Inactive Vista Sirefef.r problem -- rebooting every minute

Morat20

My wife's laptop has got an awful infection that I can't even begin to tackle. It's managed to, so far, involve what I suspect are fake Blue Screen crashes, invalidation of my Windows Activation Key (or a fake version of that -- until I've got this sorted out, I'm not retyping my key), and the "Windows has encountered a critical error, rebooting in one minute" issue.

Oh, also it's got a browser redirect in IE I can't find, and Microsoft Security Essentials (when it runs) will identify Sirefef.r, but it tends to trigger the fake Blue Screen and reboot the system. Oh, and Windows Firewall is not only down, it refuses to come back up -- I can't even access the on/off switch on that.

I've tried to run the Farbar tool (plugged into a USB drive) -- except I don't seem to HAVE a "Systems Recovery Option". I hit F8 and get a choice between Safe Mode, Safe Mode with Command Prompt, Safe Mode with Networking, and some other stuff -- but no recovery option. So I had to run it from the command line. So I'm giving you what I have in the fond hopes someone can talk me through doing it right.

The laptop is running Vista Home Premium SP2, and the infection happened yesterday or the day before and the system seems to be getting progressively worse. Here's the abbreviated (from the Safe Mode Command Prompt) frst file:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by HRH Queen Adminia at 29-07-2012 13:15:09
Running from F:\
Service Pack 2 (X86) OS Language: English(US)
Attention: Could not load system hive.ERROR: The process cannot access the file because it is being used by another process.
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

============ One Month Created Files and Folders ==============
2012-07-29 13:15 - 2012-07-29 13:15 - 00000000 ____D C:\FRST
2012-07-29 12:46 - 2012-07-29 12:47 - 00000000 ___SD C:\32788R22FWJFW
2012-07-29 12:41 - 2012-07-29 12:42 - 00000680 ____A C:\Users\Megan Hutchison\AppData\Local\d3d9caps.dat
2012-07-29 12:31 - 2012-07-29 12:35 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-29 12:31 - 2012-07-29 12:35 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-29 12:31 - 2012-07-29 12:31 - 00000552 ____A C:\Windows\System32\spsys.log
2012-07-29 11:52 - 2012-07-29 11:52 - 00134352 ____A C:\Windows\Minidump\Mini072912-02.dmp
2012-07-29 11:41 - 2012-07-29 11:41 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-29 11:16 - 2012-07-29 11:52 - 124869831 ____A C:\Windows\MEMORY.DMP
2012-07-29 11:16 - 2012-07-29 11:16 - 00134352 ____A C:\Windows\Minidump\Mini072912-01.dmp
2012-07-27 17:04 - 2012-07-27 17:04 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{CCFB4819-0083-4B7C-B858-08DB5DB51345}
2012-07-27 17:04 - 2012-07-27 17:04 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{62F1FC55-045E-48FF-B5C4-22B828CD522B}
2012-07-26 12:52 - 2012-07-26 12:52 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{FDF71062-D6B2-4E50-BF18-A09BDEB0D35B}
2012-07-26 12:52 - 2012-07-26 12:52 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{18B286B8-4B13-4242-AEF5-1D2D356C8CF3}
2012-07-19 13:07 - 2012-07-19 13:08 - 00000000 ____D C:\Program Files\iTunes(6)
2012-07-19 13:07 - 2012-07-19 13:07 - 00000000 ____D C:\Program Files\iPod(5)
2012-07-19 13:02 - 2012-07-29 10:13 - 00000000 ____D C:\Users\HRH Queen Adminia\{bc5d5687-a2ae-4897-a157-f7c7a3ff18d0}
2012-07-19 12:40 - 2012-07-19 12:40 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{749BCDBD-E25A-40E7-A232-C2D3539382E6}
2012-07-19 12:40 - 2012-07-19 12:40 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{310A49D1-68D2-4A0D-98E6-E0C2B16A5306}
2012-07-13 11:38 - 2012-07-13 11:38 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{9E17CE1F-D70B-4854-B235-30FF6DF1B731}
2012-07-13 11:38 - 2012-07-13 11:38 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{63B94AA8-4FCA-494E-8AB7-BDE856786435}
2012-07-13 03:10 - 2012-06-13 08:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-13 03:04 - 2012-06-02 04:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-13 03:04 - 2012-06-02 03:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-13 03:04 - 2012-06-02 03:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-13 03:04 - 2012-06-02 03:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-13 03:04 - 2012-06-02 03:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-13 03:04 - 2012-06-02 03:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-13 03:04 - 2012-06-02 03:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-13 03:04 - 2012-06-02 03:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-13 03:04 - 2012-06-02 03:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-13 03:04 - 2012-06-02 03:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-13 03:04 - 2012-06-02 03:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-13 03:04 - 2012-06-02 03:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-13 03:04 - 2012-06-02 03:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-13 03:04 - 2012-06-02 03:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-12 14:46 - 2012-06-08 12:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-12 14:46 - 2012-06-05 11:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-12 14:46 - 2012-06-05 11:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-12 14:45 - 2012-06-04 10:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-12 14:45 - 2012-06-01 19:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-12 14:45 - 2012-06-01 19:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-08 17:26 - 2012-07-08 17:26 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\Deployment
2012-07-02 11:35 - 2012-07-02 11:35 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{F4B1FB6B-9C61-41FC-BA5E-96646570DA86}
2012-07-02 11:35 - 2012-07-02 11:35 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{A625F159-C2B6-417E-A268-D95AD2454482}
2012-06-30 04:15 - 2012-06-30 04:15 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{01FF88FB-646F-462E-9ACD-07412B4A2247}
2012-06-30 04:13 - 2012-06-30 04:15 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{9082990B-C52B-469E-B78E-784FCEB77709}
2012-06-29 13:24 - 2012-06-29 13:25 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{29938411-1890-4A7D-ACA7-1A0F0C260F52}
============ 3 Months Modified Files ========================
2012-07-29 13:14 - 2006-11-02 07:52 - 01591348 ____A C:\Windows\WindowsUpdate.log
2012-07-29 13:13 - 2011-11-23 18:28 - 00021780 ____A C:\aaw7boot.log
2012-07-29 12:43 - 2011-01-13 20:25 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
2012-07-29 12:42 - 2012-07-29 12:41 - 00000680 ____A C:\Users\Megan Hutchison\AppData\Local\d3d9caps.dat
2012-07-29 12:41 - 2011-04-23 21:50 - 00002281 ____A C:\Users\Public\Desktop\Safari.lnk
2012-07-29 12:36 - 2011-01-17 18:31 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-29 12:35 - 2012-07-29 12:31 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-29 12:35 - 2012-07-29 12:31 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-29 12:35 - 2006-11-02 08:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-29 12:31 - 2012-07-29 12:31 - 00000552 ____A C:\Windows\System32\spsys.log
2012-07-29 11:52 - 2012-07-29 11:52 - 00134352 ____A C:\Windows\Minidump\Mini072912-02.dmp
2012-07-29 11:52 - 2012-07-29 11:16 - 124869831 ____A C:\Windows\MEMORY.DMP
2012-07-29 11:52 - 2011-01-12 08:56 - 00029256 ____A C:\Windows\PFRO.log
2012-07-29 11:38 - 2011-01-13 19:46 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-29 11:31 - 2011-01-17 18:31 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-29 11:16 - 2012-07-29 11:16 - 00134352 ____A C:\Windows\Minidump\Mini072912-01.dmp
2012-07-29 10:40 - 2006-11-02 08:01 - 00032624 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-29 10:13 - 2006-11-02 05:22 - 51904512 ____A C:\Windows\System32\config\software_previous
2012-07-29 10:13 - 2006-11-02 05:22 - 36438016 ____A C:\Windows\System32\config\components_previous
2012-07-29 10:13 - 2006-11-02 05:22 - 17301504 ____A C:\Windows\System32\config\system_previous
2012-07-29 10:13 - 2006-11-02 05:22 - 04980736 ____A C:\Windows\System32\config\default_previous
2012-07-29 10:13 - 2006-11-02 05:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-07-29 10:13 - 2006-11-02 05:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-07-28 19:30 - 2011-01-11 20:24 - 00090952 ____A C:\Users\HRH Queen Adminia\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-13 03:31 - 2006-11-02 07:47 - 00355168 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-13 03:09 - 2006-11-02 05:23 - 00000219 ____A C:\Windows\win.ini
2012-07-13 03:05 - 2006-11-02 05:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-12 22:48 - 2011-02-18 22:46 - 00017408 ____A C:\Users\Megan Hutchison\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-29 15:06 - 2011-02-16 18:18 - 00090952 ____A C:\Users\Caleb\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-28 11:22 - 2012-06-22 18:23 - 00000059 ____A C:\Users\Megan Hutchison\Downloads\d50810c0.js
2012-06-28 11:21 - 2012-06-28 11:11 - 642373584 ____A C:\Users\Megan Hutchison\Downloads\AP English Files.zip
2012-06-22 15:04 - 2011-01-12 09:53 - 00090952 ____A C:\Users\Megan Hutchison\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-17 16:39 - 2011-11-29 18:26 - 00000064 ____A C:\Windows\System32\rp_stats.dat
2012-06-17 16:39 - 2011-11-29 18:26 - 00000044 ____A C:\Windows\System32\rp_rules.dat
2012-06-13 08:40 - 2012-07-13 03:10 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 12:47 - 2012-07-12 14:46 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 11:47 - 2012-07-12 14:46 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 11:47 - 2012-07-12 14:46 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 10:26 - 2012-07-12 14:45 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 17:19 - 2012-06-24 13:24 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 17:19 - 2012-06-24 13:24 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 17:19 - 2012-06-24 13:24 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 17:19 - 2012-06-24 13:23 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 17:19 - 2012-06-24 13:23 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 17:12 - 2012-06-24 13:24 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 17:12 - 2012-06-24 13:23 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 15:19 - 2012-06-24 13:23 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 15:12 - 2012-06-24 13:23 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 04:07 - 2012-07-13 03:04 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 03:43 - 2012-07-13 03:04 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 03:33 - 2012-07-13 03:04 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 03:26 - 2012-07-13 03:04 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 03:25 - 2012-07-13 03:04 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 03:25 - 2012-07-13 03:04 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 03:23 - 2012-07-13 03:04 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 03:21 - 2012-07-13 03:04 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 03:20 - 2012-07-13 03:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 03:19 - 2012-07-13 03:04 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:19 - 2012-07-13 03:04 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:17 - 2012-07-13 03:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:16 - 2012-07-13 03:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:14 - 2012-07-13 03:04 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 19:04 - 2012-07-12 14:45 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 19:03 - 2012-07-12 14:45 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-22 22:00 - 2011-08-30 20:25 - 00001992 ____A C:\Users\Public\Desktop\Amazon Cloud Player.lnk
2012-05-19 00:24 - 2012-05-19 00:24 - 00001726 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-05-01 09:03 - 2012-06-14 12:41 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

ZeroAccess:
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\@
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\L
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\n
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\U
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\L\00000004.@
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\L\201d3dde
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
========================= Memory info ======================
Percentage of memory in use: 16%
Total physical RAM: 1917.32 MB
Available physical RAM: 1592.82 MB
Total Pagefile: 4077.18 MB
Available Pagefile: 3903.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1962.2 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:298.09 GB) (Free:144.85 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
4 Drive f: (Cruzer) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 1 Online 1908 MB 0 B
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1908 MB 65 KB
==================================================================================
Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 F Cruzer FAT Removable 1908 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-29 12:07
======================= End Of Log ==========================
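As an added illustration of how to read a log like the one above (this is my own example, not part of either post and not FRST's own code), here is a small Python triage script that scans FRST output line by line and flags the indicators a helper looks for: a system binary whose MD5 does not pass the Bamital check, payload folders under `C:\Windows\Installer\{GUID}\` named `@`, `U`, `L` or `n`, the `C:\Windows\assembly\GAC\Desktop.ini` marker, a Winlogon Shell value with an extra executable chained after `explorer.exe`, and orphaned driver entries with random-looking names. The sample lines are copied from the FRST logs quoted in this thread; the category names and the "eight random lowercase letters behind a `\??\` path" heuristic are assumptions of mine, not FRST's logic.

```python
import re

# Constructed sample: lines copied from the FRST logs quoted in this thread.
SAMPLE_LOG = r"""
2012-07-29 12:43 - 2011-01-13 20:25 - 00279552 ____A (Microsoft Corporation) C:\Windows\System32\services.exe
ZeroAccess:
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\@
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\U
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\L\00000004.@
C:\Windows\assembly\GAC\Desktop.ini
========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\services.exe 8737764F4FD36D6808EE80578409C843 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
HKU\Megan Hutchison\...\Winlogon: [Shell] explorer.exe,C:\Users\Megan Hutchison\AppData\Roaming\D4A02\BD770.exe [x]
1 eequfgvp; \??\C:\Windows\system32\drivers\eequfgvp.sys [x]
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
"""

# Bamital check line that carries a hash instead of "=> MD5 is legit".
BAMITAL_RE = re.compile(r"^(?P<path>\S+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<tag>\S+)")
# Payload store: {GUID}\@, \U, \L, \n (and anything below \L or \U).
# The bare {GUID} folder alone is a normal MSI cache and is not flagged.
INSTALLER_RE = re.compile(
    r"^C:\\Windows\\Installer\\\{[0-9A-Fa-f-]{36}\}\\[@ULn](?:\\|$)")
GAC_MARKER = r"C:\Windows\assembly\GAC\Desktop.ini".lower()
# Winlogon Shell value, with FRST's trailing "[x]" (file missing) stripped.
SHELL_RE = re.compile(r"\[Shell\]\s*(?P<value>.*?)(?:\s*\[x\])?$", re.I)
# Heuristic (my assumption): eight random lowercase letters, \??\ object path,
# file missing. Legitimate drivers on this page use C:\Windows\System32\DRIVERS.
DRIVER_RE = re.compile(r"^\d\s+(?P<name>[a-z]{8});\s*(?P<path>\\\?\?\\\S+)\s+\[x\]$")


def classify_line(line):
    """Return (category, detail) for a suspicious FRST line, else None."""
    s = line.strip()
    if not s or s.startswith("="):          # blank or section banner
        return None
    m = BAMITAL_RE.match(s)
    if m:
        return ("patched-system-binary",
                f"{m['path']} md5={m['md5'].upper()} tag={m['tag']}")
    if INSTALLER_RE.match(s):
        return ("zeroaccess-installer-store", s)
    if s.lower() == GAC_MARKER:
        return ("zeroaccess-gac-marker", s)
    m = SHELL_RE.search(s)
    if m:
        entries = [e.strip() for e in m["value"].split(",") if e.strip()]
        extra = [e for e in entries if e.lower() != "explorer.exe"]
        if extra:
            return ("winlogon-shell-hijack", ";".join(extra))
    m = DRIVER_RE.match(s)
    if m:
        return ("orphaned-random-driver", f"{m['name']} -> {m['path']}")
    return None


def triage(log_text):
    """Run classify_line over every line; return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            findings.append(hit)
    return findings


def zeroaccess_suspected(findings):
    """True when any finding points at the ZeroAccess/Sirefef pattern."""
    return any(cat.startswith("zeroaccess-") or "ZeroAccess" in detail
               for cat, detail in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for cat, detail in results:
        print(f"{cat:28} {detail}")
    print("ZeroAccess suspected:", zeroaccess_suspected(results))
```

Run it on a saved FRST.txt with `triage(open("FRST.txt").read())`; a non-empty `patched-system-binary` or any `zeroaccess-*` finding is the cue that the machine needs the recovery-environment procedure described in the next reply rather than a scan from inside the running OS, where the patched `services.exe` is already in control.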
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===========================================

You didn't run the tool correctly:
ATTENTION:=====> THE TOOL IS NOT RUN FROM RECOVERY ENVIRONMENT AND WILL NOT FUNCTION PROPERLY.

For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Next...

Re-run FRST again.
Type the following in the edit box after "Search:".

services.exe

Click Search button and post the log (Search.txt) it makes to your reply.

I'll expect two logs:
- FRST.txt
- Search.txt
 
To finally access the command prompt I had to utilize the Windows disk. Just in case the information is necessary, it first ran the (lengthy) repair wizard (there was no other option -- it started immediately after I clicked "repair your computer"). Upon reboot, the "repair your computer" option from the Vista disk showed the options (including command prompt).

Below are the two files (they are also attached):

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 14:33:16
Running from E:\
Windows Vista (TM) Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001
========================== Registry (Whitelisted) =============
HKLM\...\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-05] (Apple Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" [198032 2011-10-21] (Lavasoft)
HKLM\...\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [931200 2012-03-26] (Microsoft Corporation)
HKU\Caleb\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-17] (Google Inc.)
HKU\HRH Queen Adminia\...\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\HRH Queen Adminia\...\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
HKU\Megan Hutchison\...\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\Megan Hutchison\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-01-17] (Google Inc.)
HKU\Megan Hutchison\...\Winlogon: [Shell] explorer.exe,C:\Users\Megan Hutchison\AppData\Roaming\D4A02\BD770.exe [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Startup: C:\Users\Caleb\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
ShortcutTarget: OpenOffice.org 3.2.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
================================ Services (Whitelisted) ==================
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
2 FlipShare Service; "C:\Program Files\Flip Video\FlipShare\FlipShareService.exe" [460144 2010-12-15] ()
2 FlipShareServer; "C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe" [1085440 2010-12-15] ()
3 Lavasoft Ad-Aware Service; "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" [2152720 2012-05-30] (Lavasoft Limited)
3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)
4 MotoConnect Service; C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe [91456 2010-04-29] ()
2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\MsMpEng.exe" [x]
2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\NisSrv.exe" [x]
2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [x]
========================== Drivers (Whitelisted) =============
0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [64512 2011-11-03] (Lavasoft AB)
0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [171064 2012-03-20] (Microsoft Corporation)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
3 BTCFilterService; C:\Windows\System32\DRIVERS\motfilt.sys [x]
3 catchme; \??\C:\Users\HRHQUE~1\AppData\Local\Temp\catchme.sys [x]
1 eequfgvp; \??\C:\Windows\system32\drivers\eequfgvp.sys [x]
1 hbwargxv; \??\C:\Windows\system32\drivers\hbwargxv.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 motccgp; C:\Windows\System32\DRIVERS\motccgp.sys [x]
3 motccgpfl; C:\Windows\System32\DRIVERS\motccgpfl.sys [x]
3 motmodem; C:\Windows\System32\DRIVERS\motmodem.sys [x]
3 MotoSwitchService; C:\Windows\System32\DRIVERS\motswch.sys [x]
3 Motousbnet; C:\Windows\System32\DRIVERS\Motousbnet.sys [x]
3 motusbdevice; C:\Windows\System32\DRIVERS\motusbdevice.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============
2012-07-29 10:29 - 2012-07-29 10:30 - 00000000 ___SD C:\ComboFix
2012-07-29 10:15 - 2012-07-29 10:15 - 00005506 ____A C:\Windows\System32\PerfStringBackup.TMP
2012-07-29 10:15 - 2012-07-29 10:15 - 00000000 ____D C:\FRST
2012-07-29 09:41 - 2012-07-29 09:42 - 00000680 ____A C:\Users\Megan Hutchison\AppData\Local\d3d9caps.dat
2012-07-29 09:31 - 2012-07-29 09:35 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-29 09:31 - 2012-07-29 09:35 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-29 09:31 - 2012-07-29 09:31 - 00000552 ____A C:\Windows\System32\spsys.log
2012-07-29 08:52 - 2012-07-29 08:52 - 00134352 ____A C:\Windows\Minidump\Mini072912-02.dmp
2012-07-29 08:41 - 2012-07-29 08:41 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-29 08:16 - 2012-07-29 08:52 - 124869831 ____A C:\Windows\MEMORY.DMP
2012-07-29 08:16 - 2012-07-29 08:16 - 00134352 ____A C:\Windows\Minidump\Mini072912-01.dmp
2012-07-27 14:04 - 2012-07-27 14:04 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{CCFB4819-0083-4B7C-B858-08DB5DB51345}
2012-07-27 14:04 - 2012-07-27 14:04 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{62F1FC55-045E-48FF-B5C4-22B828CD522B}
2012-07-26 09:52 - 2012-07-26 09:52 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{FDF71062-D6B2-4E50-BF18-A09BDEB0D35B}
2012-07-26 09:52 - 2012-07-26 09:52 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{18B286B8-4B13-4242-AEF5-1D2D356C8CF3}
2012-07-19 10:07 - 2012-07-19 10:08 - 00000000 ____D C:\Program Files\iTunes(6)
2012-07-19 10:07 - 2012-07-19 10:07 - 00000000 ____D C:\Program Files\iPod(5)
2012-07-19 10:02 - 2012-07-29 07:13 - 00000000 ____D C:\Users\HRH Queen Adminia\{bc5d5687-a2ae-4897-a157-f7c7a3ff18d0}
2012-07-19 09:40 - 2012-07-19 09:40 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{749BCDBD-E25A-40E7-A232-C2D3539382E6}
2012-07-19 09:40 - 2012-07-19 09:40 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{310A49D1-68D2-4A0D-98E6-E0C2B16A5306}
2012-07-13 08:38 - 2012-07-13 08:38 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{9E17CE1F-D70B-4854-B235-30FF6DF1B731}
2012-07-13 08:38 - 2012-07-13 08:38 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{63B94AA8-4FCA-494E-8AB7-BDE856786435}
2012-07-13 00:10 - 2012-06-13 05:40 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-13 00:04 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-13 00:04 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-13 00:04 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-13 00:04 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-13 00:04 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-13 00:04 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-13 00:04 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-13 00:04 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-13 00:04 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-13 00:04 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-13 00:04 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-13 00:04 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-13 00:04 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-13 00:04 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-12 11:46 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-12 11:46 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-12 11:46 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-12 11:45 - 2012-06-04 07:26 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-12 11:45 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-12 11:45 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-08 14:26 - 2012-07-08 14:26 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\Deployment
2012-07-02 08:35 - 2012-07-02 08:35 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{F4B1FB6B-9C61-41FC-BA5E-96646570DA86}
2012-07-02 08:35 - 2012-07-02 08:35 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{A625F159-C2B6-417E-A268-D95AD2454482}
2012-06-30 01:15 - 2012-06-30 01:15 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{01FF88FB-646F-462E-9ACD-07412B4A2247}
2012-06-30 01:13 - 2012-06-30 01:15 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{9082990B-C52B-469E-B78E-784FCEB77709}
2012-06-29 10:24 - 2012-06-29 10:25 - 00000000 ____D C:\Users\Megan Hutchison\AppData\Local\{29938411-1890-4A7D-ACA7-1A0F0C260F52}
============ 3 Months Modified Files ========================
2012-07-29 10:27 - 2006-11-02 04:52 - 01594044 ____A C:\Windows\WindowsUpdate.log
2012-07-29 10:25 - 2011-11-23 15:28 - 00022004 ____A C:\aaw7boot.log
2012-07-29 10:15 - 2012-07-29 10:15 - 00005506 ____A C:\Windows\System32\PerfStringBackup.TMP
2012-07-29 09:42 - 2012-07-29 09:41 - 00000680 ____A C:\Users\Megan Hutchison\AppData\Local\d3d9caps.dat
2012-07-29 09:41 - 2011-04-23 18:50 - 00002281 ____A C:\Users\Public\Desktop\Safari.lnk
2012-07-29 09:36 - 2011-01-17 15:31 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-29 09:35 - 2012-07-29 09:31 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-29 09:35 - 2012-07-29 09:31 - 00000736 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-29 09:35 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-29 09:31 - 2012-07-29 09:31 - 00000552 ____A C:\Windows\System32\spsys.log
2012-07-29 08:52 - 2012-07-29 08:52 - 00134352 ____A C:\Windows\Minidump\Mini072912-02.dmp
2012-07-29 08:52 - 2012-07-29 08:16 - 124869831 ____A C:\Windows\MEMORY.DMP
2012-07-29 08:52 - 2011-01-12 05:56 - 00029256 ____A C:\Windows\PFRO.log
2012-07-29 08:38 - 2011-01-13 16:46 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-29 08:31 - 2011-01-17 15:31 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-29 08:16 - 2012-07-29 08:16 - 00134352 ____A C:\Windows\Minidump\Mini072912-01.dmp
2012-07-29 07:40 - 2006-11-02 05:01 - 00032624 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-29 07:13 - 2006-11-02 02:22 - 51904512 ____A C:\Windows\System32\config\software_previous
2012-07-29 07:13 - 2006-11-02 02:22 - 36438016 ____A C:\Windows\System32\config\components_previous
2012-07-29 07:13 - 2006-11-02 02:22 - 17301504 ____A C:\Windows\System32\config\system_previous
2012-07-29 07:13 - 2006-11-02 02:22 - 04980736 ____A C:\Windows\System32\config\default_previous
2012-07-29 07:13 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-07-29 07:13 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-07-28 16:30 - 2011-01-11 17:24 - 00090952 ____A C:\Users\HRH Queen Adminia\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-13 00:31 - 2006-11-02 04:47 - 00355168 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-13 00:09 - 2006-11-02 02:23 - 00000219 ____A C:\Windows\win.ini
2012-07-13 00:05 - 2006-11-02 02:24 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-12 19:48 - 2011-02-18 19:46 - 00017408 ____A C:\Users\Megan Hutchison\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-06-29 12:06 - 2011-02-16 15:18 - 00090952 ____A C:\Users\Caleb\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-28 08:22 - 2012-06-22 15:23 - 00000059 ____A C:\Users\Megan Hutchison\Downloads\d50810c0.js
2012-06-28 08:21 - 2012-06-28 08:11 - 642373584 ____A C:\Users\Megan Hutchison\Downloads\AP English Files.zip
2012-06-22 12:04 - 2011-01-12 06:53 - 00090952 ____A C:\Users\Megan Hutchison\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-17 13:39 - 2011-11-29 15:26 - 00000064 ____A C:\Windows\System32\rp_stats.dat
2012-06-17 13:39 - 2011-11-29 15:26 - 00000044 ____A C:\Windows\System32\rp_rules.dat
2012-06-13 05:40 - 2012-07-13 00:10 - 02047488 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:47 - 2012-07-12 11:46 - 11586048 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-05 08:47 - 2012-07-12 11:46 - 01401856 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 08:47 - 2012-07-12 11:46 - 01248768 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-04 07:26 - 2012-07-12 11:45 - 00440704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-24 10:24 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-24 10:24 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-24 10:24 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-24 10:23 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-24 10:23 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:12 - 2012-06-24 10:24 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-24 10:23 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-24 10:23 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:12 - 2012-06-24 10:23 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 01:07 - 2012-07-13 00:04 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 00:43 - 2012-07-13 00:04 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 00:33 - 2012-07-13 00:04 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 00:26 - 2012-07-13 00:04 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 00:25 - 2012-07-13 00:04 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 00:25 - 2012-07-13 00:04 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 00:23 - 2012-07-13 00:04 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 00:21 - 2012-07-13 00:04 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 00:20 - 2012-07-13 00:04 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 00:19 - 2012-07-13 00:04 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 00:19 - 2012-07-13 00:04 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 00:17 - 2012-07-13 00:04 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 00:16 - 2012-07-13 00:04 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 00:14 - 2012-07-13 00:04 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-01 16:04 - 2012-07-12 11:45 - 00278528 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:03 - 2012-07-12 11:45 - 00204288 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-05-22 19:00 - 2011-08-30 17:25 - 00001992 ____A C:\Users\Public\Desktop\Amazon Cloud Player.lnk
2012-05-18 21:24 - 2012-05-18 21:24 - 00001726 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-05-01 06:03 - 2012-06-14 09:41 - 00180736 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys

ZeroAccess:
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\@
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\L
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\n
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\U
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\L\00000004.@
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c}\L\201d3dde
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
========================= Memory info ======================
Percentage of memory in use: 22%
Total physical RAM: 1917.44 MB
Available physical RAM: 1495.45 MB
Total Pagefile: 1729.81 MB
Available Pagefile: 1559.75 MB
Total Virtual: 2047.88 MB
Available Virtual: 1990.35 MB
======================= Partitions =========================
1 Drive c: () (Fixed) (Total:298.09 GB) (Free:146.51 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (VISTA_32_PREMIUM) (CDROM) (Total:2.84 GB) (Free:0 GB) CDFS
3 Drive e: (Cruzer) (Removable) (Total:1.86 GB) (Free:1.86 GB) FAT
4 Drive f: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 1337 KB
Disk 1 Online 1908 MB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 298 GB 1024 KB
==================================================================================
Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 298 GB Healthy
==================================================================================
Partitions of Disk 1:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1908 MB 65 KB
==================================================================================
Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E Cruzer FAT Removable 1908 MB Healthy
==================================================================================
==========================================================
Last Boot: 2012-07-29 09:07
======================= End Of Log ==========================


Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-29 14:34:23
Running from E:\
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2011-01-13 17:25] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2011-01-13 04:49] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\System32\services.exe
[2011-01-13 17:25] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\ERDNT\cache\services.exe
[2011-11-22 19:40] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
=== End Of Search ===
 

Attachments

  • Search.txt (1.2 KB)
  • FRST.txt (20.4 KB)
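The Search.txt above lists every copy of services.exe on the disk with its MD5. Some ZeroAccess variants patch that binary, so the check a defender wants from such a report is whether the live System32 copy hashes identically to a pristine WinSxS component-store copy of the same size. The Python below is an added example for this thread, not FRST's own code: it parses the posted Search.txt lines (reproduced as constructed sample input) and applies that check; the second sample is constructed by giving the live copy fresh timestamps and an all-zero placeholder hash, to show how a mismatch is reported.

```python
"""Check the live services.exe against WinSxS copies in an FRST Search report.

Added example (not FRST code). A clean System32 binary should hash identically
to one of the WinSxS component-store copies that has the same size.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the Search.txt lines posted in this thread.
SAMPLE_SEARCH = r"""
================== Search: "services.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2011-01-13 17:25] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2011-01-13 04:49] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6000.16386_none_cd28fe6bd05df036\services.exe
[2006-11-02 00:35] - [2006-11-02 01:45] - 0279552 ____A (Microsoft Corporation) 329CF3C97CE4C19375C8ABCABAE258B0
C:\Windows\System32\services.exe
[2011-01-13 17:25] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\ERDNT\cache\services.exe
[2011-11-22 19:40] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B
=== End Of Search ===
"""

# Constructed variant: the same report, but the live copy carries new timestamps
# and an all-zero placeholder hash, the way a patched binary would stand out.
_LIVE = (r"C:\Windows\System32\services.exe" + "\n[2011-01-13 17:25] - [2009-04-10 22:27] - "
         "0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B")
_PATCHED = (r"C:\Windows\System32\services.exe" + "\n[2012-07-27 03:12] - [2012-07-27 03:12] - "
            "0279552 ____A (Microsoft Corporation) " + "0" * 32)
TAMPERED_SEARCH = SAMPLE_SEARCH.replace(_LIVE, _PATCHED)

# FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileCopy:
    path: str
    created: str
    modified: str
    size: int
    company: str
    md5: str


def parse_search(text: str) -> List[FileCopy]:
    """FRST prints each hit as a path line followed by one detail line."""
    copies: List[FileCopy] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):  # section banners
            continue
        m = DETAIL.match(line)
        if m and pending:
            copies.append(FileCopy(pending, m["created"], m["modified"],
                                   int(m["size"]), m["company"], m["md5"].upper()))
            pending = None
        elif not m:
            pending = line
    return copies


def check_live_copy(copies: List[FileCopy],
                    live_dir: str = r"C:\Windows\System32") -> Tuple[str, Optional[str]]:
    """Return ('legit', matching WinSxS path) or ('suspect', None) for the live copy."""
    live = [c for c in copies if c.path.lower().startswith(live_dir.lower() + "\\")]
    pristine = [c for c in copies if "\\winsxs\\" in c.path.lower()]
    if not live:
        return ("no-live-copy", None)
    if not pristine:
        return ("no-reference", None)
    for c in live:
        for p in pristine:
            if p.md5 == c.md5 and p.size == c.size:
                return ("legit", p.path)
    # Same size as a reference copy but a different hash is the classic patched-binary signature.
    return ("suspect", None)


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_SEARCH), ("constructed tampered", TAMPERED_SEARCH)):
        print(label, check_live_copy(parse_search(text)))
```

The WinSxS copies are the reference because the component store keeps the original, servicing-stack-installed binaries; ERDNT\cache is a backup taken by a cleaning tool and is not independent evidence. Run it on a real Search.txt by reading the file into `parse_search`.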
Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Next....

Restart normally.

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 

Attachments

  • fixlist.txt (376 bytes)
Here is the fixlog -- I am moving to the Combofix step now.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-29 15:44:56 Run:1
Running from E:\
==============================================
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
eequfgvp service deleted successfully.
C:\Windows\system32\drivers\eequfgvp.sys not found.
hbwargxv service deleted successfully.
C:\Windows\system32\drivers\hbwargxv.sys not found.
C:\Windows\Installer\{4b093b68-8c67-1628-5af8-f8e50037688c} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.
==== End of Fixlog ====
 
Logging in normally generates a Windows Activation Window requesting my Activation Key -- or online validation. (It looks legitimate, but I have no idea). I tested out my key -- it's rejecting the first characters for some reason, so I never entered the full key.

Online validation through Microsoft has me at 'reduced functionality' which I will resolve after downloading and running ComboBox.
 
ComboBox refused to run from Normal mode. I started it fine from safe mode (no need for rkill or renaming); however, there were several warning messages about "error saving file" (had something about backup and HIV).

It then just closed. I do not think it was continuing, as I don't see any related processes still running. I'll give it a few more minutes then try Step 2 version.
 
Rkill did not generate a log file (or if it did, I was unable to find it.) Attached is Combofix's log file -- I had to break the log apart -- the forum wouldn't allow me to upload it.

It's obviously too big to paste into the text box, since it's too big to upload in one piece -- here's the initial part. (The rest is attached in order).

ComboFix 12-07-29.02 - HRH Queen Adminia 07/29/2012 16:19:10.2.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1346 [GMT -5:00]
Running from: c:\users\HRH Queen Adminia\Desktop\mike_b.exe.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\spsys.log
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-29 )))))))))))))))))))))))))))))))
 

Attachments

  • ComboFix.txt (754.6 KB)
  • Combofix2.txt (825.1 KB)
  • ComboFix3.txt (581.2 KB)
  • ComboFix4.txt (696.2 KB)
ComboFix 12-07-29.02 - HRH Queen Adminia 07/29/2012 16:19:10.2.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1346 [GMT -5:00]
Running from: c:\users\HRH Queen Adminia\Desktop\mike_b.exe.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\spsys.log
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-29 )))))))))))))))))))))))))))))))
.
.
2012-07-29 21:27 . 2012-07-29 21:27 -------- d-----w- c:\users\HRH Queen Adminia\AppData\Local\temp
2012-07-29 21:27 . 2012-07-29 21:27 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2012-07-29 21:27 . 2012-07-29 21:27 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-07-29 21:27 . 2012-07-29 21:27 -------- d-----w- c:\users\Megan Hutchison\AppData\Local\temp
2012-07-29 21:27 . 2012-07-29 21:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-29 21:27 . 2012-07-29 21:27 -------- d-----w- c:\users\Caleb\AppData\Local\temp
2012-07-29 21:09 . 2012-07-29 21:13 -------- d-----w- C:\ComboFix
2012-07-29 21:05 . 2012-07-29 21:05 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{00613B0A-6319-42E3-A282-493239EC6595}\offreg.dll
2012-07-29 20:49 . 2012-07-16 07:41 6891424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{00613B0A-6319-42E3-A282-493239EC6595}\mpengine.dll
2012-07-29 18:15 . 2012-07-29 20:55 5506 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-07-29 18:15 . 2012-07-29 18:15 -------- d-----w- C:\FRST
2012-07-29 16:45 . 2012-02-09 19:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E857D958-BEE6-4013-8D85-23807FCD296A}\gapaengine.dll
2012-07-29 16:41 . 2012-07-29 16:41 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-19 18:07 . 2012-07-19 18:07 -------- d-----w- c:\program files\iPod(5)
2012-07-19 18:07 . 2012-07-19 18:08 -------- d-----w- c:\program files\iTunes(6)
2012-07-19 18:02 . 2012-07-29 15:13 -------- d-----w- c:\users\HRH Queen Adminia\{bc5d5687-a2ae-4897-a157-f7c7a3ff18d0}
2012-07-13 08:10 . 2012-06-13 13:40 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-07-12 19:46 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-12 19:46 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-12 19:46 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-12 19:45 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-12 19:45 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-12 19:45 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-08 22:26 . 2012-07-08 22:26 -------- d-----w- c:\users\Megan Hutchison\AppData\Local\Deployment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-20 16:12 . 2011-03-28 23:36 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-06-02 22:19 . 2012-06-24 18:24 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-24 18:24 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-24 18:23 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-24 18:23 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-24 18:24 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-24 18:24 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-24 18:23 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-24 18:23 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:12 . 2012-06-24 18:23 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-01 14:03 . 2012-06-14 17:41 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-31_20.46.52 )))))))))))))))))))))))))))))))))))))))))
.
[snapshot omitted]

(((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-10-21 09:10 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-10-21 87440]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-17 23:31]
.
2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-17 23:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-29 16:27
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(276)
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
.
Completion time: 2012-07-29 16:30:36
ComboFix-quarantined-files.txt 2012-07-29 21:30
ComboFix2.txt 2012-03-31 23:49
ComboFix3.txt 2012-03-31 20:50
ComboFix4.txt 2011-11-23 17:45
ComboFix5.txt 2012-07-29 18:21
.
Pre-Run: 157,254,119,424 bytes free
Post-Run: 157,742,751,744 bytes free
.
- - End Of File - - C18D72A3B4F15A518B2C5DC06CF225A7
 
Looks good :)

Any current issues?

================================

You're running two AV programs, Lavasoft Ad-Watch Live! Anti-Virus and MSE.
You must uninstall one of them.
I suggest Lavasoft goes.

================================

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer IF MBAM asks you to do so.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

===================================

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
It's my wife's laptop and she tends to... overprotect, mostly because she gets infections like this about once a year. This is the first one I haven't managed to nuke on my own. I appreciate the help. I'll update MalwareBytes and scan it, then post the log file.

A question regarding the Windows Authentication problem -- that isn't some clever virus hijack, so it's safe to try to fix? I suspect she hosed her fingerprint or whatever MS calls it when she originally tried to do a system restore after seeing one of the fake BSODs.

I've been hesitant to enter my user key -- and even trying to enter the first few numbers got an odd rejection. (It claimed the first few numbers were invalid, which was weird).
 
Looks like it's not clean yet -- MalwareBytes Log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.29.09

Windows Vista Service Pack 2 x86 FAT
Internet Explorer 9.0.8112.16421
HRH Queen Adminia :: ARTEMIS [administrator]

7/29/2012 6:14:38 PM
mbam-log-2012-07-29 (20-00-35).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 396464
Time elapsed: 58 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\System32\config\systemprofile\AppData\Local\{4b093b68-8c67-1628-5af8-f8e50037688c}\n (Trojan.Zaccess) -> No action taken.
C:\FRST\Quarantine\Desktop.ini (Trojan.0access) -> No action taken.
C:\FRST\Quarantine\{4b093b68-8c67-1628-5af8-f8e50037688c}\n (Trojan.Zaccess) -> No action taken.

(end)
 
First item is just a leftover.
Two others are already quarantined by FRST.

However your MBAM log says "No action taken".
Re-run it, FIX all issues and post new log.
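The triage above makes two distinctions a defender reading an MBAM log needs: a hit on a live path (the leftover under systemprofile) versus hits that merely point into a removal tool's quarantine folder, and whether the reported action actually remediated anything ("No action taken" means it did not). The Python below is an added example, not Malwarebytes' code or part of this thread: it parses the detection section of an MBAM log and applies that classification. It assumes the quarantine folders C:\FRST\Quarantine (FRST) and C:\Qoobox\Quarantine (ComboFix); the sample log lines are the ones posted above, and the second sample is constructed by rewriting the action to a remediated one.

```python
"""Triage the detection section of a Malwarebytes (MBAM) log.

Added example (not Malwarebytes code). Splits hits into live-and-unremediated,
leftovers already sitting in a removal tool's quarantine, and remediated.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed quarantine locations: FRST keeps C:\FRST\Quarantine, ComboFix C:\Qoobox\Quarantine.
QUARANTINE_DIRS = ("c:\\frst\\quarantine\\", "c:\\qoobox\\quarantine\\")

# Constructed sample: detection sections of the MBAM log posted in this thread.
MBAM_LOG = r"""
Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\System32\config\systemprofile\AppData\Local\{4b093b68-8c67-1628-5af8-f8e50037688c}\n (Trojan.Zaccess) -> No action taken.
C:\FRST\Quarantine\Desktop.ini (Trojan.0access) -> No action taken.
C:\FRST\Quarantine\{4b093b68-8c67-1628-5af8-f8e50037688c}\n (Trojan.Zaccess) -> No action taken.

(end)
"""

# Constructed variant: the same hits after MBAM has been allowed to act on them.
CLEANED_LOG = MBAM_LOG.replace("No action taken", "Quarantined and deleted successfully")

HEADER = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Entry shape: <path or registry key> (<threat name>) -> <action>.
ENTRY = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    category: str
    path: str
    threat: str
    action: str

    @property
    def remediated(self) -> bool:
        return not self.action.lower().startswith("no action")

    @property
    def in_quarantine(self) -> bool:
        p = self.path.lower()
        return any(p.startswith(q) for q in QUARANTINE_DIRS)


def parse_mbam(text: str) -> List[Detection]:
    """Collect entries under every '<Category> Detected: N' header."""
    found: List[Detection] = []
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER.match(line)
        if h:
            category = h["category"]
            continue
        # Blank lines, "(No malicious items detected)" and "(end)" carry no entry.
        if not line or line.startswith("(") or category is None:
            continue
        e = ENTRY.match(line)
        if e:
            found.append(Detection(category, e["path"], e["threat"], e["action"]))
    return found


def triage(detections: List[Detection]) -> Dict[str, List[str]]:
    """Bucket detections by what still needs attention."""
    result: Dict[str, List[str]] = {"live_unremediated": [], "quarantine_leftover": [], "remediated": []}
    for d in detections:
        if d.remediated:
            result["remediated"].append(d.path)
        elif d.in_quarantine:
            result["quarantine_leftover"].append(d.path)
        else:
            result["live_unremediated"].append(d.path)
    return result


if __name__ == "__main__":
    for label, text in (("posted", MBAM_LOG), ("constructed cleaned", CLEANED_LOG)):
        print(label, triage(parse_mbam(text)))
```

Quarantine leftovers are noise only as long as the quarantine folder itself is eventually removed with the tool's own uninstall step; the live path is the one that must show a remediated action on the re-run.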
 
MBAM had a "reboot to finish" thing and restarted the laptop. I'll re-run it now that it's rebooted.

Edited to add: I checked the logs when it rebooted -- all three were marked "quarantined and deleted". I'm running it again just to be safe and will post a log. (Then I suppose it's time to call Microsoft and straighten out the license, and then make sure Windows Firewall and such is working again).

I'm really appreciating the help.
 
Reran Malware Bytes: Log follows:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.29.09

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
HRH Queen Adminia :: ARTEMIS [administrator]

7/29/2012 8:16:10 PM
mbam-log-2012-07-29 (20-16-10).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 398136
Time elapsed: 1 hour(s), 2 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
I am still having a problem with the Windows Firewall. Attempting to turn it on gives something to the effect of "An unidentified problem prevents" and won't turn on. I can't even get the window with the on/off buttons, so some service or file is missing, off, or dead. I'm not sure that's a problem for this forum though.
Other than attempting to turn on the Firewall, I just shut the laptop down -- I'm not doing anything until you give the OK. I do NOT want this stupid thing back. I really appreciate all the help so far, and I'm not about to screw it up. :)
 
Very good.

We'll look into Windows firewall issue in a bit.

First I need OTL log.
 
Had to run it in safe mode -- OTL wouldn't run in regular mode. (I can go get the actual error message if you need. It might have been caused by the laptop not coming out of hibernation right). Here's the log:

OTL logfile created on: 7/30/2012 4:57:57 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\HRH Queen Adminia\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.48 Gb Available Physical Memory | 79.03% Memory free
3.98 Gb Paging File | 3.74 Gb Available in Paging File | 94.09% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 147.32 Gb Free Space | 49.42% Space Free | Partition Type: NTFS
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 1.86 Gb Total Space | 1.85 Gb Free Space | 99.37% Space Free | Partition Type: FAT

Computer Name: ARTEMIS | User Name: HRH Queen Adminia | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/30 08:26:14 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Users\HRH Queen Adminia\Desktop\OTL.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2006/10/26 17:21:22 | 000,056,056 | ---- | M] () -- C:\Windows\System32\DLAAPI_W.DLL


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - File not found [Auto | Stopped] -- C:\Windows\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - File not found [Auto | Stopped] -- C:\Windows\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2012/05/30 16:53:53 | 002,152,720 | ---- | M] (Lavasoft Limited) [On_Demand | Stopped] -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2012/04/04 00:53:50 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2011/10/21 16:23:42 | 000,196,176 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/10/13 18:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
SRV - [2010/12/15 13:31:20 | 000,460,144 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/12/15 13:22:42 | 001,085,440 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe -- (FlipShareServer)
SRV - [2010/04/29 12:30:44 | 000,091,456 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe -- (MotoConnect Service)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2004/10/22 04:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motusbdevice.sys -- (motusbdevice)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\Motousbnet.sys -- (Motousbnet)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motswch.sys -- (MotoSwitchService)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motmodem.sys -- (motmodem)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motccgpfl.sys -- (motccgpfl)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motccgp.sys -- (motccgp)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\HRHQUE~1\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\motfilt.sys -- (BTCFilterService)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2011/11/03 13:06:56 | 000,064,512 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
DRV - [2009/06/25 17:58:10 | 000,048,128 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2008/06/03 07:22:56 | 003,695,104 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2008/06/03 07:22:56 | 003,695,104 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2007/02/08 21:05:30 | 000,028,120 | ---- | M] (Roxio) [File_System | System | Running] -- C:\Windows\System32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2007/02/08 21:05:30 | 000,012,856 | ---- | M] (Roxio) [File_System | System | Running] -- C:\Windows\System32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/11/02 02:30:53 | 000,045,056 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/10/26 17:22:02 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\Windows\System32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/10/26 17:21:34 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\Windows\System32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/10/26 17:21:34 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\Windows\System32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/10/26 17:21:32 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\Windows\System32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/10/26 17:21:30 | 000,026,296 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\Windows\System32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/10/26 17:21:28 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\Windows\System32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/10/26 17:21:26 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\Windows\System32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/10/26 17:21:24 | 000,104,536 | ---- | M] (Roxio) [File_System | Auto | Stopped] -- C:\Windows\System32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{2381E4B7-5C04-459E-9D46-2F9AC1608B66}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = {2381E4B7-5C04-459E-9D46-2F9AC1608B66}
IE - HKU\S-1-5-19\..\SearchScopes\{2381E4B7-5C04-459E-9D46-2F9AC1608B66}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = {2381E4B7-5C04-459E-9D46-2F9AC1608B66}
IE - HKU\S-1-5-20\..\SearchScopes\{2381E4B7-5C04-459E-9D46-2F9AC1608B66}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=ysp
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-74043557-1430267458-2187411530-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-74043557-1430267458-2187411530-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-74043557-1430267458-2187411530-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-74043557-1430267458-2187411530-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-74043557-1430267458-2187411530-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&sourceid=ie7&rlz=1I7ADRA_enUS415
IE - HKU\S-1-5-21-74043557-1430267458-2187411530-1000\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?p={searchTerms}
IE - HKU\S-1-5-21-74043557-1430267458-2187411530-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-74043557-1430267458-2187411530-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3555.0308: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Users\HRH Queen Adminia\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll (Amazon.com, Inc.)



O1 HOSTS File: ([2012/07/29 16:27:17 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-74043557-1430267458-2187411530-1000..\Run: [MobileDocuments] C:\Program Files\Common Files\Apple\Internet Services\ubd.exe (Apple Inc.)
O4 - HKU\S-1-5-21-74043557-1430267458-2187411530-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Users\Caleb\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Users\M H\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-74043557-1430267458-2187411530-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-74043557-1430267458-2187411530-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{28BA98DE-7EA5-4B02-8537-26E587AF367B}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\HRH Queen Adminia\Pictures\queen megan.jpg
O24 - Desktop BackupWallPaper: C:\Users\HRH Queen Adminia\Pictures\queen megan.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 07:26:23 | 000,000,309 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (lsdelete)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/30 16:52:46 | 000,597,504 | ---- | C] (OldTimer Tools) -- C:\Users\HRH Queen Adminia\Desktop\OTL.exe
[2012/07/29 16:30:40 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/07/29 16:30:40 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\temp
[2012/07/29 16:29:40 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/07/29 16:13:48 | 000,000,000 | ---D | C] -- C:\mike_b.exe
[2012/07/29 16:09:38 | 000,000,000 | ---D | C] -- C:\ComboFix
[2012/07/29 15:54:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Windows Genuine Advantage
[2012/07/29 13:15:04 | 000,000,000 | ---D | C] -- C:\FRST
[2012/07/29 11:41:16 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/07/27 17:04:18 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\{62F1FC55-045E-48FF-B5C4-22B828CD522B}
[2012/07/27 17:04:05 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\{CCFB4819-0083-4B7C-B858-08DB5DB51345}
[2012/07/26 12:52:33 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\{18B286B8-4B13-4242-AEF5-1D2D356C8CF3}
[2012/07/26 12:52:19 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\{FDF71062-D6B2-4E50-BF18-A09BDEB0D35B}
[2012/07/19 13:07:07 | 000,000,000 | ---D | C] -- C:\Program Files\iPod(5)
[2012/07/19 13:07:02 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes(6)
[2012/07/19 13:02:52 | 000,000,000 | ---D | C] -- C:\Users\HRH Queen Adminia\{bc5d5687-a2ae-4897-a157-f7c7a3ff18d0}
[2012/07/19 12:40:34 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\{310A49D1-68D2-4A0D-98E6-E0C2B16A5306}
[2012/07/19 12:40:23 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\{749BCDBD-E25A-40E7-A232-C2D3539382E6}
[2012/07/13 11:38:37 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\{63B94AA8-4FCA-494E-8AB7-BDE856786435}
[2012/07/13 11:38:25 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\{9E17CE1F-D70B-4854-B235-30FF6DF1B731}
[2012/07/13 03:10:11 | 002,047,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/07/13 03:04:19 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2012/07/13 03:04:17 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2012/07/13 03:04:17 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2012/07/13 03:04:15 | 001,800,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2012/07/13 03:04:15 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2012/07/13 03:04:14 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2012/07/13 03:04:13 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2012/07/12 14:45:06 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ncrypt.dll
[2012/07/08 17:26:42 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\Deployment
[2012/07/02 11:35:23 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\{A625F159-C2B6-417E-A268-D95AD2454482}
[2012/07/02 11:35:11 | 000,000,000 | ---D | C] -- C:\Users\M H\AppData\Local\{F4B1FB6B-9C61-41FC-BA5E-96646570DA86}
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/30 16:56:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/07/30 16:51:46 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/30 16:51:30 | 000,002,128 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/30 16:51:30 | 000,002,128 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/30 16:02:57 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/30 08:26:14 | 000,597,504 | ---- | M] (OldTimer Tools) -- C:\Users\HRH Queen Adminia\Desktop\OTL.exe
[2012/07/29 18:09:13 | 000,000,906 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/29 16:27:17 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/07/29 12:42:00 | 000,000,680 | ---- | M] () -- C:\Users\M H\AppData\Local\d3d9caps.dat
[2012/07/29 12:41:39 | 000,002,281 | ---- | M] () -- C:\Users\Public\Desktop\Safari.lnk
[2012/07/29 11:52:19 | 124,869,831 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/07/29 11:38:15 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/07/13 03:31:03 | 000,355,168 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/07/12 22:48:39 | 000,017,408 | ---- | M] () -- C:\Users\M H\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/29 18:09:13 | 000,000,906 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/07/29 12:41:46 | 000,000,680 | ---- | C] () -- C:\Users\M H\AppData\Local\d3d9caps.dat
[2012/07/29 12:31:23 | 000,002,128 | -H-- | C] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/07/29 12:31:23 | 000,002,128 | -H-- | C] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/07/29 11:41:41 | 000,001,826 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/07/29 11:16:07 | 124,869,831 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/01/12 04:06:37 | 000,002,048 | -HS- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\{4b093b68-8c67-1628-5af8-f8e50037688c}\@
[2012/01/09 22:32:12 | 000,010,918 | -HS- | C] () -- C:\Users\M H\AppData\Local\rl852wj330mmqr47288lc35317u85ux808k2yc5m5cr101
[2012/01/09 22:32:12 | 000,010,918 | -HS- | C] () -- C:\ProgramData\rl852wj330mmqr47288lc35317u85ux808k2yc5m5cr101
[2011/11/29 18:26:41 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2011/11/29 18:26:41 | 000,000,044 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2011/11/23 18:24:20 | 000,016,432 | ---- | C] () -- C:\Windows\System32\lsdelete.exe
[2011/11/22 22:22:30 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/11/22 22:22:30 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/11/22 22:22:30 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/11/22 22:22:30 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/11/22 22:22:30 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/04/21 20:09:24 | 000,000,552 | ---- | C] () -- C:\Users\M H\AppData\Local\d3d8caps.dat
[2011/02/18 22:46:28 | 000,017,408 | ---- | C] () -- C:\Users\M H\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/13 20:48:24 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2011/01/13 20:25:23 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2011/01/13 20:25:23 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2011/01/12 09:43:21 | 000,056,056 | ---- | C] () -- C:\Windows\System32\DLAAPI_W.DLL
[2011/01/12 09:43:21 | 000,000,120 | ---- | C] () -- C:\Windows\wininit.ini
[2011/01/11 20:35:50 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin

========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\HRH Queen Adminia\Desktop\OpenOffice.org 3.2 (en-US) Installation Files:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\HRH Queen Adminia\Desktop\Admin:Roxio EMC Stream

< End of report >
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SBSDWSCService)
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    [2012/07/29 13:15:04 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/01/12 04:06:37 | 000,002,048 | -HS- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\{4b093b68-8c67-1628-5af8-f8e50037688c}\@
    [2012/01/09 22:32:12 | 000,010,918 | -HS- | C] () -- C:\Users\M H\AppData\Local\rl852wj330mmqr47288lc35317u85ux808k2yc5m5cr101
    [2012/01/09 22:32:12 | 000,010,918 | -HS- | C] () -- C:\ProgramData\rl852wj330mmqr47288lc35317u85ux808k2yc5m5cr101
    @Alternate Data Stream - 76 bytes -> C:\Users\HRH Queen Adminia\Desktop\OpenOffice.org 3.2 (en-US) Installation Files:Roxio EMC Stream
    @Alternate Data Stream - 76 bytes -> C:\Users\HRH Queen Adminia\Desktop\Admin:Roxio EMC Stream
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\System32\config\systemprofile\AppData\Local\{4b093b68-8c67-1628-5af8-f8e50037688c}
    
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

============================================

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce a log.
 
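The fix list in the post above removes three kinds of leftover that the OTL report exposed: the hidden+system `{GUID}\@` file under the system profile (the matching `{GUID}\n` was what MBAM flagged earlier), the two hidden files with long random names in ProgramData and the user's AppData\Local, and the service entry whose executable no longer exists. As an added example (not from the thread, and not part of OTL or FRST), here is a small Python triage script that reads OTL report lines and flags those same classes of indicator, plus any hosts-file entry beyond the loopback mapping. The sample lines are constructed in the shape of the log above (three copied from it, the rest benign); the `RANDOM_NAME` heuristic, the rule names and the 30-character threshold are my own assumptions, not rules OTL itself applies.

```python
import re
from dataclasses import dataclass

# Constructed sample input in the shape of the OTL report in this thread:
# three lines copied from it, the rest benign, so the script runs offline.
SAMPLE_OTL_LINES = [
    r"SRV - File not found [Auto | Stopped] -- C:\Program Files\Spybot -- (SBSDWSCService)",
    r"SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"[2012/01/12 04:06:37 | 000,002,048 | -HS- | C] () -- C:\Windows\System32\config\systemprofile\AppData\Local\{4b093b68-8c67-1628-5af8-f8e50037688c}\@",
    r"[2012/01/09 22:32:12 | 000,010,918 | -HS- | C] () -- C:\ProgramData\rl852wj330mmqr47288lc35317u85ux808k2yc5m5cr101",
    r"[2011/11/29 18:26:41 | 000,000,064 | ---- | C] () -- C:\Windows\System32\rp_stats.dat",
    r"[2012/07/29 13:15:04 | 000,000,000 | ---D | C] -- C:\FRST",
]

# OTL file/folder entry: [timestamp | size | attributes | C/M] (company) -- path
FILE_ENTRY = re.compile(
    r"^\[(?P<ts>[\d/ :]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[-A-Z]{4})\s*\|\s*[CM]\]\s*"
    r"(?:\((?P<company>[^)]*)\)\s*)?--\s*(?P<path>.+?)\s*$"
)
# Service or driver entry whose binary is missing on disk.
MISSING_SVC = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<state>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)\s*$"
)
HOSTS_ENTRY = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")

# ZeroAccess/Sirefef-style drop seen in this thread: a {GUID} folder holding a file named "@" or "n".
ZA_GUID_FILE = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\[@n]$", re.IGNORECASE
)
# Heuristic (assumption, not an OTL rule): an extension-less name of 30+ characters mixing letters and digits.
RANDOM_NAME = re.compile(r"\\(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{30,}$", re.IGNORECASE)
# The only hosts entries expected on a clean system are the loopback names.
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def triage_otl(lines):
    """Return the findings a first-pass reviewer would pull out of OTL report lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = MISSING_SVC.match(line)
        if m:
            # Orphaned service: registry still points at a binary that is gone.
            findings.append(Finding("orphaned-service", f"{m['name']} -> {m['path']}"))
            continue
        m = HOSTS_ENTRY.match(line)
        if m and (m["ip"], m["host"]) not in BENIGN_HOSTS:
            findings.append(Finding("hosts-redirect", f"{m['host']} -> {m['ip']}"))
            continue
        m = FILE_ENTRY.match(line)
        if not m:
            continue
        path, attr = m["path"], m["attr"]
        hidden_system = "H" in attr and "S" in attr
        if ZA_GUID_FILE.search(path):
            findings.append(Finding("zeroaccess-guid-drop", path))
        elif hidden_system and RANDOM_NAME.search(path):
            findings.append(Finding("hidden-random-name", path))
    return findings


if __name__ == "__main__":
    for f in triage_otl(SAMPLE_OTL_LINES):
        print(f"{f.rule:22} {f.detail}")
```

The script only reads the report; it deliberately does not delete anything, because on this thread the deletion is done through OTL's fix script after a human has checked the lines. Feed it a saved OTL.txt with `triage_otl(open("OTL.txt").read().splitlines())`; entries with a company name and a present file, like the MsMpEng.exe service line, are ignored on purpose.
 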
I missed one of the OTL logs (extras.txt). Not sure if it's important, but here it is:

OTL Extras logfile created on: 7/30/2012 4:57:57 PM - Run 1
OTL by OldTimer - Version 3.2.55.0 Folder = C:\Users\HRH Queen Adminia\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.87 Gb Total Physical Memory | 1.48 Gb Available Physical Memory | 79.03% Memory free
3.98 Gb Paging File | 3.74 Gb Available in Paging File | 94.09% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 147.32 Gb Free Space | 49.42% Space Free | Partition Type: NTFS
Drive E: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 1.86 Gb Total Space | 1.85 Gb Free Space | 99.37% Space Free | Partition Type: FAT

Computer Name: ARTEMIS | User Name: HRH Queen Adminia | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{0E64B098-8018-4256-BA23-C316A43AD9B0}" = QuickTime
"{0F842B77-56EA-4AAF-8295-81A022350B5E}" = Microsoft Security Client
"{122ADF8C-DDA1-480C-9936-C88F2825B265}" = Apple Application Support
"{166FCF01-AC98-4288-A01C-90BEB808C059}" = Sony RAW Driver
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1EBEC42C-5E3F-4077-933B-411E33A0C3A4}" = Motorola Driver Installation 4.6.0
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23B8A91D-680B-462B-87AD-3D70F7341731}" = iTunes
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{420DFB63-8AE7-F7D6-E4B4-AB6D140221F4}" = FlipShare
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{47BBA5AA-CA6F-4A41-858D-A7A776F29A8B}" = Google SketchUp 8
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50816F92-1652-4A7C-B9BC-48F682742C4B}" = Messenger Companion
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5U8xx Media Driver ver.3.62.02
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{78A96B4C-A643-4D0F-98C2-A8E16A6669F9}" = Windows Live Messenger Companion Core
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_BASICR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_BASICR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_BASICR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_BASICR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_BASICR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_BASICR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_BASICR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_BASICR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{91120000-0013-0000-0000-0000000FF1CE}" = Microsoft Office Basic 2007
"{91120000-0013-0000-0000-0000000FF1CE}_BASICR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{926BD0E8-24A3-41D2-AF9B-340F1A37ED12}" = MobileMe Control Panel
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{932D0FC7-6DF1-4136-A2EC-166E8DEFD6A4}" = Ad-Aware
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B4089055-D468-45A4-A6BA-5A138DD715FC}" = Bing Bar
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C6150D8A-86ED-41D3-87BB-F3BB51B0B77F}" = Windows Live ID Sign-in Assistant
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C779648B-410E-4BBA-B75B-5815BCEFE71D}" = Safari
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{DA7DF8E2-4B8F-4286-97FE-DE3FFFE9B728}" = iCloud
"{DDC5B3E0-C656-4070-9CF0-E592EC60AD42}" = MotoConnect
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"adawaretb" = Ad-Aware Security Toolbar
"Adobe AIR" = Adobe AIR
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.15
"BASICR" = Microsoft Office Basic 2007
"Bejeweled 3" = Bejeweled 3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"WinLiveSuite" = Windows Live Essentials
"World of Warcraft" = World of Warcraft
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-74043557-1430267458-2187411530-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.8

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/30/2012 5:51:45 PM | Computer Name = Artemis | Source = profsvc | ID = 1542
Description = Windows cannot load classes registry file. DETAIL - The specified
path is invalid.

Error - 7/30/2012 5:51:46 PM | Computer Name = Artemis | Source = profsvc | ID = 1542
Description = Windows cannot load classes registry file. DETAIL - The specified
path is invalid.

Error - 7/30/2012 5:51:49 PM | Computer Name = Artemis | Source = profsvc | ID = 1542
Description = Windows cannot load classes registry file. DETAIL - The specified
path is invalid.

Error - 7/30/2012 5:53:19 PM | Computer Name = Artemis | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.0.6002.18005 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: d30 Start Time: 01cd6e9d880f3832 Termination Time: 32

Error - 7/30/2012 5:54:24 PM | Computer Name = Artemis | Source = profsvc | ID = 1542
Description = Windows cannot load classes registry file. DETAIL - The specified
path is invalid.

Error - 7/30/2012 5:54:25 PM | Computer Name = Artemis | Source = profsvc | ID = 1542
Description = Windows cannot load classes registry file. DETAIL - The specified
path is invalid.

Error - 7/30/2012 5:54:27 PM | Computer Name = Artemis | Source = profsvc | ID = 1542
Description = Windows cannot load classes registry file. DETAIL - The specified
path is invalid.

Error - 7/30/2012 5:54:27 PM | Computer Name = Artemis | Source = profsvc | ID = 1542
Description = Windows cannot load classes registry file. DETAIL - The specified
path is invalid.

Error - 7/30/2012 5:56:42 PM | Computer Name = Artemis | Source = profsvc | ID = 1542
Description = Windows cannot load classes registry file. DETAIL - The specified
path is invalid.

Error - 7/30/2012 5:56:58 PM | Computer Name = Artemis | Source = EventSystem | ID = 4609
Description =

[ System Events ]
Error - 7/30/2012 5:57:43 PM | Computer Name = Artemis | Source = Service Control Manager | ID = 7001
Description =

Error - 7/30/2012 5:57:43 PM | Computer Name = Artemis | Source = Service Control Manager | ID = 7003
Description =

Error - 7/30/2012 5:57:43 PM | Computer Name = Artemis | Source = Service Control Manager | ID = 7001
Description =

Error - 7/30/2012 5:57:43 PM | Computer Name = Artemis | Source = Service Control Manager | ID = 7026
Description =

Error - 7/30/2012 5:57:43 PM | Computer Name = Artemis | Source = Service Control Manager | ID = 7001
Description =

Error - 7/30/2012 5:57:43 PM | Computer Name = Artemis | Source = Service Control Manager | ID = 7001
Description =

Error - 7/30/2012 5:57:43 PM | Computer Name = Artemis | Source = Service Control Manager | ID = 7001
Description =

Error - 7/30/2012 5:57:43 PM | Computer Name = Artemis | Source = Service Control Manager | ID = 7001
Description =

Error - 7/30/2012 6:06:32 PM | Computer Name = Artemis | Source = DCOM | ID = 10005
Description =

Error - 7/30/2012 6:06:33 PM | Computer Name = Artemis | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.131.943.0 Update Source: %%859 Update Stage:
%%852 Source Path: Default URL Signature Type: %%800 Update Type: %%803 User: NT AUTHORITY\SYSTEM

Current
Engine Version: Previous Engine Version: 1.1.8601.0 Error code: 0x8007043c Error
description: This service cannot be started in Safe Mode


< End of report >
 
FYI, I had to run OTL.exe in Safe Mode. In normal mode it fails with "A device attached to the system is not functioning."
 
Run the OTL fix from my previous reply from Safe Mode as well, but the other scans from normal mode.
 