Topic: [Resolved] For Hoov... Possible video driver infection.....


CheyrlB (Bronze Member):
Here's my DDS.txt and my Attach.txt from "What do I do first".  


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by CherylB at 18:06:47 on 2012-05-01
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.5887.4302 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files\WTouch\WTouchUser.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\mswinext.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Users\CherylB\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\CherylB\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\CherylB\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\splwow64.exe
C:\Users\CherylB\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\CherylB\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cfu.net/
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
TB: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Google Update] "C:\Users\CherylB\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MOZYHO~1.LNK - C:\Program Files (x86)\MozyHome\mozystat.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SNAPFI~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{88D6FDC8-C028-4379-A05F-5AA6C23B289B} : DhcpNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64:     AcroIEHelperStub - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64:     Search Helper - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO-X64: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
TB-X64: @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [(Default)]
mRun-x64: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun-x64: [Microsoft Default Manager] "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\CherylB\AppData\Roaming\Mozilla\Firefox\Profiles\p855a8gx.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll
FF - plugin: C:\Program Files (x86)\TabletPlugins\npwacom.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\CherylB\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Users\CherylB\AppData\Roaming\Mozilla\Firefox\Profiles\p855a8gx.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npAclmPlugin.dll
FF - plugin: C:\Users\CherylB\AppData\Roaming\Mozilla\Firefox\Profiles\p855a8gx.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll
FF - plugin: C:\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 HP Power Assistant Service;HP Power Assistant Service;C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [2010-9-28 107576]
R2 HPAuto;HP Auto;C:\Program Files\Hewlett-Packard\HP Auto\HPAuto.exe [2010-8-5 681528]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-8-5 291896]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-8-20 92216]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-4-2 1119768]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-9-11 399344]
R2 TabletServicePen;TabletServicePen;C:\Windows\system32\Pen_Tablet.exe --> C:\Windows\system32\Pen_Tablet.exe [?]
R2 WTouchService;WTouch Service;C:\Program Files\WTouch\WTouchService.exe [2012-4-28 127784]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-27 253088]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;\??\C:\Windows\system32\drivers\BVRPMPR5a64.SYS --> C:\Windows\system32\drivers\BVRPMPR5a64.SYS [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 wacmoumonitor;Wacom Mode Helper;C:\Windows\system32\DRIVERS\wacmoumonitor.sys --> C:\Windows\system32\DRIVERS\wacmoumonitor.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-05-01 17:55:19   69000   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D8D52797-B4B2-4617-986B-EBE5866594CE}\offreg.dll
2012-05-01 17:27:29   8917360   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D8D52797-B4B2-4617-986B-EBE5866594CE}\mpengine.dll
2012-05-01 16:31:44   47616   ----a-w-   C:\Windows\SysWow64\pdf995mon64.dll
2012-05-01 16:31:44   47616   ----a-w-   C:\Windows\System32\pdf995mon64.dll
2012-05-01 16:31:44   314368   ----a-w-   C:\Windows\System32\pdfmona64.dll
2012-05-01 16:31:44   142   ----a-w-   C:\Windows\wpd99.drv
2012-05-01 16:31:44   11264   ----a-w-   C:\Windows\System32\pdf995mon64ui.dll
