File's

americancritic · Jan 6, 2011

Hello I have just found 3 wierd file's in my documents and don't know what they are and was wondering if someone could help.

1. ~E.tmp
2. ~E8.tmp
3. ~pp2.tmp

I have no idea what they are or how they got there but when I click on one it says (Windows cannot open this file) can someone tell me what they are and if they are safe to delete.

Thank You

americancritic

richc46 · Jan 6, 2011

Looks like malware
Run a full and updated virus scan
Run a full and updated malwarebytes scan

Lorien · Jan 7, 2011

Hi americancritic,

Welcome back.

These are all temp files - and as a general rule they are safe to delete (unless currently in use like if you're working on a Word document or if associated with malware - and then mostly to help identify the problem rather than that they shouldn't eventually be deleted). There is a special program designed for temp file problems - it removes ALL of them no matter where they are located. It is TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and you should download and save it to your desktop. When run, it will close everything else, so be sure to save anything you're working on and basically close all your programs. If it asks (and when done even if it doesn't ask), reboot to complete the process.

That should take care of the problem (though running the malware check recommended above by Richard FIRST is a good idea in case there are other problems that aren't just the existence of temp files and other measures are required instead of or before running TFC).

I hope this helps.

Good luck!

derekimo · Jan 7, 2011

Here's a little info on what those probably are,

E.TMP - Trojan.Agent/Gen | SUPERAntiSpyware

E8.TMP, Prevx

I would definitely run a full antivirus and malwarebytes scan as already suggested.

richc46 · Jan 7, 2011

I woiuld not just delete, I would make that anti virus scan to be safe. Those looke like something that should not be there, I agree with Derekirmo.
Take the safe road and be sure. We have people who would be glad to help if the scans give bad news.

Jacee · Jan 7, 2011

Hi americancritic, I was reading this topic and wondered when you deleted your old account and opened a new one ... did you change your passwords?
http://www.vistax64.com/browsers-mail/286569-windows-mail.html#post1309815

By all accounts, your computer is infected.

Warning! Backdoor Trojans

These are the most dangerous, and most widespread, type of Trojan.
Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.
If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one, if not an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breech.
More info can be found below:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
How to report ID theft, fraud, drive-by installs, hijacking and malware? Security | DSLReports.com, ISP Information
When should I re-format? How should I reinstall?
When should I re-format? How should I reinstall? Security | DSLReports.com, ISP Information
If you choose to format and reinstall see this link for instructions:
Windows: reformat and reinstall - Cyberwalker.com

Download Combofix from any of the links below, and save it to your desktop.<--Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Double click combofix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt
***A guide and tutorial on "How to use Combofix" can be found here:
A guide and tutorial on using ComboFix

richc46 · Jan 7, 2011

TY Jacee for teaching us all the correct way to handle these insidious problems

Lorien · Jan 7, 2011

Based on the situation, I sent Jacee a PM asking her to specifically examine this thread. It seems the situation is quite serious (moreso than I initially thought and I readily admit I underestimated it) - but it's now in very capable hands.

richc46 · Jan 7, 2011

I would have done the same after the results were in.That is why I suggested the test.

americancritic · Jan 7, 2011

Hello lastnight I ran a complete scan using Malwarebytes and it came back clean and then I ran my AV again and it came back clean but these things are still there so I am reading all the help from you guys and I will do what you suggest.

richc46 · Jan 7, 2011

Every member has their own speciality. Jacee is our resident Security expert. Follow what she tells you and this will be resolved.
The problem could be a serious Trojan, you want to get it removed.

americancritic · Jan 7, 2011

Hello I have run a complete scan from Malwarebytes and I will attach to this thread, I don't know who I am suppose to send this to so I will do it here. I hope this comes through and I ran another full AV scan lastnight along with the full scan from Malwarebytes.

derekimo · Jan 7, 2011

americancritic said:
Hello I have run a complete scan from Malwarebytes and I will attach to this thread, I don't know who I am suppose to send this to so I will do it here. I hope this comes through and I ran another full AV scan lastnight along with the full scan from Malwarebytes.

You can post them here.

