking for services/drivers...


    -=E.O.F=-

    ----------------------------------------------------
    DDS.txt Report


    DDS (Ver_10-11-10.01) - NTFS_AMD64
    Run by My at 18:36:53.52 on Wed 11/10/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8183.6960 [GMT -5:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
    C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\wuauclt.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Users\My\Desktop\Defogger.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\My\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    mWinlogon: Userinit=userinit.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    mRun-x64: [Skytel] C:\Program Files\Realtek\Audio\HDA\Skytel.exe
    mRun-x64: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

    ============= SERVICES / DRIVERS ===============

    R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-11-6 92160]
    R2 BrcmMgmtAgent;Broadcom Management Agent;C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [2009-4-17 147456]
    R3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2009-6-20 317480]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-11-6 1255736]

    =============== Created Last 30 ================

    2010-11-10 22:55:50 -------- d-----w- C:\Program Files (x86)\Belarc
    2010-11-10 22:44:22 521448 ----a-w- C:\Windows\System32\deployJava1.dll
    2010-11-08 18:47:33 -------- d-----w- C:\Users\My\AppData\Local\Eraser 6
    2010-11-08 01:20:33 -------- d-----w- C:\Users\My\AppData\Roaming\Maxthon3
    2010-11-08 01:16:16 -------- d-----w- C:\Program Files (x86)\a-squared Free
    2010-11-07 06:49:46 -------- d-----w- C:\Users\My\AppData\Local\SecondLife
    2010-11-07 06:47:56 -------- d-----w- C:\Program Files (x86)\Phoenix Viewer
    2010-11-07 03:52:40 311808 ----a-w- C:\Windows\System32\msv1_0.dll
    2010-11-07 03:52:40 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
    2010-11-07 03:52:01 14336 ----a-w- C:\Windows\System32\drivers\sffp_sd.sys
    2010-11-07 03:43:46 -------- d-----w- C:\Windows\SysWow64\Wat
    2010-11-07 03:43:46 -------- d-----w- C:\Windows\System32\Wat
    2010-11-07 03:09:30 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
    2010-11-07 03:09:30 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
    2010-11-07 03:09:30 48960 ----a-w- C:\Windows\System32\netfxperf.dll
    2010-11-07 03:09:30 444752 ----a-w- C:\Windows\System32\mscoree.dll
    2010-11-07 03:09:30 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
    2010-11-07 03:09:30 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
    2010-11-07 03:09:30 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
    2010-11-07 03:09:30 1942856 ----a-w- C:\Windows\System32\dfshim.dll
    2010-11-07 03:09:30 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
    2010-11-07 03:09:30 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
    2010-11-07 03:05:21 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
    2010-11-07 03:02:58 954752 ----a-w- C:\Windows\SysWow64\mfc40.dll
    2010-11-07 02:40:05 -------- d-----r- C:\Program Files\Microsoft IntelliPoint
    2010-11-07 02:39:57 -------- d-----w- C:\Windows\PCHEALTH
    2010-11-07 02:32:10 -------- d-----w- C:\Users\My\AppData\Local\ElevatedDiagnostics
    2010-11-07 00:44:42 -------- d-----w- C:\Windows\Panther
    2010-11-07 00:44:20 -------- d-----w- C:\Windows\System32\oem
    2010-11-07 00:14:14 -------- d-----w- C:\Users\My\AppData\Local\Apps
    2010-11-06 23:18:21 737072 ----a-w- C:\PROGRA~3\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2010-11-06 23:18:07 4277016 ----a-w- C:\PROGRA~3\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
    2010-11-06 23:17:54 42776 ----a-w- C:\PROGRA~3\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
    2010-11-06 23:16:48 8006480 ----a-w- C:\PROGRA~3\Microsoft\Windows Defender\Definition Updates\{409FDBCE-5E79-42A7-A13D-B19FB52E5F9C}\mpengine.dll
    2010-11-06 23:16:47 270720 ------w- C:\Windows\System32\MpSigStub.exe
    2010-11-06 23:04:58 -------- d-----w- C:\Users\My\AppData\Local\Diagnostics
    2010-11-06 21:27:59 757760 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
    2010-11-06 21:27:59 69715 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
    2010-11-06 21:27:59 65024 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ISBEW64.exe
    2010-11-06 21:27:59 5632 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\DotNetInstaller.exe
    2010-11-06 21:27:59 331908 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
    2010-11-06 21:27:59 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\Objectps.dll
    2010-11-06 21:27:59 274432 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
    2010-11-06 21:27:59 204800 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
    2010-11-06 21:27:59 200836 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
    2010-11-06 21:27:52 -------- d-----w- C:\Program Files\Broadcom
    2010-11-06 21:25:30 53248 ----a-w- C:\Windows\SysWow64\CSVer.dll
    2010-11-06 21:25:26 -------- d-----w- C:\Intel
    2010-11-06 21:25:25 -------- d-----w- C:\dell
    2010-11-06 21:24:16 45056 ----a-r- C:\Users\My\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
    2010-11-06 21:24:15 -------- d-----w- C:\Windows\SysWow64\vmm32
    2010-11-06 21:24:15 -------- d-----w- C:\Program Files (x86)\Dell
    2010-11-06 21:24:03 -------- d-sh--w- C:\Windows\Installer
    2010-11-06 20:51:57 -------- d-sh--w- C:\Recovery

