Microsoft Security Center Disabled



ffemtjacque
2010-11-09, 20:51
Microsoft Security Center is disabled and will not turn on. DDS Log, Spybot item that cannot be removed posted below and attach.txt attached.


DDS (Ver_10-11-09.01) - NTFSx86
Run by Jaques at 10:34:17.89 on Tue 11/09/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2188 [GMT -8:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS1\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS1\System32\svchost.exe -k netsvcs
C:\WINDOWS1\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\system32\rundll32.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MSDE 2000\MSSQL$METRIX\Binn\sqlservr.exe
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\WINDOWS1\System32\nvsvc32.exe
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\WINDOWS1\Explorer.EXE
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\WINDOWS1\System32\svchost.exe -k imgsvc
C:\Program Files\Tether\TBService.exe
C:\WINDOWS1\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS1\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS1\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Jaques\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://webmail.inhs.org/exchweb/bin/auth/owalogon.asp?url=https://webmail.inhs.org/exchange&reason=0
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows1\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\jaques\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows1\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows1\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe" /q /c
StartupFolder: c:\docume~1\jaques\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows1\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246919370187
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
TCP: {9F5E4696-3E91-45E0-903D-08192DB8E800} = 208.67.222.222,208.67.220.220
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows1\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jaques\applic~1\mozilla\firefox\profiles\id4rr2da.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com|http://www.krem.com|http://webmail.freshabundance.com|http://www.gmail.com|http://www.google.com/ig|www.facebook.com
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\jaques\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jaques\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\jaques\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows1\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 imdrvfsf;Iomega File System Filter Driver;c:\windows1\system32\drivers\imdrvfsf.sys [2006-2-10 15616]
R1 AW_HOST;AW_HOST;c:\windows1\system32\drivers\AW_HOST5.sys [2003-5-5 24365]
R1 awlegacy;awlegacy;c:\windows1\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows1\system32\drivers\MpFilter.sys [2009-6-18 151216]
R2 MSSQL$METRIX;MSSQL$METRIX;c:\program files\msde 2000\mssql$metrix\binn\sqlservr.exe -smetrix --> c:\program files\msde 2000\mssql$metrix\binn\sqlservr.exe -sMETRIX [?]
R2 Tether;Tether;c:\program files\tether\TBService.exe [2010-1-27 52664]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows1\system32\drivers\nvhda32.sys [2009-8-21 57248]
S2 gupdate1c97d7c903f3d10;Google Update Service (gupdate1c97d7c903f3d10);c:\program files\google\update\GoogleUpdate.exe [2008-10-8 133104]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
S3 qrkis;Tether Miniport;c:\windows1\system32\drivers\qrkis.sys [2009-3-7 45608]
S3 SQLAgent$METRIX;SQLAgent$METRIX;c:\program files\msde 2000\mssql$metrix\binn\sqlagent.exe -i metrix --> c:\program files\msde 2000\mssql$metrix\binn\sqlagent.EXE -i METRIX [?]

=============== Created Last 30 ================

2010-11-08 22:03:25 6146896 ----a-w- c:\docume~1\alluse~1.win\applic~1\microsoft\microsoft antimalware\definition updates\{5734c6d5-b543-4b74-8f2e-5c87507e19ef}\mpengine.dll
2010-11-08 21:54:58 109056 --sha-r- c:\windows1\system32\msdatgrd2.dll
2010-10-13 00:00:48 974848 -c----w- c:\windows1\system32\dllcache\mfc42.dll
2010-10-13 00:00:48 953856 -c----w- c:\windows1\system32\dllcache\mfc40u.dll
2010-10-13 00:00:09 617472 -c----w- c:\windows1\system32\dllcache\comctl32.dll

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- c:\windows1\system32\MpSigStub.exe
2010-09-18 19:23:26 974848 ----a-w- c:\windows1\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows1\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows1\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows1\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows1\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows1\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows1\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows1\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows1\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows1\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows1\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows1\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows1\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows1\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows1\system32\rpcrt4.dll
1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 10:35:12.89 ===============


=============SPYBOT RESULTS==============


Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-07-11 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-10-12 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-09-22 Includes\Dialer.sbi (*)
2010-10-12 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2010-11-03 Includes\Hijackers.sbi (*)
2010-11-03 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-10-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-09-13 Includes\Malware.sbi (*)
2010-11-02 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-10-12 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-10-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-10-26 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-11-02 Includes\Trojans.sbi (*)
2010-10-12 Includes\TrojansC-02.sbi (*)
2010-10-12 Includes\TrojansC-03.sbi (*)
2010-10-12 Includes\TrojansC-04.sbi (*)
2010-11-02 Includes\TrojansC-05.sbi (*)
2010-10-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

As I'm primarily a Firefox user I didn't notice this till now. But searches in IE are re-directed.

ken545
2010-11-13, 23:02

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Sorry for the delay, but we get kind of busy most times but I am linked to you now.


