Old 10-15-2007, 02:43 PM   #41
MikeMW (Registered User; Join Date: Oct 2007; Posts: 33; OS: XP Pro with SP2)

Re: Need help with Virus.

Here is the log. I also made a back-up of everything to an external hard drive if that would help.

-c--a-w 28,672 2007-10-10 16:33:48 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_MACHINE_SAM
-c--a-w 45,056 2007-10-10 16:33:45 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_MACHINE_SECURITY
-c--a-w 24,641,536 2007-10-10 16:33:47 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_MACHINE_SOFTWARE
-c--a-w 5,427,200 2007-10-10 16:33:48 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_MACHINE_SYSTEM
-c--a-w 299,008 2007-10-10 16:33:45 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_.DEFAULT
-c--a-w 237,568 2005-07-24 23:32:04 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
-c--a-w 233,472 2007-10-10 16:33:44 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
-c--a-w 233,472 2007-10-10 16:33:44 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
-c--a-w 1,183,744 2007-10-10 16:33:44 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 4,423,680 2007-10-10 16:33:45 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 1,048,576 2007-08-13 16:42:43 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 786,432 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 8,192 2007-10-10 16:33:44 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
-c--a-w 8,192 2007-10-10 16:33:44 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
-c--a-w 143,360 2007-10-10 16:33:44 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 200,704 2007-10-10 16:33:45 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 8,192 2005-04-01 18:12:51 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 262,144 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1240\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 28,672 2007-10-10 16:34:01 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_MACHINE_SAM
-c--a-w 45,056 2007-10-10 16:33:59 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_MACHINE_SECURITY
-c--a-w 24,641,536 2007-10-10 16:34:01 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_MACHINE_SOFTWARE
-c--a-w 5,427,200 2007-10-10 16:34:01 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_MACHINE_SYSTEM
-c--a-w 299,008 2007-10-10 16:33:59 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_.DEFAULT
-c--a-w 237,568 2005-07-24 23:32:04 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
-c--a-w 233,472 2007-10-10 16:33:58 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
-c--a-w 233,472 2007-10-10 16:33:58 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
-c--a-w 1,183,744 2007-10-10 16:33:59 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 4,423,680 2007-10-10 16:33:59 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 1,048,576 2007-08-13 16:42:43 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 786,432 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 8,192 2007-10-10 16:33:58 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
-c--a-w 8,192 2007-10-10 16:33:59 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
-c--a-w 143,360 2007-10-10 16:33:59 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 200,704 2007-10-10 16:33:59 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 8,192 2005-04-01 18:12:51 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 262,144 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1241\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 28,672 2007-10-10 20:49:44 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_MACHINE_SAM
-c--a-w 45,056 2007-10-10 20:49:42 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_MACHINE_SECURITY
-c--a-w 24,756,224 2007-10-10 20:49:43 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_MACHINE_SOFTWARE
-c--a-w 5,427,200 2007-10-10 20:49:44 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_MACHINE_SYSTEM
-c--a-w 299,008 2007-10-10 20:49:42 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_.DEFAULT
-c--a-w 237,568 2005-07-24 23:32:04 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
-c--a-w 233,472 2007-10-10 20:49:41 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
-c--a-w 233,472 2007-10-10 20:49:41 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
-c--a-w 1,404,928 2007-10-10 20:49:41 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 4,423,680 2007-10-10 20:47:09 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 1,048,576 2007-08-13 16:42:43 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 786,432 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 8,192 2007-10-10 20:49:41 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
-c--a-w 8,192 2007-10-10 20:49:41 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
-c--a-w 143,360 2007-10-10 20:49:41 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 200,704 2007-10-10 16:46:56 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 8,192 2005-04-01 18:12:51 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 262,144 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1242\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 28,672 2007-10-11 21:36:38 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_MACHINE_SAM
-c--a-w 45,056 2007-10-11 21:36:35 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_MACHINE_SECURITY
-c--a-w 24,756,224 2007-10-11 21:36:37 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_MACHINE_SOFTWARE
-c--a-w 5,427,200 2007-10-11 21:36:37 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_MACHINE_SYSTEM
-c--a-w 299,008 2007-10-11 21:36:35 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_.DEFAULT
-c--a-w 237,568 2005-07-24 23:32:04 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
-c--a-w 233,472 2007-10-11 21:36:35 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
-c--a-w 233,472 2007-10-11 21:36:35 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
-c--a-w 1,413,120 2007-10-11 21:36:35 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 4,423,680 2007-10-10 20:47:09 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 1,048,576 2007-08-13 16:42:43 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 786,432 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 8,192 2007-10-11 21:36:35 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
-c--a-w 8,192 2007-10-11 21:36:35 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
-c--a-w 143,360 2007-10-11 21:36:35 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 200,704 2007-10-10 16:46:56 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 8,192 2005-04-01 18:12:51 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 262,144 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1243\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 28,672 2007-10-12 16:33:07 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_MACHINE_SAM
-c--a-w 45,056 2007-10-12 16:33:05 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_MACHINE_SECURITY
-c--a-w 24,756,224 2007-10-12 16:33:07 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_MACHINE_SOFTWARE
-c--a-w 5,427,200 2007-10-12 16:33:07 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_MACHINE_SYSTEM
-c--a-w 299,008 2007-10-12 16:33:05 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_.DEFAULT
-c--a-w 237,568 2005-07-24 23:32:04 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
-c--a-w 233,472 2007-10-12 16:33:04 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
-c--a-w 233,472 2007-10-12 16:33:05 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
-c--a-w 1,413,120 2007-10-12 16:33:05 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 4,423,680 2007-10-12 16:33:05 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 1,048,576 2007-08-13 16:42:43 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 786,432 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 8,192 2007-10-12 16:33:04 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
-c--a-w 8,192 2007-10-12 16:33:05 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
-c--a-w 143,360 2007-10-12 16:33:05 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 200,704 2007-10-12 16:33:05 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 8,192 2005-04-01 18:12:51 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 262,144 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1244\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 28,672 2007-10-14 22:08:26 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_MACHINE_SAM
-c--a-w 45,056 2007-10-14 22:08:24 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_MACHINE_SECURITY
-c--a-w 24,838,144 2007-10-14 22:08:26 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_MACHINE_SOFTWARE
-c--a-w 5,427,200 2007-10-14 22:08:26 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_MACHINE_SYSTEM
-c--a-w 299,008 2007-10-14 22:08:24 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_.DEFAULT
-c--a-w 237,568 2005-07-24 23:32:04 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
-c--a-w 233,472 2007-10-14 22:08:23 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
-c--a-w 233,472 2007-10-14 22:08:23 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
-c--a-w 1,859,584 2007-10-14 22:08:23 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 4,423,680 2007-10-14 22:08:24 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 1,048,576 2007-08-13 16:42:43 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 786,432 2007-10-14 21:47:37 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 8,192 2007-10-14 22:08:23 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
-c--a-w 8,192 2007-10-14 22:08:23 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
-c--a-w 200,704 2007-10-14 22:08:24 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 8,192 2005-04-01 18:12:51 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 262,144 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 28,672 2007-10-15 01:07:41 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_MACHINE_SAM
-c--a-w 45,056 2007-10-15 01:07:38 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_MACHINE_SECURITY
-c--a-w 24,838,144 2007-10-15 01:07:40 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_MACHINE_SOFTWARE
-c--a-w 5,427,200 2007-10-15 01:07:41 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_MACHINE_SYSTEM
-c--a-w 299,008 2007-10-15 01:07:38 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_.DEFAULT
-c--a-w 237,568 2005-07-24 23:32:04 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
-c--a-w 233,472 2007-10-15 01:07:37 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
-c--a-w 233,472 2007-10-15 01:07:38 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
-c-ha-w 2,097,152 2007-10-14 22:15:18 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 4,423,680 2007-10-15 01:07:38 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 1,048,576 2007-08-13 16:42:43 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 786,432 2007-10-14 21:47:37 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 8,192 2007-10-15 01:07:38 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
-c--a-w 8,192 2007-10-15 01:07:38 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
-c-ha-w 262,144 2007-10-13 00:30:42 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1003
-c--a-w 200,704 2007-10-15 01:07:38 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1004
-c--a-w 8,192 2005-04-01 18:12:51 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1005
-c-ha-w 262,144 2007-10-04 17:32:14 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-500
MikeMW

Old 10-15-2007, 02:55 PM   #42
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,329)

Re: Need help with Virus.

Quote:
ComboFix 07-10-10.1 - Lauren Whitby 2007-10-14 20:08:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT -5:00]
Running from: C:\Documents and Settings\Lauren Whitby\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lauren Whitby\Desktop\CFScript.txt
* Created a new restore point
The last time you ran ComboFix, it created a restore point. That's the one we'll be aiming to use.
Looking at the entries you posted ...

2,097,152 2007-10-14 22:15:18 _REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1003

262,144 2007-10-13 00:30:42 _REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1003

The one that is dated 2007-10-14 22:15:18 is a good one.

Do you know how to perform a Windows System Restore?
__________________

Question - what have you done for the community today?
sUBs
Old 10-15-2007, 03:10 PM   #43
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,329)

Re: Need help with Virus.

Go to Start > Run - type in "%SystemRoot%\system32\restore\rstrui.exe" & click OK

When the above window opens, select "Restore to an earlier time" & click Next

Select the Restore point that's dated - 2007-10-14 22:15:18
sUBs
Old 10-15-2007, 03:47 PM   #44
MikeMW (Registered User; Join Date: Oct 2007; Posts: 33; OS: XP Pro with SP2)

Re: Need help with Virus.

2007-10-14 22:15:18 does not appear in the restore calendar. Should I try another user maybe or does this pull everyone's user profiles from ComboFix?

2007-10-14 - 20:07:41 is the only one available along with one from the 13th.
MikeMW
Old 10-15-2007, 03:57 PM   #45
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,329)

Re: Need help with Virus.

Sorry about that. The log that was produced earlier on uses a different timezone than yours; you need to subtract 5 from all those times. Please use the restore point from Oct 13th.
sUBs
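The timezone confusion in the last few posts can be settled from the log itself. As an added example, not part of the original thread or of ComboFix, the Python below parses snapshot lines of the kind posted above, reads the machine's UTC offset from the ComboFix header line ("[GMT -5:00]"), groups the entries by restore point (RP####), and converts each restore point's creation time to local time so it can be matched against what rstrui.exe shows in its calendar. The snapshot timestamps are in UTC: the 01:07:41 entry for RP1246 in the log is the 20:07:41 entry the calendar displayed. The sample log is constructed from a few of the lines quoted above; the function names are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the ComboFix header line that carries the machine's UTC
# offset plus a handful of the snapshot lines quoted earlier in this thread.
SAMPLE_LOG = r"""
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.584 [GMT -5:00]
-c--a-w 28,672 2007-10-14 22:08:26 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_MACHINE_SAM
-c-ha-w 786,432 2007-10-14 21:47:37 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1245\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-500
-c--a-w 28,672 2007-10-15 01:07:41 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_MACHINE_SAM
-c-ha-w 2,097,152 2007-10-14 22:15:18 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2000478354-562591055-839522115-1003
-c-ha-w 262,144 2007-10-13 00:30:42 C:\System Volume Information\_restore{F9D1F509-BDC8-4DC8-917D-8B0EFA11A8EC}\RP1246\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2000478354-562591055-839522115-1003
"""

# "[GMT -5:00]" in the ComboFix header: sign, hours, minutes.
OFFSET_RE = re.compile(r"\[GMT ([+-])(\d{1,2}):(\d{2})\]")

# One snapshot line: 7-char attribute field, size with thousands separators,
# "YYYY-MM-DD HH:MM:SS", then the full path containing \RP####\snapshot\.
SNAPSHOT_RE = re.compile(
    r"^(?P<attrs>\S{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>.*\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\snapshot\\.+)$"
)


def parse_utc_offset(log_text):
    """Return the machine's UTC offset as a timedelta, or None if no header is present."""
    m = OFFSET_RE.search(log_text)
    if not m:
        return None
    sign = 1 if m.group(1) == "+" else -1
    return sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))


def parse_snapshot_lines(log_text):
    """Parse every snapshot line into attrs, size (bytes), UTC timestamp, RP name and file name."""
    entries = []
    for line in log_text.splitlines():
        m = SNAPSHOT_RE.match(line.strip())
        if not m:
            continue  # header lines, blank lines, other log sections
        entries.append({
            "attrs": m.group("attrs"),
            "size": int(m.group("size").replace(",", "")),
            "utc": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "rp": m.group("rp"),
            "name": m.group("path").rsplit("\\", 1)[-1],
        })
    return entries


def restore_point_created(entries, offset):
    """Map each RP#### to its creation time in local time.

    Files copied into a snapshot keep their original last-write times (the
    2005-dated hives in the thread show this), so the newest timestamp inside
    a restore point is the closest thing to its creation time in this log.
    """
    newest = {}
    for e in entries:
        if e["rp"] not in newest or e["utc"] > newest[e["rp"]]:
            newest[e["rp"]] = e["utc"]
    return {rp: ts + offset for rp, ts in newest.items()}


def find_hive(entries, size, utc_str):
    """Return the restore point holding a hive copy with this size and UTC timestamp, or None."""
    wanted = datetime.strptime(utc_str, "%Y-%m-%d %H:%M:%S")
    for e in entries:
        if e["size"] == size and e["utc"] == wanted:
            return e["rp"]
    return None


def locate(log_text, size, utc_str):
    """Which restore point holds the hive, and when was that restore point created (local time)."""
    offset = parse_utc_offset(log_text) or timedelta(0)
    entries = parse_snapshot_lines(log_text)
    rp = find_hive(entries, size, utc_str)
    if rp is None:
        return None
    return rp, restore_point_created(entries, offset)[rp]


if __name__ == "__main__":
    rp, created = locate(SAMPLE_LOG, 2_097_152, "2007-10-14 22:15:18")
    print(f"{rp} created at {created:%Y-%m-%d %H:%M:%S} local time")
```

Two things the output makes visible. First, the time to look up in the calendar is the newest timestamp inside the RP folder, not the timestamp of the particular hive you are interested in, because copied files keep their own last-write times. Second, 2007-10-14 22:15:18 is the last-write time of the copied NTUSER hive; it sits in RP1246, which the log dates 2007-10-15 01:07:41 UTC, that is 2007-10-14 20:07:41 local time, the entry the calendar showed.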
Old 10-15-2007, 04:10 PM   #46
MikeMW (Registered User; Join Date: Oct 2007; Posts: 33; OS: XP Pro with SP2)

Re: Need help with Virus.

OK, I ran it and it appears that I have the settings back. Do I need to run any other reports to make sure everything is OK, and any idea on the Windows Installer screen that keeps popping up? It came up again during the restore as the computer rebooted.

Thanks!
MikeMW
Old 10-15-2007, 04:11 PM   #47
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,329)

Re: Need help with Virus.

Double click on ComboFix & do a blank run. We want the log that's produced.

How we proceed depends on that.
sUBs
Old 10-15-2007, 04:49 PM   #48
MikeMW (Registered User; Join Date: Oct 2007; Posts: 33; OS: XP Pro with SP2)

Re: Need help with Virus.

Here is the ComboFix file.

ComboFix 07-10-10.1 - Lauren Whitby 2007-10-15 17:19:20.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.600 [GMT -5:00]
Running from: C:\Documents and Settings\Lauren Whitby\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-15 to 2007-10-15 )))))))))))))))))))))))))))))))
.

2007-10-14 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-14 16:33 225,509 --a------ C:\WINDOWS\sptawl.exe
2007-10-14 16:31 225,509 --a------ C:\WINDOWS\system32\juunrlpiqtz.exe
2007-10-14 16:24 225,509 --a------ C:\WINDOWS\system32\hx.exe
2007-10-12 15:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-12 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-12 14:58 <DIR> d---s---- C:\Documents and Settings\Mike Whitby\UserData
2007-10-10 15:49 <DIR> d-------- C:\Deckard
2007-10-10 12:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-10 11:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-09 10:43 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Common Files\L&H

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 22:14 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-10-15 22:03 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-10-15 22:03 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-10-15 22:03 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-10-15 22:03 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-10-15 22:03 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-10-15 22:03 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-10-15 22:03 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-10-15 22:03 108,868 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-10-06 19:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 19:07 --------- d-----w C:\Program Files\Sony
2007-10-05 22:42 --------- d-----w C:\Program Files\pspvideo9
2007-10-05 22:41 --------- d--h--w C:\Program Files\Zero G Registry
2007-09-18 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-08-20 20:37 --------- d-----w C:\Program Files\AIM Toolbar
2007-04-30 22:52 25,328 -c----w C:\Documents and Settings\Lauren Whitby\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-10-10_13.21.06.40 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-03-13 15:57:10 C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
----a-w 163,328 2007-10-14 11:14:42 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 544,768 2007-10-14 21:36:09 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 8,192 2007-10-14 21:36:09 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-10-14 11:14:42 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 544,768 2007-10-14 21:35:59 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 8,192 2007-10-14 21:35:59 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 213,048 2005-05-24 17:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-08-29 20:47:20 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 950,272 2007-08-29 20:49:54 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
----a-w 1,185,840 2007-10-15 22:03:14 C:\WINDOWS\system32\Restore\rstrlog.dat
.
----a-w 3,016,060 2007-10-09 15:44:24 C:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [2002-04-10 03:00]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [2003-10-21 12:20]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50]
"nwiz"="nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\qttask.exe" [2006-12-23 18:41]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-06-12 12:32]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 11:53]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-18 17:25]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-09-18 17:25]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-09-18 17:25]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-09-18 17:25]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-09-18 17:25]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [2007-09-18 17:25]
"juunrlpiqtz"="C:\WINDOWS\system32\juunrlpiqtz.exe" [2007-10-14 16:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-01 10:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 08:28]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"juunrlpiqtz"=C:\WINDOWS\system32\juunrlpiqtz.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-07-08 09:53 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys
R2 DPPSUSB;DPPSUSB.Sys Sony DPP-SV55/77/88 USB Digital Photo Printer Driver;C:\WINDOWS\system32\Drivers\DPPSUSB.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service /p medicsp2
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe"
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxgc.sys
S2 MZTFUXIY;MZTFUXIY;\??\C:\WINDOWS\System32\mztfuxiy.gew
S2 ouhpyeuaoeweuy9k;Print Spooler Service;C:\WINDOWS\system32\juunrlpiqtz.exe /service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53dbe4a9-2cda-11db-ab4d-00e018b959ee}]
AutoRun\command - I:\JDSecure\Windows\JDSecure30.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 19:25:00 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Lauren Whitby at 2 25 PM.job"
- C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe
"2007-10-09 03:29:25 C:\WINDOWS\Tasks\Scheduled Checkpoint.job"
- C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 17:31:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-15 17:34:25
C:\ComboFix2.txt ... 2007-10-14 20:31
C:\ComboFix3.txt ... 2007-10-14 17:30
.
--- E O F ---
MikeMW is offline  
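The log above is what a helper reads by eye: the Run keys, the legacy RunServices key, and the R/S driver and service lines. As an added example for this thread (not code from ComboFix, SDFix, HijackThis or either poster), here is a small Python triage pass over those lines. It keys on the same things a practitioner would: a random-looking name, an image dropped straight into system32, an extension that is not .exe/.dll/.sys (the .gew "driver"), a service whose description says "Print Spooler" while its image is not spoolsv.exe, and a file timestamp within days of the log. The scoring rules, the 30-day "recent" window, the two-indicator threshold and the one-entry KNOWN_SERVICE_BINARIES table are the example's own assumptions. SAMPLE_LOG is constructed from lines in the log, mixed with benign neighbours so the threshold can be seen to keep them out.

```python
r"""Triage of the "Reg Loading Points" and service lines in a ComboFix log.

Added example for this thread; not part of ComboFix, SDFix or HijackThis.
The scoring rules, the recent-file window, the threshold and the tiny
KNOWN_SERVICE_BINARIES table are this example's own assumptions. SAMPLE_LOG
is constructed from lines of the posted log plus some benign neighbours.
"""
import ntpath
import re
from datetime import date, datetime, timedelta

SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-18 17:25]
"juunrlpiqtz"="C:\WINDOWS\system32\juunrlpiqtz.exe" [2007-10-14 16:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"juunrlpiqtz"=C:\WINDOWS\system32\juunrlpiqtz.exe

R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
S2 MZTFUXIY;MZTFUXIY;\??\C:\WINDOWS\System32\mztfuxiy.gew
S2 ouhpyeuaoeweuy9k;Print Spooler Service;C:\WINDOWS\system32\juunrlpiqtz.exe /service
'''

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+?)\s*'
                    r'(?:\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})[^\]]*\])?\s*$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+)$')
UNPRONOUNCEABLE = re.compile(r'[bcdfghjklmnpqrstvwxz]{4}|[aeiouy]{4}')
NORMAL_EXTENSIONS = {'.exe', '.dll', '.sys'}
KNOWN_SERVICE_BINARIES = {'print spooler': 'spoolsv.exe'}   # assumption: deliberately tiny table


def split_image_path(raw):
    r"""Return (executable, arguments) from a Run value or service ImagePath, handling
    quoted paths, unquoted paths with arguments and the kernel-style '\??\' prefix."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        exe, args = raw[1:end], raw[end + 1:].strip()
    else:
        m = re.match(r'^(?P<exe>.+?\.[A-Za-z0-9]{1,4})(?:\s+(?P<args>.*))?$', raw)
        exe, args = (m.group('exe'), m.group('args') or '') if m else (raw, '')
    return (exe[4:] if exe.startswith('\\??\\') else exe), args


def looks_random(name):
    """Crude stand-in for entropy: a long single-case alphanumeric token with no
    separators and a four-letter run of consonants or vowels."""
    lowered = name.lower()
    if not re.fullmatch(r'[a-z0-9]{8,}', lowered) or name not in (lowered, name.upper()):
        return False
    return UNPRONOUNCEABLE.search(lowered) is not None


def score_entry(entry, reference, recent_days):
    """Collect independent indicators; the caller reports entries with two or more."""
    exe, _args = split_image_path(entry['value'])
    base, folder = ntpath.basename(exe), ntpath.dirname(exe).lower()
    reasons = []
    if looks_random(entry['name']):
        reasons.append('random-looking name')
    if folder.endswith('\\system32'):
        reasons.append('image sits directly in system32')
    if ntpath.splitext(base)[1].lower() not in NORMAL_EXTENSIONS:
        reasons.append('unusual extension for loadable code')
    if entry['stamp']:
        stamped = datetime.strptime(entry['stamp'], '%Y-%m-%d %H:%M').date()
        if reference - stamped <= timedelta(days=recent_days):
            reasons.append('file timestamp within %d days of the log' % recent_days)
    if entry['source'].lower().endswith('\\runservices'):
        reasons.append('legacy RunServices key (Windows 9x-era; unusual for software on XP)')
    for phrase, expected in KNOWN_SERVICE_BINARIES.items():
        if phrase in entry['desc'].lower() and base.lower() != expected:
            reasons.append('description says "%s" but image is %s, not %s' % (phrase, base, expected))
    return reasons


def parse_autostarts(log_text):
    """Yield one dict per Run value (with its registry key) and per R/S service line."""
    entries, current_key = [], None
    for line in log_text.splitlines():
        line = line.rstrip()
        key, run, svc = KEY_RE.match(line), RUN_RE.match(line), SVC_RE.match(line)
        if key:
            current_key = key.group('key')
        elif run and current_key:
            entries.append({'source': current_key, 'name': run.group('name'),
                            'value': run.group('value'), 'stamp': run.group('stamp'), 'desc': ''})
        elif svc:
            entries.append({'source': 'service/' + svc.group('start'), 'name': svc.group('name').strip(),
                            'value': svc.group('path'), 'stamp': None, 'desc': svc.group('desc')})
    return entries


def triage(log_text, reference=date(2007, 10, 15), recent_days=30, threshold=2):
    """Return the entries worth a second look, highest score first."""
    findings = []
    for entry in parse_autostarts(log_text):
        reasons = score_entry(entry, reference, recent_days)
        if len(reasons) >= threshold:
            findings.append({'name': entry['name'], 'image': split_image_path(entry['value'])[0],
                             'source': entry['source'], 'score': len(reasons), 'reasons': reasons})
    return sorted(findings, key=lambda f: -f['score'])


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('%d  %-18s %s' % (f['score'], f['name'], f['image']))
        for r in f['reasons']:
            print('     - ' + r)
```

Run as-is it prints the two juunrlpiqtz loading points, the MZTFUXIY driver entry and the fake "Print Spooler Service", each with the indicators that put it over the threshold; SONYWBMS trips the name heuristic alone and stays below it, which is why a single weak indicator is never reported on its own.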
Old 10-15-2007, 05:21 PM   #49 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista


Re: Need help with Virus.

Hello again, Mike.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

We're working with the Lauren account--we'll stay there for the duration of the fix until otherwise directed.

Here are the download instructions for SDFix if it is no longer on Lauren's account:

Download SDFix and save it to your Desktop. Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).


Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open the extracted SDFix folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.
--------------------------------------------------------------------

From Normal Mode....

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\sptawl.exe
C:\WINDOWS\system32\hx.exe
C:\WINDOWS\system32\juunrlpiqtz.exe
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following file path:

    C:\WINDOWS\System32\mztfuxiy.gew

  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
--------------------------------------------------------------------

Please include the following in your next reply:

C:\SDFix\Report.txt
C:\ComboFix.txt
Virus total results


Regarding the Windows Installer issue. You mentioned you deleted programs.

1. Did you delete them, or uninstall them via the Add or Remove programs panel?

2. What programs did you remove?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
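The VirusTotal step above uploads a file by typing its path into the browser. As an added example (not part of the post, of VirusTotal's own tooling, or of SDFix/ComboFix), here is a Python routine a practitioner would run first: it hashes each suspect file so the sample can be looked up by digest, and it keeps the two edge cases visible. A path the log prints as a service ImagePath carries the kernel `\??\` prefix and has to be normalized before it is looked up, and a file that is already gone must appear in the report as missing rather than silently drop out (which is what happened with mztfuxiy.gew in this thread). It assumes the suspect files were copied off the infected machine into a staging directory that mirrors the Windows path layout, for instance after extracting C:\SDFix\backups\backups.zip; STAGING_ROOT handling, the CANDIDATES list and the placeholder file contents are the example's own assumptions.

```python
r"""Hash suspect files before they go to VirusTotal.

Added example for this thread, not part of VirusTotal, SDFix or ComboFix.
Assumes the suspect files were copied into a staging directory mirroring the
Windows path layout (e.g. from C:\SDFix\backups\backups.zip); CANDIDATES and
the demo staging tree are this example's own constructions.
"""
import hashlib
import os
import tempfile

CANDIDATES = [                                    # the paths named in this thread
    r'C:\WINDOWS\sptawl.exe',
    r'C:\WINDOWS\system32\hx.exe',
    r'C:\WINDOWS\system32\juunrlpiqtz.exe',
    r'\??\C:\WINDOWS\System32\mztfuxiy.gew',      # ImagePath form from the service list
]


def normalize_nt_path(path):
    r"""Drop the kernel '\??\' prefix so an ImagePath compares like a Win32 path."""
    return path[4:] if path.startswith('\\??\\') else path


def to_local(win_path, root):
    r"""Map 'C:\WINDOWS\system32\x.exe' onto <root>/WINDOWS/system32/x.exe."""
    win_path = normalize_nt_path(win_path)
    if len(win_path) > 1 and win_path[1] == ':':     # strip the drive letter
        win_path = win_path[2:]
    parts = [p for p in win_path.split('\\') if p]
    return os.path.join(root, *parts)


def hash_file(local_path, chunk_size=1 << 16):
    """Return size plus MD5/SHA-1/SHA-256 digests, or None if the file is absent."""
    if not os.path.isfile(local_path):
        return None
    digests = {name: hashlib.new(name) for name in ('md5', 'sha1', 'sha256')}
    size = 0
    with open(local_path, 'rb') as fh:
        for block in iter(lambda: fh.read(chunk_size), b''):
            size += len(block)
            for d in digests.values():
                d.update(block)
    return {'size': size, **{n: d.hexdigest() for n, d in digests.items()}}


def collect(win_paths, root):
    """Hash every candidate; a missing file stays in the report instead of vanishing."""
    report = []
    for win_path in win_paths:
        info = hash_file(to_local(win_path, root))
        report.append({'path': normalize_nt_path(win_path),
                       'status': 'hashed' if info else 'missing', **(info or {})})
    return report


def build_staging_demo():
    """Constructed stand-in for a staging copy: only hx.exe 'survives', with placeholder bytes."""
    root = tempfile.mkdtemp(prefix='staging_')
    os.makedirs(os.path.join(root, 'WINDOWS', 'system32'))
    with open(os.path.join(root, 'WINDOWS', 'system32', 'hx.exe'), 'wb') as fh:
        fh.write(b'abc')                              # placeholder content, not the real binary
    return root


if __name__ == '__main__':
    for row in collect(CANDIDATES, build_staging_demo()):
        if row['status'] == 'hashed':
            print('%s  %d bytes  sha256=%s' % (row['path'], row['size'], row['sha256']))
        else:
            print('%s  MISSING (already removed, or never present under that path)' % row['path'])
```

Hashing before uploading matters for two reasons: a digest that VirusTotal has already seen answers the question without sending the file anywhere, and a "missing" row tells the helper that the cleanup (or the malware itself) has already removed the file, which is the outcome to record rather than an error to work around.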
Old 10-15-2007, 08:48 PM   #50 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2


Re: Need help with Virus.

OK, sorry for the delay; school meetings.....

The files are listed below; however, I could not get VirusTotal to run. The file you had listed for me to copy and paste did not exist.

I uninstalled a few programs that we no longer used. I did notice that windows XP was in the program list and now it is not. Do I need to "repair"?


SDFix: Version 1.109

Run by Administrator on Mon 10/15/2007 at 06:33 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ouhpyeuaoeweuy9k

ImagePath:
C:\WINDOWS\system32\juunrlpiqtz.exe /service

ouhpyeuaoeweuy9k - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\HX.EXE - Deleted
C:\WINDOWS\SYSTEM32\JUUNRL~1.EXE - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 10 Feb 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Sat 10 Feb 2007 4,348 ...H. --- "C:\Documents and Settings\Lauren Whitby\My Documents\My Music\License Backup\drmv1key.bak"
Sun 5 Aug 2007 20 ...H. --- "C:\Documents and Settings\Lauren Whitby\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 10 Feb 2007 9,656 ..SH. --- "C:\Documents and Settings\Lauren Whitby\My Documents\My Music\License Backup\drmv2key.bak"

Finished!

ComboFix 07-10-10.1 - Lauren Whitby 2007-10-15 21:19:26.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.580 [GMT -5:00]
Running from: C:\Documents and Settings\Lauren Whitby\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Lauren Whitby\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\sptawl.exe
C:\WINDOWS\system32\hx.exe
C:\WINDOWS\system32\juunrlpiqtz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\sptawl.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-14 16:35 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-12 15:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-12 15:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-12 14:58 <DIR> d---s---- C:\Documents and Settings\Mike Whitby\UserData
2007-10-10 15:49 <DIR> d-------- C:\Deckard
2007-10-10 12:01 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-10 11:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-09 16:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-09 10:43 <DIR> d-------- C:\WINDOWS\ShellNew
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-10-09 10:42 <DIR> d-------- C:\Program Files\Common Files\L&H

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-16 01:50 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-10-15 23:29 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k7
2007-10-15 23:29 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k6
2007-10-15 23:29 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k5
2007-10-15 23:29 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k4
2007-10-15 23:29 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k3
2007-10-15 23:29 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k2
2007-10-15 23:29 64 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k1
2007-10-15 23:29 242,484 ----a-w C:\WINDOWS\system32\drivers\kmxcfg.u2k0
2007-10-06 19:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-06 19:07 --------- d-----w C:\Program Files\Sony
2007-10-05 22:42 --------- d-----w C:\Program Files\pspvideo9
2007-10-05 22:41 --------- d--h--w C:\Program Files\Zero G Registry
2007-09-18 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2007-08-20 20:37 --------- d-----w C:\Program Files\AIM Toolbar
2007-04-30 22:52 25,328 -c----w C:\Documents and Settings\Lauren Whitby\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2007-10-10_13.21.06.40 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-10-16 00:33:08 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 544,768 2007-10-15 23:32:33 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 8,192 2007-10-15 23:32:33 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-10-14 11:14:42 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 544,768 2007-10-14 21:35:59 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 8,192 2007-10-14 21:35:59 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
----a-w 213,048 2005-05-24 17:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-08-29 20:47:20 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 950,272 2007-08-29 20:49:54 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
----a-w 1,185,840 2007-10-15 22:03:14 C:\WINDOWS\system32\Restore\rstrlog.dat
.
----a-w 3,016,060 2007-10-09 15:44:24 C:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe" [2002-04-10 03:00]
"RCScheduleCheck"="C:\Program Files\VCOM\Recovery Commander\RCSCHED.exe" [2003-10-21 12:20]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50]
"nwiz"="nwiz.exe" [2004-10-29 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 15:35]
"EPSON Stylus CX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.exe" [2005-02-01 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 00:46]
"QuickTime Task"="C:\qttask.exe" [2006-12-23 18:41]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-06-12 12:32]
"medicsp2"="C:\Program Files\twc\medicsp2\bin\sprtcmd.exe" [2007-03-07 11:53]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-09-18 17:25]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2007-09-18 17:25]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2007-09-18 17:25]
"capfupgrade"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2007-09-18 17:25]
"QOELOADER"="C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2007-09-18 17:25]
"CaPPcl"="C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe" [2007-09-18 17:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-02-01 10:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 08:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{a5780613-492e-4a2a-a7fd-549610edf6cc}"= C:\Program Files\VCOM\Recovery Commander\RCHOOK.DLL [2003-07-08 09:53 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-05-18 14:30 79368 C:\WINDOWS\system32\UmxWNP.dll

R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R1 KmxAgent;KmxAgent;C:\WINDOWS\system32\DRIVERS\kmxagent.sys
R1 KmxFile;KmxFile;C:\WINDOWS\system32\DRIVERS\KmxFile.sys
R1 KmxFw;KmxFw;C:\WINDOWS\system32\DRIVERS\kmxfw.sys
R1 prodrv04;Star Force copy protection driver v4;C:\WINDOWS\system32\drivers\prodrv04.sys
R2 DPPSUSB;DPPSUSB.Sys Sony DPP-SV55/77/88 USB Digital Photo Printer Driver;C:\WINDOWS\system32\Drivers\DPPSUSB.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 KmxSbx;KmxSbx;C:\WINDOWS\system32\DRIVERS\KmxSbx.sys
R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service /p medicsp2
R2 UmxAgent;HIPS Event Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"
R2 UmxCfg;HIPS Configuration Interpreter;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"
R2 UmxPol;HIPS Policy Manager;"C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"
R3 KmxCfg;KmxCfg;C:\WINDOWS\system32\DRIVERS\kmxcfg.sys
R3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPCtlPriv.exe"
R3 SONYWBMS;Sony Memory Stick controller(WB);C:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxgc.sys
S2 MZTFUXIY;MZTFUXIY;\??\C:\WINDOWS\System32\mztfuxiy.gew

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53dbe4a9-2cda-11db-ab4d-00e018b959ee}]
AutoRun\command - I:\JDSecure\Windows\JDSecure30.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 19:25:00 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Lauren Whitby at 2 25 PM.job"
- C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\CAAntiSpyware.exe
"2007-10-09 03:29:25 C:\WINDOWS\Tasks\Scheduled Checkpoint.job"
- C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 21:24:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-15 21:27:10
C:\ComboFix2.txt ... 2007-10-15 17:34
C:\ComboFix3.txt ... 2007-10-14 20:31
.
--- E O F ---
MikeMW is offline  
Old 10-15-2007, 09:56 PM   #51 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista


Re: Need help with Virus.

Let's get an online scan done to search for remnants. Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real-time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------

Quote:
I uninstalled a few programs that we no longer used
Do you recall the names of those programs?

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
The list will automatically be saved in your HijackThis folder.

Please copy and paste the uninstall_list.txt here along with the Kaspersky results.
"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 10-15-2007, 10:42 PM   #52 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2


Re: Need help with Virus.

I don't recall, but they were installed games, etc. I am running the Kaspersky program now and I will finish up and send the reports in the morning, but I will be out most of the day and away from the home computer. I will get any additional information needed as soon as I can.

Thanks again!
MikeMW is offline  
Old 10-15-2007, 10:53 PM   #53 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista


Re: Need help with Virus.

That will be fine. After you've run the Kaspersky scan, I'd like you to do the following as well:

Go to Start > Run - type in eventvwr <Press Enter>



This is a picture of what the event viewer looks like.
You will see Application, Security & System listed in the left pane.
  1. In the left pane click on Application.
  2. Click the gray title “Type” at the top of the source name column in the right pane to sort by type name
    Look for “Error” & double-click on the most recent 10, and evaluate the event description for any indication of the cause of the problem.
  3. Make note of the Description, EventID and Source of these Event Properties.
  4. From the right pane, doubleclick on the line where it says error & you should get a window like the example below





  5. In the upper right corner of this picture, you should see 2 arrows. One is pointing up & the other, pointing down.
    There is another button below the 2 arrows. Click once on it. (this will copy some information to clipboard)
  6. Open notepad & paste the info in there. This will copy the event information to the clipboard. Paste the information for each event here, along with the other requested reports.

Repeat steps 1-6 for System
"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 10-16-2007, 08:14 AM   #54 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2


Re: Need help with Virus.

Here are the requested files. I did not copy all of the repeating errors; however, I did go down and try to pick out the ones that I thought would be important. I also included warnings and information. I included a few from the System tab as well.

Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0
AIM 6
AOL Instant Messenger
ArcSoft PhotoImpression 5
AviSynth 2.5
CA Internet Security Suite
DeductionPro 2004-05
DeductionPro 2005-06
DeductionPro 2006
DVD Decrypter (Remove Only)
eMusic Download Manager
EPSON CX 4200 4800 Guide
EPSON Printer Software
EPSON Scan
EPSON Web-To-Page
Google Toolbar for Internet Explorer
GraphicView 32
HijackThis 2.0.2
Image Converter 2
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
Lucent® Soft Modem Driver for Microsoft® Windows® XP
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft AntiSpyware
Microsoft Office XP Professional with FrontPage
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
NVIDIA Drivers
OpenMG Secure Module 4.6.01
Pdf995
QuickTime
Recovery Commander
Regfixer
Revo Uninstaller 1.30
Road Runner Medic 6.1
RoadRunner
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
SonicStage 4.2
Sony DPP-SV55/77/88 Reader Software
Sony MP3 Conversion Tool
Sony MP4 Shared Library
Spybot - Search & Destroy
Spyware Doctor 3.1
SpywareBlaster v3.5.1
TaxCut 2003
TaxCut 2004
TaxCut Premium 2005
TaxCut Premium 2006
The Sims 2
The Ultimate Home
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB917425)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Widget Workshop
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
WNW Dictionary v2.0
Yahoo! Toolbar

Event Type: Error
Event Source: UmxAgent
Event Category: None
Event ID: 108
Date: 10/15/2007
Time: 10:41:51 PM
User: N/A
Computer: THE-WHITBYS
Description:
Cannot open mailslot of Ask User client. Product 0x1, Session 0, Error 0x2.

Event Type: Error
Event Source: UmxAgent
Event Category: None
Event ID: 108
Date: 10/15/2007
Time: 6:29:25 PM
User: N/A
Computer: THE-WHITBYS
Description:
Cannot open mailslot of Ask User client. Product 0x1, Session 0, Error 0x2.

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 10/15/2007
Time: 5:23:24 PM
User: N/A
Computer: THE-WHITBYS
Description:
Faulting application sed.cfexe, version 0.0.0.0, faulting module sed.cfexe, version 0.0.0.0, fault address 0x000106ac.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 65 64 ure sed
0018: 2e 63 66 65 78 65 20 30 .cfexe 0
0020: 2e 30 2e 30 2e 30 20 69 .0.0.0 i
0028: 6e 20 73 65 64 2e 63 66 n sed.cf
0030: 65 78 65 20 30 2e 30 2e exe 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 31 30 36 61 63 0d 0a 0106ac..

Event Type: Error
Event Source: UmxAgent
Event Category: None
Event ID: 98
Date: 10/15/2007
Time: 12:34:54 PM
User: N/A
Computer: THE-WHITBYS
Description:
Cannot launch sync event client C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe

Event Type: Error
Event Source: UmxAgent
Event Category: None
Event ID: 105
Date: 10/15/2007
Time: 12:34:54 PM
User: N/A
Computer: THE-WHITBYS
Description:
Cannot create sync event client process. Sess: 1, Err: 2

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1511
Date: 10/14/2007
Time: 8:34:52 PM
User: THE-WHITBYS\Mike Whitby
Computer: THE-WHITBYS
Description:
Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11708
Date: 10/15/2007
Time: 11:20:08 PM
User: THE-WHITBYS\Lauren Whitby
Computer: THE-WHITBYS
Description:
Product: Microsoft Office XP Professional with FrontPage -- Installation failed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 39 30 32 38 30 34 30 {9028040
0008: 39 2d 36 30 30 30 2d 31 9-6000-1
0010: 31 44 33 2d 38 43 46 45 1D3-8CFE
0018: 2d 30 30 35 30 30 34 38 -0050048
0020: 33 38 33 43 39 7d 383C9}

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 10/15/2007
Time: 11:19:34 PM
User: THE-WHITBYS\Lauren Whitby
Computer: THE-WHITBYS
Description:
Detection of product '{90280409-6000-11D3-8CFE-0050048383C9}', feature 'HandWritingFiles' failed during request for component '{E6BFD503-3A35-4B78-BAB5-9570EDDEF81C}'

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1004
Date: 10/15/2007
Time: 11:19:34 PM
User: THE-WHITBYS\Lauren Whitby
Computer: THE-WHITBYS
Description:
Detection of product '{90280409-6000-11D3-8CFE-0050048383C9}', feature 'ProductFiles', component '{85DB45A4-EFC9-11D3-8D70-0050048384E3}' failed. The resource 'C:\Program Files\Common Files\Microsoft Shared\Office10\CTRYINFO.TXT' does not exist.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 10/15/2007
Time: 10:42:02 PM
User: NT AUTHORITY\SYSTEM
Computer: THE-WHITBYS
Description:
Windows saved user THE-WHITBYS\Lauren Whitby registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Attached Files
File Type: txt Kaspersky.txt (567.7 KB, 2 views)
Old 10-16-2007, 10:49 PM   #55 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista


Re: Need help with Virus.

Hi Mike,

My apologies for the delay. It appears Microsoft Office is the source of your Windows Installer 'woes'. You should have an install disc for Microsoft Office--uninstall it first via the Add/Remove programs and reboot.

Now install it again.

Is your D: drive a backup? I'm seeing infections in the system restore on that drive as well as infected temp internet files.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-16-2007, 11:08 PM   #56 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2


Re: Need help with Virus.

A back-up was done a couple of years ago to correct issues with a virus and I had a friend fix it and he did the back-up to D drive. I will try the uninstall and reinstall for disc in the Office issue to see if that clears that part up.
I will be traveling until Thursday so I will reply with an update then and take care of anything else you post you need me to do when I return.

Thanks again for the help!
Old 10-16-2007, 11:17 PM   #58 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista


Re: Need help with Virus.

You're welcome.

You may as well delete that entire backup as it's filled with junk. Perhaps you can ask your friend to make another backup for you once we've resolved these issues.

I'll remain subscribed to this thread, so I'll be notified when you do reply. Safe traveling until then.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 10-19-2007, 11:14 AM   #59 (permalink)
Registered User
 
Join Date: Oct 2007
Posts: 33
OS: XP Pro with SP2


Re: Need help with Virus.

Thanks Ried.

I did not have a disc for Office to try to re-install. It appears that all the files are still there but it keeps telling me that it cannot find certain programs when I try to repair it. I have tried to open Word, Outlook and Excel to run a "repair" and none will open.

I noticed that there is a "C" drive loaded on my "D" drive with a bunch of files. Should I just delete that file all together to clear up the virus issues?

Mike
Old 10-19-2007, 11:25 AM   #60 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista


Re: Need help with Virus.

The C: drive contents on that D: drive are the backups your friend made of your system a couple of years ago, so yes--delete it all.

As far as the Office issue, I would suggest discussing this issue with the folks over in the Microsoft Office Support.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Copyright 2001 - 2009, Tech Support Forum