    ==================== Find3M ====================

    2010-09-10 05:35:44 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
    2010-09-10 05:35:43 347648 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
    2010-09-08 05:36:17 1192960 ----a-w- C:\Windows\System32\wininet.dll
    2010-09-08 05:34:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
    2010-09-08 04:30:04 978432 ----a-w- C:\Windows\SysWow64\wininet.dll
    2010-09-08 04:28:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2010-09-08 04:16:38 482816 ----a-w- C:\Windows\System32\html.iec
    2010-09-08 03:35:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2010-09-08 03:22:31 386048 ----a-w- C:\Windows\SysWow64\html.iec
    2010-09-08 02:48:16 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2010-09-01 05:12:09 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
    2010-09-01 04:23:49 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
    2010-09-01 02:58:34 3123712 ----a-w- C:\Windows\System32\win32k.sys
    2010-08-31 04:32:30 954288 ----a-w- C:\Windows\SysWow64\mfc40u.dll
    2010-08-27 06:14:02 236032 ----a-w- C:\Windows\System32\srvsvc.dll
    2010-08-27 05:46:48 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
    2010-08-27 03:38:04 463360 ----a-w- C:\Windows\System32\drivers\srv.sys
    2010-08-27 03:37:48 402944 ----a-w- C:\Windows\System32\drivers\srv2.sys
    2010-08-27 03:37:26 161792 ----a-w- C:\Windows\System32\drivers\srvnet.sys
    2010-08-26 05:27:28 148992 ----a-w- C:\Windows\System32\t2embed.dll
    2010-08-26 04:39:58 109056 ----a-w- C:\Windows\SysWow64\t2embed.dll
    2010-08-21 06:38:47 1024512 ----a-w- C:\Windows\System32\wmpmde.dll
    2010-08-21 06:36:49 340992 ----a-w- C:\Windows\System32\schannel.dll
    2010-08-21 06:31:06 633856 ----a-w- C:\Windows\System32\comctl32.dll
    2010-08-21 06:29:47 558592 ----a-w- C:\Windows\System32\spoolsv.exe
    2010-08-21 05:36:33 738816 ----a-w- C:\Windows\SysWow64\wmpmde.dll
    2010-08-21 05:36:24 224256 ----a-w- C:\Windows\SysWow64\schannel.dll
    2010-08-21 05:33:24 530432 ----a-w- C:\Windows\SysWow64\comctl32.dll

    ============= FINISH: 18:37:10.25 ===============

    ATTACH.TXT LOG


    DDS (Ver_10-11-10.01)

    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/6/2010 4:51:59 PM
    System Uptime: 11/10/2010 4:39:54 PM (2 hours ago)

    Motherboard: Dell Inc. | | 0X231R
    Processor: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz | CPU 1 | 1456/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 931 GiB total, 898.219 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: SM/xD-Picture
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SM#XD-PICTURE&REV_1.02#18E391066476&2#
    Manufacturer: Generic-
    Name: G:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SM#XD-PICTURE&REV_1.02#18E391066476&2#
    Service: WUDFRd

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: Compact Flash
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#18E391066476&1#
    Manufacturer: Generic-
    Name: F:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_COMPACT_FLASH&REV_1.01#18E391066476&1#
    Service: WUDFRd

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: MS/MS-Pro
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_MS#MS-PRO&REV_1.03#18E391066476&3#
    Manufacturer: Generic-
    Name: H:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_MS#MS-PRO&REV_1.03#18E391066476&3#
    Service: WUDFRd

