[Solved] Malwarebytes keeps finding and removing the same root mbr and trojan viruses

Discussion in 'Virus and Malware Removal' started by ncgraham, Feb 18, 2011.

  1. Bobbye Helper on the Fringe

    I'd like to make a suggestion for you to consider: Remove all the toolbar/BHO entries for the IncrediMail MediaBar and the Conduit Toolbars. While using all of these, you are a sitting duck for adware, spyware and access to malware. You don't need any of them!
    You have 10 Registry entries just for the Incredimail Media Toolbar and the Conduit Toolbar.

    Keep IncrediMail if you want, but I would also recommend uninstalling it: Here is just one of many similar comments:
    I can remove these with script to run through Combofix. Please consider that all of these unneeded processes running increase your vulnerability on the internet.
  2. ncgraham Newcomer, in training

    I am willing to get rid of any toolbars I don't need. I would like to keep Incredimail though. I have been using it for years and have never had problems before. I will make sure I don't download from it. Thanks!
  3. Bobbye Helper on the Fringe

    I am advising you about the toolbars. It was a recommendation- nothing more. If you would like to keep Incredimail and the MediaBar, no problem. Same for the Conduit toolbars. I only wanted to make you aware of potential problems, not insisting that you get rid of them. If you use them and also enjoy Incredimail, just keep tabs on your system. Understand that anything from within your system that is making internet contact that you have specifically allowed, puts you at some risk.

    And think about the subject itself: "Malwarebytes keeps finding and removing the same root mbr and trojan viruses". This presents 2 possibilities:
    1. The malware is not being completely removed, or
    2. You are continuing to pick up the same malware by continuing with the same habits.

    The two of these come with about the same risks:
    c:\program files (x86)\ConduitEngine\ConduitEngine.dll
    c:\program files (x86)\IncrediMail_MediaBar_2\tbIncr.dll

    Please look at the number of deletions and quarantines in the Combofix logs. As long as you continue with file sharing and program activities that are known to have malware, even if you clean the system now, you will still 'keep finding' or 'finding again' malware entries and problems.
  4. ncgraham Newcomer, in training

    I am grateful for all your help, and I wasn't disputing your suggestion at all! I have no problem getting rid of toolbars. I have no clue what conduit is, or why I need it. Thanks!
  5. Bobbye Helper on the Fringe

    I didn't mean that as a dispute- just something you should be aware of.

    FYI: What is a Conduit Toolbar?
    Conduit Toolbar is a custom search toolbar that allows you to search for content such as pictures, videos, research and services on the Internet. A customized Conduit Toolbar can include your favorite links and search engines. The Incredimail Media Toolbar is a conduit toolbar specific for that program.
    =========================================
    I'm going to remove the toolbars I referred to. If you find you miss using the Incredimail Media Bar, feel free to download it again. This will not remove the Incredimail program. See if these removals will help keep the system clean:

    Please run this Custom CFScript: There is a lot of script so be sure the Navigation bars on the right side of the codebox and the lower part of the codebox allow everything in the codebox to be copied.

    [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\SysWOW64\wkloadxA3.dll
    c:\windows\SysWOW64\config\systemprofile\wkloadxA3.dll
    Folder::
    c:\users\Nic\AppData\Local\{771D28A5-DF20-4DA1-90DB-9902C82D8FC2}
    c:\users\Nic\AppData\Local\{76F76DB3-C5EF-45AF-821A-57D6759D6A5B}
    c:\users\Nic\AppData\Local\{A453EF90-82CA-4A11-AB1B-13DA4F7348BB}
    c:\users\Nic\AppData\Local\{D69F2751-E89A-4140-A4C1-2DF185B8B7FC}
    C:\Users\Nic\AppData\Local\{47607A5E-E2B5-495E-A5B4-0EDB6BA7E7D3}
    C:\Users\Nic\AppData\Local\{1812AFFD-CB40-43F6-89CC-58A61F53BC25}
    C:\Users\Nic\AppData\Local\{ED33F6E0-F16B-4164-BC1A-6D0916DB923B}
    C:\Users\Nic\AppData\Local\{C6B2D7C6-AF25-4BD7-A98A-12497E47E3EF}
    C:\Users\Nic\AppData\Local\{9D00F090-3133-4257-9B6F-5E6073D19141}
    C:\Users\Nic\AppData\Local\{407FD562-2CCE-4E57-B9EC-0F89D8F67C40}
    C:\Users\Nic\AppData\Local\{A509C605-7B4B-4AE5-9E79-25D6E1005FE7}
    C:\Users\Nic\AppData\Local\{A4D2399A-4452-4795-BB7B-F3055E5770FF}
    C:\Users\Nic\AppData\Local\{A0D51089-B749-4EE7-AA8D-2579B17A3636}
    C:\Users\Nic\AppData\Local\{0468DD39-82DF-4328-81D7-3A58D73CF977}
    C:\Users\Nic\AppData\Local\{8E0A0C6B-EC0A-43B1-A515-B79932DCF7F4}
    C:\Users\Nic\AppData\Local\{D348178D-24EE-4C15-ACB5-4A3495A864B5}
    c:\users\Nic\AppData\Local\{A453EF90-82CA-4A11-AB1B-13DA4F7348BB}
    c:\users\Nic\AppData\Local\{D69F2751-E89A-4140-A4C1-2DF185B8B7FC}
    C:\Program Files (x86)\uTorrentBar
    c:\program files (x86)\IncrediMail_MediaBar_2
    C:\Users\Nic\DoctorWeb
    C:\Program Files (x86)\ConduitEngine
    C:\Program Files (x86)\IncrediMail_MediaBar_2
    C:\Windows\Temp3A5F9D9C-1158-0844-7F10-BB21F11A82CA-Signatures
    Extra::
    File::
    C:\Program Files (x86)\Java\jre1.6.0\bin\npjava11.dll
    C:\Program Files (x86)\Java\jre1.6.0\bin\npjava12.dll
    C:\Program Files (x86)\Java\jre1.6.0\bin\npjava13.dll
    C:\Program Files (x86)\Java\jre1.6.0\bin\npjava14.dll
    C:\Program Files (x86)\Java\jre1.6.0\bin\npjava32.dll
    C:\Program Files (x86)\Java\jre1.6.0\bin\npjpi160.dll
    C:\Program Files (x86)\Java\jre1.6.0\bin\npoji610.dll
    Firefox::
    Firefox-:-Profile-  C:\Users\Nic\AppData\Roaming\Mozilla\Firefox\Profiles\lnkjgj5x.default\
    DDS::
    uRun: [NvCplDaemonTool] rundll32.exe C:\Users\Nic\WKLOAD~1.DLL,_IWMPEvents
    TB-X64: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - No File
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB-X64: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
    TB-X64: {D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0} - No File
    EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File
    RegLock::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"=- 
    [HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"=-
    Driver::
    Unknown DwProt
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
  6. ncgraham Newcomer, in training

    ComboFix 11-02-25.02 - Nic 02/26/2011 22:27:12.3.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4093.2456 [GMT -5:00]
    Running from: c:\users\Nic\Desktop\ComboFix.exe
    Command switches used :: c:\users\Nic\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    FILE ::
    "c:\program files (x86)\Java\jre1.6.0\bin\npjava11.dll"
    "c:\program files (x86)\Java\jre1.6.0\bin\npjava12.dll"
    "c:\program files (x86)\Java\jre1.6.0\bin\npjava13.dll"
    "c:\program files (x86)\Java\jre1.6.0\bin\npjava14.dll"
    "c:\program files (x86)\Java\jre1.6.0\bin\npjava32.dll"
    "c:\program files (x86)\Java\jre1.6.0\bin\npjpi160.dll"
    "c:\program files (x86)\Java\jre1.6.0\bin\npoji610.dll"
    "c:\windows\SysWOW64\config\systemprofile\wkloadxA3.dll"
    "c:\windows\SysWOW64\wkloadxA3.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Nic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\scandisk.lnk
    c:\users\Nic\WKLOAD~1.DLL

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
    .

    2011-02-27 04:18 . 2011-02-27 04:18 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-27 03:25 . 2011-02-11 07:30 7947600 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3467F618-2901-4D66-A8CF-3EE3535F1CF6}\mpengine.dll
    2011-02-27 03:13 . 2011-02-27 03:14 -------- d-----w- c:\users\Nic\AppData\Local\{82838471-9A36-4E48-9A14-E1DEFD857070}
    2011-02-25 03:03 . 2011-02-25 03:03 -------- d-----w- c:\windows\Sun
    2011-02-25 03:01 . 2011-02-25 03:00 472808 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-02-25 03:01 . 2011-02-25 03:00 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-02-25 01:32 . 2011-02-25 01:32 -------- d-----w- c:\users\Nic\AppData\Local\{2E26D92B-5A37-4187-9460-CABF264C736C}
    2011-02-24 22:32 . 2011-02-24 22:32 -------- d--h--w- c:\programdata\CanonIJEGV
    2011-02-23 17:43 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
    2011-02-23 17:43 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
    2011-02-23 02:20 . 2011-01-07 08:07 662528 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-02-23 02:20 . 2011-01-07 07:31 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
    2011-02-23 02:20 . 2011-01-07 08:07 475648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-23 02:20 . 2011-01-07 07:31 288256 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
    2011-02-23 02:16 . 2011-02-23 02:16 -------- d-----w- c:\users\Nic\AppData\Local\{291E6774-DBE6-42CC-9D9C-1AE73FAB0EC4}
    2011-02-21 20:20 . 2011-02-21 20:20 -------- d-----w- c:\users\Nic\AppData\Local\{E0B8749B-A086-4DCF-8DD3-F14BDBE69A83}
    2011-02-21 20:14 . 2011-02-21 20:14 -------- d-----w- C:\_OTM
    2011-02-21 04:39 . 2011-02-21 04:39 -------- d-----w- c:\program files (x86)\ESET
    2011-02-20 19:38 . 2011-02-20 19:38 7734208 ----a-w- c:\users\Nic\mbe-setup-1.50.1.1100.exe
    2011-02-20 19:31 . 2011-02-20 19:31 -------- d-----w- c:\users\Nic\AppData\Local\{771D28A5-DF20-4DA1-90DB-9902C82D8FC2}
    2011-02-20 19:26 . 2011-02-20 19:26 -------- d--h--w- c:\programdata\CanonIJSolutionMenu
    2011-02-20 19:11 . 2011-02-20 19:11 -------- d--h--w- c:\programdata\CanonIJMyPrinter
    2011-02-20 19:11 . 2011-02-24 22:32 -------- d-----w- c:\programdata\CanonIJPLM
    2011-02-20 18:51 . 2010-05-16 10:00 344064 ----a-w- c:\windows\system32\CNMLMA5.DLL
    2011-02-20 18:50 . 2011-01-06 18:09 109568 ----a-w- c:\windows\system32\CNC340I.dll
    2011-02-20 18:50 . 2011-01-06 18:07 102400 ----a-w- c:\windows\SysWow64\CNC340U.dll
    2011-02-20 18:50 . 2009-10-19 21:30 346624 ----a-w- c:\windows\system32\CNC340L.dll
    2011-02-20 18:50 . 2009-10-19 21:29 307200 ----a-w- c:\windows\SysWow64\CNC340L.dll
    2011-02-20 18:50 . 2008-08-25 23:02 15872 ----a-w- c:\windows\SysWow64\CNHMCA.dll
    2011-02-20 18:50 . 2011-01-06 18:09 1324544 ----a-w- c:\windows\system32\CNC340C.dll
    2011-02-20 18:50 . 2008-08-25 23:02 17920 ----a-w- c:\windows\system32\CNHMCA6.dll
    2011-02-20 18:41 . 2009-12-08 10:00 84480 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPPA5.DLL
    2011-02-20 18:41 . 2009-12-08 10:00 28672 ----a-w- c:\windows\system32\Spool\prtprocs\x64\CNMPDA5.DLL
    2011-02-20 18:39 . 2009-09-10 09:00 245760 ----a-w- c:\windows\system32\CNMIUA5.DLL
    2011-02-20 18:39 . 2011-02-20 18:39 -------- d-----w- c:\windows\system32\STRING
    2011-02-20 18:39 . 2009-10-09 15:01 144384 ----a-w- c:\windows\system32\CNMN6UI.DLL
    2011-02-20 18:39 . 2009-10-09 15:01 337920 ----a-w- c:\windows\system32\CNMN6PPM.DLL
    2011-02-20 18:39 . 2011-02-20 18:39 -------- d-----w- c:\windows\system32\CHM
    2011-02-19 19:46 . 2011-02-19 19:46 -------- d-----w- c:\users\Nic\AppData\Local\{76F76DB3-C5EF-45AF-821A-57D6759D6A5B}
    2011-02-18 19:39 . 2011-02-18 19:39 -------- d-----w- c:\users\Nic\AppData\Local\{A453EF90-82CA-4A11-AB1B-13DA4F7348BB}
    2011-02-18 03:19 . 2011-02-18 03:19 -------- d-----w- c:\users\Nic\AppData\Local\{D69F2751-E89A-4140-A4C1-2DF185B8B7FC}
    2011-02-17 04:13 . 2011-02-17 04:13 -------- d-----w- c:\users\Nic\AppData\Roaming\SUPERAntiSpyware.com
    2011-02-17 04:13 . 2011-02-17 04:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-02-17 04:13 . 2011-02-17 04:13 -------- d-----w- c:\programdata\!SASCORE
    2011-02-17 04:13 . 2011-02-17 04:13 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-02-16 13:01 . 2011-02-16 13:02 -------- d-----w- c:\users\Nic\AppData\Local\{A0D51089-B749-4EE7-AA8D-2579B17A3636}
    2011-02-16 06:25 . 2011-02-16 06:25 -------- d-----w- c:\programdata\Photo Notifier and Animation Creator
    2011-02-16 06:25 . 2011-02-16 06:25 -------- d-----w- c:\program files (x86)\Photo Notifier and Animation Creator
    2011-02-10 22:57 . 2011-02-10 23:09 -------- d-----w- c:\program files (x86)\JDownloader
    2011-02-09 16:11 . 2011-02-09 16:11 -------- d-----w- c:\program files (x86)\Applian Director
    2011-02-09 16:11 . 2011-02-09 16:11 -------- d-----w- c:\windows\Applian Director
    2011-02-09 16:10 . 2011-02-09 16:10 -------- d-----w- c:\program files (x86)\Replay Converter 4
    2011-02-09 16:10 . 2011-02-09 16:10 -------- d-----w- c:\windows\Replay Converter 4
    2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2011-01-29 05:01 . 2011-01-29 05:00 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8A3715C8-72A8-4357-BEE2-AD5F8378D611}\gapaengine.dll
    2011-01-29 05:00 . 2011-01-20 15:39 7844688 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5A3704C-BE6F-4138-88A6-18FBCB8AD5E6}\mpengine.dll
    2011-01-29 04:58 . 2011-01-29 04:58 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2011-01-29 04:56 . 2011-01-29 04:58 -------- d-----w- c:\program files\Microsoft Security Client
    2011-01-29 04:56 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
    2011-01-28 05:21 . 2011-01-28 05:21 -------- d-----w- c:\program files\iPod
    2011-01-28 05:21 . 2011-01-28 05:21 -------- d-----w- c:\program files\iTunes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-11 07:30 . 2010-06-04 23:17 7947600 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-12-20 23:09 . 2010-05-11 06:44 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2010-12-20 23:08 . 2010-05-11 06:44 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    .

    ((((((((((((((((((((((((((((( SnapShot_2011-02-21_03.38.16 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-14 04:54 . 2011-02-27 04:21 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2011-02-21 03:36 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2011-02-27 04:21 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2011-02-21 03:36 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-02-27 04:21 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2011-02-21 03:36 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-10-30 05:02 . 2011-02-27 03:13 64834 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-02-27 03:13 52114 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-10-30 00:00 . 2011-02-25 01:32 11448 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-507356439-3088909933-1585047825-1000_UserData.bin
    - 2009-10-29 18:13 . 2011-02-21 02:59 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-10-29 18:13 . 2011-02-27 03:16 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-02-22 03:02 . 2011-02-27 03:16 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-02-27 03:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2011-02-21 02:59 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:46 . 2011-02-25 01:38 78432 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    + 2009-10-30 07:03 . 2011-02-27 04:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-10-30 07:03 . 2011-02-21 03:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-10-30 07:03 . 2011-02-21 03:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-10-30 07:03 . 2011-02-27 04:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-10-29 18:24 . 2011-02-27 04:20 3279 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat
    - 2009-10-29 18:24 . 2011-02-21 03:35 3279 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Bluetooth\bthservsdp.dat
    - 2011-02-21 03:36 . 2011-02-21 03:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-02-27 04:21 . 2011-02-27 04:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-02-27 04:21 . 2011-02-27 04:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-02-21 03:36 . 2011-02-21 03:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-02-25 03:01 . 2011-02-25 03:00 157472 c:\windows\SysWOW64\javaws.exe
    + 2011-02-25 03:01 . 2011-02-25 03:00 145184 c:\windows\SysWOW64\javaw.exe
    + 2011-02-25 03:01 . 2011-02-25 03:00 145184 c:\windows\SysWOW64\java.exe
    + 2009-10-29 23:11 . 2011-02-24 20:57 303374 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2009-07-14 05:01 . 2011-02-21 03:35 723044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-02-27 04:20 723044 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2010-12-08 20:22 . 2011-02-27 04:20 856912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-507356439-3088909933-1585047825-1000-8192.dat
    - 2010-12-08 20:22 . 2011-02-19 01:23 856912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-507356439-3088909933-1585047825-1000-8192.dat
    + 2011-02-21 20:15 . 2011-02-22 07:00 893208 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-507356439-3088909933-1585047825-1000-12288.dat
    + 2011-02-25 03:03 . 2011-02-25 03:03 183808 c:\windows\Installer\532308.msi
    - 2009-07-14 04:45 . 2011-02-09 08:27 3834178 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2009-07-14 04:45 . 2011-02-23 22:20 3834178 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2009-07-14 02:34 . 2011-02-27 04:35 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    - 2009-07-14 02:34 . 2011-02-20 19:43 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2011-02-25 02:59 . 2011-02-25 02:59 12565504 c:\windows\Installer\532303.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IncrediMail"="c:\program files (x86)\IncrediMail\bin\IncMail.exe" [2011-02-16 353736]
    "CursorFX"="c:\program files (x86)\Stardock\CursorFX\CursorFX.exe" [2010-01-30 654848]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-23 39408]
    "msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
    "Zinio DLM"="c:\program files (x86)\Zinio\ZinioReader.exe" [2009-07-21 2707526]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2988784]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2009-05-26 317288]
    "SmartWiHelper"="c:\program files (x86)\Sony\SmartWi Connection Utility\SmartWiHelper.exe" [2009-09-02 80384]
    "SysMetrix"="c:\program files (x86)\SysMetrix\SysMetrix.exe" [2010-02-17 2621440]
    "AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]

    c:\users\Nic\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Gloss Lavender Clock Gadget.lnk - c:\users\Nic\Desktop\Nic's Theme Gadgets\Gloss Lavender\Gadgets\Gloss Lavender Clock\Gloss Lavender Clock.exe [2009-12-7 821760]
    Gloss Lavender Weather.lnk - c:\users\Nic\Desktop\Nic's Theme Gadgets\Gloss Lavender\Gadgets\Gloss Lavender Weather\Gloss Lavender Weather.exe [2009-12-7 716800]
    Impulse Now.lnk - c:\program files (x86)\Stardock\Impulse\Now\ImpulseNow.exe [2009-10-27 476464]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    PMB Media Check Tool.lnk - c:\program files (x86)\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-10-29 333088]
    scandisk.lnk - c:\windows\system32\rundll32.exe [2009-7-13 45568]
    scanmdiskdk85.dll [2009-7-13 610304]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-1-24 1069608]

    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    IconPackager.lnk - c:\program files (x86)\Stardock\Object Desktop\IconPackager\IconPackager.exe [2009-10-29 992648]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    VESWinlogon.dll [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
    2010-11-29 18:40 534832 ----a-w- c:\progra~2\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer1"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate1ca588b4d28cf3f;Google Update Service (gupdate1ca588b4d28cf3f);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-29 133104]
    R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-06-26 362992]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 40832]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 72064]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 282616]
    R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-06-26 313840]
    R3 SampleCollector;Intel(R) Sample Collector;c:\program files\Sony\VAIO Care\collsvc.exe [2009-09-17 167424]
    R3 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [2009-07-17 120104]
    R3 SOHDBSvr;VAIO Media plus Database Manager;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [2009-07-17 70952]
    R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [2009-07-17 427304]
    R3 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [2009-07-17 75048]
    R3 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [2009-07-17 91432]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-09-28 51712]
    R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2009-06-26 468264]
    R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [2009-01-17 110376]
    R3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe [2009-12-09 1164656]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-04 1255736]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 306416]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-05-20 55280]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2010-06-29 128752]
    S2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [2008-09-18 104960]
    S2 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [2009-07-22 642920]
    S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2008-04-24 19968]
    S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-02-05 36392]
    S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-09-09 5435904]
    S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2008-11-19 11392]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]

    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-29 11:30]

    2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-10-29 11:30]
    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-09 1674536]
    "RtHDVCpl"="RAVCpl64.exe" [2008-09-16 6430208]
    "Skytel"="Skytel.exe" [2008-09-16 1826816]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-18 16334368]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 163568]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 1436224]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://msn.com/
    uDefault_Search_URL = hxxp://www.Google.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchAssistant = hxxp://www.Google.com/
    uCustomizeSearch = hxxp://www.Google.com/
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files (x86)\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
    FF - ProfilePath - c:\users\Nic\AppData\Roaming\Mozilla\Firefox\Profiles\lnkjgj5x.default\
    FF - prefs.js: browser.startup.homepage - hxxp://mystart.incredimail.com/
    FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_im2_test_v2&search=
    FF - prefs.js: browser.search.selectedEngine - MyStart Search
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    - - - - ORPHANS REMOVED - - - -

    Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe
    WebBrowser-{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0} - (no file)



    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SampleCollector]
    "ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Canon\IJPLM\IJPLMSVC.EXE
    c:\program files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files (x86)\Sony\VAIO Event Service\VESMgr.exe
    c:\program files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    c:\windows\SysWOW64\DllHost.exe
    c:\program files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
    c:\program files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    c:\windows\SysWOW64\rundll32.exe
    c:\program files (x86)\IncrediMail\Bin\ImApp.exe
    c:\program files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-27 00:15:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-27 05:15
    ComboFix2.txt 2011-02-21 04:10
    ComboFix3.txt 2011-02-19 01:33

    Pre-Run: 147,093,696,512 bytes free
    Post-Run: 147,125,616,640 bytes free

    - - End Of File - - DEE0F608BDD6B19D70026B7F01C415C2
  7. Bobbye Helper on the Fringe

    Looking good! How is the system running?
  8. ncgraham Newcomer, in training

    It's running good thanks!
  9. Bobbye Helper on the Fringe

    Okay then- let's clean up!
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
      Creating a Restore Point in Windows 7:
      • Click on Start> right click on Computer> Properties
      • Select System Protection
      • Click on the Create button (near bottom)
      • Type a name for the Restore Point
      • Click on Create again to save the restore point.

      Deleting all but the most recent System Protection point in Windows 7
      1. Click Start> Computer> right click the C Drive and choose Properties> enter.
      2. Click Disk Cleanup from there.
      3. Click Clean up system files
        This restarts Disk Cleanup to run in elevated mode.
      4. Click the More Options tab
      5. Click the Clean up under System Restore and Shadow Copies.
      6. Click OK.
      7. You will get a confirmation screen> Just click Delete.
      8. Click OK on the Disk Cleanup Screen.
      9. Click Delete Files on the Confirmation screen.
      It will run the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
      Images courtesy lytebyte.

      Empty the Recycle Bin
      Let me know if you have any more questions.
  10. ncgraham Newcomer, in training

    Thank you so very much! You have been wonderful!
  11. Bobbye Helper on the Fringe

    You're very welcome! I'm leaving some tips for you to help keep the system clean.

    Tips for added security and safer browsing:
    1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
      This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
    2. Have layered Security:
      • Antivirus Software (only one): Both of the following programs are free and known to be good:
        [o]Avira-AntiVir-Personal-Free-Antivirus
        [o]Avast Free Version

        [o]Avira Free
        [o]Avast Home
      • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
        [o]Comodo
        [o]Zone Alarm
      • Antispyware: I recommend all of the following:
        [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
      [o]Download ZonedOut and save to your desktop. This replaces IE/Spyad and manages the Zones in Internet Explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
      IE/Spyad is no longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is up to date before adding sites to your restricted zone.
      Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites, ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroy's Immunization the problem goes away...
      [o]Replace the Hosts File
      MVPS Hosts files: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
      [o]Google Toolbar: Get the free Google Toolbar to help stop pop-up windows.
    3. Stay current on updates:
      [o] Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates.
      [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
      [o]Check this site: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
    4. Reset Cookies to prevent Tracking Cookies:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
    5. Do regular Maintenance
      Remove Temporary Internet Files regularly:
      [o]ATF Cleaner by Atribune
      OR
      [o]TFC
      Disable and Enable System Restore:
      [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
    6. Practice Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Use a Site Advisor
    The Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show how the site is rated for Trustworthiness, Vendor Reliability, Privacy, Child Safety. Your online email account (Google Mail, Yahoo! Mail and Hotmail) is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light. Green (2 shades), Amber/Yellow Caution, Red> not advised. A few sites haven't been rated and show as a blue flashlight.
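    The HOSTS-file mechanism mentioned in tip 2 above (blocking ad and tracker hosts by pointing them at 127.0.0.1) can be checked rather than taken on trust. The following is an added example, not code from the thread, from MVPS or from any tool named here. It parses a small HOSTS-style sample that is constructed inline (the hostnames and the 198.51.100.7 address are made up, not real MVPS entries) and sorts each entry into three buckets: hosts sinkholed to a loopback or unspecified address (the intended blocking), the normal localhost lines, and any hostname that points somewhere else. That last bucket is the one worth looking at after a malware clean-up, because a HOSTS entry sending a real site to a non-local address is exactly what a hijack of this file looks like, and the same check works on any hosts file you read into it.

```python
"""Classify the entries of a Windows-style HOSTS file (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample laid out like an MVPS-style HOSTS file. None of these
# names or addresses come from the real MVPS list; they exist only for the demo.
SAMPLE_HOSTS = """\
# constructed sample, formatted like an MVPS-style HOSTS file
127.0.0.1 localhost
0.0.0.0 ads.example-adnetwork.test   # ad host sinkholed
127.0.0.1 tracker.example-metrics.test
127.0.0.1 banner.example-ads.test
# the next line is the shape of a hijacked entry: a real site sent elsewhere
198.51.100.7 www.example-bank.test
::1 localhost
"""

# Addresses that mean "block this name": the machine itself or the unspecified address.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback and should not be reported as blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from HOSTS text.

    Comments (anything after '#') and blank lines are ignored; a line may list
    several hostnames after one address, and malformed addresses are skipped.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # not a valid IPv4/IPv6 literal; skip the line
        for name in names:
            entries.append((address, name.lower()))
    return entries


def classify(entries: List[Tuple[str, str]]) -> Dict[str, list]:
    """Group entries into blocked (sinkholed), local, and suspect (redirected)."""
    report: Dict[str, list] = {"blocked": [], "local": [], "suspect": []}
    for address, name in entries:
        if name in LOCAL_NAMES:
            report["local"].append(name)
        elif address in SINKHOLE_ADDRESSES:
            report["blocked"].append(name)
        else:
            # A hostname mapped to a routable address: review by hand.
            report["suspect"].append((name, address))
    return report


def classify_file(path: str) -> Dict[str, list]:
    """Convenience wrapper for a real file, e.g. C:\\Windows\\System32\\drivers\\etc\\hosts."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return classify(parse_hosts(handle.read()))


if __name__ == "__main__":
    result = classify(parse_hosts(SAMPLE_HOSTS))
    print(f"{len(result['blocked'])} hosts sinkholed, "
          f"{len(result['suspect'])} entries need review: {result['suspect']}")
```

    To run it against the live file on Windows, call classify_file with the path in the docstring; on the constructed sample it reports three sinkholed hosts and one suspect entry.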