2012-05-01 16:31:44   --------   d-----w-   C:\ProgramData\pdf995
2012-05-01 16:31:14   202752   ----a-w-   C:\Windows\SysWow64\wbem\framedyn.dll
2012-05-01 16:10:36   --------   d-----w-   C:\Program Files\Canon
2012-05-01 16:09:00   82944   ----a-w-   C:\Windows\System32\Spool\prtprocs\x64\CNMPP97.DLL
2012-05-01 16:09:00   27648   ----a-w-   C:\Windows\System32\Spool\prtprocs\x64\CNMPD97.DLL
2012-05-01 16:09:00   27648   ----a-w-   C:\Windows\System32\Spool\prtprocs\x64\1_CNMPD97.DLL
2012-05-01 16:08:41   269824   ----a-w-   C:\Windows\System32\CNMLM97.DLL
2012-05-01 16:07:49   --------   d-----w-   C:\Program Files (x86)\Canon
2012-05-01 15:44:11   --------   d-----w-   C:\Program Files (x86)\PDF995
2012-04-30 21:45:18   --------   d-----w-   C:\Users\CherylB\AppData\Local\Mozy Restore Manager
2012-04-30 21:41:13   --------   d-----w-   C:\Users\CherylB\AppData\Roaming\hpqLog
2012-04-30 21:31:18   --------   d-----w-   C:\Users\CherylB\AppData\Roaming\TaxCut
2012-04-30 21:26:22   --------   d-----w-   C:\Program Files (x86)\HRBlock2011
2012-04-30 21:25:28   --------   d-----w-   C:\ProgramData\TaxCut
2012-04-30 21:19:08   67328   ----a-w-   C:\Windows\System32\drivers\mozy.sys
2012-04-30 21:19:07   --------   d-----w-   C:\Program Files\MozyHome
2012-04-30 19:36:49   --------   d-----w-   C:\Users\CherylB\AppData\Roaming\Malwarebytes
2012-04-30 19:36:40   --------   d-----w-   C:\ProgramData\Malwarebytes
2012-04-30 19:36:39   24904   ----a-w-   C:\Windows\System32\drivers\mbam.sys
2012-04-30 19:36:39   --------   d-----w-   C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-30 18:41:17   8917360   ----a-w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-30 18:28:45   1139200   ----a-w-   C:\Windows\System32\FntCache.dll
2012-04-30 18:28:44   902656   ----a-w-   C:\Windows\System32\d2d1.dll
2012-04-30 18:28:44   739840   ----a-w-   C:\Windows\SysWow64\d2d1.dll
2012-04-30 13:58:01   --------   d-----w-   C:\Users\CherylB\AppData\Local\{8F609AA6-E8B8-409F-9DFB-4B11535CC5C6}
2012-04-30 13:57:49   --------   d-----w-   C:\Users\CherylB\AppData\Local\{1131BF4F-364F-4110-B149-2033D7BBEB1A}
2012-04-30 00:42:44   927800   ------w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8A3C21A6-3DBB-4755-A02D-C2E7DF70C488}\gapaengine.dll
2012-04-29 23:45:33   927800   ------w-   C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-04-29 22:25:29   --------   d-----w-   C:\Users\CherylB\AppData\Local\ElevatedDiagnostics
2012-04-29 22:06:36   77312   ----a-w-   C:\Windows\System32\rdpwsx.dll
2012-04-29 22:06:36   149504   ----a-w-   C:\Windows\System32\rdpcorekmts.dll
2012-04-29 20:52:03   --------   d-----w-   C:\Windows\System32\SPReview
2012-04-29 20:51:34   --------   d-----w-   C:\Windows\System32\EventProviders
2012-04-29 17:13:59   640512   ----a-w-   C:\Windows\SysWow64\advapi32.dll
2012-04-29 17:12:59   921600   ----a-w-   C:\Program Files (x86)\Common Files\System\Ole DB\sqloledb.dll
2012-04-29 17:11:43   606208   ----a-w-   C:\Windows\SysWow64\wbem\fastprox.dll
2012-04-29 17:11:43   363008   ----a-w-   C:\Windows\SysWow64\wbemcomn.dll
2012-04-29 17:10:19   529408   ----a-w-   C:\Windows\System32\wbemcomn.dll
2012-04-29 14:13:28   --------   d-----w-   C:\Users\CherylB\AppData\Local\{03EBE109-7834-45BE-8225-F5AB7ED1288B}
2012-04-29 14:13:15   --------   d-----w-   C:\Users\CherylB\AppData\Local\{3AFA85CC-22BB-403A-8158-A987A247FA68}
2012-04-29 08:39:38   --------   d-----w-   C:\Windows\SysWow64\Wat
2012-04-29 08:39:38   --------   d-----w-   C:\Windows\System32\Wat
2012-04-29 08:11:13   --------   d-----w-   C:\Program Files (x86)\MSXML 4.0
2012-04-29 08:06:20   5559152   ----a-w-   C:\Windows\System32\ntoskrnl.exe
2012-04-29 08:06:20   3968368   ----a-w-   C:\Windows\SysWow64\ntkrnlpa.exe
2012-04-29 08:06:19   3913072   ----a-w-   C:\Windows\SysWow64\ntoskrnl.exe
2012-04-29 08:03:48   81408   ----a-w-   C:\Windows\System32\imagehlp.dll
2012-04-29 08:03:48   5120   ----a-w-   C:\Windows\SysWow64\wmi.dll
2012-04-29 08:03:48   5120   ----a-w-   C:\Windows\System32\wmi.dll
2012-04-29 08:03:48   23408   ----a-w-   C:\Windows\System32\drivers\fs_rec.sys