    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: SD/MMC
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SD#MMC&REV_1.00#18E391066476&0#
    Manufacturer: Generic-
    Name: E:\
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC-&PROD_SD#MMC&REV_1.00#18E391066476&0#
    Service: WUDFRd

    ==== System Restore Points ===================

    RP1: 11/6/2010 5:24:06 PM - Installed Dell Resource CD.
    RP2: 11/6/2010 5:27:18 PM - Installed Broadcom NetXtreme-I Netlink Driver and Management Installer.
    RP3: 11/6/2010 5:28:55 PM - Installed NVIDIA PhysX
    RP4: 11/6/2010 5:42:31 PM - Installed Microsoft Works
    RP5: 11/6/2010 7:16:37 PM - Windows Update
    RP6: 11/6/2010 8:17:25 PM - Windows Modules Installer
    RP7: 11/6/2010 9:07:45 PM - Installed Microsoft Fix it 50202
    RP8: 11/6/2010 10:05:01 PM - Windows Update
    RP9: 11/6/2010 10:50:04 PM - Windows Update
    RP10: 11/7/2010 4:22:18 PM - goodhere
    RP11: 11/7/2010 7:53:44 PM - Restore Operation
    RP12: 11/7/2010 8:12:00 PM - Installed Eraser 6.0.8.2273
    RP13: 11/9/2010 11:17:03 AM - Removed Eraser 6.0.8.2273
    RP14: 11/9/2010 11:17:44 AM - Removed NVIDIA PhysX
    RP15: 11/9/2010 5:48:04 PM - Windows Update
    RP16: 11/9/2010 6:00:29 PM - Restore Operation
    RP17: 11/9/2010 6:34:19 PM - Removed NVIDIA PhysX
    RP18: 11/10/2010 5:33:19 PM - Windows Update
    RP19: 11/10/2010 5:44:08 PM - Installed Java(TM) 6 Update 22 (64-bit)
    RP20: 11/10/2010 5:51:57 PM - afterdownloadingjava

    ==== Installed Programs ======================

    Belarc Advisor 8.1
    Compatibility Pack for the 2007 Office system
    Dell Resource CD
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Works
    Phoenix Viewer 1.5.1.373
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

    ==== Event Viewer Messages From Past Week ========

    11/9/2010 6:02:27 PM, Error: Microsoft-Windows-Eventlog [106] - Corruption was detected in the log for the Microsoft-Windows-NetworkProfile/Operational channel and some data was erased.
    11/8/2010 2:01:19 PM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolume2.
    11/8/2010 1:50:12 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.
    11/8/2010 1:33:47 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the BFE service.
    11/6/2010 8:33:51 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} and APPID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user MyComputer\My SID (S-1-5-21-2319974835-2710272195-695545603-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    11/6/2010 10:14:21 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for Windows 7 for x64-based Systems (KB979688).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Update for Windows 7 for x64-based Systems (KB974431).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Update for Rights Management Services Client for Windows 7 for x64-based Systems (KB979099).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for Windows 7 for x64-based Systems (KB981852).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for Windows 7 for x64-based Systems (KB978886).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for Windows 7 for x64-based Systems (KB978542).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for Windows 7 for x64-based Systems (KB975467).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for Windows 7 for x64-based Systems (KB972270).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for Windows 7 for x64-based Systems (KB2286198).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Security Update for .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB983590).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Microsoft .NET Framework 3.5 SP1 Security Update for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB979916).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Cumulative Update for Media Center for Windows 7 x64-based Systems (KB2284742).
    11/6/2010 10:14:17 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f0902: Cumulative Security Update for ActiveX Killbits for Windows 7 for x64-based Systems (KB980195).

    ==== End Of File ===========================
     
  2. 2010/11/10
    broni Moderator Malware Analyst

    Welcome aboard :)

    Firstly, I'm not sure how all those issues are malware related.
    Can you explain?
     