This post here http://www.vistax64.com/general-discussion/286646-files.html#post1310250 should be your top priority at this point.

Jacee is well respected in these matters and you would do yourself a favor by following those instructions.

americancritic · Jan 7, 2011

Hello I did try and upload the results of the malwarebytes full scan so I will copy it here. For some reason or another I could no upload it so I copied and pasted it so you can see that it is showing no malware. I also ran another full AV scan and it came back with no virus's also. I will not do anything until someone gets back to me. Thank you all so much for helping me with this and will wait for future instructions.

americancritic

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5474

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/6/2011 9:39:45 PM
mbam-log-2011-01-06 (21-39-45).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 329127
Time elapsed: 1 hour(s), 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

derekimo · Jan 7, 2011

Can you please follow the instructions that Jacee gave you earlier here http://www.vistax64.com/general-discussion/286646-files.html#post1310250 then report back.

americancritic · Jan 7, 2011

Hello and thank you I will follow Jacee advice to the letter and I agree with you just by reading Jacee's post's to me that Jacee is very smart and has had a lot of training with these kind of things. Thanks to all how have helped me thus far.

americancritic · Jan 7, 2011

Hello and I am sorry but got a little confused on what and to whom I was suppose to send my info to. The first thing is I did a complete full scan using Malwarebytes and it came back fine and here is the file info. I also just finished doing one more full AV scan and it came back with no virus's and no problems. I am going to see if I can send the picture I made of these files I am talkng about. These are the things I have done thus far after my e-mail started acting up.
1, New post on this site
2, Ran a complete AV scan /came back fine / I had ran the AV twice and got the same results as far a these 6 things which I will resend in this post. I cleared the list and ran other full AV scan today which is 1-7-2001 and it came back fine and the 6 items did not come back up this time.
3, Check Disk /came back fine
4, A elevated command Defrag
5, Disk clean-up
6, Deleted my e-mail account from windows mail and then made a new one 3 different times either 3 or 4 days ago.
7, Ran a complete full Malwarebytes scan / came back fine
8, Ran a sfc /scannow /came back it had repaired some files but was unable to repair all of them
9, Ran a hardware diagnostic everything came back fine / was trying to rule out any other possibilitys of a computer problem.
10. I only have the factory system restore disk's from HP not the store bought full programs.
11, After all of this then In my documents I find the 3 files that looked very strange to me and when I clicked on them to see what they were it came up with this statement ( Windows cannot open this file) would you like to go to the internet or try opening it in another program.
12, I have downloaded the things from the nice people form vistax64 but have not done any of them yet, I want to make sure by re-reading all the info that has been sent to me through vista64 before I start. So with this post and the info I am sending if you still think I should go ahead with all that has been sent to me then I will go ahead and start the process.
I would like to thank you for all the help you are giving me on this matter and I am sure that with that help I will have m system back up in tip top shape very soon.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5474

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/6/2011 9:39:45 PM
mbam-log-2011-01-06 (21-39-45).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 329127
Time elapsed: 1 hour(s), 3 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detecte

americancritic · Jan 7, 2011

The first couple of full AV scans I did each time these came back up when the scan was done the one I did today they did not come back up after the scan was done.

1, 12-27-2010 Detected legal software that can be used by criminals for damaging your computer or personal data PDM. Rootshell
C:\user\tom\appdata\local\temp\NS1752.tmp\MSDAD3.tmp
2, 12-27-2010 Detected legal software that can be used by criminals for damaging your computer or personal data PMD. Rootshell
C:\user\tom\appdata\local\temp\NS1752.tmp\NSCABB3.tmp
3, 12-27-2010 Detected legal software that can be used by criminals for damaging your computer or personal data PDM.rootshell
C:\user\tom\appdata\local\temp\NSX8561.tmp\NSEA7D.tmp
4, 12-27-2010 Detected legal software that can be used by criminals for damaging your computer or personal data PDM.rootshell
C:\user\tom\appdata\local\temp\NSX8561.tmp\NSC10C.tmp
5, 12-27-2010 Detected legal software that can be used by criminals for damaging your computer or personal data PDM.rootshell
C:\user\tom\appdata\local\temp\NSX8561.tmp\NS8978.tmp
6, 12-27-2010 Detected legal software that can be used by criminals for damaging your computer or personal data PDM.rootshell
C:\program files(X86)PC-Doctor 5 for window \UNINST.EXE
1, 9:55:11 time
2, 9:55:07 time
3, 9:54:08 time
4, 9:53:58 time
5, 9:53:44 time
6, 9:54:43 time