2012-04-29 08:03:48   220672   ----a-w-   C:\Windows\System32\wintrust.dll
2012-04-29 08:03:48   172544   ----a-w-   C:\Windows\SysWow64\wintrust.dll
2012-04-29 08:03:48   159232   ----a-w-   C:\Windows\SysWow64\imagehlp.dll
2012-04-28 21:51:10   --------   d-----w-   C:\Users\CherylB\AppData\Local\{60FE0829-162F-4217-911B-619E2E746EA7}
2012-04-28 21:50:58   --------   d-----w-   C:\Users\CherylB\AppData\Local\{D1ACE37D-43C4-45FB-8EFD-BDD5973F5690}
2012-04-28 21:50:44   --------   d-----w-   C:\Users\CherylB\Tracing
2012-04-28 21:28:57   --------   d-----w-   C:\Windows\en
2012-04-28 21:25:35   19352   ----a-w-   C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-04-28 21:22:58   89944   ----a-w-   C:\Program Files (x86)\Common Files\Windows Live\.cache\14cf40561cd258510\DSETUP.dll
2012-04-28 21:22:58   537432   ----a-w-   C:\Program Files (x86)\Common Files\Windows Live\.cache\14cf40561cd258510\DXSETUP.exe
2012-04-28 21:22:58   1801048   ----a-w-   C:\Program Files (x86)\Common Files\Windows Live\.cache\14cf40561cd258510\dsetup32.dll
2012-04-28 21:20:54   --------   d-----w-   C:\Users\CherylB\AppData\Local\Windows Live
2012-04-28 20:56:09   321024   ----a-w-   C:\Windows\System32\d3d10_1core.dll
2012-04-28 20:56:09   219136   ----a-w-   C:\Windows\SysWow64\d3d10_1core.dll
2012-04-28 20:56:09   197120   ----a-w-   C:\Windows\System32\d3d10_1.dll
2012-04-28 20:56:09   161792   ----a-w-   C:\Windows\SysWow64\d3d10_1.dll
2012-04-28 20:56:07   467456   ----a-w-   C:\Windows\System32\drivers\srv.sys
2012-04-28 20:56:07   410112   ----a-w-   C:\Windows\System32\drivers\srv2.sys
2012-04-28 20:56:07   168448   ----a-w-   C:\Windows\System32\drivers\srvnet.sys
2012-04-28 20:54:56   142336   ----a-w-   C:\Windows\System32\poqexec.exe
2012-04-28 20:53:59   1544192   ----a-w-   C:\Windows\System32\DWrite.dll
2012-04-28 20:50:29   --------   d-----w-   C:\Users\CherylB\AppData\Roaming\HP Support Assistant
2012-04-28 20:50:21   --------   d-----w-   C:\Users\CherylB\AppData\Local\CrashDumps
2012-04-28 20:47:51   90624   ----a-w-   C:\Windows\System32\drivers\bowser.sys
2012-04-28 20:47:37   --------   d-----w-   C:\Users\CherylB\AppData\Local\Zame
2012-04-28 20:47:30   2048   ----a-w-   C:\Windows\SysWow64\tzres.dll
2012-04-28 20:47:30   2048   ----a-w-   C:\Windows\System32\tzres.dll
2012-04-28 20:47:14   1731920   ----a-w-   C:\Windows\System32\ntdll.dll
2012-04-28 20:47:13   1292080   ----a-w-   C:\Windows\SysWow64\ntdll.dll
2012-04-28 20:47:03   77312   ----a-w-   C:\Windows\System32\packager.dll
2012-04-28 20:47:03   67072   ----a-w-   C:\Windows\SysWow64\packager.dll
2012-04-28 20:47:03   279656   ------w-   C:\Windows\System32\MpSigStub.exe
2012-04-28 20:46:25   861696   ----a-w-   C:\Windows\System32\oleaut32.dll
2012-04-28 20:46:25   571904   ----a-w-   C:\Windows\SysWow64\oleaut32.dll
2012-04-28 20:46:25   331776   ----a-w-   C:\Windows\System32\oleacc.dll
2012-04-28 20:46:25   233472   ----a-w-   C:\Windows\SysWow64\oleacc.dll
2012-04-28 20:46:24   723456   ----a-w-   C:\Windows\System32\EncDec.dll
2012-04-28 20:46:24   534528   ----a-w-   C:\Windows\SysWow64\EncDec.dll
2012-04-28 20:45:18   --------   d-----w-   C:\Users\CherylB\AppData\Roaming\HpUpdate
2012-04-28 20:44:22   --------   d-----w-   C:\Users\CherylB\AppData\Roaming\WTablet
2012-04-28 20:44:16   --------   d-----w-   C:\Users\CherylB\AppData\Roaming\WTouch
2012-04-28 20:44:15   245032   ------w-   C:\Windows\SysWow64\Touch_Tablet.dll
2012-04-28 20:44:14   290088   ------w-   C:\Windows\System32\Touch_Tablet.dll
2012-04-28 20:44:11   --------   d-----w-   C:\Program Files\WTouch
2012-04-28 20:44:08   --------   d-----w-   C:\Program Files (x86)\TabletPlugins
2012-04-28 20:43:50   7543592   ------w-   C:\Windows\System32\PenTablet.cpl
2012-04-28 20:43:44   12848   ----a-w-   C:\Windows\System32\drivers\wacommousefilter.sys
2012-04-28 20:43:32   15656   ----a-w-   C:\Windows\System32\drivers\wacomvhid.sys
2012-04-28 20:43:29   18216   ----a-w-   C:\Windows\System32\drivers\wacmoumonitor.sys
2012-04-28 20:43:28   --------   d-----w-   C:\Windows\System32\WTablet
