WiredWX Christian Hobby Weather Tools
advice on possible virus

Hi Guys,
I had a nasty virus on my desktop recently. Unfortunately my son OKed a registry change and the whole thing crashed. A computer friend is taking the hard drive to his office to try to clean it on another computer. Tonight my daughter's laptop was acting weird. The McAfee security said it hadn't scanned in a month but when I tried to do a full scan it froze at 13% and then I had to turn it off manually. I tried a full scan again and the same thing happened. Turned it off manually and when I turned it on windows did a big check disk thing. I also have some kind of icon that shows blocked startup programs called system configuration utility. I'm thinking it's a virus. Should I run a virus cleanup program? If so, what? Thanks, Judy

Re: advice on possible virus

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

(screenshot: Query_RC)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(screenshot: RC_successful)

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: advice on possible virus

here is my log:
ComboFix 10-01-04.01 - claire 01/05/2010 14:09:43.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2075 [GMT -6:00]
Running from: c:\users\claire\Desktop\commy.exe
Command switches used :: /stepdel
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\$recycle.bin\S-1-5-21-3878062665-890052964-3471927553-500
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-05 20:15 . 2010-01-05 20:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-03 09:00 . 2010-01-03 09:00 -------- d-----w- c:\program files\MSXML 4.0
2010-01-02 06:49 . 2010-01-02 06:50 -------- d-----w- c:\program files\Microsoft Location Finder
2010-01-02 06:49 . 2010-01-02 06:50 -------- d-----w- c:\program files\Microsoft Streets and Trips Essentials
2010-01-02 06:46 . 2010-01-02 06:47 -------- d-----w- c:\program files\Encarta
2010-01-02 06:41 . 2010-01-02 06:45 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2010-01-02 06:39 . 2010-01-02 06:40 -------- d-----w- c:\program files\microsoft money
2010-01-02 06:28 . 2010-01-02 06:28 -------- d-----w- c:\windows\system32\URTTEMP
2010-01-02 06:27 . 2010-01-02 06:27 -------- d-----w- c:\program files\Microsoft Works Suite 2006
2010-01-01 21:08 . 2010-01-01 21:32 -------- d-----w- c:\program files\Snood 4
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\programdata\Norton
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\windows\system32\drivers\NSS
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\program files\Norton Security Scan
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\programdata\NortonInstaller
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\program files\NortonInstaller
2009-12-28 04:53 . 2009-12-28 04:54 -------- d-----w- c:\windows\system32\Adobe
2009-12-26 07:15 . 2009-12-26 07:15 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-09 22:30 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 22:30 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 22:30 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-08 22:57 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 09:03 . 2009-09-26 03:39 -------- d-----w- c:\program files\Microsoft Works
2010-01-02 06:52 . 2009-09-26 00:30 94808 ----a-w- c:\users\claire\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-31 19:11 . 2009-09-26 03:41 -------- d-----w- c:\programdata\Symantec
2009-12-20 21:43 . 2009-09-26 03:51 -------- d-----w- c:\program files\Java
2009-12-14 05:55 . 2009-10-02 01:31 204 ----a-w- c:\users\claire\AppData\Roaming\wklnhst.dat
2009-12-09 23:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 22:30 . 2009-09-26 03:47 -------- d-----w- c:\programdata\Microsoft Help
2009-12-03 01:03 . 2009-09-26 01:05 -------- d-----w- c:\programdata\McAfee
2009-11-27 09:19 . 2009-11-27 09:19 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-27 09:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-27 09:19 . 2009-11-27 09:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-26 19:49 . 2009-11-26 19:49 680 ----a-w- c:\users\claire\AppData\Local\d3d9caps.dat
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-11-26 17:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-21 06:40 . 2009-12-08 22:58 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 22:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-08 22:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-08 22:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 00:48 . 2009-11-17 00:48 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2009-11-17 00:47 . 2009-11-17 00:47 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-11-01 16:31 . 2009-11-01 16:31 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 09:17 . 2009-11-25 09:00 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-11 10:17 . 2009-09-26 01:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 21:08 . 2009-11-27 09:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-11-27 09:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-11-27 09:01 4096 ----a-w- c:\windows\system32\oleaccrc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-26 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-19 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NetFxUpdate_v1.1.4322"="c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" [2004-08-10 106496]

c:\users\claire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d4,e9,fe,19,bf,6e,ca,01

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/25/2009 7:15 PM 93320]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 8:23 PM 21504]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/25/2009 9:50 PM 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 4:25 AM 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-09-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-01-01 c:\windows\Tasks\Norton Security Scan for claire.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-31 19:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 14:15
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\claire\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-01-05 14:18:20
ComboFix-quarantined-files.txt 2010-01-05 20:18

Pre-Run: 59,338,997,760 bytes free
Post-Run: 59,284,090,880 bytes free

- - End Of File - - 21F33F6E7A349B77449BEB974C4C50E7
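The "Reg Loading Points" section of the log above is the part a helper reads first: every `"name"="path" [date size]` line is something that runs at logon. The script below is an added example, not part of this thread and not ComboFix's own code. It parses those lines and attaches review flags using three heuristics of my own: a value in `AppInit_DLLs`, a bare file name with no drive letter (as `sttray.exe` is listed), and a path outside the Windows and Program Files trees. The sample input is copied from the posted log, except the `ExampleOnly` line, which is constructed so the third check has something to fire on; a flag means "look at this", not "this is malware".

```python
import re
from typing import Dict, List

# Constructed sample input: lines copied from the "Reg Loading Points" section of the
# ComboFix log posted in this thread, plus one CONSTRUCTED entry ("ExampleOnly") that is
# not in the posted log and exists only to exercise the non-standard-directory check.
SAMPLE_LOG = r'''
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-26 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"NetFxUpdate_v1.1.4322"="c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" [2004-08-10 106496]
"ExampleOnly"="c:\users\example\AppData\Local\Temp\example.exe" [2010-01-05 12345]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="quoted path" [yyyy-mm-dd size]   or   "name"=unquoted value
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?P<value>"[^"]*"[^\[]*|[^\[]+?)'
    r'(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$'
)

# Directories ComboFix shows most legitimate autostarts living in (8.3 short name included).
STANDARD_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')


def parse_loading_points(text: str) -> List[Dict[str, str]]:
    """Return one record per autostart entry: registry key, value name, launched path, date, size."""
    entries: List[Dict[str, str]] = []
    current_key = ''
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        entry_match = ENTRY_RE.match(line)
        if not entry_match or not current_key:
            continue
        raw_value = entry_match.group('value').strip()
        # Quoted values carry the executable path inside the quotes (arguments may follow).
        path = raw_value[1:raw_value.index('"', 1)] if raw_value.startswith('"') else raw_value
        entries.append({
            'key': current_key,
            'name': entry_match.group('name'),
            'path': path,
            'date': entry_match.group('date') or '',
            'size': entry_match.group('size') or '',
        })
    return entries


def flag_entry(entry: Dict[str, str]) -> List[str]:
    """Review flags for one entry. A flag means 'check this', not 'this is malicious'."""
    flags: List[str] = []
    path = entry['path'].lower()
    if entry['name'].lower() == 'appinit_dlls' and path:
        # Anything in AppInit_DLLs is loaded into every process that maps user32.dll,
        # so the value is worth confirming even when it belongs to a known product.
        flags.append('appinit-dll')
    if not re.match(r'^[a-z]:\\', path) and not path.startswith(('%', '\\\\')):
        # No drive letter: Windows resolves the bare name through its search path at
        # logon, so the registry alone does not tell you which file actually runs.
        flags.append('bare-filename')
    elif not path.startswith(STANDARD_DIRS):
        # Autostarts under user profiles or temp folders are where a second look pays off.
        flags.append('non-standard-dir')
    return flags


def review(text: str) -> Dict[str, List[str]]:
    """Map value name -> flags for every entry that raised at least one flag."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_loading_points(text):
        flags = flag_entry(entry)
        if flags:
            flagged[entry['name']] = flags
    return flagged


if __name__ == '__main__':
    for name, flags in review(SAMPLE_LOG).items():
        print(f'{name}: {", ".join(flags)}')
```

On the posted log this flags only the bare `sttray.exe` entry and the Google Desktop `AppInit_DLLs` value, both belonging to known products; the point is that the flagged set is short enough to verify by hand, which is what the helper does when reading the log.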

Re: advice on possible virus

Please download Cheetah-Anti-Rogue, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.

Re: advice on possible virus

Cheetah Anti-Rogue v1.0.22
by DragonMaster Jay

Microsoft Windows [Version 6.0.6002]
Tue 01/05/2010 16:20:42.03


-- Known infection --



If objects found, full virus scan or anti-malware scan necessary


EOF

Re: advice on possible virus

Please download Malwarebytes Anti-Malware from here.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: advice on possible virus

DragonMaster Jay,
Tried to run Mbam. Kept freezing and I had to turn off the computer manually after it sat there for over 15 minutes each time it got to a certain point. Ran it in safe mode 3 times. It detected 3 infected files but would freeze up again and I would have to manually shut down the computer.
The last two times in safe mode I noted that it stopped at this file
c:\backup\09-09-25 0553PM\Windows\Installer\$PatchCache$\Manger\00002119F20000000000000000F01Fec\12.0.6215\MSO.DLL
Again, I would have to manually shut down the computer even in safe mode.
I did have to do a factory restore and it may have been around Sept. 9, 09 if that helps at all.

Thanks for all your time.
Judy

Re: advice on possible virus

Please download the Kaspersky AVP Tool from Kaspersky-labs.com.
  • Save it to your desktop.
  • Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

    • System Memory
    • Startup Objects
    • Disk Boot Sectors.
    • My Computer.
    • Also any other drives (Removable that you may have)

After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back to the main screen.

  • Then click on Scan at the top right hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then choose the delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file; name it Kas.
  • Save it somewhere convenient like your desktop and just post only the detected virus\malware in the report (it will be at the very top under Detected). Post those results in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.

Re: advice on possible virus

I am scanning with Kaspersky in safe mode right now. It seems to have frozen during the autoscan about the same place c:\backup\09-09-250554p...\system.speech.dll. This is the same spot McAfee would freeze and that got my attention to contact geekpolice.

I will let it go a while longer (it's been frozen for about 10 minutes). Then I will probably shut down the computer and try to run Kaspersky again.
Questions: I still want my McAfee virusscan, et al. turned off for this right? When I set up the Kaspersky autoscan I did not check Partion_1 (c:), Recovery (d:), but I did check CD Drive (e:) as well as the other items you listed to be checked. Is that correct?
Thanks, Judy

Re: advice on possible virus

Ok.

Go to the link below and download Microsoft Malicious Tool remover.

http://www.microsoft.com/security/malwareremove/default.mspx

After you have installed and run it, come back and tell me if there has been a change.

Re: advice on possible virus

OK, I will. BTW, I did get Kaspersky to run again for awhile. It said it found 7 items and at least one was a trojan...Trojan-dropper.Win32.Agent.azhd. It could not neutralize so I had it delete and then the system froze again. Kaspersky never could finish the scan and the computer did a crash dump that said STOP:0x00008086.
Judy

Re: advice on possible virus

Well, let's see what Microsoft's tool says. Smile...

Re: advice on possible virus

Running Microsoft Mal Removal on the laptop and it is frozen at the same file
McAfee froze at C:\Backup\09-09-25 0554PM\Program Files\Reference Assemblies\...\System.Speech.dll
Still have it running but it hasn't done anything for about 15 min.

Re: advice on possible virus

Hey DragonMaster Jay,
FYI, there is an icon on my toolbar that says "blocked startup programs". When I click on it, it has a user account control window come up (this is w/ Vista) and asks if I started this action click continue. It lists System Configuration Utility by Microsoft Windows. I'm suspicious that this is part of the virus-scam so I have not clicked continue to open it but have x-ed out of it. Could this be causing all the malware programs to freeze before completing?

Re: advice on possible virus

Not sure.

Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).
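A RootRepeal report is mostly `Path:` / `Status:` pairs, and most of them say `Locked to the Windows API!`, so the useful skill is sorting the noise from the lines worth a question. The script below is an added example, not part of this thread and not RootRepeal's own code. It parses the report into records by section and puts each one in one of three tiers: `expected` for files the OS itself keeps locked (hiberfil.sys, pagefile.sys, System Volume Information) and for drivers that are invisible by design (the `dump_*` crash-dump copy of the storage driver, and the scanner's own `rootrepeal.sys`), `locked` for any other locked entry such as the winsxs catalogs, and `inspect` for every other status. Those allowlists and tiers are this example's own assumptions, not anything RootRepeal states. The sample report is an excerpt, in RootRepeal's layout, of the report Judy posts further down in this thread.

```python
import re
from typing import Dict, List

# Constructed sample report: excerpts, in RootRepeal's report layout, of the report Judy
# posted later in this thread (the two drivers, hiberfil.sys, one System Volume Information
# entry, one winsxs catalog, the mcmsc_ temp file and the MEMORY.DMP entry).
SAMPLE_REPORT = r'''ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/07 08:36
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8D600000 Size: 815104 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA899F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: c:\windows\temp\mcmsc_fwodpsuynvnvpij
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\BACKUP\09-09-25 0554PM\Windows\MEMORY.DMP
Status: Visible to the Windows API, but not on disk.
'''

SECTION_UNDERLINE = re.compile(r'^-{5,}$')
DRIVER_DETAIL = re.compile(
    r'^Address:\s*(?P<address>\S+)\s+Size:\s*(?P<size>\d+)\s+'
    r'File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)$'
)

# Files the OS itself keeps locked on any Vista box; a "Locked" status there is expected.
# winsxs catalogs are deliberately NOT on this list: they stay low-signal, not cleared.
OS_LOCKED_PREFIXES = ('c:\\hiberfil.sys', 'c:\\pagefile.sys', 'c:\\system volume information\\')
# dump_* is the crash-dump copy of the storage driver that Windows keeps in memory only;
# rootrepeal.sys is the scanner's own driver. Both report "File Visible: No" by design.
KNOWN_INVISIBLE_DRIVERS = ('dump_', 'rootrepeal')


def parse_report(text: str) -> List[Dict[str, str]]:
    """Split the report into records; each record carries its section name and its fields."""
    lines = text.splitlines()
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    section = None
    for idx, raw in enumerate(lines):
        line = raw.strip()
        if idx + 1 < len(lines) and SECTION_UNDERLINE.match(lines[idx + 1].strip()):
            section = line          # a heading is the line just above a dashed underline
            continue
        if section is None or SECTION_UNDERLINE.match(line):
            continue                # banner before the first section, or the dashes themselves
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        detail = DRIVER_DETAIL.match(line)
        if detail:
            current.update(detail.groupdict())
        elif ':' in line:
            key, _, value = line.partition(':')
            current[key.strip().lower().replace(' ', '_')] = value.strip()
        current['section'] = section
    if current:
        records.append(current)
    return records


def classify(record: Dict[str, str]) -> str:
    """'expected' = OS or scanner artefact; 'locked' = low-signal lock; 'inspect' = anything else."""
    if record['section'] == 'Drivers':
        hidden = record.get('visible', '').lower() == 'no'
        known = record.get('name', '').lower().startswith(KNOWN_INVISIBLE_DRIVERS)
        return 'inspect' if hidden and not known else 'expected'
    path = record.get('path', '').lower()
    if record.get('status', '').startswith('Locked to the Windows API'):
        return 'expected' if path.startswith(OS_LOCKED_PREFIXES) else 'locked'
    return 'inspect'            # size mismatches, "not on disk", anything unfamiliar


def triage(text: str) -> Dict[str, List[str]]:
    """Bucket every record so the 'inspect' list can be read first."""
    tiers: Dict[str, List[str]] = {'inspect': [], 'locked': [], 'expected': []}
    for record in parse_report(text):
        tiers[classify(record)].append(record.get('path') or record.get('name', '?'))
    return tiers


if __name__ == '__main__':
    for tier, items in triage(SAMPLE_REPORT).items():
        print(f'{tier} ({len(items)})')
        for item in items:
            print(f'  {item}')
```

On the excerpt this leaves exactly two lines in `inspect`: the McAfee temp file with the allocation-size mismatch and the MEMORY.DMP entry under the backup folder that the API lists but the raw disk does not. Neither is a verdict; they are simply the two findings a helper would ask about before touching anything.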

Re: advice on possible virus

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/07 08:36
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8D600000 Size: 815104 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA899F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{796b1184-f747-11de-9398-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{796b11be-f747-11de-9398-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{796b11c3-f747-11de-9398-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{796b11c8-f747-11de-9398-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{796b11cc-f747-11de-9398-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{796b11d0-f747-11de-9398-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{a87c9cdd-edaf-11de-9565-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c11cce69-daf3-11de-bd15-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ca50f2c8-f8ab-11de-a480-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{dfbc5b63-e291-11de-ab86-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{e9b8db77-dc4d-11de-9f3f-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ebc3296a-f8e0-11de-84f5-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{796b1180-f747-11de-9398-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{212afee6-e511-11de-952f-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{572d5a38-f329-11de-a662-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{68a57de3-e06b-11de-a60c-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6920deec-e129-11de-b0b2-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6e23ee60-f7f8-11de-9ade-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6e23ee6c-f7f8-11de-9ade-00e0b8fbcd07}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\System32\GATHER~1.XSL
Status: Locked to the Windows API!

Path: c:\windows\temp\mcmsc_fwodpsuynvnvpij
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\BACKUP\09-09-25 0554PM\Windows\MEMORY.DMP
Status: Visible to the Windows API, but not on disk.

Path: C:\Windows\PLA\Reports\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\PLA\Rules\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\PLA\System\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\System32\XPSViewer\XPSVIE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9876.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9876.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.none.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE5F3C~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE5FBC~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE6DB5~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE9AEB~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-s..ent-sku-homepremium_31bf3856ad364e35_6.0.6002.18005_none_3d90d406f6a60fcd\SE54EE~1.XRM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.16884_none_9a0b894107fccf79\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.16884_none_9a0b894107fccf79\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.21082_none_9a92fd9a211c6fd7\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6000.21082_none_9a92fd9a211c6fd7\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.18288_none_9bf5c90f051fc5c6\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6001.22468_none_9c9507981e2d2ad5\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18005_none_9e2fbb5f0207ec84\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.18064_none_9deddb8d02397ad3\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\GATHER~1.VBS
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\GATHER~1.XSL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\REPORT~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\RULESS~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wlansvc_31bf3856ad364e35_6.0.6002.22170_none_9e68a7441b62d132\WIRELE~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_e2c358ab062e054b\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_cbfb6f4f1fd04a3e\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_e29e3d61068011ec\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.0.6001.22230_none_cbd2adfd20258aff\WEB_MI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_reg_31bf3856ad364e35_6.0.6000.16708_none_c4f661e592b1c88e\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_reg_31bf3856ad364e35_6.0.6000.20864_none_c53b1e00ac03aaa2\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_reg_31bf3856ad364e35_6.0.6001.18096_none_c6794ec590232523\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_reg_31bf3856ad364e35_6.0.6001.22208_none_c7663d56a8f5f949\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_vrg_31bf3856ad364e35_6.0.6000.16708_none_cab9e41b8efd69ed\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_vrg_31bf3856ad364e35_6.0.6000.20864_none_cafea036a84f4c01\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_vrg_31bf3856ad364e35_6.0.6001.18096_none_cc3cd0fb8c6ec682\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_vrg_31bf3856ad364e35_6.0.6001.22208_none_cd29bf8ca5419aa8\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6000.16708_none_f87832f6f02b1a0c\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6000.20864_none_f8bcef12097cfc20\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6001.18096_none_f9fb1fd6ed9c76a1\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_reg_31bf3856ad364e35_6.0.6000.16708_none_74dcd7a292078251\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_reg_31bf3856ad364e35_6.0.6000.20864_none_752193bdab596465\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_reg_31bf3856ad364e35_6.0.6001.18096_none_765fc4828f78dee6\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_reg_31bf3856ad364e35_6.0.6001.22208_none_774cb313a84bb30c\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6000.16708_none_7aa059d88e5323b0\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6000.20864_none_7ae515f3a7a505c4\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6001.18096_none_7c2346b88bc48045\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_vrg_31bf3856ad364e35_6.0.6001.22208_none_7d103549a497546b\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_sm_mof_31bf3856ad364e35_6.0.6000.16708_none_c29392a082f7409d\SERVIC~1.UNI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_end_perf_h_31bf3856ad364e35_6.0.6000.20864_none_24101549d032590a\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_h_31bf3856ad364e35_6.0.6001.22208_none_fae80e68066f4ac7\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_reg_31bf3856ad364e35_6.0.6001.22208_none_c8512a7445976b57\_SERVI~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6000.16720_none_2c88b9b71ca44e71\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6000.20883_none_15c0d05b36469364\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6001.18111_none_2c639e6d1cf65b12\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-aspnet_webmedtrust_config_b03f5f7f11d50a3a_6.0.6001.22230_none_15980f09369bd425\WEB_ME~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6000.16720_none_ea4958dde0dcb61b\_DATAP~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6000.16720_none_ea4958dde0dcb61b\_DATAP~2.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6000.20883_none_d3816f81fa7efb0e\_DATAP~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6000.20883_none_d3816f81fa7efb0e\_DATAP~2.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6001.18111_none_ea243d93e12ec2bc\_DATAP~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6001.18111_none_ea243d93e12ec2bc\_DATAP~2.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6001.22230_none_d358ae2ffad43bcf\_DATAP~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-data_perf_h_b03f5f7f11d50a3a_6.0.6001.22230_none_d358ae2ffad43bcf\_DATAP~2.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.0.6000.16720_none_879a188098bde787\CSCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.0.6000.20883_none_70d22f24b2602c7a\CSCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.0.6001.18111_none_8774fd36990ff428\CSCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.0.6001.22230_none_70a96dd2b2b56d3b\CSCEXE~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-dv_aspnetmmc_chm_res_b03f5f7f11d50a3a_6.0.6000.16720_none_f49cbb9015dc43b3\DV_ASP~1.CHM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-dv_aspnetmmc_chm_res_b03f5f7f11d50a3a_6.0.6000.20883_none_ddd4d2342f7e88a6\DV_ASP~1.CHM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-dv_aspnetmmc_chm_res_b03f5f7f11d50a3a_6.0.6001.18111_none_f477a046162e5054\DV_ASP~1.CHM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-dv_aspnetmmc_chm_res_b03f5f7f11d50a3a_6.0.6001.22230_none_ddac10e22fd3c967\DV_ASP~1.CHM
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6000.16720_none_9b01a5fdd9371aff\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6000.20883_none_9b4d641ef282ae74\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6001.18111_none_9cf3b4d9d654a956\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_netfx-config_files_.._gacutil_exe_config_31bf3856ad364e35_6.0.6001.22230_none_9d66b182ef8367ab\GACUTI~1.CON
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6001.18096_none_8023fb392e87c40a\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6001.18096_none_8023fb392e87c40a\_TRANS~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6001.22208_none_8110e9ca475a9830\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6001.22208_none_8110e9ca475a9830\_TRANS~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_reg_31bf3856ad364e35_6.0.6000.16708_none_7ab8208b3397ed7d\_TRANS~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_reg_31bf3856ad364e35_6.0.6000.20864_none_7afcdca64ce9cf91\_TRANS~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_reg_31bf3856ad364e35_6.0.6001.18096_none_7c3b0d6b31094a12\_TRANS~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_reg_31bf3856ad364e35_6.0.6001.22208_none_7d27fbfc49dc1e38\_TRANS~1.REG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6000.16708_none_807ba2c12fe38edc\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6000.20864_none_80c05edc493570f0\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6001.18096_none_81fe8fa12d54eb71\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_vrg_31bf3856ad364e35_6.0.6001.22208_none_82eb7e324627bf97\_TRANS~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6000.16708_none_c71adcbf2e98b7f5\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6000.20864_none_c75f98da47ea9a09\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6001.18096_none_c89dc99f2c0a148a\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_vrg_31bf3856ad364e35_6.0.6001.22208_none_c98ab83044dce8b0\_SERVI~1.VRG
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.0.6000.16708_none_9958372092944487\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.0.6000.20864_none_999cf33babe6269b\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.0.6001.18096_none_9adb24009005a11c\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_h_31bf3856ad364e35_6.0.6001.22208_none_9bc81291a8d87542\_SERVI~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6000.16708_none_78c5c5708f85fc49\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6000.16708_none_78c5c5708f85fc49\_SERVI~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6000.20864_none_790a818ba8d7de5d\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6000.20864_none_790a818ba8d7de5d\_SERVI~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6001.18096_none_7a48b2508cf758de\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6001.18096_none_7a48b2508cf758de\_SERVI~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6001.22208_none_7b35a0e1a5ca2d04\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_svc_perf_ini_31bf3856ad364e35_6.0.6001.22208_none_7b35a0e1a5ca2d04\_SERVI~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wwf-cwetargets_i_31bf3856ad364e35_6.0.6002.18005_none_a247400ed5fa688d\WORKFL~1.TAR
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_h_31bf3856ad364e35_6.0.6000.16708_none_b25b01638e2dbfa3\_TRANS~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_h_31bf3856ad364e35_6.0.6000.20864_none_b29fbd7ea77fa1b7\_TRANS~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_h_31bf3856ad364e35_6.0.6001.18096_none_b3ddee438b9f1c38\_TRANS~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_h_31bf3856ad364e35_6.0.6001.22208_none_b4cadcd4a471f05e\_TRANS~1.H
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6000.16708_none_7ea10e5931166775\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6000.16708_none_7ea10e5931166775\_TRANS~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6000.20864_none_7ee5ca744a684989\_TRANS~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_tx_bridge_perf_c_ini_31bf3856ad364e35_6.0.6000.20864_none_7ee5ca744a684989\_TRANS~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6000.16708_none_c1843fad322b4004\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6000.16708_none_c1843fad322b4004\_SERVI~2.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf_c_ini_31bf3856ad364e35_6.0.6000.20864_none_c1c8fbc84b7d2218\_SERVI~1.INI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_wcf-m_svc_mod_op_perf

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1240 Status: Locked to the Windows API!

==EOF==

Re: advice on possible virus
Sorry, I didn't see page 2, so I posted the file again. Just edited the file out of this post.
Judy

Last edited by judyjudy on 7th January 2010, 5:34 pm; edited 1 time in total (Reason for editing: already sent file)

Re: advice on possible virus
Re-running ComboFix:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DirLook::
    c:\windows\temp\mcmsc_fwodpsuynvnvpij
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: advice on possible virus
Ran ComboFix as you instructed. I am posting from another laptop now because my computer will not allow me to do anything. If I click on C:\combofix I get a window that says "illegal operation attempted on a registry key that has been marked for deletion". I still have the ComboFix notepad open in my taskbar menu, but when I try to reconnect to Internet Explorer I get a window that says the same thing, and when I X out of that I get a window titled Internet that says "The item you selected is unavailable. It might have been moved, renamed, or removed. Do you want to remove it from the list?"

What now?

Re: advice on possible virus
Started laptop in safe mode and was able to get online.

ComboFix 10-01-04.01 - claire 01/07/2010 18:12:53.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1674 [GMT -6:00]
Running from: c:\users\claire\Desktop\commy.exe
Command switches used :: c:\users\claire\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 00:17 . 2010-01-08 00:17 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-08 00:17 . 2010-01-08 00:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-07 14:34 . 2010-01-07 14:34 0 ----a-w- c:\windows\system32\settings.dat
2010-01-07 00:16 . 2010-01-07 00:16 -------- d-----w- C:\576977e1acd33bf2c3d252fb9f478689
2010-01-06 21:42 . 2010-01-06 21:42 -------- d-----w- C:\d94631834e44ccfcac57
2010-01-06 15:30 . 2010-01-06 20:16 -------- d-----w- c:\programdata\Kaspersky Lab
2010-01-06 14:32 . 2010-01-06 14:32 -------- d-----w- C:\found.000
2010-01-06 03:05 . 2010-01-06 03:05 -------- d-----w- c:\users\claire\AppData\Roaming\Malwarebytes
2010-01-06 03:05 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 03:05 . 2010-01-06 03:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 03:05 . 2010-01-06 03:05 -------- d-----w- c:\programdata\Malwarebytes
2010-01-06 03:05 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 09:00 . 2010-01-03 09:00 -------- d-----w- c:\program files\MSXML 4.0
2010-01-02 06:49 . 2010-01-02 06:50 -------- d-----w- c:\program files\Microsoft Location Finder
2010-01-02 06:49 . 2010-01-02 06:50 -------- d-----w- c:\program files\Microsoft Streets and Trips Essentials
2010-01-02 06:46 . 2010-01-02 06:47 -------- d-----w- c:\program files\Encarta
2010-01-02 06:41 . 2010-01-02 06:45 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2010-01-02 06:39 . 2010-01-02 06:40 -------- d-----w- c:\program files\microsoft money
2010-01-02 06:28 . 2010-01-02 06:28 -------- d-----w- c:\windows\system32\URTTEMP
2010-01-02 06:27 . 2010-01-02 06:27 -------- d-----w- c:\program files\Microsoft Works Suite 2006
2010-01-01 21:08 . 2010-01-01 21:32 -------- d-----w- c:\program files\Snood 4
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\programdata\Norton
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\windows\system32\drivers\NSS
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\program files\Norton Security Scan
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\programdata\NortonInstaller
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\program files\NortonInstaller
2009-12-28 04:53 . 2009-12-28 04:54 -------- d-----w- c:\windows\system32\Adobe
2009-12-26 07:15 . 2009-12-26 07:15 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-09 22:30 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 22:30 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 22:30 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 09:03 . 2009-09-26 03:39 -------- d-----w- c:\program files\Microsoft Works
2010-01-02 06:52 . 2009-09-26 00:30 94808 ----a-w- c:\users\claire\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-31 19:11 . 2009-09-26 03:41 -------- d-----w- c:\programdata\Symantec
2009-12-20 21:43 . 2009-09-26 03:51 -------- d-----w- c:\program files\Java
2009-12-14 05:55 . 2009-10-02 01:31 204 ----a-w- c:\users\claire\AppData\Roaming\wklnhst.dat
2009-12-09 23:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 22:30 . 2009-09-26 03:47 -------- d-----w- c:\programdata\Microsoft Help
2009-12-03 01:03 . 2009-09-26 01:05 -------- d-----w- c:\programdata\McAfee
2009-11-27 09:19 . 2009-11-27 09:19 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-27 09:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-27 09:19 . 2009-11-27 09:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-26 19:49 . 2009-11-26 19:49 680 ----a-w- c:\users\claire\AppData\Local\d3d9caps.dat
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-11-26 17:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-21 06:40 . 2009-12-08 22:58 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 22:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-08 22:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-08 22:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 00:48 . 2009-11-17 00:48 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2009-11-17 00:47 . 2009-11-17 00:47 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-11-01 16:31 . 2009-11-01 16:31 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 09:17 . 2009-11-25 09:00 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-11 10:17 . 2009-09-26 01:37 411368 ----a-w- c:\windows\system32\deploytk.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\temp\mcmsc_fwodpsuynvnvpij ----



((((((((((((((((((((((((((((( SnapShot@2010-01-05_20.16.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-01-07 14:25 39912 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-01-07 14:25 69504 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-09-26 03:32 . 2010-01-05 19:34 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-26 03:32 . 2010-01-07 14:25 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-09-26 03:31 . 2010-01-07 14:25 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-26 03:31 . 2010-01-05 19:34 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-09-26 03:32 . 2010-01-05 19:34 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-26 03:32 . 2010-01-07 14:25 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-09-26 00:51 . 2010-01-07 14:25 8658 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3878062665-890052964-3471927553-1000_UserData.bin
- 2010-01-05 19:32 . 2010-01-05 20:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-07 14:22 . 2010-01-07 14:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-01-05 19:32 . 2010-01-05 20:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-07 14:22 . 2010-01-07 14:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-26 19:41 . 2010-01-08 00:05 207968 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2010-01-05 20:07 604452 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-01-07 14:29 604452 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-01-05 20:07 105376 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-01-07 14:29 105376 c:\windows\System32\perfc009.dat
- 2006-11-02 10:24 . 2009-12-01 20:06 25966024 c:\windows\System32\mrt.exe
+ 2006-11-02 10:24 . 2009-12-01 18:06 25966024 c:\windows\System32\mrt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-26 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-19 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NetFxUpdate_v1.1.4322"="c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" [2004-08-10 106496]

c:\users\claire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d4,e9,fe,19,bf,6e,ca,01

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/25/2009 7:15 PM 93320]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 8:23 PM 21504]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/25/2009 9:50 PM 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [1/5/2010 9:05 PM 38224]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 4:25 AM 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-09-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-01-01 c:\windows\Tasks\Norton Security Scan for claire.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-31 19:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 18:18
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5224)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
.
Completion time: 2010-01-07 18:20:25
ComboFix-quarantined-files.txt 2010-01-08 00:20
ComboFix2.txt 2010-01-05 20:18

Pre-Run: 60,497,879,040 bytes free
Post-Run: 59,249,213,440 bytes free

- - End Of File - - 312EFB1025DC8B8BD509FF9784438812

Re: advice on possible virus

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    DirLook::
    C:\found.000
    C:\d94631834e44ccfcac57
    C:\576977e1acd33bf2c3d252fb9f478689
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

Re: advice on possible virus

ComboFix 10-01-04.01 - claire 01/08/2010 6:43.4.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2667 [GMT -6:00]
Running from: c:\users\claire\Desktop\commy.exe
Command switches used :: c:\users\claire\Desktop\CFscript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 12:50 . 2010-01-08 12:50 -------- d-----w- c:\users\claire\AppData\Local\temp
2010-01-08 12:50 . 2010-01-08 12:50 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-08 12:50 . 2010-01-08 12:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-08 12:41 . 2010-01-08 12:41 -------- d-----w- C:\32788R22FWJFW
2010-01-07 14:34 . 2010-01-07 14:34 0 ----a-w- c:\windows\system32\settings.dat
2010-01-07 00:16 . 2010-01-07 00:16 -------- d-----w- C:\576977e1acd33bf2c3d252fb9f478689
2010-01-06 21:42 . 2010-01-06 21:42 -------- d-----w- C:\d94631834e44ccfcac57
2010-01-06 15:30 . 2010-01-06 20:16 -------- d-----w- c:\programdata\Kaspersky Lab
2010-01-06 14:32 . 2010-01-06 14:32 -------- d-----w- C:\found.000
2010-01-06 03:05 . 2010-01-06 03:05 -------- d-----w- c:\users\claire\AppData\Roaming\Malwarebytes
2010-01-06 03:05 . 2009-12-30 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-06 03:05 . 2010-01-06 03:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-06 03:05 . 2010-01-06 03:05 -------- d-----w- c:\programdata\Malwarebytes
2010-01-06 03:05 . 2009-12-30 20:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 09:00 . 2010-01-03 09:00 -------- d-----w- c:\program files\MSXML 4.0
2010-01-02 06:49 . 2010-01-02 06:50 -------- d-----w- c:\program files\Microsoft Location Finder
2010-01-02 06:49 . 2010-01-02 06:50 -------- d-----w- c:\program files\Microsoft Streets and Trips Essentials
2010-01-02 06:46 . 2010-01-02 06:47 -------- d-----w- c:\program files\Encarta
2010-01-02 06:41 . 2010-01-02 06:45 -------- d-----w- c:\program files\Microsoft Digital Image 2006
2010-01-02 06:39 . 2010-01-02 06:40 -------- d-----w- c:\program files\microsoft money
2010-01-02 06:28 . 2010-01-02 06:28 -------- d-----w- c:\windows\system32\URTTEMP
2010-01-02 06:27 . 2010-01-02 06:27 -------- d-----w- c:\program files\Microsoft Works Suite 2006
2010-01-01 21:08 . 2010-01-01 21:32 -------- d-----w- c:\program files\Snood 4
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\programdata\Norton
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\windows\system32\drivers\NSS
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\program files\Norton Security Scan
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\programdata\NortonInstaller
2009-12-31 19:11 . 2009-12-31 19:11 -------- d-----w- c:\program files\NortonInstaller
2009-12-28 04:53 . 2009-12-28 04:54 -------- d-----w- c:\windows\system32\Adobe
2009-12-26 07:15 . 2009-12-26 07:15 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-09 22:30 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 22:30 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 22:30 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 09:03 . 2009-09-26 03:39 -------- d-----w- c:\program files\Microsoft Works
2010-01-02 06:52 . 2009-09-26 00:30 94808 ----a-w- c:\users\claire\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-31 19:11 . 2009-09-26 03:41 -------- d-----w- c:\programdata\Symantec
2009-12-20 21:43 . 2009-09-26 03:51 -------- d-----w- c:\program files\Java
2009-12-14 05:55 . 2009-10-02 01:31 204 ----a-w- c:\users\claire\AppData\Roaming\wklnhst.dat
2009-12-09 23:04 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 22:30 . 2009-09-26 03:47 -------- d-----w- c:\programdata\Microsoft Help
2009-12-03 01:03 . 2009-09-26 01:05 -------- d-----w- c:\programdata\McAfee
2009-11-27 09:19 . 2009-11-27 09:19 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-27 09:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-27 09:19 . 2009-11-27 09:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-26 19:49 . 2009-11-26 19:49 680 ----a-w- c:\users\claire\AppData\Local\d3d9caps.dat
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-11-26 17:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-11-26 17:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-21 06:40 . 2009-12-08 22:58 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 22:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-08 22:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-08 22:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 00:48 . 2009-11-17 00:48 652296 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsTemplate\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2009-11-17 00:47 . 2009-11-17 00:47 416128 ----a-w- c:\programdata\Microsoft\eHome\Packages\NetTV\Browse\NetTVResources.dll
2009-11-01 16:31 . 2009-11-01 16:31 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 09:17 . 2009-11-25 09:00 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-11 10:17 . 2009-09-26 01:37 411368 ----a-w- c:\windows\system32\deploytk.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\576977e1acd33bf2c3d252fb9f478689 ----

2010-01-07 00:16 . 2010-01-07 00:16 788 ---ha-w- c:\576977e1acd33bf2c3d252fb9f478689\$shtdwn$.req
2009-12-01 18:06 . 2009-12-01 18:06 25966024 ----a-w- c:\576977e1acd33bf2c3d252fb9f478689\mrt.exe
2009-12-01 18:06 . 2009-12-01 18:06 57800 ----a-w- c:\576977e1acd33bf2c3d252fb9f478689\mrtstub.exe

---- Directory of C:\d94631834e44ccfcac57 ----

2010-01-06 21:42 . 2010-01-06 21:42 788 ---ha-w- c:\d94631834e44ccfcac57\$shtdwn$.req
2009-12-01 18:06 . 2009-12-01 18:06 25966024 ----a-w- c:\d94631834e44ccfcac57\mrt.exe
2009-12-01 18:06 . 2009-12-01 18:06 57800 ----a-w- c:\d94631834e44ccfcac57\mrtstub.exe

---- Directory of C:\found.000 ----

2008-02-05 05:23 . 2010-01-06 03:45 33988608 ----a-w- c:\found.000\file0000.chk


((((((((((((((((((((((((((((( SnapShot@2010-01-05_20.16.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2010-01-07 14:25 39912 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-01-07 14:25 69504 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-09-26 03:32 . 2010-01-08 00:20 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-26 03:32 . 2010-01-05 19:34 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-09-26 03:31 . 2010-01-05 19:34 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-26 03:31 . 2010-01-08 00:20 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-09-26 03:32 . 2010-01-08 00:20 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-09-26 03:32 . 2010-01-05 19:34 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-11-28 07:20 . 2010-01-08 01:24 1836 c:\windows\System32\WDI\ERCQueuedResolutions.dat
- 2009-11-28 07:20 . 2009-11-28 07:20 1836 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2009-09-26 00:51 . 2010-01-07 14:25 8658 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3878062665-890052964-3471927553-1000_UserData.bin
- 2010-01-05 19:32 . 2010-01-05 20:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-08 12:33 . 2010-01-08 12:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-01-08 12:33 . 2010-01-08 12:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-01-05 19:32 . 2010-01-05 20:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-26 19:41 . 2010-01-08 01:22 208192 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2010-01-08 12:38 603466 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-01-08 12:38 104792 c:\windows\System32\perfc009.dat
- 2006-11-02 10:24 . 2009-12-01 20:06 25966024 c:\windows\System32\mrt.exe
+ 2006-11-02 10:24 . 2009-12-01 18:06 25966024 c:\windows\System32\mrt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-26 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-02 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-26 865840]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-19 30192]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SigmatelSysTrayApp"="sttray.exe" [2007-09-07 405504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"NetFxUpdate_v1.1.4322"="c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" [2004-08-10 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\claire\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d4,e9,fe,19,bf,6e,ca,01

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/25/2009 7:15 PM 93320]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 8:23 PM 21504]
S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/25/2009 9:50 PM 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [1/5/2010 9:05 PM 38224]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 4:25 AM 2589184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-09-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-01-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 17:22]

2010-01-01 c:\windows\Tasks\Norton Security Scan for claire.job
- c:\program files\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-31 19:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6827
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce- - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 06:50
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-01-08 06:52:19
ComboFix-quarantined-files.txt 2010-01-08 12:52
ComboFix2.txt 2010-01-08 00:20
ComboFix3.txt 2010-01-05 20:18

Pre-Run: 62,282,813,440 bytes free
Post-Run: 62,233,145,344 bytes free

- - End Of File - - 940D3AA378AC869365C8EB3622497EBB

Re: advice on possible virus

Please delete this folder:
c:\found.000

==
Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: advice on possible virus

Was running the scan when I got the "blue screen" that said something about a bad disk (maybe, it flashed on the screen too quickly). I rebooted in safe mode and went to C: and this text looks like it occurred at the disk check at reboot. What now???

Checking file system on C:
The type of the file system is NTFS.
Volume label is Partition_1.

One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
248960 file records processed.

1026 large file records processed.

0 bad file records processed.

0 EA records processed.

78 reparse records processed.

Unable to locate the file name attribute of index entry PenIMC.dll
of index $I30 with parent 0x51b in file 0x1897f.
Deleting index entry PenIMC.dll in index $I30 of file 1307.
Unable to locate the file name attribute of index entry PresentationFontCache.exe
of index $I30 with parent 0x51b in file 0x17f9e.
Deleting index entry PresentationFontCache.exe in index $I30 of file 1307.
Unable to locate the file name attribute of index entry PresentationFontCache.exe.config
of index $I30 with parent 0x51b in file 0x17eb4.
Deleting index entry PresentationFontCache.exe.config in index $I30 of file 1307.
Unable to locate the file name attribute of index entry PresentationHostDLL.dll
of index $I30 with parent 0x51b in file 0x1806b.
Deleting index entry PresentationHostDLL.dll in index $I30 of file 1307.
Unable to locate the file name attribute of index entry wpfgfx_v0300.dll
of index $I30 with parent 0x51b in file 0x193e7.
Deleting index entry wpfgfx_v0300.dll in index $I30 of file 1307.
326870 index entries processed.

CHKDSK is recovering lost files.
Recovering orphaned file PresentationFontCache.exe.config (97972) into directory file 1307.
Recovering orphaned file PresentationFontCache.exe (98206) into directory file 1307.
Recovering orphaned file PresentationHostDLL.dll (98411) into directory file 1307.
Recovering orphaned file PenIMC.dll (100735) into directory file 1307.
5 unindexed files processed.

Recovering orphaned file wpfgfx_v0300.dll (103399) into directory file 1307.
248960 security descriptors processed.

Cleaning up 36 unused index entries from index $SII of file 0x9.
Cleaning up 36 unused index entries from index $SDH of file 0x9.
Cleaning up 36 unused security descriptors.
38956 data files processed.

CHKDSK is verifying Usn Journal...
The remaining of an USN page at offset 0xdb427268 in file 0xb74e
should be filled with zeros.
The USN Journal entry at offset 0xdb428000 and length 0x8c25d crosses
the page boundary.
The USN Journal entry at offset 0xdb429000 and length 0x55390a7d crosses
the page boundary.
The USN Journal entry at offset 0xdb42a000 and length 0x531075ff crosses
the page boundary.
The USN Journal entry at offset 0xdb42b000 and length 0x5e2c149 crosses
the page boundary.
The USN Journal entry at offset 0xdb42c000 and length 0x5724458b crosses
the page boundary.
The USN Journal entry length 0x9b at offset 0xdb42d000 in file
0xb74e is not aligned.
The USN Journal entry at offset 0xdb42e000 and length 0x75ff1574 crosses
the page boundary.
The USN Journal entry at offset 0xdb42f000 and length 0x8d53085d crosses
the page boundary.
Repairing Usn Journal file record segment.
34711288 USN bytes processed.

Usn Journal verification completed.
Windows has made corrections to the file system.

143781749 KB total disk space.
82578760 KB in 203301 files.
111916 KB in 38957 indexes.
0 KB in bad sectors.
358865 KB in use by the system.
65536 KB occupied by the log file.
60732208 KB available on disk.

4096 bytes in each allocation unit.
35945437 total allocation units on disk.
15183052 allocation units available on disk.

Internal Info:
80 cc 03 00 5e b2 03 00 ea 96 06 00 00 00 00 00 ....^...........
d3 01 00 00 4e 00 00 00 00 00 00 00 00 00 00 00 ....N...........
80 19 37 00 48 01 37 00 02 00 00 02 d8 7f 38 00 ..7.H.7.......8.

Windows has finished checking your disk.
Please wait while your computer restarts.
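
As an added example (not part of the thread), a small Python triage of a pasted chkdsk log like the one above: it pulls out the repair actions and the volume statistics so a helper can tell metadata repairs with zero bad sectors from a failing disk. The sample log is an abridged, constructed copy of the output posted above; the field and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged copy of the chkdsk output pasted in the thread above.
SAMPLE_CHKDSK_LOG = """\
The type of the file system is NTFS.
Volume label is Partition_1.
0 bad file records processed.
Deleting index entry PenIMC.dll in index $I30 of file 1307.
Deleting index entry PresentationFontCache.exe in index $I30 of file 1307.
CHKDSK is recovering lost files.
Recovering orphaned file PresentationFontCache.exe (98206) into directory file 1307.
Recovering orphaned file PenIMC.dll (100735) into directory file 1307.
CHKDSK is verifying Usn Journal...
The remaining of an USN page at offset 0xdb427268 in file 0xb74e
should be filled with zeros.
The USN Journal entry at offset 0xdb428000 and length 0x8c25d crosses
the page boundary.
Repairing Usn Journal file record segment.
Windows has made corrections to the file system.
143781749 KB total disk space.
0 KB in bad sectors.
60732208 KB available on disk.
"""

@dataclass
class ChkdskSummary:
    """What chkdsk reported: volume facts, repair actions, and the space summary."""
    filesystem: Optional[str] = None
    volume_label: Optional[str] = None
    bad_file_records: Optional[int] = None
    deleted_index_entries: List[str] = field(default_factory=list)
    recovered_orphans: List[str] = field(default_factory=list)
    usn_anomalies: int = 0
    usn_journal_repaired: bool = False
    corrections_made: bool = False
    total_kb: Optional[int] = None
    bad_sector_kb: Optional[int] = None
    available_kb: Optional[int] = None

# Line-anchored patterns for the chkdsk messages worth extracting.
_INT_FIELDS = {
    "bad_file_records": re.compile(r"^(\d+) bad file records processed\."),
    "total_kb": re.compile(r"^(\d+) KB total disk space\."),
    "bad_sector_kb": re.compile(r"^(\d+) KB in bad sectors\."),
    "available_kb": re.compile(r"^(\d+) KB available on disk\."),
}
_STR_FIELDS = {
    "filesystem": re.compile(r"^The type of the file system is (\w+)\."),
    "volume_label": re.compile(r"^Volume label is (.+)\."),
}
_DELETED = re.compile(r"^Deleting index entry (\S+) in index \$I30 of file \d+\.")
_ORPHAN = re.compile(r"^Recovering orphaned file (\S+) \(\d+\) into directory file \d+\.")
_USN_ANOMALY = re.compile(r"^The (?:USN Journal entry|remaining of an USN page) ")
_USN_REPAIR = "Repairing Usn Journal file record segment."
_CORRECTIONS = "Windows has made corrections to the file system."

def parse_chkdsk_log(text: str) -> ChkdskSummary:
    """Extract repair actions and volume statistics from chkdsk output."""
    s = ChkdskSummary()
    for raw in text.splitlines():
        line = raw.strip()
        for name, pat in _INT_FIELDS.items():
            if m := pat.match(line):
                setattr(s, name, int(m.group(1)))
        for name, pat in _STR_FIELDS.items():
            if m := pat.match(line):
                setattr(s, name, m.group(1))
        if m := _DELETED.match(line):
            s.deleted_index_entries.append(m.group(1))
        elif m := _ORPHAN.match(line):
            s.recovered_orphans.append(m.group(1))
        elif _USN_ANOMALY.match(line):
            s.usn_anomalies += 1
        elif line == _USN_REPAIR:
            s.usn_journal_repaired = True
        elif line == _CORRECTIONS:
            s.corrections_made = True
    return s

def triage(s: ChkdskSummary) -> List[str]:
    """Turn the summary into the findings a helper would look at first."""
    findings = []
    if s.bad_sector_kb:
        findings.append(f"media: {s.bad_sector_kb} KB in bad sectors, suspect a failing disk")
    elif s.bad_sector_kb == 0:
        findings.append("media: no bad sectors reported")
    if s.deleted_index_entries or s.recovered_orphans:
        findings.append(f"metadata: {len(s.deleted_index_entries)} index entries dropped, "
                        f"{len(s.recovered_orphans)} orphaned files re-linked")
    if s.usn_journal_repaired:
        findings.append(f"usn: journal repaired after {s.usn_anomalies} malformed entries")
    if s.corrections_made:
        findings.append("fs: corrections written; verify recovered system files with sfc /scannow")
    return findings
```

For the sample, `triage(parse_chkdsk_log(SAMPLE_CHKDSK_LOG))` returns four findings: no bad sectors, two dropped index entries with two re-linked orphans, a repaired USN journal, and a corrections-written flag.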

Re: advice on possible virus

Run chkdsk:

  1. Right-click the Start button and select Explore (alternatively, hit WINDOWS key E on your keyboard).
  2. Using Windows Explorer, navigate to your C:\ drive, then right-click the drive and select Properties
  3. In the Properties window that pops up, click the Tools tab and then, under "Error-checking", click on the button that says Check Now...
  4. In the Check disk options window that pops up, place a checkmark in both boxes:

    • Automatically fix file system errors
    • Scan for and attempt recovery of bad sectors

  • Now click on Start
      A new window will pop up saying, "Windows can't check the disk while it's in use".

  • Click Yes to schedule the disk check.
  • Now shut down (do NOT restart!) your computer, and then turn your computer back on with its power button.
      When your computer turns on, you will see a black screen with white lettering, this is chkdsk running.

  • Let chkdsk run through its five stages. When the utility finishes, Windows will boot to the Desktop.
    NOTE: Running chkdsk may take some time to complete. Please be patient and do NOT use the computer, press any keys, or try to stop the chkdsk scan once it has started!


==

Locate the chkdsk log and post it here:

  1. Click on Start, then click Run...
  2. Copy and paste the following text into the "Open:" box: eventvwr.msc /s
     NOTE there is a space between "eventvwr.msc" and "/s"!
  3. Click OK (or hit Enter).
     This will bring up the Event Viewer window.

  • In the left panel, click on Application
  • The chkdsk log should be the first entry, with a source of Winlogon
    NOTE: If it is not the first log, click on View, and then on Newest First: that should place the chkdsk log at the top of the list.
  • Click on the entry once.
  • Right-click on the entry and choose Properties
  • In the window that pops up, click on the Copy button to copy the log.
  • Paste the log in a reply to this topic.
Re: advice on possible virus

Do I do this in safe mode or normal mode?

Re: advice on possible virus

Either way. It will tell you to restart your computer, then it will do a large check of your disk to fix it.

Re: advice on possible virus

I'm on a different laptop typing this. The disk check has been frozen at 17% complete (stage 4 of 5) for about 1/2 hour. Is this normal? I swear I have not touched anything on it and I am TRYING to be patient ;-)

Re: advice on possible virus

Still frozen at the same 17% after 1 1/2 hours!

Re: advice on possible virus

Try to press Ctrl+Alt+Delete to get out of it.

Then, after rebooting, let it try CHKDSK again.

Re: advice on possible virus

Nothing happens when I hit Ctrl+Alt+Del.

Re: advice on possible virus

Force shutdown (hold power button in), then boot again. It shall try the CHKDSK again.

Re: advice on possible virus

OK, wish me luck!

Re: advice on possible virus

It's freezing at the same spot: 17% (stage 4 of 5). Do I hit Ctrl+Alt+Del?

Re: advice on possible virus

Please shut down.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Log on to Safe Mode as Administrator.

Then, go to Start > Run, type in chkdsk and hit OK.

It will run a quick CHKDSK then give Windows the assurance the CHKDSK was successful.

One quick question, do you have your Windows XP CD?

Please let me know if the above method worked.

Re: advice on possible virus

This laptop has Windows Vista. I have the operating system disc from Gateway for this Windows Vista w/ SP1.

Re: advice on possible virus

Ok. Let me know of the results.

Re: advice on possible virus

Right now it is in safe mode and seems to be frozen at loading Windows files. It has not gotten to the point of letting me log on.

Re: advice on possible virus

It's not going past the loading of Windows files. I shut it down and got in safe mode again and it still froze at loading Windows files. I'm starting to get scared!

Re: advice on possible virus

Please place your Vista disc into the drive. Reboot. Allow it to boot from the disc.

While in setup, choose Startup Repair.

Re: advice on possible virus

OK. It is saying Startup Repair could not detect a problem. Also: "If you have recently attached a device to this computer, such as a camera or portable music player, remove it and restart your computer." I have not had anything attached to this since we started trying to fix it.

Re: advice on possible virus

Oops. Hope I didn't do anything wrong. I hit the restart button when Startup Repair said it could find nothing wrong. When it restarted the disk check screen came on again and I hit the cancel button to stop the disk check. Then the desktop screen came on as usual with the "Windows has blocked some startup programs" warning window.

It's late now. I'm shutting down the computer. Thanks for your patience.

Re: advice on possible virus

Booted up in safe mode and was able to log on. Did a run of chkdsk and it got to about 54% done, and then that window just went off the screen. Ran it again and watched to see that it was at: verifying indexes (stage 2 of 3). Then it had about 5 lines that said "Index entry.........is incorrect". Then it was doing something at 50%, 51%... and at 54% the chkdsk window just disappeared.

Re: advice on possible virus

Go to Start, type in CMD, then right-click on it in the results pane and select Run as Administrator.
Type in: sfc /scannow
Press Enter.

After the first run, reboot your computer. Do a second run. Now the scan and fix is finished.

Re: advice on possible virus

Dragon Master Jay,
Had a computer friend stop by. He gave kudos to you guys but said "of course it's much easier when one is sitting right at the computer". He did not find a virus on this laptop but thought it was a damaged disk. The problem you and I were having is that in Vista even if one is the administrator there is some program (3 letters..maybe UOS?) that pops up these windows asking to OK any action. I think that means that a disk check can't be done when Windows starts running. (This friend is not a fan of Vista.)
So he had to go through some administrative stuff to get that disabled before running a disk check. Something was damaged. Did a repair. Seems to be running fine.

So I'm ready to close this topic and free you up to help all the other poor souls with something nasty on their computers. Thank you soooo very much for all your help. I did learn something about Mbam. You all are great and I will be recommending you to friends.

Re: advice on possible virus

Thanks. Glad it is working again properly!