Jacee · Jan 7, 2011

Please run Combofix, then copy and paste the log back in your next post.

americancritic · Jan 7, 2011

Hello I am finished running the combofix and here are the results you requested, I hope I have done everything right so that this will be helpful to you, please get back to me when you are finished and thank you again.

americancritic

Code:

[FONT=Calibri][SIZE=3]ComboFix 11-01-07.01 - Tom 01/07/2011  18:39:11.1.3 - x64[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.8062.5853 [GMT -8:00][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]Running from: c:\users\Tom\Desktop\ComboFix.exe[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]AV: Kaspersky Internet Security *Disabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]FW: Kaspersky Internet Security *Disabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]SP: Kaspersky Internet Security *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]

[FONT=Calibri][SIZE=3](((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]

[FONT=Calibri][SIZE=3]c:\windows\system32\jusched.exe[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]c:\windows\SysWow64\jusched.exe[/SIZE][/FONT]

[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3](((((((((((((((((((((((((   Files Created from 2010-12-08 to 2011-01-08  )))))))))))))))))))))))))))))))[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]

[FONT=Calibri][SIZE=3]2011-01-08 02:35 . 2011-01-08 02:36         --------   d-----w-                C:\32788R22FWJFW[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-07 18:24 . 2010-11-10 05:35         8199504                ----a-w-                c:\programdata\Microsoft\Windows Defender\Definition Updates\{9AFE9D31-0356-4D20-84A2-7C8DB0361551}\mpengine.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-07 04:35 . 2011-01-07 04:35         --------   d-----w-                c:\users\Tom\AppData\Roaming\Malwarebytes[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-07 04:35 . 2011-01-07 04:35         --------   d-----w-                c:\programdata\Malwarebytes[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-07 04:35 . 2010-12-21 02:09         38224    ----a-w-                c:\windows\SysWow64\drivers\mbamswissarmy.sys[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-07 04:35 . 2011-01-07 04:35         --------   d-----w-                c:\program files (x86)\Malwarebytes' Anti-Malware[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-07 01:55 . 2011-01-07 01:56         --------   d-----w-                c:\users\Tom\AppData\Roaming\ImgBurn[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-07 01:51 . 2011-01-07 01:51         --------   d-----w-                c:\program files (x86)\ImgBurn[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-04 22:15 . 2011-01-04 22:15         --------   d-----w-                c:\users\Tom\AppData\Local\ElevatedDiagnostics[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-04 06:02 . 2011-01-04 06:02         --------   d-----w-                c:\users\Tom\AppData\Roaming\Auslogics[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-04 06:02 . 2011-01-04 06:02         --------   d-----w-                c:\program files (x86)\Auslogics[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-04 01:02 . 2006-11-02 09:39         15821312             ----a-w-                c:\windows\SysWow64\imageres.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-04 00:58 . 2007-06-05 19:26         56496    ----a-w-                c:\windows\SysWow64\wbhelp2.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-03 02:15 . 2011-01-03 02:16         --------   d-----w-                c:\programdata\Yahoo![/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-03 02:15 . 2011-01-07 23:49         --------   d-----w-                c:\program files (x86)\Free Offers from Freeze.com[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2011-01-03 02:14 . 2011-01-03 02:14         --------   d-----w-                c:\users\Tom\AppData\Roaming\Yahoo![/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-31 19:53 . 2010-12-31 19:53         --------   d-----w-                c:\programdata\McAfee[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 21:11 . 2010-12-29 21:11         --------   d-----w-                c:\program files\Windows Journal[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 03:18 . 2011-01-03 22:34         --------   d-----w-                c:\windows\en[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 03:03 . 2011-01-03 22:34         --------   d-----w-                c:\program files (x86)\Microsoft SQL Server Compact Edition[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 02:50 . 2011-01-03 22:34         --------   d-----w-                c:\program files (x86)\Windows Live[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 02:48 . 2011-01-03 22:34         --------   d-----w-                c:\program files\Windows Live[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 02:41 . 2009-09-05 01:44         69464    ----a-w-                c:\windows\SysWow64\XAPOFX1_3.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 02:41 . 2009-09-05 01:44         515416  ----a-w-                c:\windows\SysWow64\XAudio2_5.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 02:41 . 2009-09-05 01:29         453456  ----a-w-                c:\windows\SysWow64\d3dx10_42.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 02:41 . 2006-11-29 21:06         3426072                ----a-w-                c:\windows\SysWow64\d3dx9_32.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 02:40 . 2010-12-29 03:29         --------   d-----w-                c:\users\Tom\AppData\Local\Windows Live[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 02:40 . 2010-12-29 02:40         --------   d-----w-                c:\program files (x86)\Common Files\Windows Live[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 02:39 . 2009-08-04 08:02         754688  ----a-w-                c:\windows\SysWow64\webservices.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-29 02:13 . 2010-12-29 02:13         --------   d-----w-                c:\program files (x86)\Belarc[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-28 05:55 . 2010-12-28 05:55         --------   d-----w-                c:\programdata\PC-Doctor for Windows[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-28 05:54 . 2010-12-28 05:55         --------   d-----w-                c:\program files\PC-Doctor for Windows[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-27 02:35 . 2010-12-27 02:35         --------   d-----w-                c:\programdata\Stardock[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-16 01:41 . 2010-11-02 06:27         165888  ----a-w-                c:\program files\Internet Explorer\sqmapi.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-13 19:08 . 2010-12-14 01:16         --------   d-----w-                c:\users\Guest\AppData\Local\Microsoft Games[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-13 05:04 . 2010-12-13 05:04         --------   d-----w-                c:\program files\CCleaner[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-12-10 20:49 . 2010-12-10 20:49         --------   d-----w-                c:\program files (x86)\IDI Magic[/SIZE][/FONT]