2012-04-28 20:43:24   490280   ------w-   C:\Windows\System32\Pen_Tablet.dll
2012-04-28 20:43:24   416040   ------w-   C:\Windows\SysWow64\Pen_Tablet.dll
2012-04-28 20:43:24   284160   ------w-   C:\Windows\SysWow64\Wintab32.dll
2012-04-28 20:43:20   5556520   ------w-   C:\Windows\System32\Pen_Tablet.exe
2012-04-28 20:43:16   --------   d-----w-   C:\Program Files (x86)\Tablet
2012-04-28 01:56:00   --------   d-----w-   C:\Program Files (x86)\Microsoft Security Client
2012-04-28 01:55:56   --------   d-----w-   C:\Program Files\Microsoft Security Client
2012-04-28 01:45:39   --------   d-----w-   C:\Users\CherylB\AppData\Roaming\Netgear Live Parental Controls
2012-04-28 01:43:55   --------   d-----w-   C:\Users\CherylB\AppData\Local\Diagnostics
2012-04-28 01:25:11   35840   ----a-r-   C:\Windows\System32\drivers\BVRPMPR5a64.SYS
2012-04-28 01:24:22   --------   d-----w-   C:\Netgear
2012-04-27 23:09:27   --------   d-----w-   C:\Users\CherylB\AppData\Roaming\Blio
2012-04-27 23:06:07   --------   d-----w-   C:\Users\CherylB\AppData\Local\Google
2012-04-27 22:52:37   --------   d-----w-   C:\ProgramData\Recovery
2012-04-27 22:14:04   70304   ----a-w-   C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-27 22:14:04   418464   ----a-w-   C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-27 20:55:51   --------   d-----w-   C:\Program Files (x86)\Common Files\Symantec Shared
2012-04-27 20:12:59   89088   ----a-w-   C:\Windows\System32\RegisterIEPKEYs.exe
2012-04-27 20:09:08   --------   d-----w-   C:\Users\CherylB\AppData\Local\ATI
2012-04-27 20:09:03   --------   d-----w-   C:\Users\CherylB\AppData\Roaming\PictureMover
2012-04-27 20:05:52   --------   d-----w-   C:\Users\CherylB\AppData\Local\PDFC
2012-04-27 20:05:21   9216   ----a-w-   C:\Windows\System32\rdrmemptylst.exe
2012-04-27 20:05:20   826880   ----a-w-   C:\Windows\SysWow64\rdpcore.dll
2012-04-27 20:05:20   23552   ----a-w-   C:\Windows\System32\drivers\tdtcp.sys
2012-04-27 20:05:20   210944   ----a-w-   C:\Windows\System32\drivers\rdpwd.sys
2012-04-27 20:05:20   1031680   ----a-w-   C:\Windows\System32\rdpcore.dll
2012-04-27 20:05:12   --------   d-----w-   C:\Users\CherylB\AppData\Local\VirtualStore
2012-04-27 20:04:45   --------   d-----w-   C:\Users\CherylB\AppData\Local\RemEngine
.
==================== Find3M  ====================
.
2012-04-29 21:06:21   175616   ----a-w-   C:\Windows\System32\msclmd.dll
2012-04-29 21:06:21   152576   ----a-w-   C:\Windows\SysWow64\msclmd.dll
2012-04-27 20:13:00   76800   ----a-w-   C:\Windows\SysWow64\SetIEInstalledDate.exe
2012-04-27 20:13:00   74752   ----a-w-   C:\Windows\SysWow64\RegisterIEPKEYs.exe
2012-04-27 20:13:00   161792   ----a-w-   C:\Windows\SysWow64\msls31.dll
2012-04-27 20:13:00   110592   ----a-w-   C:\Windows\SysWow64\IEAdvpack.dll
2012-03-21 01:44:12   98688   ----a-w-   C:\Windows\System32\drivers\NisDrvWFP.sys
2012-03-21 01:44:12   203888   ----a-w-   C:\Windows\System32\drivers\MpFilter.sys
2012-03-08 23:50:28   49016   ----a-w-   C:\Windows\SysWow64\sirenacm.dll
2012-03-08 23:37:20   302448   ----a-w-   C:\Windows\WLXPGSS.SCR
2012-02-28 06:56:48   2311168   ----a-w-   C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56   1390080   ----a-w-   C:\Windows\System32\wininet.dll
2012-02-28 06:48:57   1493504   ----a-w-   C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55   2382848   ----a-w-   C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55   1799168   ----a-w-   C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21   1427456   ----a-w-   C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07   1127424   ----a-w-   C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16   2382848   ----a-w-   C:\Windows\SysWow64\mshtml.tlb
2012-02-10 05:38:43   1077248   ----a-w-   C:\Windows\SysWow64\DWrite.dll
2012-02-03 04:34:34   3145728   ----a-w-   C:\Windows\System32\win32k.sys
.
============= FINISH: 18:07:01.71 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 4/27/2012 2:58:54 PM
System Uptime: 5/1/2012 11:05:18 AM (7 hours ago)
.
Motherboard: FOXCONN |  | 2AB1
Processor: AMD Athlon(tm) II X4 640 Processor | CPU 1 | 3000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 919 GiB total, 869.755 GiB free.