  4. 2010/11/11
    lindamst Inactive Thread Starter

    I have file redirects in the Windows Shell Common for example; http://shell.windows.com/fileassoc/fileassoc.asp?Ext=cfx when I click to open it. I have several dlls that are also bad. I have iexplore.exe, whose description is NirCmd, I have a folder called SnapShot.cmd, which shows the following:

    REM SnapShot.cmd: the file-system snapshot routine used by ComboFix. It compares
    REM the current file listing in SnapShot.00.dat with the previous snapshot recorded
    REM under HKLM\Software\Swearware and appends the differences to ComboFix.txt.
    REM SWREG, SED, GREP and PEV are the helper tools ComboFix unpacks into systemroot.
    :SNAPSHOT
    @SET SnapShot=

    REM Read the path of the previous snapshot from the registry. Keep it only if the
    REM .dat file still exists and still contains file entries, otherwise delete it.
    SWREG QUERY HKLM\Software\Swearware /v SnapShot >temp00
    SED "/.* /!d; s///" temp00 >temp01
    FOR /F "TOKENS=*" %%G IN ( temp01 ) DO @IF EXIST "%%~G.dat" (
    GREP -Esq " {14}.:\\." "%%~G.dat" || DEL /A/F "%%~G.dat"
    IF EXIST "%%~G.dat" SET "SnapShot=%%~G"
    )
    DEL /A/F/Q temp0?


    REM Build SnapWhite, a whitelist of ComboFix's own helper files and backups so
    REM they are never reported as new or changed files.
    @(
    ECHO.%systemroot%\PEV.exe
    ECHO.%systemroot%\SWXCACLS.exe
    ECHO.%systemroot%\SWREG.exe
    ECHO.%systemroot%\SWSC.exe
    ECHO.%systemroot%\zip.exe
    ECHO.%systemroot%\sed.exe
    ECHO.%systemroot%\grep.exe
    ECHO.%systemroot%\Nircmd.exe
    ECHO.%systemroot%\MBR.exe
    ECHO.%systemroot%\bootstat.dat
    ECHO.%system%\SWSC.exe
    ECHO.%systemroot%\erdnt\Hiv-backup\ERDNT.EXE
    ECHO.%systemroot%\erdnt\subs\ERDNT.EXE
    ECHO.%systemroot%\erdnt\cache\
    IF EXIST W6432.dat ECHO.%systemroot%\erdnt\cache86\
    IF EXIST W6432.dat ECHO.%systemroot%\erdnt\cache64\
    )>SnapWhite


    REM On Vista and later, also whitelist the service-profile hives and index.dat
    REM caches, which change on every run.
    IF EXIST Vista.krl (
    ECHO.%system%\config\systemprofile\ntuser.dat
    ECHO.%systemroot%\ServiceProfiles\NetworkService\ntuser.dat
    ECHO.%systemroot%\ServiceProfiles\LocalService\ntuser.dat
    ECHO.%systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    ECHO.%systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    ECHO.%systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    ECHO.%systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
    ECHO.%systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    ECHO.%systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
    ECHO.%systemroot%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    ECHO.%systemroot%\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    )>>SnapWhite


    REM On 64-bit Windows, merge the sysnative listing into the main snapshot and
    REM rewrite sysnative paths to the real system directory.
    IF EXIST W6432.dat IF EXIST x64snapshot.00.dat (
    TYPE x64snapshot.00.dat snapshot.00.dat | SORT /R > snapshot.00.dat.tmp
    IF EXIST snapshot.00.dat.tmp SED -r "s/%sysnative:\=\\%/%sysdir:\=\\%/Ig" snapshot.00.dat.tmp > snapshot.00.dat
    DEL x64snapshot.00.dat snapshot.00.dat.tmp
    )

    REM Drop whitelisted entries, registry hive backups and the kernel-mode driver
    REM entry, then remove blank lines to produce the cleaned listing SnapShot.02.dat.
    GREP -UFivf SnapWhite SnapShot.00.dat >temp00
    SET "Hiv-backup=%systemroot:\=\\%\\erdnt\\(hiv-backup|sUBs)\\users\\000000[01][0-9]\\[^\\]*\.dat"
    GREP -Evi "%Hiv-Backup%$|%system:\=\\%\\%kmd%$" temp00 >SnapShot.01.dat
    SED "/./!d" SnapShot.01.dat > SnapShot.02.dat

    REM Take the timestamp of the current snapshot with PEV and store it in DTime.
    PEV -rtf -c:##c# .\SnapShot.00.dat -output:temp01
    SED "y/ :/_./; s/.*/@SET \x22DTime=&\x22/" temp01 >DTime.bat
    CALL DTime.bat
    @SETLOCAL

