
Solved Trojan: "teste2_p.exe"

Discussion in 'Malware and Virus Removal Archive' started by fantasma, 2009/12/15.

  1. 2009/12/15
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    [Resolved] Trojan: "teste2_p.exe"

    I have a problem with a Trojan virus that immediately links to a pornographic site. When I try to remove it (malware software), the following components are identified:

    Backdoor.Bot - HKEY -> Explorer\ {19127ad2-394b-70f5-c650-b97867baa177}

    Trojan Downloader - Temp\5_obd.exe

    Trojan Agent - Temp\teste2_p.exe
    Temp\teste3_p.exe
    Temp\teste4_p.exe
    Temp\teste5_p.exe

    I have installed "Malwarebytes' Anti-Malware" for detection / removal. Although it identifies and removes the Trojan, it re-installs within a short time. I have removed the components at least a dozen times but they keep reappearing.

    Any feedback regarding what can be done to permanently remove this pesky program and prevent it from re-installing will be appreciated.

    I am using the McAfee antivirus program.

    Thanks in advance.
     
  2. 2009/12/15
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Please read this as indicated at the head of the forum and post the logs requested in this thread.
     


  4. 2009/12/15
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    Attached are logs. If I have not done this correctly, please comment.
    ==================
    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Dennis at 13:34:02.00 on Tue 12/15/2009
    Internet Explorer: 8.0.6001.18865
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1978.899 [GMT -5:00]

    AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\SMINST\BLService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\DllHost.exe
    C:\D O W N L O A D S\dds.scr
    C:\Windows\system32\conime.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://my.yahoo.com/
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [userinit] c:\users\dennis\appdata\roaming\sdra64.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe "
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe "
    mRun: [<NO NAME>]
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    Notify: igfxcui - igfxdev.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe "

    ============= SERVICES / DRIVERS ===============

    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-10-24 104000]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-6-27 361808]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-23 24652]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-27 193840]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-4 113664]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 72264]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-24 168776]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

    =============== Created Last 30 ================

    2009-12-12 14:25:52 524288 --sha-w- c:\users\dennis\NTUSER.DAT{0f28d382-e716-11de-855a-001d7276b9d0}.TMContainer00000000000000000002.regtrans-ms
    2009-12-12 14:25:51 65536 --sha-w- c:\users\dennis\NTUSER.DAT{0f28d382-e716-11de-855a-001d7276b9d0}.TM.blf
    2009-12-12 14:25:51 524288 --sha-w- c:\users\dennis\NTUSER.DAT{0f28d382-e716-11de-855a-001d7276b9d0}.TMContainer00000000000000000001.regtrans-ms
    2009-12-09 16:22:14 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-09 16:21:49 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-09 16:21:47 30720 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-09 11:07:15 243712 ----a-w- c:\windows\system32\rastls.dll
    2009-12-07 20:41:50 0 d-----w- c:\users\dennis\appdata\roaming\Malwarebytes
    2009-12-07 20:41:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-07 20:41:45 0 d-----w- c:\programdata\Malwarebytes
    2009-12-07 20:41:44 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-07 20:41:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-02 12:48:08 0 d-----w- c:\program files\iPod
    2009-11-26 03:02:22 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-11-25 23:03:17 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2009-11-25 23:03:16 1248768 ----a-w- c:\windows\system32\msxml3.dll
    2009-11-25 23:03:10 714240 ----a-w- c:\windows\system32\timedate.cpl
    2009-11-17 15:08:38 0 d-----w- c:\program files\Windows Portable Devices
    2009-11-17 15:03:29 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2009-11-17 15:02:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2009-11-17 03:05:31 92672 ----a-w- c:\windows\system32\UIAnimation.dll
    2009-11-17 03:05:25 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
    2009-11-17 03:05:25 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
    2009-11-17 03:02:48 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
    2009-11-17 02:59:35 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2009-11-17 02:59:30 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2009-11-17 02:59:30 234496 ----a-w- c:\windows\system32\oleacc.dll

    ==================== Find3M ====================

    2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-11-17 15:08:27 86016 ----a-w- c:\windows\inf\infstor.dat
    2009-11-17 15:08:27 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-11-17 15:08:27 51200 ----a-w- c:\windows\inf\infpub.dat
    2009-11-17 15:08:27 143360 ----a-w- c:\windows\inf\infstrng.dat
    2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
    2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
    2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
    2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
    2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
    2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
    2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
    2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
    2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
    2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
    2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
    2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
    2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
    2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
    2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
    2009-09-25 01:46:53 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
    2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
    2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
    2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
    2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
    2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
    2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
    2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
    2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
    2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
    2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
    2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
    2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
    2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    1998-04-24 09:06:42 463872 ----a-w- c:\program files\Convert.exe
    2008-06-27 16:02:14 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 13:35:15.13 ===============
    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/8/2008 1:39:21 AM
    System Uptime: 12/15/2009 10:20:24 AM (3 hours ago)

    Motherboard: Wistron | | 360B
    Processor: Intel(R) Pentium(R) Dual CPU T3200 @ 2.00GHz | CPU | 2000/667mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 139 GiB total, 32.759 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 1.746 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP312: 12/7/2009 3:23:38 PM - Windows Defender Checkpoint
    RP314: 12/8/2009 8:21:29 AM - Windows Defender Checkpoint
    RP317: 12/9/2009 8:14:38 AM - Scheduled Checkpoint
    RP318: 12/9/2009 11:18:58 AM - Windows Update
    RP319: 12/10/2009 9:52:32 AM - Scheduled Checkpoint
    RP321: 12/10/2009 12:38:55 PM - Windows Defender Checkpoint
    RP322: 12/11/2009 5:54:05 AM - Windows Update
    RP323: 12/12/2009 8:53:18 AM - Scheduled Checkpoint
    RP325: 12/12/2009 9:25:30 AM - Windows Defender Checkpoint
    RP326: 12/14/2009 10:13:32 AM - Scheduled Checkpoint
    RP327: 12/14/2009 10:41:21 AM - Windows Update
    RP328: 12/15/2009 7:36:33 AM - Scheduled Checkpoint

    ==== Installed Programs ======================

    Adobe Acrobat 7.0 Professional
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.3
    Adobe Shockwave Player
    AIM 6
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Driver Installation Program
    Bonjour
    Cards_Calendar_OrderGift_DoMorePlugout
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    Conexant HD Audio
    CyberLink DVD Suite
    ESU for Microsoft Vista
    HDAUDIO Soft Data Fax Modem with SmartCP
    Herramienta de carga de Windows Live
    Hewlett-Packard Active Check for Health Check
    Hewlett-Packard Asset Agent for Health Check
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP DVD Play 3.7
    HP Help and Support
    HP Photosmart Essential 2.5
    HP Quick Launch Buttons 6.40 F1
    HP Smart Web Printing
    HP Total Care Advisor
    HP Update
    HP User Guides 0121
    HP Wireless Assistant
    HPNetworkAssistant
    HPPhotoSmartDiscLabel_PaperLabel
    HPPhotoSmartDiscLabel_PrintOnDisc
    HPPhotoSmartDiscLabel_Tattoo
    HPPhotoSmartDiscLabelContent1
    hpphotosmartdisclabelplugin
    HPPhotoSmartPhotobookHolidayPack1
    HPPhotoSmartPhotobookModernPack1
    HPPhotoSmartPhotobookPlayfulPack1
    HPPhotoSmartPhotobookScrapbookPack1
    HPPhotoSmartPhotobookWebPack1
    HPTCSSetup
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java(TM) 6 Update 17
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    LabelPrint
    LightScribe System Software 1.12.33.2
    Malwarebytes' Anti-Malware
    Mate Programming utility Ver 2.2.1
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 6.1
    My HP Games
    NetWaiting
    OGA Notifier 2.0.0048.0
    Power2Go
    PowerDirector
    PSSWCORE
    QuickPlay SlingPlayer 0.4.6
    QuickTime
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek USB 2.0 Card Reader
    Synaptics Pointing Device Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VideoToolkit01
    Viewpoint Media Player
    WhiteCap
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    12/15/2009 8:23:41 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mfetdik
    12/15/2009 8:23:41 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    12/15/2009 8:23:14 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.33 for the Network Card with network address 00234D086C4B has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    12/13/2009 2:24:00 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.34 for the Network Card with network address 00234D086C4B has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================
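The DDS "Pseudo HJT Report" above lists every Run-key value on the machine as one flat block, which is easy to skim past. The two checks a responder applies to such a block are: which entries launch from a user-writable directory (AppData, Temp, ProgramData) rather than Program Files or Windows, and which borrow the name of a Windows logon component while pointing outside C:\Windows. In this log the `uRun: [userinit]` entry does both. The script below is an added example, not part of this thread or of the DDS tool; it parses uRun/mRun lines (a constructed sample copied from the log above) and flags both patterns. The list of mimicked component names, the user-writable path fragments and the environment-variable expansions are assumptions for a default Vista install.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: Run-key lines copied from the DDS report in this thread.
SAMPLE_LOG = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [userinit] c:\users\dennis\appdata\roaming\sdra64.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe "
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [<NO NAME>]
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
"""

# Assumed: names of Windows logon/system components that malware likes to borrow.
# The real ones live under %SystemRoot%, so the same name elsewhere is a disguise.
SYSTEM_NAMES = {"userinit", "winlogon", "explorer", "svchost", "lsass", "csrss",
                "services", "smss", "spoolsv", "taskmgr"}

# Assumed: directory fragments a standard user can write to. A persistent
# autorun living here needs no installer privileges, which is why it is suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\",
                 "\\documents and settings\\")

RUN_LINE = re.compile(r"^\s*([um]Run):\s*\[(.*?)\]\s*(.*)$")
UNQUOTED_IMAGE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))(?:\s|$)",
                            re.IGNORECASE)


@dataclass
class Finding:
    hive: str                 # "uRun" = HKCU Run, "mRun" = HKLM Run (DDS convention)
    name: str                 # value name inside the Run key
    image: Optional[str]      # executable the value launches, if one could be parsed
    reasons: List[str] = field(default_factory=list)


def _image_path(command: str) -> Optional[str]:
    """Pull the executable out of a Run-key command line, quoted or bare."""
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].strip() if end > 1 else None
    m = UNQUOTED_IMAGE.match(command)
    return m.group(1) if m else command.split()[0]


def _normalise(path: str) -> str:
    """Lower-case and expand the env-var forms DDS prints (assumed default paths)."""
    p = path.lower()
    return (p.replace("%programfiles%", "c:\\program files")
             .replace("%systemroot%", "c:\\windows"))


def triage_autoruns(log_text: str) -> List[Finding]:
    """Return the Run-key entries that match either suspicious pattern."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = RUN_LINE.match(line)
        if not m:
            continue
        hive, name, command = m.groups()
        image = _image_path(command)
        f = Finding(hive, name, image)
        if image is None:
            f.reasons.append("empty value (usually harmless, but stray entries are worth noting)")
        else:
            p = _normalise(image)
            if any(frag in p for frag in USER_WRITABLE) and "\\program files" not in p:
                f.reasons.append("image lives in a user-writable profile/temp directory")
            base = name.lower()
            base = base[:-4] if base.endswith(".exe") else base
            if base in SYSTEM_NAMES and not p.startswith("c:\\windows\\"):
                f.reasons.append(
                    f"value name mimics Windows component '{base}' but image is outside C:\\Windows")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for hit in triage_autoruns(SAMPLE_LOG):
        print(f"{hit.hive} [{hit.name}] -> {hit.image}")
        for r in hit.reasons:
            print(f"    * {r}")
```

Run against the sample, the only entry flagged on both counts is `uRun: [userinit]` launching `sdra64.exe` from the user's roaming profile; everything under Program Files or C:\Windows passes. The script is a triage aid, not a verdict: a flagged entry still needs the file hashed and checked, and an unflagged list does not prove a box clean, since services, BHOs and Winlogon values are outside its scope.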
     
  5. 2009/12/15
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  6. 2009/12/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from [PM sent] to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     
  7. 2009/12/19
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    Attached are the two logs:
    ___________________________________
    ComboFix 09-11-23.02 - Dennis 12/19/2009 16:18.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1978.1169 [GMT -5:00]
    Running from: c:\users\Dennis\Desktop\3c786fgt5.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-1909263115-2301819743-1608281805-500
    c:\$recycle.bin\S-1-5-21-1909263115-2301819743-1608281805-500\desktop.ini
    c:\$recycle.bin\S-1-5-21-2395403662-305266162-357448060-500
    c:\$recycle.bin\S-1-5-21-2395403662-305266162-357448060-500\desktop.ini

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-19 to 2009-12-19 )))))))))))))))))))))))))))))))
    .

    2009-12-19 21:21 . 2009-12-19 21:21 -------- d-----w- c:\users\Default\AppData\Local\temp
    2009-12-09 16:22 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-09 16:21 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-09 16:21 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-09 11:07 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
    2009-12-09 01:00 . 2009-12-09 01:00 -------- d-----w- c:\users\oscar\Pokemon Esmeralda
    2009-12-07 20:41 . 2009-12-07 20:41 -------- d-----w- c:\users\Dennis\AppData\Roaming\Malwarebytes
    2009-12-07 20:41 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-07 20:41 . 2009-12-07 20:41 -------- d-----w- c:\programdata\Malwarebytes
    2009-12-07 20:41 . 2009-12-07 20:41 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-07 20:41 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-02 12:48 . 2009-12-02 12:48 -------- d-----w- c:\program files\iPod
    2009-12-02 12:43 . 2009-12-02 12:44 4096 d-----w- c:\program files\QuickTime
    2009-12-02 12:37 . 2009-12-02 12:37 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-26 03:02 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-11-25 23:03 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2009-11-25 23:03 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-09 16:36 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
    2009-12-07 14:43 . 2009-10-16 20:08 -------- d-sh--w- c:\users\Dennis\AppData\Roaming\lowsec
    2009-12-02 12:49 . 2009-04-08 17:49 4096 d-----w- c:\program files\iTunes
    2009-12-02 12:48 . 2009-04-05 14:55 -------- d-----w- c:\program files\Common Files\Apple
    2009-11-30 00:50 . 2008-06-27 18:51 4096 d-----w- c:\program files\Java
    2009-11-21 06:40 . 2009-12-09 11:09 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-21 06:34 . 2009-12-09 11:09 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-11-21 06:34 . 2009-12-09 11:09 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-11-21 04:59 . 2009-12-09 11:09 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-11-17 15:08 . 2009-11-17 15:08 -------- d-----w- c:\program files\Windows Portable Devices
    2009-11-17 15:08 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-11-17 15:03 . 2009-11-17 15:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2009-11-17 15:02 . 2009-11-17 15:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2009-11-11 00:01 . 2009-11-11 00:01 -------- d-----w- c:\program files\Microsoft
    2009-11-11 00:01 . 2009-11-11 00:01 -------- d-----w- c:\program files\Windows Live SkyDrive
    2009-11-11 00:01 . 2008-10-26 07:19 -------- d-----w- c:\program files\Windows Live
    2009-11-03 02:42 . 2009-10-03 13:07 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-11 10:17 . 2008-12-29 20:44 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-10-08 21:08 . 2009-11-17 02:59 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2009-10-08 21:08 . 2009-11-17 02:59 234496 ----a-w- c:\windows\system32\oleacc.dll
    2009-10-08 21:07 . 2009-11-17 02:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2009-10-01 01:02 . 2009-11-17 03:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
    2009-10-01 01:02 . 2009-11-17 03:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
    2009-10-01 01:02 . 2009-11-17 03:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
    2009-10-01 01:02 . 2009-11-17 03:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
    2009-10-01 01:02 . 2009-11-17 03:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
    2009-10-01 01:01 . 2009-11-17 03:02 546816 ----a-w- c:\windows\system32\wpd_ci.dll
    2009-10-01 01:01 . 2009-11-17 03:02 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
    2009-10-01 01:01 . 2009-11-17 03:02 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
    2009-10-01 01:01 . 2009-11-17 03:02 350208 ----a-w- c:\windows\system32\WPDSp.dll
    2009-10-01 01:01 . 2009-11-17 03:02 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
    2009-10-01 01:01 . 2009-11-17 03:02 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
    2009-10-01 01:01 . 2009-11-17 03:02 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
    2009-10-01 01:01 . 2009-11-17 03:02 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
    2009-10-01 01:01 . 2009-11-17 03:02 226816 ----a-w- c:\windows\system32\WpdMtp.dll
    2009-10-01 01:01 . 2009-11-17 03:02 33280 ----a-w- c:\windows\system32\WpdConns.dll
    2009-10-01 01:01 . 2009-11-17 03:02 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
    2009-09-25 02:10 . 2009-11-17 03:03 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2009-09-25 02:07 . 2009-11-17 03:03 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2009-09-25 02:04 . 2009-11-17 03:03 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2009-09-25 01:49 . 2009-11-17 03:03 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2009-09-25 01:48 . 2009-11-17 03:03 351232 ----a-w- c:\windows\system32\XpsPrint.dll
    2009-09-25 01:38 . 2009-11-17 03:03 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2009-09-25 01:36 . 2009-11-17 03:03 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2009-09-25 01:35 . 2009-11-17 03:03 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2009-09-25 01:33 . 2009-11-17 03:03 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2009-09-25 01:33 . 2009-11-17 03:03 829440 ----a-w- c:\windows\system32\d3d10warp.dll
    2009-09-25 01:33 . 2009-11-17 03:03 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2009-09-25 01:32 . 2009-11-17 03:03 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2009-09-25 01:31 . 2009-11-17 03:03 519680 ----a-w- c:\windows\system32\d3d11.dll
    2009-09-25 01:31 . 2009-11-17 03:03 486912 ----a-w- c:\windows\system32\d3d10level9.dll
    2009-09-25 01:31 . 2009-11-17 03:03 161280 ----a-w- c:\windows\system32\d3d10_1.dll
    2009-09-25 01:31 . 2009-11-17 03:03 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
    2009-09-25 01:31 . 2009-11-17 03:03 1030144 ----a-w- c:\windows\system32\d3d10.dll
    2009-09-25 01:31 . 2009-11-17 03:03 828928 ----a-w- c:\windows\system32\d2d1.dll
    2009-09-25 01:30 . 2009-11-17 03:03 481792 ----a-w- c:\windows\system32\dxgi.dll
    2009-09-25 01:30 . 2009-11-17 03:03 190464 ----a-w- c:\windows\system32\d3d10core.dll
    2009-09-25 01:27 . 2009-11-17 03:03 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2009-09-25 01:27 . 2009-11-17 03:03 37888 ----a-w- c:\windows\system32\cdd.dll
    2009-09-25 01:27 . 2009-11-17 03:03 793088 ----a-w- c:\windows\system32\FntCache.dll
    2009-09-25 01:27 . 2009-11-17 03:03 1064448 ----a-w- c:\windows\system32\DWrite.dll
    2009-09-24 22:54 . 2009-11-17 03:03 258048 ----a-w- c:\windows\system32\winspool.drv
    2009-09-24 22:54 . 2009-11-17 03:03 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2009-09-24 22:54 . 2009-11-17 03:03 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    1998-04-24 09:06 . 2008-10-26 08:27 463872 ----a-w- c:\program files\Convert.exe
    2008-06-27 16:02 . 2008-06-27 16:02 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "LightScribe Control Panel "= "c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
    "ehTray.exe "= "c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-06-17 145944]
    "QPService "= "c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "QlbCtrl.exe "= "c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-12 202032]
    "hpqSRMon "= "c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
    "HP Software Update "= "c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "hpWirelessAssistant "= "c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "ShStatEXE "= "c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI "= "c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "HP Health Check Scheduler "= "c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Acrobat Assistant 7.0 "= "c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "Malwarebytes Anti-Malware (reboot) "= "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-03 1394000]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-7-2 25214]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2 "=hex(b):70,85,e4,6d,cc,3d,ca,01

    R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [6/27/2008 1:46 PM 361808]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/23/2008 2:48 PM 24652]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [6/4/2008 12:54 PM 113664]
    S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/27/2008 12:46 PM 193840]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 9:23 PM 21504]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe "
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-04 c:\windows\Tasks\HPCeeScheduleForDennis.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-06-27 03:03]

    2009-12-19 c:\windows\Tasks\User_Feed_Synchronization-{B52CA351-7A24-4782-9EF0-C5900472DCEC}.job
    - c:\windows\system32\msfeedssync.exe [2009-12-09 04:59]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-19 16:21
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\users\Dennis\AppData\Local\Temp\catchme.dll 53248 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    Completion time: 2009-12-19 16:26
    ComboFix-quarantined-files.txt 2009-12-19 21:26

    Pre-Run: 34,221,277,184 bytes free
    Post-Run: 34,276,028,416 bytes free

    - - End Of File - - D89E8CF3BF622C0A97BFC49F312C9E48
    ___________________________________

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 4:30:16 PM, on 12/19/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe "
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9641 bytes
    ===========================

    I await additional comments and/or advice.

    Thanks.
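As an added example that is not part of this thread and not code from ComboFix or HijackThis: a small Python triage script that parses a few of the log lines posted above and flags the kinds of entries a helper reads first (hidden or system objects inside a user profile, an executable dropped straight into AppData\Roaming, a BHO whose file is missing, a service with no vendor information). The sample lines are copied from the logs in this thread; the flagging rules and the meaning of the attribute columns are assumptions made for illustration, not documented ComboFix behaviour.

```python
"""Triage helpers for ComboFix / HijackThis log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# ComboFix file-listing line, e.g.
#   2009-12-07 14:43 . 2009-10-16 20:08 -------- d-sh--w- c:\users\Dennis\AppData\Roaming\lowsec
# Column meaning of the 8-char attribute field is inferred from the posted logs
# (assumption): [0]=d(ir) [2]=s(ystem) [3]=h(idden) [4]=a(rchive) [6]=w(ritable).
CF_ENTRY = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Bare path line as printed under "Other Deletions".
CF_BARE_PATH = re.compile(r"^[a-z]:\\\S.*$", re.IGNORECASE)
# HijackThis line: "O2 - BHO: ...", "O23 - Service: ..."
HJT_ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")

EXE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


@dataclass
class Finding:
    source: str   # "combofix" or "hijackthis"
    reason: str
    item: str


def parse_combofix_entry(line: str) -> Optional[dict]:
    """Parse one ComboFix 'Files Created' / 'Find3M' line; None if not one."""
    m = CF_ENTRY.match(line.strip())
    if not m:
        return None
    attrs = m["attrs"]
    return {
        "mtime": m["mtime"],
        "ctime": m["ctime"],
        "size": None if m["size"].startswith("-") else int(m["size"]),
        "is_dir": attrs[0] == "d",
        "system": attrs[2] == "s",
        "hidden": attrs[3] == "h",
        "path": m["path"],
    }


def _in_user_profile(path: str) -> bool:
    p = path.lower()
    return "\\users\\" in p and "\\windows\\" not in p


def triage_combofix(lines: List[str]) -> List[Finding]:
    findings = []
    for raw in lines:
        line = raw.strip()
        entry = parse_combofix_entry(line)
        if entry:
            # hidden/system attributes on something in a user profile are
            # unusual for legitimate software and worth a closer look
            if (entry["hidden"] or entry["system"]) and _in_user_profile(entry["path"]):
                findings.append(Finding("combofix",
                                        "hidden/system object inside a user profile",
                                        entry["path"]))
            continue
        if CF_BARE_PATH.match(line):
            p = line.lower()
            # an executable sitting directly in AppData\Roaming, with no vendor subfolder
            if p.endswith(EXE_SUFFIXES) and re.search(r"\\appdata\\roaming\\[^\\]+$", p):
                findings.append(Finding("combofix",
                                        "executable directly under AppData\\Roaming",
                                        line))
    return findings


def triage_hijackthis(lines: List[str]) -> List[Finding]:
    findings = []
    for raw in lines:
        m = HJT_ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code == "O2" and body.endswith("(no file)"):
            # CLSID still registered but its DLL is gone: leftover of a removed component
            findings.append(Finding("hijackthis", "BHO registered with no file on disk", body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding("hijackthis", "service with no vendor information", body))
    return findings


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_COMBOFIX = r"""
c:\users\Dennis\AppData\Roaming\sdra64.exe
2009-12-19 21:29 . 2009-12-19 21:29 -------- d-----w- c:\program files\TrendMicro
2009-12-07 14:43 . 2009-10-16 20:08 -------- d-sh--w- c:\users\Dennis\AppData\Roaming\lowsec
2009-11-17 15:03 . 2009-11-17 15:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2008-06-27 16:02 . 2008-06-27 16:02 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
""".strip().splitlines()

SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
""".strip().splitlines()


def triage_all() -> List[Finding]:
    return triage_combofix(SAMPLE_COMBOFIX) + triage_hijackthis(SAMPLE_HJT)


if __name__ == "__main__":
    for f in triage_all():
        print(f"[{f.source}] {f.reason}: {f.item}")
```

The flags are prompts for a human reviewer, not verdicts: a hidden folder or an orphaned BHO can be harmless, but on this kind of log they are the entries to look up first rather than scroll past.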
     
  8. 2009/12/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    There is a new Combofix version out there, so....

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start > "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Restart computer.


    Please download ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. 2009/12/20
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    Attached is the "KittyFix" scan:
    ===================
    ComboFix 09-12-19.03 - Dennis 12/20/2009 10:38:40.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1978.1149 [GMT -5:00]
    Running from: c:\d o w n l o a d s\KittyFix.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Dennis\AppData\Roaming\sdra64.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
    .

    2009-12-19 21:29 . 2009-12-19 21:29 388096 ----a-r- c:\users\Dennis\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2009-12-19 21:29 . 2009-12-19 21:29 -------- d-----w- c:\program files\TrendMicro
    2009-12-09 16:22 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-12-09 16:21 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2009-12-09 16:21 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
    2009-12-09 11:07 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
    2009-12-09 01:00 . 2009-12-09 01:00 -------- d-----w- c:\users\oscar\Pokemon Esmeralda
    2009-12-07 20:41 . 2009-12-07 20:41 -------- d-----w- c:\users\Dennis\AppData\Roaming\Malwarebytes
    2009-12-07 20:41 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-12-07 20:41 . 2009-12-07 20:41 -------- d-----w- c:\programdata\Malwarebytes
    2009-12-07 20:41 . 2009-12-07 20:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-12-07 20:41 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-02 12:48 . 2009-12-02 12:48 -------- d-----w- c:\program files\iPod
    2009-12-02 12:43 . 2009-12-02 12:44 -------- d-----w- c:\program files\QuickTime
    2009-12-02 12:37 . 2009-12-02 12:37 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
    2009-11-26 03:02 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
    2009-11-25 23:03 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2009-11-25 23:03 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-12-09 16:36 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2009-12-07 14:43 . 2009-10-16 20:08 -------- d-sh--w- c:\users\Dennis\AppData\Roaming\lowsec
    2009-12-02 12:49 . 2009-04-08 17:49 -------- d-----w- c:\program files\iTunes
    2009-12-02 12:48 . 2009-04-05 14:55 -------- d-----w- c:\program files\Common Files\Apple
    2009-11-30 00:50 . 2008-06-27 18:51 -------- d-----w- c:\program files\Java
    2009-11-21 06:40 . 2009-12-09 11:09 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-11-21 06:34 . 2009-12-09 11:09 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2009-11-21 06:34 . 2009-12-09 11:09 71680 ----a-w- c:\windows\system32\iesetup.dll
    2009-11-21 04:59 . 2009-12-09 11:09 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-11-17 15:08 . 2009-11-17 15:08 -------- d-----w- c:\program files\Windows Portable Devices
    2009-11-17 15:08 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2009-11-17 15:03 . 2009-11-17 15:03 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2009-11-17 15:02 . 2009-11-17 15:02 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2009-11-11 00:01 . 2009-11-11 00:01 -------- d-----w- c:\program files\Microsoft
    2009-11-11 00:01 . 2009-11-11 00:01 -------- d-----w- c:\program files\Windows Live SkyDrive
    2009-11-11 00:01 . 2008-10-26 07:19 -------- d-----w- c:\program files\Windows Live
    2009-11-03 02:42 . 2009-10-03 13:07 195456 ------w- c:\windows\system32\MpSigStub.exe
    2009-10-11 10:17 . 2008-12-29 20:44 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-10-08 21:08 . 2009-11-17 02:59 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2009-10-08 21:08 . 2009-11-17 02:59 234496 ----a-w- c:\windows\system32\oleacc.dll
    2009-10-08 21:07 . 2009-11-17 02:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2009-10-01 01:02 . 2009-11-17 03:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
    2009-10-01 01:02 . 2009-11-17 03:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
    2009-10-01 01:02 . 2009-11-17 03:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
    2009-10-01 01:02 . 2009-11-17 03:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
    2009-10-01 01:02 . 2009-11-17 03:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
    2009-10-01 01:01 . 2009-11-17 03:02 546816 ----a-w- c:\windows\system32\wpd_ci.dll
    2009-10-01 01:01 . 2009-11-17 03:02 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
    2009-10-01 01:01 . 2009-11-17 03:02 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
    2009-10-01 01:01 . 2009-11-17 03:02 350208 ----a-w- c:\windows\system32\WPDSp.dll
    2009-10-01 01:01 . 2009-11-17 03:02 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
    2009-10-01 01:01 . 2009-11-17 03:02 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
    2009-10-01 01:01 . 2009-11-17 03:02 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
    2009-10-01 01:01 . 2009-11-17 03:02 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
    2009-10-01 01:01 . 2009-11-17 03:02 226816 ----a-w- c:\windows\system32\WpdMtp.dll
    2009-10-01 01:01 . 2009-11-17 03:02 33280 ----a-w- c:\windows\system32\WpdConns.dll
    2009-10-01 01:01 . 2009-11-17 03:02 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
    2009-09-25 02:10 . 2009-11-17 03:03 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2009-09-25 02:07 . 2009-11-17 03:03 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2009-09-25 02:04 . 2009-11-17 03:03 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2009-09-25 01:49 . 2009-11-17 03:03 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2009-09-25 01:48 . 2009-11-17 03:03 351232 ----a-w- c:\windows\system32\XpsPrint.dll
    2009-09-25 01:38 . 2009-11-17 03:03 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2009-09-25 01:36 . 2009-11-17 03:03 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2009-09-25 01:35 . 2009-11-17 03:03 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2009-09-25 01:33 . 2009-11-17 03:03 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2009-09-25 01:33 . 2009-11-17 03:03 829440 ----a-w- c:\windows\system32\d3d10warp.dll
    2009-09-25 01:33 . 2009-11-17 03:03 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2009-09-25 01:32 . 2009-11-17 03:03 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2009-09-25 01:31 . 2009-11-17 03:03 519680 ----a-w- c:\windows\system32\d3d11.dll
    2009-09-25 01:31 . 2009-11-17 03:03 486912 ----a-w- c:\windows\system32\d3d10level9.dll
    2009-09-25 01:31 . 2009-11-17 03:03 161280 ----a-w- c:\windows\system32\d3d10_1.dll
    2009-09-25 01:31 . 2009-11-17 03:03 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
    2009-09-25 01:31 . 2009-11-17 03:03 1030144 ----a-w- c:\windows\system32\d3d10.dll
    2009-09-25 01:31 . 2009-11-17 03:03 828928 ----a-w- c:\windows\system32\d2d1.dll
    2009-09-25 01:30 . 2009-11-17 03:03 481792 ----a-w- c:\windows\system32\dxgi.dll
    2009-09-25 01:30 . 2009-11-17 03:03 190464 ----a-w- c:\windows\system32\d3d10core.dll
    2009-09-25 01:27 . 2009-11-17 03:03 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2009-09-25 01:27 . 2009-11-17 03:03 37888 ----a-w- c:\windows\system32\cdd.dll
    2009-09-25 01:27 . 2009-11-17 03:03 793088 ----a-w- c:\windows\system32\FntCache.dll
    2009-09-25 01:27 . 2009-11-17 03:03 1064448 ----a-w- c:\windows\system32\DWrite.dll
    2009-09-24 22:54 . 2009-11-17 03:03 258048 ----a-w- c:\windows\system32\winspool.drv
    2009-09-24 22:54 . 2009-11-17 03:03 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2009-09-24 22:54 . 2009-11-17 03:03 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    1998-04-24 09:06 . 2008-10-26 08:27 463872 ----a-w- c:\program files\Convert.exe
    2008-06-27 16:02 . 2008-06-27 16:02 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-17 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-17 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-17 145944]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-05-12 202032]
    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-12-03 1394000]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-7-2 25214]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):70,85,e4,6d,cc,3d,ca,01

    R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [6/27/2008 1:46 PM 361808]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/23/2008 2:48 PM 24652]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [6/27/2008 12:46 PM 193840]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [6/4/2008 12:54 PM 113664]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 9:23 PM 21504]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-02-26 21:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.yahoo.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-12-20 10:45
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2009-12-20 10:49:25
    ComboFix-quarantined-files.txt 2009-12-20 15:49
    ComboFix2.txt 2009-12-19 21:27

    Pre-Run: 34,496,786,432 bytes free
    Post-Run: 34,251,718,656 bytes free

    - - End Of File - - 43F6EECD9D77DB18EC46591089DE24F0
    ===============

    I await further input / comments. Thanks!
     
  10. 2009/12/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Restart computer.


    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


    Post fresh HijackThis log as well.
     
  11. 2009/12/21
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    I downloaded the program from the link and tried to run it twice. The first scan takes an hour and reports that no virus was found. Both times, the full scan stops after about 2 hours and a message is shown that the program has stopped working. It further states that a virus was found and is filed under Dr.Web on the "C" drive, but I cannot find it. I tried looking for "DrWeb.csv" as you suggested, as well as any files created in the last 24 hours, but still cannot find it.

    Any other suggestions?
     
  12. 2009/12/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download, and install AVP Tool.
    After installation, leave all settings as they are, and simply click on the Scan button.
    When the scan is done, and any objects are found, click on the Neutralize all button.
    Next, click the Reports... button, then Save to file....
    Save the file to a known location as report.txt.
    Open report.txt in Notepad, copy all content, and post it in your next reply.

    Post fresh HijackThis log as well.
     
  13. 2009/12/21
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    I had difficulty in finding a report for the scan when settings were left "as is". It only showed "events" of starting / stopping the scan. I changed the setting to include the whole computer and the scan took 4 hours. I am not sure if these are the reports you are looking for or not, but I found them in the file listed as "virus removal tool". Please let me know if this is of help or if something else needs to be done.
    =====================
    Results of system analysis
    Kaspersky Virus Removal Tool 2010 9.0.0.722 (database released 21/12/2009; 15:25)

    List of processes
    File name PID Description Copyright MD5 Information
    c:\program files\hewlett-packard\hp health check\hphc_service.exe
    Script: Quarantine, Delete, BC delete, Terminate 3792 HP Health Check Service 2006 - 2008 Hewlett-Packard Development Company, L P. ?? 92.00 kb, rsAh,
    created: 6/16/2008 8:02:28 AM,
    modified: 6/16/2008 8:02:28 AM
    Command line:
    "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe"
    Detected:76, recognized as trusted 76
    Module name Handle Description Copyright MD5 Used by processes
    C:\Windows\assembly\GAC_MSIL\HP.ActiveSupportLibrary\2.0.0.1__01a974bc1760f423\HP.ActiveSupportLibrary.dll
    Script: Quarantine, Delete, BC delete 1886519296 HP Active Support Library 2008 Hewlett-Packard Development Company, L P. -- 3792
    C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\894183c0c47bd4772fbfad4c1a7e3b71\mscorlib.ni.dll
    Script: Quarantine, Delete, BC delete 1849556992 Microsoft Common Language Runtime Class Library © Microsoft Corporation. All rights reserved. -- 3792
    C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\5fada30bf7c201ababed5104184b9754\System.Runtime.Remoting.ni.dll
    Script: Quarantine, Delete, BC delete 1882193920 Microsoft .NET Runtime Object Remoting © Microsoft Corporation. All rights reserved. -- 3792
    C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\b0d40c6d0fc00ba251010b710ca452a6\System.ServiceProcess.ni.dll
    Script: Quarantine, Delete, BC delete 1887043584 .NET Framework © Microsoft Corporation. All rights reserved. -- 3792
    C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\7742aef93bc3679a986cb5dab148cd76\System.Web.ni.dll
    Script: Quarantine, Delete, BC delete 1693188096 System.Web.dll © Microsoft Corporation. All rights reserved. -- 3792
    C:\Windows\assembly\NativeImages_v2.0.50727_32\System\13cce38e8de5fd54853390e4e98abd0e\System.ni.dll
    Script: Quarantine, Delete, BC delete 1841627136 .NET Framework © Microsoft Corporation. All rights reserved. -- 3792
    Modules detected:674, recognized as trusted 668

    Kernel Space Modules Viewer
    Module Base address Size in memory Description Manufacturer
    C:\Users\Dennis\AppData\Local\Temp\a77Wf818.sys
    Script: Quarantine, Delete, BC delete C200A000 034000 (212992)
    C:\Windows\System32\drivers\adwci.sys
    Script: Quarantine, Delete, BC delete 805BB000 00E000 (57344)
    C:\Windows\System32\Drivers\dump_dumpata.sys
    Script: Quarantine, Delete, BC delete 8D530000 00B000 (45056)
    C:\Windows\System32\Drivers\dump_msahci.sys
    Script: Quarantine, Delete, BC delete 8D53B000 00A000 (40960)
    Modules detected - 199, recognized as trusted - 195

    Services
    Service Description Status File Group Dependencies
    Detected - 142, recognized as trusted - 142

    Drivers
    Service Description Status File Group Dependencies
    catchme
    Driver: Unload, Delete, Disable catchme Not started C:\Users\Dennis\AppData\Local\Temp\catchme.sys
    Script: Quarantine, Delete, BC delete Base
    IpInIp
    Driver: Unload, Delete, Disable IP in IP Tunnel Driver Not started C:\Windows\system32\DRIVERS\ipinip.sys
    Script: Quarantine, Delete, BC delete Tcpip
    NwlnkFlt
    Driver: Unload, Delete, Disable IPX Traffic Filter Driver Not started C:\Windows\system32\DRIVERS\nwlnkflt.sys
    Script: Quarantine, Delete, BC delete NwlnkFwd
    NwlnkFwd
    Driver: Unload, Delete, Disable IPX Traffic Forwarder Driver Not started C:\Windows\system32\DRIVERS\nwlnkfwd.sys
    Script: Quarantine, Delete, BC delete
    Detected - 239, recognized as trusted - 235

    Autoruns
    File name Status Startup method Description
    C:\WindowsSystem32\IoLogMsg.dll
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid, EventMessageFile
    Delete
    C:\Windows\SoftwareDistribution\Download\Install\WGAER_M.exe
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\Application\WGA Scanner, EventMessageFile
    Delete
    C:\Windows\System32\appmgmts.dll
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters, ServiceDll
    Delete
    C:\Windows\System32\igmpv2.dll
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2, EventMessageFile
    Delete
    C:\Windows\System32\ipbootp.dll
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP, EventMessageFile
    Delete
    C:\Windows\System32\iprip2.dll
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2, EventMessageFile
    Delete
    C:\Windows\system32\psxss.exe
    Script: Quarantine, Delete, BC delete -- Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Session Manager\SubSystems, Posix
    progman.exe
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, shell
    Delete
    rdpclip
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd, StartupPrograms
    Delete
    vgafix.fon
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fixedfon.fon
    Delete
    vgaoem.fon
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, oemfonts.fon
    Delete
    vgasys.fon
    Script: Quarantine, Delete, BC delete Active Registry key HKEY_LOCAL_MACHINE, Software\Microsoft\Windows NT\CurrentVersion\WOW\boot, fonts.fon
    Delete
    Autoruns items detected - 453, recognized as trusted - 441

    Microsoft Internet Explorer extension modules (BHOs, Toolbars ...)
    File name Type Description Manufacturer CLSID
    Elements detected - 11, recognized as trusted - 11

    Windows Explorer extension modules
    File name Destination Description Manufacturer CLSID
    IE User Assist {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}
    Delete
    Color Control Panel Applet {b2c761c6-29bc-4f19-9251-e6195265baf1}
    Delete
    Add New Hardware {7A979262-40CE-46ff-AEEE-7884AC3B6136}
    Delete
    Get Programs Online {3e7efb4c-faf1-453d-89eb-56026875ef90}
    Delete
    Taskbar and Start Menu {0DF44EAA-FF21-4412-828E-260A8728E7F1}
    Delete
    ActiveDirectory Folder {1b24a030-9b20-49bc-97ac-1be4426f9e59}
    Delete
    ActiveDirectory Folder {34449847-FD14-4fc8-A75A-7432F5181EFB}
    Delete
    Sam Account Folder {C8494E42-ACDD-4739-B0FB-217361E4894F}
    Delete
    Sam Account Folder {E29F9716-5C08-4FCD-955A-119FDB5A522D}
    Delete
    Control Panel command object for Start menu {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
    Delete
    Default Programs command object for Start menu {E44E5D18-0652-4508-A4E2-8A090067BCB0}
    Delete
    Folder Options {6dfd7c5c-2451-11d3-a299-00c04f8ef6af}
    Delete
    Explorer Query Band {2C2577C2-63A7-40e3-9B7F-586602617ECB}
    Delete
    View Available Networks {38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b}
    Delete
    Contacts folder {0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}
    Delete
    Windows Firewall {4026492f-2f69-46b8-b9bf-5654fc07e423}
    Delete
    Problem Reports and Solutions {fcfeecae-ee1b-4849-ae50-685dcf7717ec}
    Delete
    iSCSI Initiator {a304259d-52b8-4526-8b1a-a1d6cecc8243}
    Delete
    .cab or .zip files {911051fa-c21c-4246-b470-070cd8df6dc4}
    Delete
    Windows Search Shell Service {da67b8ad-e81b-4c70-9b91b417b5e33527}
    Delete
    Microsoft.ScannersAndCameras {00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}
    Delete
    "C:\Windows\System32\rundll32.exe" "C:\Program Files\\Windows Photo Gallery\PhotoViewer.dll",ImageView_COMServer {9D687A4C-1404-41ef-A089-883B6FBECDE6}
    Script: Quarantine, Delete, BC delete Windows Photo Gallery Viewer Autoplay Handler {9D687A4C-1404-41ef-A089-883B6FBECDE6}
    Delete
    Windows Sidebar Properties {37efd44d-ef8d-41b1-940d-96973a50e9e0}
    Delete
    Windows Features {67718415-c450-4f3c-bf8a-b487642dc39b}
    Delete
    Windows Defender {d8559eb9-20c0-410e-beda-7ed416aecc2a}
    Delete
    Mobility Center Control Panel {5ea4f148-308c-46d7-98a9-49041b1dd468}
    Delete
    "C:\Program Files\\Windows Media Player\wmprph.exe"
    Script: Quarantine, Delete, BC delete Windows Media Player Rich Preview Handler {031EE060-67BC-460d-8847-E4A7C5E45A27}
    Delete
    User Accounts {7A9D77BD-5403-11d2-8785-2E0420524153}
    Delete
    Elements detected - 286, recognized as trusted - 258

    Printing system extensions (print monitors, providers)
    File name Type Name Description Manufacturer
    Elements detected - 8, recognized as trusted - 8

    Task Scheduler jobs
    File name Job name Job status Description Manufacturer
    C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe
    Script: Quarantine, Delete, BC delete HPCeeScheduleForDennis.job The task is ready to run at its next scheduled time. CEEment Copyright 2005-2006
    Elements detected - 2, recognized as trusted - 1

    SPI/LSP settings
    Namespace providers (NSP) Provider Status EXE file Description GUID
    Detected - 7, recognized as trusted - 7
    Transport protocol providers (TSP, LSP) Provider EXE file Description
    Detected - 26, recognized as trusted - 26
    Results of automatic SPI settings check LSP settings checked. No errors detected


    TCP/UDP ports
    Port Status Remote Host Remote Port Application Notes
    TCP ports
    135 LISTENING 0.0.0.0 0 [844] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    139 LISTENING 0.0.0.0 0 [4] System
    Script: Quarantine, Delete, BC delete, Terminate
    445 LISTENING 0.0.0.0 0 [4] System
    Script: Quarantine, Delete, BC delete, Terminate
    5354 LISTENING 0.0.0.0 0 [1916] c:\program files\bonjour\mdnsresponder.exe
    Script: Quarantine, Delete, BC delete, Terminate
    5357 LISTENING 0.0.0.0 0 [4] System
    Script: Quarantine, Delete, BC delete, Terminate
    27015 ESTABLISHED 127.0.0.1 49158 [1900] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
    Script: Quarantine, Delete, BC delete, Terminate
    27015 LISTENING 0.0.0.0 0 [1900] c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
    Script: Quarantine, Delete, BC delete, Terminate
    49152 LISTENING 0.0.0.0 0 [524] c:\windows\system32\wininit.exe
    Script: Quarantine, Delete, BC delete, Terminate
    49153 LISTENING 0.0.0.0 0 [968] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    49154 LISTENING 0.0.0.0 0 [1020] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    49155 LISTENING 0.0.0.0 0 [584] c:\windows\system32\lsass.exe
    Script: Quarantine, Delete, BC delete, Terminate
    49156 LISTENING 0.0.0.0 0 [568] c:\windows\system32\services.exe
    Script: Quarantine, Delete, BC delete, Terminate
    49158 ESTABLISHED 127.0.0.1 27015 [3104] c:\program files\itunes\ituneshelper.exe
    Script: Quarantine, Delete, BC delete, Terminate
    55972 CLOSE_WAIT 200.60.190.9 80 [1988] c:\program files\mcafee\common framework\frameworkservice.exe
    Script: Quarantine, Delete, BC delete, Terminate
    UDP ports
    123 LISTENING -- -- [1216] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    137 LISTENING -- -- [4] System
    Script: Quarantine, Delete, BC delete, Terminate
    138 LISTENING -- -- [4] System
    Script: Quarantine, Delete, BC delete, Terminate
    500 LISTENING -- -- [1020] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    1900 LISTENING -- -- [1216] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    1900 LISTENING -- -- [1216] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    4500 LISTENING -- -- [1020] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    5353 LISTENING -- -- [1916] c:\program files\bonjour\mdnsresponder.exe
    Script: Quarantine, Delete, BC delete, Terminate
    5355 LISTENING -- -- [1448] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    49152 LISTENING -- -- [1916] c:\program files\bonjour\mdnsresponder.exe
    Script: Quarantine, Delete, BC delete, Terminate
    51949 LISTENING -- -- [1216] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    51950 LISTENING -- -- [1216] c:\windows\system32\svchost.exe
    Script: Quarantine, Delete, BC delete, Terminate
    55677 LISTENING -- -- [1916] c:\program files\bonjour\mdnsresponder.exe
    Script: Quarantine, Delete, BC delete, Terminate
    62842 LISTENING -- -- [2548] c:\program files\microsoft office\office11\winword.exe
    Script: Quarantine, Delete, BC delete, Terminate

    Downloaded Program Files (DPF)
    File name Description Manufacturer CLSID Source URL
    Elements detected - 5, recognized as trusted - 5

    Control Panel Applets (CPL)
    File name Description Manufacturer
    Elements detected - 21, recognized as trusted - 21

    Active Setup
    File name Description Manufacturer CLSID
    Elements detected - 10, recognized as trusted - 10

    HOSTS file
    Hosts file record



    127.0.0.1 localhost


    ::1 localhost



    Protocols and handlers
    File name Type Description Manufacturer CLSID
    mscoree.dll
    Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
    mscoree.dll
    Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
    mscoree.dll
    Script: Quarantine, Delete, BC delete Protocol Microsoft .NET Runtime Execution Engine () © Microsoft Corporation. All rights reserved. {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
    Elements detected - 22, recognized as trusted - 19

    Suspicious objects
    File Description Type
    \SystemRoot\system32\drivers\mfehidk.sys
    Script: Quarantine, Delete, BC delete Suspicion for Rootkit Kernel-mode hook


    --------------------------------------------------------------------------------

    Main script of analysis
    Windows version: Windows Vista (TM) Home Premium, Build=6002, SP="Service Pack 2"
    System Restore: enabled
    1.1 Searching for user-mode API hooks
    Analysis: kernel32.dll, export table found in section .text
    IAT modification detected: CreateProcessA - 01880010<>77011C28
    IAT modification detected: GetModuleFileNameA - 01880080<>7705B6BD
    IAT modification detected: GetModuleFileNameW - 018800F0<>7705B27E
    IAT modification detected: CreateProcessW - 01880160<>77011BF3
    IAT modification detected: LoadLibraryW - 01880240<>77039362
    IAT modification detected: LoadLibraryA - 01880320<>770394DC
    IAT modification detected: GetProcAddress - 01880390<>7705903B
    IAT modification detected: FreeLibrary - 01880400<>77053DB4
    Analysis: ntdll.dll, export table found in section .text
    Analysis: user32.dll, export table found in section .text
    Analysis: advapi32.dll, export table found in section .text
    Analysis: ws2_32.dll, export table found in section .text
    Analysis: wininet.dll, export table found in section .text
    Analysis: rasapi32.dll, export table found in section .text
    Analysis: urlmon.dll, export table found in section .text
    Analysis: netapi32.dll, export table found in section .text
    1.2 Searching for kernel-mode API hooks
    Driver loaded successfully
    SDT found (RVA=137B00)
    Kernel ntkrnlpa.exe found in memory at address 81E11000
    SDT = 81F48B00
    KiST = 81EBD82C (391)
    Function NtTerminateProcess (14E) - machine code modification Method of JmpTo. jmp A75832CB\SystemRoot\system32\drivers\mfehidk.sys, driver recognized as trusted
    Functions checked: 391, intercepted: 0, restored: 0
    1.3 Checking IDT and SYSENTER
    Analysis for CPU 1
    Analysis for CPU 2
    Checking IDT and SYSENTER - complete
    1.4 Searching for masking processes and drivers
    Checking not performed: extended monitoring driver (AVZPM) is not installed
    Driver loaded successfully
    1.5 Checking of IRP handlers
    Checking - complete
    >> Services: potentially dangerous service allowed: TermService (@%SystemRoot%\System32\termsrv.dll,-268)
    >> Services: potentially dangerous service allowed: SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
    >> Services: potentially dangerous service allowed: Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
    > Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
    >> Security: disk drives' autorun is enabled
    >> Security: administrative shares (C$, D$ ...) are enabled
    >> Security: anonymous user access is enabled
    >> Security: sending Remote Assistant queries is enabled
    >> Disable HDD autorun
    >> Disable autorun from network drives
    >> Disable CD/DVD autorun
    >> Disable removable media autorun
    >> Windows Explorer - show extensions of known file types
    System Analysis in progress
    System Analysis - complete

    Script commands
    Add commands to script:
    Blocking hooks using Anti-Rootkit
    Enable AVZGuard
    Operations with AVZPM (true=enable,false=disable)
    BootCleaner - import list of deleted files
    Registry cleanup after deleting files
    BootCleaner - activate
    Reboot
    Insert template for QuarantineFile() - quarantining file
    Insert template for BC_QrFile() - quarantining file via BootCleaner
    Insert template for DeleteFile() - deleting file
    Insert template for DelCLSID() - deleting CLSID item from registry
    Additional operations:
    Performance tweaking: disable service TermService (@%SystemRoot%\System32\termsrv.dll,-268)
    Performance tweaking: disable service SSDPSRV (@%systemroot%\system32\ssdpsrv.dll,-100)
    Performance tweaking: disable service Schedule (@%SystemRoot%\system32\schedsvc.dll,-100)
    Security tweaking: disable CD autorun
    Security tweaking: disable administrative shares
    Security tweaking: disable anonymous user access
    Security: disable sending Remote Assistant queries
    --------------------------------------------------------------------------------
    File list


    ===================
    <?xml version="1.0" encoding="windows-1251" ?>
    <!-- AVZ XML Report -->
    <AVZ Version="4.32" LogDate="12/21/2009 5:13:37 PM" WinDir="C:\Windows\" ProfileDir="C:\Users\Dennis" IsWow64="False" CompHash="033BA64A62C6D3222B6486CBC83E20A3">
    <PROCESS>
    <ITEM PID="3792" File="c:\program files\hewlett-packard\hp health check\hphc_service.exe" CheckResult="0" Descr="HP Health Check Service" LegalCopyright="2006 - 2008 Hewlett-Packard Development Company, L P." Hidden="0" CmdLine=""c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe"" Size="94208" Attr="rsAh" CreateDate="6/16/2008 8:02:28 AM" ChageDate="6/16/2008 8:02:28 AM" MD5="89F9E1984C1CD9E5F4FE39642D886E11" />
    </PROCESS>
    <DLL>
    <ITEM File="C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\894183c0c47bd4772fbfad4c1a7e3b71\mscorlib.ni.dll" CheckResult="-1" Descr="Microsoft Common Language Runtime Class Library" LegalCopyright="© Microsoft Corporation. All rights reserved." UsedBy="3792" Hidden="0" Size="11490816" Attr="rsAh" CreateDate="10/15/2009 7:18:31 AM" ChageDate="10/15/2009 7:18:35 AM" MD5="3C97E7131026A968C69892A3002F4003" />
    <ITEM File="C:\Windows\assembly\NativeImages_v2.0.50727_32\System\13cce38e8de5fd54853390e4e98abd0e\System.ni.dll" CheckResult="-1" Descr=".NET Framework" LegalCopyright="© Microsoft Corporation. All rights reserved." UsedBy="3792" Hidden="0" Size="7868416" Attr="rsAh" CreateDate="10/15/2009 7:19:43 AM" ChageDate="10/15/2009 7:19:44 AM" MD5="96D9CCDFCBDAB436BF49AD0ED15C18E3" />
    <ITEM File="C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\b0d40c6d0fc00ba251010b710ca452a6\System.ServiceProcess.ni.dll" CheckResult="-1" Descr=".NET Framework" LegalCopyright="© Microsoft Corporation. All rights reserved." UsedBy="3792" Hidden="0" Size="212992" Attr="rsAh" CreateDate="10/15/2009 7:46:41 AM" ChageDate="10/15/2009 7:46:41 AM" MD5="5EC62AE0A57DAB7CD546A8CFD5094F3C" />
    <ITEM File="C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\5fada30bf7c201ababed5104184b9754\System.Runtime.Remoting.ni.dll" CheckResult="-1" Descr="Microsoft .NET Runtime Object Remoting" LegalCopyright="© Microsoft Corporation. All rights reserved." UsedBy="3792" Hidden="0" Size="771584" Attr="rsAh" CreateDate="10/15/2009 7:46:26 AM" ChageDate="10/15/2009 7:46:26 AM" MD5="B49D32FBA5F5670B45663145947F717A" />
    <ITEM File="C:\Windows\assembly\GAC_MSIL\HP.ActiveSupportLibrary\2.0.0.1__01a974bc1760f423\HP.ActiveSupportLibrary.dll" CheckResult="-1" Descr="HP Active Support Library" LegalCopyright="2008 Hewlett-Packard Development Company, L P." UsedBy="3792" Hidden="0" Size="98304" Attr="rsAh" CreateDate="11/8/2008 1:45:07 AM" ChageDate="11/8/2008 1:45:08 AM" MD5="8AD53763BB3A4091D7731DE368BCB575" />
    <ITEM File="C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\7742aef93bc3679a986cb5dab148cd76\System.Web.ni.dll" CheckResult="-1" Descr="System.Web.dll" LegalCopyright="© Microsoft Corporation. All rights reserved." UsedBy="3792" Hidden="0" Size="11800576" Attr="rsAh" CreateDate="10/15/2009 7:46:33 AM" ChageDate="10/15/2009 7:46:33 AM" MD5="08DD0E0639AC0929C9A46E876CDBADF8" />
    </DLL>
    <KERNELOBJ>
    <ITEM File="C:\Users\Dennis\AppData\Local\Temp\a77Wf818.sys" CheckResult="-1" Base="C200A000" MemSize="034000" Descr="" LegalCopyright="" />
    <ITEM File="C:\Windows\System32\drivers\adwci.sys" CheckResult="-1" Base="805BB000" MemSize="00E000" Descr="" LegalCopyright="" />
    <ITEM File="C:\Windows\System32\Drivers\dump_dumpata.sys" CheckResult="-1" Base="8D530000" MemSize="00B000" Descr="" LegalCopyright="" />
    <ITEM File="C:\Windows\System32\Drivers\dump_msahci.sys" CheckResult="-1" Base="8D53B000" MemSize="00A000" Descr="" LegalCopyright="" />
    </KERNELOBJ>
    <Service />
    <Drivers>
    <ITEM File="C:\Users\Dennis\AppData\Local\Temp\catchme.sys" Name="catchme" CheckResult="-1" Type="1" State="1" />
    <ITEM File="C:\Windows\system32\DRIVERS\ipinip.sys" Name="IpInIp" CheckResult="-1" Type="1" State="1" />
    <ITEM File="C:\Windows\system32\DRIVERS\nwlnkflt.sys" Name="NwlnkFlt" CheckResult="-1" Type="1" State="1" />
    <ITEM File="C:\Windows\system32\DRIVERS\nwlnkfwd.sys" Name="NwlnkFwd" CheckResult="-1" Type="1" State="1" />
    </Drivers>
    <AUTORUN>
    <ITEM File="C:\WindowsSystem32\IoLogMsg.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\vsmraid" X3="EventMessageFile" />
    <ITEM File="C:\Windows\SoftwareDistribution\Download\Install\WGAER_M.exe" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\Application\WGA Scanner" X3="EventMessageFile" />
    <ITEM File="C:\Windows\System32\appmgmts.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters" X3="ServiceDll" />
    <ITEM File="C:\Windows\System32\igmpv2.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\IGMPv2" X3="EventMessageFile" />
    <ITEM File="C:\Windows\System32\ipbootp.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\IPBOOTP" X3="EventMessageFile" />
    <ITEM File="C:\Windows\System32\iprip2.dll" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="SYSTEM\CurrentControlSet\Services\Eventlog\System\IPRIP2" X3="EventMessageFile" />
    <ITEM File="C:\Windows\system32\psxss.exe" CheckResult="-1" Enabled="-1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="System\CurrentControlSet\Control\Session Manager\SubSystems" X3="Posix" />
    <ITEM File="progman.exe" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\WOW\boot" X3="shell" />
    <ITEM File="rdpclip" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" X3="StartupPrograms" />
    <ITEM File="vgafix.fon" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\WOW\boot" X3="fixedfon.fon" />
    <ITEM File="vgaoem.fon" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\WOW\boot" X3="oemfonts.fon" />
    <ITEM File="vgasys.fon" CheckResult="-1" Enabled="1" Type="REG" X1="HKEY_LOCAL_MACHINE" X2="Software\Microsoft\Windows NT\CurrentVersion\WOW\boot" X3="fonts.fon" />
    </AUTORUN>
    <BHO />
    <ExplorerExt>
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="IE User Assist" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Color Control Panel Applet" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{b2c761c6-29bc-4f19-9251-e6195265baf1}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Add New Hardware" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{7A979262-40CE-46ff-AEEE-7884AC3B6136}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Get Programs Online" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{3e7efb4c-faf1-453d-89eb-56026875ef90}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Taskbar and Start Menu" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{0DF44EAA-FF21-4412-828E-260A8728E7F1}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="ActiveDirectory Folder" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{1b24a030-9b20-49bc-97ac-1be4426f9e59}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="ActiveDirectory Folder" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{34449847-FD14-4fc8-A75A-7432F5181EFB}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Sam Account Folder" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{C8494E42-ACDD-4739-B0FB-217361E4894F}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Sam Account Folder" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{E29F9716-5C08-4FCD-955A-119FDB5A522D}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Control Panel command object for Start menu" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Default Programs command object for Start menu" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{E44E5D18-0652-4508-A4E2-8A090067BCB0}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Folder Options" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{6dfd7c5c-2451-11d3-a299-00c04f8ef6af}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Explorer Query Band" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{2C2577C2-63A7-40e3-9B7F-586602617ECB}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="View Available Networks" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Contacts folder" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Windows Firewall" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{4026492f-2f69-46b8-b9bf-5654fc07e423}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Problem Reports and Solutions" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{fcfeecae-ee1b-4849-ae50-685dcf7717ec}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="iSCSI Initiator" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{a304259d-52b8-4526-8b1a-a1d6cecc8243}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName=".cab or .zip files" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{911051fa-c21c-4246-b470-070cd8df6dc4}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Windows Search Shell Service" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{da67b8ad-e81b-4c70-9b91b417b5e33527}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Microsoft.ScannersAndCameras" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3}" Descr="" LegalCopyright="" />
    <ITEM File=""C:\Windows\System32\rundll32.exe" "C:\Program Files\\Windows Photo Gallery\PhotoViewer.dll",ImageView_COMServer {9D687A4C-1404-41ef-A089-883B6FBECDE6}" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Windows Photo Gallery Viewer Autoplay Handler" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{9D687A4C-1404-41ef-A089-883B6FBECDE6}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Windows Sidebar Properties" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{37efd44d-ef8d-41b1-940d-96973a50e9e0}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Windows Features" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{67718415-c450-4f3c-bf8a-b487642dc39b}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Windows Defender" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{d8559eb9-20c0-410e-beda-7ed416aecc2a}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Mobility Center Control Panel" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{5ea4f148-308c-46d7-98a9-49041b1dd468}" Descr="" LegalCopyright="" />
    <ITEM File=""C:\Program Files\\Windows Media Player\wmprph.exe"" CheckResult="-1" Enabled="1" ExtType="1" ExtName="Windows Media Player Rich Preview Handler" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{031EE060-67BC-460d-8847-E4A7C5E45A27}" Descr="" LegalCopyright="" />
    <ITEM File="" CheckResult="-1" Enabled="1" ExtType="1" ExtName="User Accounts" RegKey="SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" CLSID="{7A9D77BD-5403-11d2-8785-2E0420524153}" Descr="" LegalCopyright="" />
    </ExplorerExt>
    <PrintEXT />
    <TaskScheduler>
    <ITEM File="C:\Program Files\hewlett-packard\sdp\ceement\HPCEE.exe" CheckResult="-1" Enabled="124340704" Descr="CEEment" LegalCopyright="Copyright 2005-2006" Size="86016" Attr="rsAh" CreateDate="6/27/2008 12:22:22 PM" ChageDate="12/17/2007 10:03:48 PM" MD5="89F9670B7E1E76313646BA8692CB62CB" />
    </TaskScheduler>
    <SPI>
    <ITEM File="C:\Windows\system32\NLAapi.dll" CheckResult="-1" SPIType="1" SPINaim="@%SystemRoot%\system32\nlasvc.dll,-1000" Descr="Network Location Awareness 2" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="48128" Attr="rsAh" CreateDate="1/20/2008 9:23:44 PM" ChageDate="1/20/2008 9:23:44 PM" MD5="D1A84F7D4CAFCFE2A32149FF418056E5" />
    <ITEM File="C:\Windows\system32\napinsp.dll" CheckResult="-1" SPIType="1" SPINaim="@%SystemRoot%\system32\napinsp.dll,-1000" Descr="E-mail Naming Shim Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="50176" Attr="rsAh" CreateDate="1/20/2008 9:24:29 PM" ChageDate="1/20/2008 9:24:29 PM" MD5="FC62A635063B762E1C3C60EA77279378" />
    <ITEM File="C:\Windows\system32\pnrpnsp.dll" CheckResult="-1" SPIType="1" SPINaim="@%SystemRoot%\system32\pnrpnsp.dll,-1000" Descr="PNRP Name Space Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="62464" Attr="rsAh" CreateDate="1/20/2008 9:25:26 PM" ChageDate="1/20/2008 9:25:26 PM" MD5="690D41DF1D555F96D4898A0F54EBA065" />
    <ITEM File="C:\Windows\system32\pnrpnsp.dll" CheckResult="-1" SPIType="1" SPINaim="@%SystemRoot%\system32\pnrpnsp.dll,-1001" Descr="PNRP Name Space Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="62464" Attr="rsAh" CreateDate="1/20/2008 9:25:26 PM" ChageDate="1/20/2008 9:25:26 PM" MD5="690D41DF1D555F96D4898A0F54EBA065" />
    <ITEM File="C:\Program Files\Bonjour\mdnsNSP.dll" CheckResult="-1" SPIType="1" SPINaim="mdnsNSP" Descr="Bonjour Namespace Provider" LegalCopyright="Copyright (C) 2003-2008 Apple Inc." Size="147456" Attr="rsAh" CreateDate="12/12/2008 11:11:44 AM" ChageDate="12/12/2008 11:11:44 AM" MD5="292F92469EFB2FD402E00742C06D539D" />
    <ITEM File="C:\Windows\System32\mswsock.dll" CheckResult="-1" SPIType="1" SPINaim="@%SystemRoot%\system32\wshtcpip.dll,-60103" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\System32\winrnr.dll" CheckResult="-1" SPIType="1" SPINaim="NTDS" Descr="LDAP RnR Provider DLL" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="19968" Attr="rsAh" CreateDate="9/21/2009 6:58:04 AM" ChageDate="4/11/2009 1:28:25 AM" MD5="C411C80F90D6732380352B98B37BBD53" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="@%SystemRoot%\System32\wshtcpip.dll,-60100" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="@%SystemRoot%\System32\wshtcpip.dll,-60101" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="@%SystemRoot%\System32\wshtcpip.dll,-60102" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="@%SystemRoot%\System32\wship6.dll,-60100" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="@%SystemRoot%\System32\wship6.dll,-60101" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="@%SystemRoot%\System32\wship6.dll,-60102" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="@%SystemRoot%\System32\wshqos.dll,-100" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="@%SystemRoot%\System32\wshqos.dll,-101" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="@%SystemRoot%\System32\wshqos.dll,-102" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="@%SystemRoot%\System32\wshqos.dll,-103" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{38D74C42-7C05-421A-B688-AE57C996E3AB}] SEQPACKET 0" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{38D74C42-7C05-421A-B688-AE57C996E3AB}] DATAGRAM 0" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{BF915CC9-97A0-4700-BA18-0AB31D1F14E2}] SEQPACKET 4" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip_{BF915CC9-97A0-4700-BA18-0AB31D1F14E2}] DATAGRAM 4" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{90313179-F634-4C75-8035-2F81A2FCE52A}] SEQPACKET 9" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{90313179-F634-4C75-8035-2F81A2FCE52A}] DATAGRAM 9" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{2BC16674-8E35-407A-A764-36B02DA058A9}] SEQPACKET 2" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{2BC16674-8E35-407A-A764-36B02DA058A9}] DATAGRAM 2" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{6794E47B-F327-4714-803B-E8DDB6BDEE54}] SEQPACKET 7" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{6794E47B-F327-4714-803B-E8DDB6BDEE54}] DATAGRAM 7" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{009BE3B1-3077-45B1-AA65-50875B1258FE}] SEQPACKET 6" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{009BE3B1-3077-45B1-AA65-50875B1258FE}] DATAGRAM 6" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{38D74C42-7C05-421A-B688-AE57C996E3AB}] SEQPACKET 1" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{38D74C42-7C05-421A-B688-AE57C996E3AB}] DATAGRAM 1" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BF915CC9-97A0-4700-BA18-0AB31D1F14E2}] SEQPACKET 5" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    <ITEM File="C:\Windows\system32\mswsock.dll" CheckResult="-1" SPIType="3" SPINaim="MSAFD NetBIOS [\Device\NetBT_Tcpip6_{BF915CC9-97A0-4700-BA18-0AB31D1F14E2}] DATAGRAM 5" Descr="Microsoft Windows Sockets 2.0 Service Provider" LegalCopyright="© Microsoft Corporation. All rights reserved." Size="223232" Attr="rsAh" CreateDate="9/21/2009 6:59:06 AM" ChageDate="4/11/2009 1:28:22 AM" MD5="8617350C9B590B63E620881092751BCB" />
    </SPI>
    <DPF />
    <CPL />
    <ActiveSetup />
    <HOSTS>
    <ITEM Line="127.0.0.1 localhost" />
    <ITEM Line="::1 localhost" />
    </HOSTS>
    <SuspFiles>
    <ITEM File="\SystemRoot\system32\drivers\mfehidk.sys" VirType="4" Descr="Kernel-mode hook" />
    </SuspFiles>
    <RK_KM>
    <ITEM File="\SystemRoot\system32\drivers\mfehidk.sys" FNaim="NtTerminateProcess" FIndx="334" HookPtr="82001D5D" HookType="2" />
    </RK_KM>
    <WIZARD-TSW>
    <ITEM ID="58" Level="3" Fixed="0" />
    <ITEM ID="59" Level="3" Fixed="0" />
    <ITEM ID="60" Level="1" Fixed="0" />
    <ITEM ID="61" Level="2" Fixed="0" />
    <ITEM ID="66" Level="1" Fixed="0" />
    </WIZARD-TSW>
    </AVZ>
    =====================
    I'll send the HijackThis scan separately.

    Thanks.
     
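Added example (not part of fantasma's post, and not AVZ's own code): the two entries in the AVZ report above that deserve a second look are the kernel modules loaded from C:\Users\Dennis\AppData\Local\Temp (a77Wf818.sys under KERNELOBJ, catchme.sys under Drivers) and the SuspFiles entry for mfehidk.sys. Kernel code running from a user-writable directory is the check a practitioner applies first, because it is exactly where a dropper that keeps re-installing its payload would put a driver. The caveat is that anti-rootkit tools had already been run on this machine (catchme.sys is the driver GMER and ComboFix load), and mfehidk.sys hooking NtTerminateProcess is consistent with the McAfee VirusScan Enterprise self-protection seen in the process list, so the script only surfaces items for the analyst, it does not declare them malicious. The Python below is a tolerant line scanner (AVZ output is not always well-formed XML, as the nested quotes in the Photo Gallery entry show); the embedded sample is a constructed excerpt of the posted report, the section and attribute names are the ones visible in it, and the severity rules are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the AVZ 4.32 report posted above (attribute spacing
# normalised); only the sections the triage rules look at are included.
SAMPLE_REPORT = r"""
<AVZ Version="4.32" LogDate="12/21/2009 5:13:37 PM" WinDir="C:\Windows\" ProfileDir="C:\Users\Dennis" IsWow64="False">
<KERNELOBJ>
<ITEM File="C:\Users\Dennis\AppData\Local\Temp\a77Wf818.sys" CheckResult="-1" Base="C200A000" MemSize="034000" Descr="" LegalCopyright="" />
<ITEM File="C:\Windows\System32\drivers\adwci.sys" CheckResult="-1" Base="805BB000" MemSize="00E000" Descr="" LegalCopyright="" />
</KERNELOBJ>
<Service />
<Drivers>
<ITEM File="C:\Users\Dennis\AppData\Local\Temp\catchme.sys" Name="catchme" CheckResult="-1" Type="1" State="1" />
<ITEM File="C:\Windows\system32\DRIVERS\ipinip.sys" Name="IpInIp" CheckResult="-1" Type="1" State="1" />
</Drivers>
<SuspFiles>
<ITEM File="\SystemRoot\system32\drivers\mfehidk.sys" VirType="4" Descr="Kernel-mode hook" />
</SuspFiles>
</AVZ>
"""

ITEM_RE = re.compile(r"<ITEM\s+(.*?)\s*/>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# Directories an unprivileged user can write to; kernel code has no business
# loading from any of them.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\|\\Documents and Settings\\[^\\]+\\|\\Temp\\", re.I)


def parse_avz(text):
    """Group the attributes of every <ITEM> by its enclosing section name.

    Deliberately not an XML parser: AVZ emits File= values with nested quotes,
    which a strict parser rejects, so we scan line by line instead.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<ITEM"):
            m = ITEM_RE.search(line)
            if m and current:
                sections[current].append(dict(ATTR_RE.findall(m.group(1))))
        elif line.startswith("</"):
            current = None
        elif line.startswith("<") and not line.endswith("/>"):
            current = line[1:].split(None, 1)[0].rstrip(">")
    return sections


def triage(sections):
    """Return (severity, section, path, reason) tuples for an analyst to review."""
    findings = []
    for section in ("KERNELOBJ", "Drivers"):
        for item in sections.get(section, []):
            path = item.get("File", "")
            if USER_WRITABLE_RE.search(path):
                findings.append(("high", section, path,
                                 "kernel code loaded from a user-writable directory"))
            elif section == "KERNELOBJ" and not (item.get("Descr") or item.get("LegalCopyright")):
                findings.append(("medium", section, path,
                                 "loaded kernel module carries no version information"))
    for item in sections.get("SuspFiles", []):
        findings.append(("review", "SuspFiles", item.get("File", ""),
                         "AVZ flagged: %s (VirType %s)" % (item.get("Descr", "?"),
                                                           item.get("VirType", "?"))))
    return findings


def report(text):
    """Parse, triage and print a report; returns the findings for further use."""
    order = {"high": 0, "medium": 1, "review": 2}
    findings = triage(parse_avz(text))
    for sev, section, path, reason in sorted(findings, key=lambda f: order[f[0]]):
        print("[%-6s] %-10s %s\n         %s" % (sev, section, path, reason))
    return findings


if __name__ == "__main__":
    report(SAMPLE_REPORT)
```

Run against the excerpt it prints the two Temp-directory drivers as high, adwci.sys as medium (no version information, which is also true of the legitimate dump_*.sys crash-dump drivers in the full report, so that rule is a prompt to look, not a verdict), and the McAfee hook as review. Feed it the whole report and the AUTORUN and SPI sections are parsed too; they simply have no rule attached here.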
  14. 2009/12/21
    fantasma (Well-Known Member, Thread Starter)

    Attached is the "HijackThis" log:

    ======================================



    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 4:30:16 PM, on 12/19/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe "
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9641 bytes
     
  15. 2009/12/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right-click on HijackThis and click Run as Administrator.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. 2009/12/22
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    The suggested scan logs are posted below. The first two took over 2 hours each.

    I have not seen the Trojan virus in the past several days. Perhaps all the scans we've done to diagnose this have removed it?

    Please comment if you think things should be "clean" or if other scans / operations are suggested.

    Also, I have the 3 or 4 recommended "Malware" and "antispy" programs installed now. Should I routinely run all of them?

    Thanks in advance.
    =======================================

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/22/2009 at 06:47 AM

    Application Version : 4.32.1000

    Core Rules Database Version : 4401
    Trace Rules Database Version: 2235

    Scan type : Complete Scan
    Total Scan Time : 00:35:38

    Memory items scanned : 270
    Memory threats detected : 0
    Registry items scanned : 7436
    Registry threats detected : 0
    File items scanned : 30961
    File threats detected : 6

    Adware.Tracking Cookie
    C:\Users\Dennis\AppData\Roaming\Microsoft\Windows\Cookies\Low\dennis@doubleclick[2].txt
    C:\Users\Dennis\AppData\Roaming\Microsoft\Windows\Cookies\Low\dennis@content.yieldmanager[3].txt
    C:\Users\Dennis\AppData\Roaming\Microsoft\Windows\Cookies\Low\dennis@ad.yieldmanager[2].txt
    C:\Users\Dennis\AppData\Roaming\Microsoft\Windows\Cookies\Low\dennis@ad.wsod[2].txt
    C:\Users\Dennis\AppData\Roaming\Microsoft\Windows\Cookies\Low\dennis@questionmarket[2].txt
    C:\Users\Dennis\AppData\Roaming\Microsoft\Windows\Cookies\Low\dennis@content.yieldmanager[2].txt


    Malwarebytes' Anti-Malware 1.42
    Database version: 3407
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18865

    12/22/2009 9:43:19 AM
    mbam-log-2009-12-22 (09-43-19).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 326417
    Time elapsed: 2 hour(s), 6 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 9:52:56 AM, on 12/22/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe "
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9204 bytes
    ==================================================
     
  17. 2009/12/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    =============================================================

    Disable Windows Defender, as it'll interfere with the cleaning process:
    - Open Windows Defender by clicking Start, clicking All Programs, and then clicking Windows Defender.
    - Click Tools
    then...

    ++ Windows XP:
    - Click General Settings
    - Scroll down to Real Time Protection Options
    - Uncheck Turn on Real Time Protection
    - After you uncheck this, click on the Save button
    - Close Windows Defender

    ++ Windows Vista:
    - Click Options
    - Under Administrator options, clear the Use Windows Defender check box, and then click Save.

    Enable Windows Defender, when all cleaning is done.

    ================================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?


    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    - O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    - O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    - O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    - O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    - O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    - O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    - O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [unless you have the paid version]
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [unless you have the paid version]



    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  18. 2009/12/22
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    I've tried your suggestions several times, but I keep getting a message that "system denied write access to Host files". This appears to be preventing me from deleting the checked files. I turned off WINDOWS DEFENDER by unchecking the box indicated. Perhaps some other programs or some other aspect of DEFENDER are preventing this function? Anyway, I attach the most recent HIJACK THIS file ... but I think it is the same as previous and suggested files were not removed.
    ==================
    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 4:30:16 PM, on 12/19/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18865)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Windows\system32\notepad.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe "
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 9641 bytes
    ===================================
     
  19. 2009/12/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    With Vista, you have to right click on HJT and click "Run As Administrator" as it was stated before.
    Please, try again.
     
  20. 2009/12/22
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    OK, I guess I overlooked this. When I right-click on the icon for the program (HJT), I find under Properties / Shortcut / Advanced the option for "Run as administrator", but the window is "greyed out" and doesn't allow me to select this. If I go back to "Programs" and select HJT, I find the same. Maybe I need to uninstall / re-install the program? Any suggestions?
     
  21. 2009/12/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, do so...
     