D: is FIXED (NTFS) - 13 GiB total, 1.272 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP15: 4/29/2012 3:51:56 PM - Windows 7 Service Pack 1
RP16: 4/29/2012 5:01:17 PM - Windows Update
RP17: 4/29/2012 7:43:11 PM - Windows Update
RP18: 4/30/2012 11:36:28 AM - Windows Update
RP19: 4/30/2012 1:28:48 PM - Windows Update
RP20: 4/30/2012 2:08:40 PM - Installed HP Product Detection
RP21: 4/30/2012 2:09:23 PM - Installed Hewlett-Packard ACLM.NET v1.1.0.0.
RP22: 4/30/2012 4:18:46 PM - Installed MozyHome
RP23: 4/30/2012 4:25:59 PM - Installed HR Block 2011.
RP24: 4/30/2012 4:35:18 PM - Installed HR Block Iowa 2011.
RP25: 4/30/2012 4:41:26 PM - Installed HP Power Assistant
RP26: 4/30/2012 5:18:11 PM - Removed H&R Block Premium + Efile + State 2011.
RP27: 4/30/2012 5:34:59 PM - Removed H&R Block Iowa 2011.
RP28: 5/1/2012 9:07:43 AM - Windows Update
RP29: 5/1/2012 10:43:49 AM - Installed HR Block 2011.
RP30: 5/1/2012 10:47:26 AM - Installed HR Block Iowa 2011.
.
==== Installed Programs ======================
.
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Reader X (10.1.3)
Agatha Christie - Peril at End House
Bamboo
Bejeweled 2 Deluxe
Bing Bar
Bing Bar Platform
Bing Rewards Client Installer
Blackhawk Striker 2
Blasterball 3
Blio
Bounce Symphony
Build-a-lot 2
Cake Mania
Canon iP2600 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chuzzle Deluxe
CyberLink DVD Suite Deluxe
D3DX10
Diner Dash 2 Restaurant Rescue
Dora's World Adventure
DVD Menu Pack for HP MediaSmart Video
Escape Rosecliff Island
Farm Frenzy
FATE
Final Drive Nitro
Google Chrome
H&R Block Iowa 2011
H&R Block Premium + Efile + State 2011
Heroes of Hellas 2 - Olympia
Hewlett-Packard ACLM.NET v1.1.0.0
HP Customer Experience Enhancements
HP Game Console
HP Games
HP MediaSmart DVD
HP MediaSmart Music
HP MediaSmart Photo
HP MediaSmart Video
HP MediaSmart/TouchSmart Netflix
HP MovieStore
HP Odometer
HP Product Detection
HP Setup
HP Setup Manager
HP Support Assistant
HP Support Information
HP Update
HPAsset component for HP Active Support Library
Hulu Desktop
Jewel Quest Solitaire 2
Junk Mail filter update
Kobo
LabelPrint
LightScribe System Software
Malwarebytes Anti-Malware version 1.61.0.1400
Messenger Companion
Microsoft Default Manager
Microsoft Office 2010
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
Movie Theme Pack for HP MediaSmart Video
Mozilla Firefox 12.0 (x86 en-US)
MSVCRT
MSVCRT_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery P.I. - The London Caper
PDF Complete Special Edition
Pdf995 (installed by H&R Block)
PdfEdit995 (installed by H&R Block)
Penguins!
PhotoNow!
PictureMover
Plants vs. Zombies
PlayReady PC Runtime x86
Poker Superstars III
Polar Bowler
Polar Golfer
Power2Go
PowerDirector
PressReader
Realtek High Definition Audio Driver
Recovery Manager
RoxioNow Player
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Virtual Families
Virtual Villagers 4 - The Tree of Life
WebTablet IE Plugin
WebTablet Netscape Plugin
Wheel of Fortune 2
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live Messenger Companion Core
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Zinio Reader 4
Zuma Deluxe
.
==== Event Viewer Messages From Past Week ========
.
4/29/2012 3:41:55 AM, Error: Service Control Manager [7023]  -
4/29/2012 3:38:40 AM, Error: Service Control Manager [7023]  - The Windows Modules Installer service terminated with the following error:  The process cannot access the file because it is being used by another process.
4/28/2012 3:23:36 PM, Error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 0.0.0.0     Update Source: Microsoft Update Server     Update Stage: Search     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 0.0.0.0     Error code: 0x8024001e     Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
4/27/2012 8:25:11 PM, Error: Service Control Manager [7000]  - The BVRPMPR5a64 NDIS Protocol Driver service failed to start due to the following error:  The system cannot find the file specified.
.
==== End Of File ===========================
« Last Edit: May 01, 2012, 05:38:04 PM by Hoov »



Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22690
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #1 on: May 01, 2012, 05:42:35 PM »
I have been helping you on the other forum and asked you to move the problem here, but I must ask you to do a few things for me.

First, tell me any other problems you are having, no matter how small or long you have been dealing with them.

Second, please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

Third, follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go.

Fourth, Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

Fifth, if we start this fix, I need you to stick with me until the end. Just because your computer is running better does not mean it is fixed.

Before we start trying to fix your computer, you need to make sure your data is backed up. Also let me know of any software you have running that encrypts your harddrive.

One last thing, I am assuming this is your computer. If it's not, I need you to tell me if this computer belongs to a school or to a company or organization of some kind. Also tell me if there is an IT department responsible for this computer.

Now onto trying to fix your computer.

I know you did a restore on your computer, but the problems you were having may help us with the current problem. Do you remember what problems you were having before you did the reimage?



Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline CheyrlB

  • Bronze Member
  • Posts: 94
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #2 on: May 02, 2012, 09:13:30 AM »
First, when you say "any other problems that I'm having", do you mean other than those we've already talked about? I'm not sure if you want me to relist the issues I've had since the infection. If you're speaking of anything new, the only "new" thing happened yesterday when I disabled Microsoft Security Essentials to run the DDS scan. The computer seemed to break loose when I did that, as if downloading something. That scared me so I did a quick check of the Windows update, ran the Bing Bar update and restarted the computer. As it was attempting to shut down, it told me that Chrome had to finish downloading something. (I'm not aware, nor have I ever experienced, Chrome downloading something.) Then I had to force shutdown because something was running in the background. The restart seemed to take a long time and at one point the monitor just went light purple for a couple minutes. Then it started as usual.

This morning I was researching the AMD failure message I mentioned the other day when the ATI Technologies Inc- Display- ATI Radeon HD 4200 update ran. I did download the DriverUpdater from cnet, ran it. It said all 6 drivers were outdated or missing. I didn't run the "fix" because I started to panic. I also did this http://support.amd.com/us/gpudownload/windows/Pages/radeonmob_win7-64.aspx and the result was that it couldn't be downloaded because of the incompatible hardware/software on the computer. I know both of these things are prime examples why novices should NOT try to fix things on their own. It's highly probable that I should not have done that and won't do anything more until told by you. You said I should tell you if I deviate from the plan, and that may have been a deviation. ...not sure at this point. Should I run the DDS scan again and repost?

You also said to let you know of any software running that encrypts my hard drive. I don't know of any. Do you have an example?