Generally when there are redirects there could be a rootkit type of infection involved, let's run this scanner and see what it finds, then run the other scanner that will show more of what's going on on your system.



Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries







Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

ffemtjacque
2010-11-14, 23:02
Thanks for the assistance!!


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-14 00:37:43
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-10 ST9200827AS rev.3.BHA
Running: gmer.exe; Driver: C:\DOCUME~1\Jaques\LOCALS~1\Temp\pgtdypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

OTL logfile created on: 11/14/2010 12:53:53 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Jaques\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS1 | %ProgramFiles% = C:\Program Files
Drive C: | 184.84 Gb Total Space | 120.40 Gb Free Space | 65.14% Space Free | Partition Type: NTFS

Computer Name: JACQUE | User Name: Jaques | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Jaques\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Jaques\Desktop\gmer\gmer.exe ()
PRC - C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe (Google Inc.)
PRC - C:\Program Files\Tether\TBService.exe ()
PRC - C:\WINDOWS1\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Iomega\REV System Software\RevUDF.exe (Iomega Corp)
PRC - C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe (EMC Corporation)
PRC - C:\Program Files\MSDE 2000\MSSQL$METRIX\Binn\sqlservr.exe (Microsoft Corporation)
PRC - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe (Executive Software International, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Jaques\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS1\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (Tether) -- C:\Program Files\Tether\TBService.exe ()
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (RevUDFService) -- C:\Program Files\Iomega\REV System Software\RevUDF.exe (Iomega Corp)
SRV - (Retrospect Helper) -- C:\Program Files\Retrospect\Retrospect 7.5\rthlpsvc.exe (EMC Corporation)
SRV - (RetroLauncher) -- C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe (EMC Corporation)
SRV - (awhost32) -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe (Symantec Corporation)
SRV - (MSSQL$METRIX) -- C:\Program Files\MSDE 2000\MSSQL$METRIX\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (SQLAgent$METRIX) -- C:\Program Files\MSDE 2000\MSSQL$METRIX\Binn\sqlagent.EXE (Microsoft Corporation)
SRV - (Diskeeper) -- C:\Program Files\Executive Software\DiskeeperLite\DKService.exe (Executive Software International, Inc.)


========== Driver Services (SafeList) ==========

DRV - (UIUSys) -- C:\WINDOWS1\System32\DRIVERS\UIUSYS.SYS File not found
DRV - (HdAudAddService) -- C:\WINDOWS1\System32\drivers\CHDAud.sys File not found
DRV - (NVHDA) -- C:\WINDOWS1\system32\drivers\nvhda32.sys (NVIDIA Corporation)
DRV - (qrkis) -- C:\WINDOWS1\system32\drivers\qrkis.sys (Tether)
DRV - (SymEvent) -- C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (BCM43XX) -- C:\WINDOWS1\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS1\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (nv) -- C:\WINDOWS1\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (nvsmu) -- C:\WINDOWS1\system32\drivers\nvsmu.sys (NVIDIA Corporation)
DRV - (NVENETFD) -- C:\WINDOWS1\system32\drivers\NVENETFD.sys (NVIDIA Corporation)
DRV - (nvnetbus) -- C:\WINDOWS1\system32\drivers\nvnetbus.sys (NVIDIA Corporation)
DRV - (CnxtHdAudService) -- C:\WINDOWS1\system32\drivers\CHDAU32.sys (Conexant Systems Inc.)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS1\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS1\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (SynTP) -- C:\WINDOWS1\system32\drivers\SynTP.sys (Synaptics, Inc.)
DRV - (HSF_DPV) -- C:\WINDOWS1\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWAZL) -- C:\WINDOWS1\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS1\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (HpqRemHid) -- C:\WINDOWS1\system32\drivers\HpqRemHid.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HpqKbFiltr) -- C:\WINDOWS1\system32\drivers\HpqKbFiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (AmdPPM) -- C:\WINDOWS1\system32\drivers\AmdPPM.sys (Advanced Micro Devices)
DRV - (imdrvfsf) -- C:\WINDOWS1\system32\DRIVERS\imdrvfsf.sys (Iomega Corporation)
DRV - (AW_HOST) -- C:\WINDOWS1\system32\drivers\AW_HOST5.sys (Symantec Corporation)
DRV - (awlegacy) -- C:\WINDOWS1\System32\Drivers\awlegacy.sys (Symantec Corporation)
DRV - (Gernuwa) -- C:\WINDOWS1\System32\drivers\GERNUWA.sys (Symantec Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://webmail.inhs.org/exchweb/bin/auth/owalogon.asp?url=https://webmail.inhs.org/exchange&reason=0
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.cnn.com|http://www.krem.com|http://webmail.freshabundance.com|http://www.gmail.com|http://www.google.com/ig|www.facebook.com"
FF - prefs.js..extensions.enabledItems: {000a9d1c-beef-4f90-9363-039d445309b8}:0.5.36.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}:5.0.17
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0