    DEL /A/F/Q temp0? SnapWhite
    SET Hiv-backup=



    REM If a previous snapshot exists, exclude paths already listed in ComboFix.txt,
    REM diff the cleaned listing against it and append the result to the report:
    REM lines prefixed "+ " are entries new since the snapshot, lines prefixed "- "
    REM are the previous snapshot's entries for the same files. Files placed by
    REM Windows Update are excluded via MSnew.dat.
    IF DEFINED SnapShot (
    SED -r "/%systemroot:\=\\%/I!d; s/.*:\\//; /.{127}./s/.*(.{127})$/\1/" ComboFix.txt >SnapRef.dat
    ECHO.::::>>SnapRef.dat
    FINDSTR -EVILG:SnapRef.dat SnapShot.02.dat >temp00
    GREP -Fvixf "%SnapShot%.dat" temp00 >SnapShot.dat ) && (
    CALL :WUpdate
    ECHO. "((((((((((((((((((((((((((((( %SnapShot:~10% ))))))))))))))))))))))))))))))))))))))))) "| SED "s/\x22//g"
    ECHO..
    GREP -Fivf MSnew.dat SnapShot.dat >temp02
    SED "/:\\/!d; s/^/+ /" temp02 >temp03
    ECHO.::::>temp04
    SED "s/.* //" SnapShot.dat >>temp04
    GREP -Fif temp04 "%SnapShot%.dat" >temp05
    SED "/:\\/!d; s/^/- /" temp05 >>temp03
    SORT /R /+64 temp03
    ECHO..
    DEL /A/F/Q SnapShot.dat temp0?
    )>>ComboFix.txt

    REM If 50 or more changes were reported, flag the snapshot for a reset. If no
    REM snapshot exists yet, flag a new one under the dated qoobox path.
    GREP -Ec "^[+-] [0-9]" ComboFix.txt | GREP -Evq "^[1-4][0-9]$|^.$" && TYPE myNul.dat >NewSnap.dat
    IF NOT DEFINED SnapShot TYPE myNul.dat >CreateSnap
    IF EXIST CreateSnap SET "SnapShot=%systemdrive%\qoobox\SnapShot@%Dtime%"


    REM First run: record the new snapshot path in the registry and keep the listing.
    IF EXIST CreateSnap (
    SWREG ADD HKLM\software\swearware /v SnapShot /d "%SnapShot%"
    MOVE /Y SnapShot.01.dat "%SnapShot%.dat"
    DEL /A/F CreateSnap
    )



    REM Snapshot reset: store the listing under a new dated name and point the
    REM registry value at it.
    IF EXIST NewSnap.dat (
    REM @ECHO.-- Snapshot reset to current date -->>ComboFix.txt
    @ECHO.%Line49%>>ComboFix.txt
    ECHO..>>ComboFix.txt
    MOVE /Y SnapShot.01.dat "%systemdrive%\qoobox\SnapShot_%DTime%.dat"
    SWREG ADD HKLM\software\swearware /v SnapShot /d "%systemdrive%\qoobox\SnapShot_%DTime%"
    DEL /A/F NewSnap.dat
    )

    @GOTO :EOF



    REM Subroutine: list files created and modified by Windows Update in the hotfix
    REM backup folders, plus SoftwareDistribution\Download, into MSnew.dat.
    :WUpdate
    @DEL /A/F/Q temp0?
    @PEV -fs32 -rtd -dcg1M AND "%systemroot%\$hf_mig$\kb*" OR "%systemroot%\$Nt*" OR "%systemroot%\$MS*" -output:MScreate.dat
    @PEV -fs32 -rtd -dmg1M AND "%systemroot%\$hf_mig$\kb*" OR "%systemroot%\$Nt*" OR "%systemroot%\$MS*" -output:MSMod.dat
    @GREP -Fif MScreate.dat MSMod.dat >temp04
    @SED -r "s/%systemroot:\=\\%\\//I" temp04 >MSnew.dat
    @ECHO.%systemroot%\SoftwareDistribution\Download>>MSnew.dat
    @DEL /A/F/Q temp0? MScreate.dat MSMod.dat
    @GOTO :EOF

    It is a mess, with drivers, system root persistent handlers and my Windows Explorer Folder is already pinned after a clean install and %windir%\explorer.exe. Many folders open to IE and will say at the end of the line =EXT and it is a redirect.

    Any ideas on how I can clear up the preconfigured cache files he is using from when I had IE5, which was a while back, that is for sure.
     
  5. 2010/11/11
    broni Moderator Malware Analyst