Yes, this is my home computer. I have two laptops that run off the router that is hooked up to it. (and ps3/wii)

The problem that prompted the system restore was my clicking on a video that I shouldn't have and the screen instantly went blue with a large warning across the top. I didn't read the warning. I scrambled to unplug the computer in a lame attempt to stop what was happening- all the while knowing it was too late. When it was restarted in safe mode, a message came on screen saying "The screen saver can't run because it requires a newer video card or one that's compatible with Direct 3D". Also when I restarted in normal mode, there was an ominous, new sticky note pinned amongst my own sticky notes stating something about being afraid, not expecting this, anger setting in, not being controlled. It was shortly after that that I panicked, backed up a few (less than 100) files and ran recovery discs. Prior to clicking on the video, I wasn't experiencing any problems. This all happened last Tuesday- 4/24/12.

This has obviously got me pretty scared. I'll follow your instruction. If I don't understand, I'll let you know. I hope I covered everything.

Thank you....


Offline CheyrlB

  • Bronze Member
  • Posts: 94
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #3 on: May 02, 2012, 09:24:33 AM »
A couple other quick questions: How limited do I have to be on this computer? Am I free to check email, facebook? any banking/bill pay?

Also, is it odd that Microsoft Security Essentials scans almost a million items when there's virtually nothing on this computer because I just ran the recovery discs? I have no documents/pictures/programs/etc on here. Just the printer I believe.

Forgot to mention that I uninstalled H&R Block tax program this morning and Mozy online backup.

Offline CheyrlB

  • Bronze Member
  • Posts: 94
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #4 on: May 02, 2012, 09:26:45 AM »
Also, I was looking over the logs that I posted. This entry seemed strange because it was the middle of the night and no one was on the computer. I don't know if that's relevant or not.

4/29/2012 3:38:40 AM, Error: Service Control Manager [7023]  - The Windows Modules Installer service terminated with the following error:  The process cannot access the file because it is being used by another process.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22690
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #5 on: May 03, 2012, 08:02:52 AM »
First, apologies for not responding yesterday. I was under the weather. I tried responding, but I read your responses 3 times and could not even get past the first sentence.

First, rest assured you did the right thing by unplugging your computer. I probably would have just used the power button, but the power cord is correct as well. The computer does not really like that, but sometimes you have to do that to save yourself.

About the encryption software, if you don't know what it is, then you don't have it. It is software that you have to login to before windows can even try starting. I ask that because it can cause unrecoverable problems.

About limitations, I would not do any banking, or anything with a highly personal nature until we are sure we have gotten it clean. Basic browsing the internet and checking e-mail should be fine. Once we are done, you should change passwords on your various accounts though.

About the programs you uninstalled, that generally doesn't cause a problem, it's the installation that causes the problem.

And errors can happen in the middle of the night if the computer is running. There are still a lot of processes going on even when it seems to be doing nothing.

First, I would like you to go into the control panel and to the device manager and see if there are any devices with a red x or yellow ! next to them. If there are, let me know which device has which problem.

Second, start Malwarebytes' Anti-Malware and update it, then run a full scan. If it finds something, fix it and then post the log. If it finds nothing, just post the log.


Offline CheyrlB

  • Bronze Member
  • Posts: 94
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #6 on: May 03, 2012, 10:18:08 AM »
Thanks for replying. Hopefully you're feeling better today. :)

Nothing in Device Manager had a red or yellow !.

Malwarebytes found nothing. Below is the log.

Did you get a chance to look at the DDS logs? Even with my untrained eyes, I spotted some bad/suspicious things.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.03.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
CherylB :: CHERYLB-HP [administrator]

5/3/2012 10:20:19 AM
mbam-log-2012-05-03 (10-20-19).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 379450
Time elapsed: 29 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22690
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #7 on: May 03, 2012, 10:36:14 AM »
Nothing serious. What do you have a question about? I might have missed something. I do see a few things we will need to clean up, but it's not critical right now.


Offline CheyrlB

  • Bronze Member
  • Posts: 94
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #8 on: May 03, 2012, 12:10:23 PM »
Well, again, I'm no expert so I hate to make presumptions about stuff I see. What I've been doing is looking at the DDS logs, copying/pasting a line into Google to see what comes up. For example the syswow64 stuff under the Find3M portion of the log. Some of the posts say it's virus/malware. One said it wasn't. So my investigation may simply be muddying up the process.

Another instance was this c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe. For whatever reason, that seemed odd to me and of course there are links that say it's bad.