FF - HKLM\software\mozilla\Firefox\Extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\Program Files\Google\Google Gears\Firefox\ [2010/03/05 10:51:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/28 14:57:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/28 14:57:17 | 000,000,000 | ---D | M]

[2009/01/27 14:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\Mozilla\Extensions
[2009/01/27 14:13:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\Mozilla\Extensions\uploadr@flickr.com
[2010/11/13 14:20:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\Mozilla\Firefox\Profiles\id4rr2da.default\extensions
[2010/04/30 05:43:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Jaques\Application Data\Mozilla\Firefox\Profiles\id4rr2da.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/13 14:20:47 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/03/16 05:51:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}

O1 HOSTS File: ([2010/11/09 01:55:37 | 000,424,909 | R--- | M]) - C:\WINDOWS1\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 14645 more lines...
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS1\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS1\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS1\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [SkyTel] C:\WINDOWS1\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\Jaques\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS1\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246919370187 (MUWebControl Class)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab (Java Plug-in 1.5.0_17)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab (RIM AxLoader)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS1\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS1\System32\PCANotify.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jaques\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jaques\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/02 09:25:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{02e45730-2883-11df-bc8a-001d7260f19a}\Shell\AutoRun\command - "" = slacker.synclauncher.exe
O33 - MountPoints2\{02e45730-2883-11df-bc8a-001d7260f19a}\Shell\slacker\command - "" = slacker.synclauncher.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/13 14:18:49 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Jaques\Desktop\OTL.exe
[2010/11/13 14:16:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jaques\Desktop\gmer
[2010/11/09 10:29:28 | 000,000,000 | ---D | C] -- C:\WINDOWS1\ERDNT
[2010/11/09 10:28:58 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/11/08 10:17:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jaques\My Documents\divorce 20120
[2010/10/29 06:37:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jaques\Desktop\print
[1998/12/08 18:53:54 | 000,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAREG.DLL
[1998/12/08 18:53:54 | 000,099,840 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/08 18:53:54 | 000,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/08 18:53:54 | 000,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/08 18:53:54 | 000,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- C:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/08 18:53:54 | 000,017,920 | ---- | C] (Symantec Corp.) -- C:\Program Files\Common Files\IRASRIAL.DLL
[2 C:\WINDOWS1\*.tmp files -> C:\WINDOWS1\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/14 12:55:10 | 000,000,982 | ---- | M] () -- C:\WINDOWS1\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-179605362-839522115-1003UA.job
[2010/11/14 00:01:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS1\tasks\GoogleUpdateTaskMachineUA.job
[2010/11/13 14:18:50 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jaques\Desktop\OTL.exe
[2010/11/13 14:15:42 | 000,288,107 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\gmer.zip
[2010/11/13 13:45:57 | 000,450,754 | ---- | M] () -- C:\WINDOWS1\System32\perfh009.dat
[2010/11/13 13:45:57 | 000,075,160 | ---- | M] () -- C:\WINDOWS1\System32\perfc009.dat
[2010/11/13 13:41:57 | 000,013,646 | ---- | M] () -- C:\WINDOWS1\System32\wpa.dbl
[2010/11/13 13:41:30 | 000,000,238 | ---- | M] () -- C:\WINDOWS1\tasks\OGALogon.job
[2010/11/13 13:41:23 | 000,201,568 | ---- | M] () -- C:\WINDOWS1\System32\nvapps.xml
[2010/11/13 13:41:15 | 000,000,882 | ---- | M] () -- C:\WINDOWS1\tasks\GoogleUpdateTaskMachineCore.job
[2010/11/13 13:41:14 | 000,000,322 | -HS- | M] () -- C:\WINDOWS1\tasks\Toxcruqb.job
[2010/11/13 13:41:09 | 000,002,048 | --S- | M] () -- C:\WINDOWS1\bootstat.dat
[2010/11/13 10:03:42 | 000,035,725 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\newspaper.jpg
[2010/11/09 10:32:22 | 000,630,272 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\dds.scr
[2010/11/09 10:29:15 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\Jaques\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/11/09 10:28:59 | 000,000,598 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\ERUNT.lnk