[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-11-16 09:32 . 2010-11-16 09:32         61744    ----a-w-                c:\windows\apppatch\AppPatch64\matsshim.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-11-13 02:53 . 2010-10-19 06:05         472808  ----a-w-                c:\windows\SysWow64\deployJava1.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-11-10 10:54 . 2010-11-10 10:54         49016    ----a-w-                c:\windows\SysWow64\sirenacm.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-11-10 10:28 . 2010-11-10 10:28         301936  ----a-w-                c:\windows\WLXPGSS.SCR[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-10-27 00:29 . 2010-11-24 07:18         370744  ----a-w-                c:\users\Tom\AppData\Roaming\Microsoft\Internet Explorer\Hewlett-Packard\SmartPrint\SmartPrintUpdate.exe[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-10-17 19:42 . 2010-10-17 19:42         525792  ----a-w-                c:\windows\DIFxAPI.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-10-17 19:42 . 2010-10-17 19:42         315392  ----a-w-                c:\windows\HideWin.exe[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]

[FONT=Calibri][SIZE=3](((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]*Note* empty entries & legit default entries are not shown [/SIZE][/FONT]
[FONT=Calibri][SIZE=3]REGEDIT4[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{1658D3A1-9E13-4196-A82A-D70D70880F36}][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-10-15 01:34              772096  ----a-w-                c:\program files (x86)\Hewlett-Packard\SmartPrint\QuickPrintBHO.dll[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-17 39408][/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-10-17 352976][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288][/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"EnableUIADesktopToggle"= 0 (0x0)[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~2\KASPER~1\KASPER~1\sbhook.dll[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"aux"=wdmaud.drv[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"DisableMonitoring"=dword:00000001[/SIZE][/FONT]