Also, Firefox is redirecting to kona5.kontera.com. Not sure if that means anything. just observing.

Just fyi- in the running process portion of the log, Chrome is named. I've uninstalled that so that line alerted me. Incidentally, I was in Chrome when I clicked the video that prompted this entire fiasco. And right after it crashed, Chrome was gone, didn't exist. When I tried to reinstall, it said it was going to take 8 hours, then 4 hours, 2 minutes, back to 2 hours, etc.

Let's just proceed according to your plan. I want to make sure we get this thing. I don't want to do a "fluffy" fix and be done. I want my peace of mind back..... :)

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22690
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #9 on: May 03, 2012, 12:58:06 PM »
Unfortunately that is one of the downsides to doing research on the internet. You have to be able to distinguish the good information and the people who are paranoid. It is true that most of those files can be infected, but as far as we can tell right now they are fine.

MOM.exe in the ATI folder is part of the Catalyst Control Center, which is the GUI for the ATI Radeon graphics cards.

kontera is an advertising company. Have you ever been to a website where certain words are underlined and when you put your mouse cursor on it, you get a popup ad? That is one of the companies that does that sort of thing. One thing you may want to install to help block a lot of that kind of thing is Ghostery. I was just recently introduced to Ghostery and I really like it. It stops a lot of the popup ads and the like.


* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Offline CheyrlB

  • Bronze Member
  • Posts: 94
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #10 on: May 03, 2012, 01:04:50 PM »
Malwarebytes can't be disabled, correct? Should I uninstall?

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22690
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #11 on: May 03, 2012, 01:18:18 PM »
If you are using the free version, there is nothing to disable. If you have the pro version then just start the task manager and kill the mbamservice.exe. That is all you need to do.


Offline CheyrlB

  • Bronze Member
  • Posts: 94
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #12 on: May 03, 2012, 02:01:54 PM »
Should I turn off Windows Firewall?

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22690
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #13 on: May 06, 2012, 11:59:41 AM »
Yes, disable any firewall you have running, also any Antivirus, as well as any program that blocks registry changes.


Offline CheyrlB

  • Bronze Member
  • Posts: 94
Re: [In Progress] For Hoov... Possible video driver infection.....
« Reply #14 on: May 11, 2012, 11:53:50 AM »
Here's the Malwarebytes scan from Laptop #1


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.11.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
ARB2 :: ALYX-PC [administrator]

5/11/2012 9:47:37 AM
mbam-log-2012-05-11 (12-49-33).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 458036
Time elapsed: 2 hour(s), 2 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 10
HKCR\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (PUP.MyWebSearch) -> No action taken.
HKCR\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (PUP.MyWebSearch) -> No action taken.
HKCR\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (PUP.MyWebSearch) -> No action taken.
HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\FocusInteractive (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Fun Web Products (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\MyWebSearch (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (PUP.MyWebSearch) -> No action taken.

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> Data:  -> No action taken.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{00A6FAF6-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> Data:  -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 12
C:\Program Files (x86)\FunWebProducts (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\FunWebProducts\ScreenSaver (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\FunWebProducts\ScreenSaver\Images (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\1.bin (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\2.bin (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\2.bin\ThirdPartyInstallers (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\3.bin (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\3.bin\ThirdPartyInstallers (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\4.bin (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\Settings (PUP.MyWebSearch) -> No action taken.

Files Detected: 12
C:\$RECYCLE.BIN\S-1-5-21-3548233839-656413462-1145383277-1000\$R4ZRLGR.EXE (PUP.MyWebSearch) -> No action taken.
C:\$RECYCLE.BIN\S-1-5-21-3548233839-656413462-1145383277-1000\$RCLLOO6.EXE (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\2.bin\M3HIGHIN.EXE (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\2.bin\MWSSVC.EXE (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\3.bin\M3HIGHIN.EXE (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\3.bin\MWSSVC.EXE (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\4.bin\M3HIGHIN.EXE (PUP.MyWebSearch) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\4.bin\MWSSVC.EXE (PUP.MyWebSearch) -> No action taken.
C:\Windows\System32\f3PSSavr.scr (PUP.FunWebProducts) -> No action taken.
C:\Windows\System32\f3PSSavr.scr (Trojan.Agent) -> No action taken.
C:\Windows\SysWOW64\f3PSSavr.scr (Trojan.Agent) -> No action taken.
C:\Program Files (x86)\MyWebSearch\bar\Settings\s_pid.dat (PUP.MyWebSearch) -> No action taken.

(end)