[FONT=Calibri][SIZE=3]R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-17 136176][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [2010-11-16 343856][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-06-10 11864][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2010-04-23 27736][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]S3 CAXHWBS2;CAXHWBS2;c:\windows\system32\DRIVERS\CAXHWBS2.sys [2008-05-08 411136][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-03 22544][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]S3 netr7364;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\DRIVERS\WUSB54GCx64.sys [2007-03-12 320512][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64k.sys [2008-12-20 33160][/SIZE][/FONT]


[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]2010-11-22 22:18              451872  ----a-w-                c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]Contents of the 'Scheduled Tasks' folder[/SIZE][/FONT]

[FONT=Calibri][SIZE=3]2011-01-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-17 22:12][/SIZE][/FONT]

[FONT=Calibri][SIZE=3]2011-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-17 22:12][/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]

[FONT=Calibri][SIZE=3]--------- x86-64 -----------[/SIZE][/FONT]


[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"Windows Defender"="%ProgramFiles%\Windows Defender\MSASCui.exe -hide" [X][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"RtHDVCpl"="RAVCpl64.exe" [2008-03-26 6150656][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-23 82464][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-23 15851040][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 2304904][/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"PCDrProfiler"="c:\program files\PC-Doctor for Windows\RunProfiler.exe" [2008-09-10 102912][/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"LoadAppInit_DLLs"=0x1[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\x64\sbhook64.dll[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]------- Supplementary Scan -------[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]uStart Page = hxxp://ww2.cox.com/myconnection/arizona/home.cox[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]uLocal Page = c:\windows\system32\blank.htm[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cndt[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]mLocal Page = c:\windows\SysWOW64\blank.htm[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]IE: Add to Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]- - - - ORPHANS REMOVED - - - -[/SIZE][/FONT]

[FONT=Calibri][SIZE=3]AddRemove-sp44626 - c:\hp\Softpaq\sp44626\sp44626.exe[/SIZE][/FONT]


[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]--------------------- LOCKED REGISTRY KEYS ---------------------[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@Denied: (A 2) (Everyone)[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="FlashBroker"[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"Enabled"=dword:00000001[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@Denied: (A 2) (Everyone)[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="Shockwave Flash Object"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"ThreadingModel"="Apartment"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="0"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="ShockwaveFlash.ShockwaveFlash.10"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="1.0"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="ShockwaveFlash.ShockwaveFlash"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@Denied: (A 2) (Everyone)[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="Macromedia Flash Factory Object"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"ThreadingModel"="Apartment"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="FlashFactory.FlashFactory.1"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="1.0"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="FlashFactory.FlashFactory"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@Denied: (A 2) (Everyone)[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="IFlashBroker4"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="{00020424-0000-0000-C000-000000000046}"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"Version"="1.0"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@Denied: (A 2) (Everyone)[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="Shockwave Flash"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@Denied: (A 2) (Everyone)[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@=""[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@="FlashBroker"[/SIZE][/FONT]

[FONT=Calibri][SIZE=3][HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings][/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@Denied: (A) (Users)[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@Denied: (A) (Everyone)[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]@Allowed: (B 1 2 3 4 5) (S-1-5-20)[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]"BlindDial"=dword:00000000[/SIZE][/FONT]
[FONT=Calibri][SIZE=3].[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]Completion time: 2011-01-07  18:58:11[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]ComboFix-quarantined-files.txt  2011-01-08 02:58[/SIZE][/FONT]

[FONT=Calibri][SIZE=3]Pre-Run: 512,966,615,040 bytes free[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]Post-Run: 512,876,449,792 bytes free[/SIZE][/FONT]

[FONT=Calibri][SIZE=3]Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6,20[/SIZE][/FONT]
[FONT=Calibri][SIZE=3]- - End Of File - - 072AF60D9A05C6833963DF24CD477409

[/SIZE][/FONT]

File's

My Computer

My Computer

Account Suspended

My Computer

Moderator

My Computer

My Computer

Security

My Computer

My Computer

Account Suspended

My Computer

My Computer

My Computer

My Computer

My Computer

Moderator

My Computer

My Computer

Moderator

My Computer

My Computer

Attachments

My Computer

My Computer

Security

My Computer

My Computer