[2010/11/09 01:55:37 | 000,424,909 | R--- | M] () -- C:\WINDOWS1\System32\drivers\etc\hosts
[2010/11/09 01:54:25 | 000,424,909 | R--- | M] () -- C:\WINDOWS1\System32\drivers\etc\hosts.20101109-015537.backup
[2010/11/08 13:54:58 | 000,109,056 | RHS- | M] () -- C:\WINDOWS1\System32\msdatgrd2.dll
[2010/11/08 12:05:19 | 000,123,680 | ---- | M] () -- C:\Documents and Settings\Jaques\My Documents\verizon credit dispute results.pdf
[2010/11/06 06:53:32 | 000,201,216 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\MS November.xls
[2010/11/04 11:44:39 | 000,081,408 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\2010 November fd.doc
[2010/11/03 11:48:34 | 000,067,263 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\IMG00015-20101103-1214.jpg
[2010/11/01 11:26:39 | 000,005,688 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\slumberparty.jpg
[2010/11/01 08:59:52 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\Jaques\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet.lnk
[2010/10/29 11:49:05 | 000,014,848 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\onna kitchen.xls
[2010/10/28 16:37:41 | 000,049,664 | ---- | M] () -- C:\Documents and Settings\Jaques\My Documents\fire10 newsletter nov 2010.doc
[2010/10/28 15:33:59 | 000,025,061 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\2010-10-28_13_31_00.jpeg
[2010/10/28 06:53:10 | 000,082,750 | ---- | M] () -- C:\Documents and Settings\Jaques\Desktop\dadandphyllis.jpg
[2010/10/27 17:33:53 | 000,000,140 | ---- | M] () -- C:\Documents and Settings\Jaques\.hemsFavorites.dat
[2010/10/27 05:55:00 | 000,000,930 | ---- | M] () -- C:\WINDOWS1\tasks\GoogleUpdateTaskUserS-1-5-21-436374069-179605362-839522115-1003Core.job
[2010/10/19 12:51:33 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS1\System32\MpSigStub.exe
[2010/10/19 07:25:45 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\Jaques\My Documents\Please send a dissolution of marriage without children package to Jacque Hendrix 404 E.doc
[2010/10/16 06:16:41 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\Jaques\Application Data\Microsoft\Internet Explorer\Quick Launch\Tether.lnk
[2 C:\WINDOWS1\*.tmp files -> C:\WINDOWS1\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/13 14:15:36 | 000,288,107 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\gmer.zip
[2010/11/13 10:03:42 | 000,035,725 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\newspaper.jpg
[2010/11/09 10:32:21 | 000,630,272 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\dds.scr
[2010/11/09 10:29:15 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\Jaques\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/11/09 10:28:59 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\ERUNT.lnk
[2010/11/08 13:54:58 | 000,109,056 | RHS- | C] () -- C:\WINDOWS1\System32\msdatgrd2.dll
[2010/11/08 13:54:58 | 000,000,322 | -HS- | C] () -- C:\WINDOWS1\tasks\Toxcruqb.job
[2010/11/08 12:05:19 | 000,123,680 | ---- | C] () -- C:\Documents and Settings\Jaques\My Documents\verizon credit dispute results.pdf
[2010/11/06 06:53:31 | 000,201,216 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\MS November.xls
[2010/11/04 11:44:39 | 000,081,408 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\2010 November fd.doc
[2010/11/03 11:48:33 | 000,067,263 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\IMG00015-20101103-1214.jpg
[2010/11/01 11:26:38 | 000,005,688 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\slumberparty.jpg
[2010/11/01 08:59:52 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\Jaques\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet.lnk
[2010/10/28 15:54:23 | 000,049,664 | ---- | C] () -- C:\Documents and Settings\Jaques\My Documents\fire10 newsletter nov 2010.doc
[2010/10/28 15:34:11 | 000,025,061 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\2010-10-28_13_31_00.jpeg
[2010/10/28 06:53:09 | 000,082,750 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\dadandphyllis.jpg
[2010/10/21 18:22:56 | 000,014,848 | ---- | C] () -- C:\Documents and Settings\Jaques\Desktop\onna kitchen.xls
[2010/10/19 07:25:45 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\Jaques\My Documents\Please send a dissolution of marriage without children package to Jacque Hendrix 404 E.doc
[2010/01/27 14:06:16 | 000,106,496 | R--- | C] () -- C:\WINDOWS1\System32\vshp1020.dll
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS1\System32\OGACheckControl.dll
[2009/02/18 10:06:36 | 000,000,116 | ---- | C] () -- C:\WINDOWS1\NeroDigital.ini
[2009/01/27 14:11:47 | 000,087,552 | ---- | C] () -- C:\Documents and Settings\Jaques\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/21 11:47:59 | 000,087,552 | ---- | C] () -- C:\WINDOWS1\System32\cpwmon2k.dll
[2009/01/16 12:16:01 | 000,000,379 | ---- | C] () -- C:\WINDOWS1\ODBC.INI
[2009/01/14 16:32:48 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jaques\Local Settings\Application Data\QSwitch.txt
[2009/01/14 16:32:48 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jaques\Local Settings\Application Data\DSwitch.txt
[2009/01/14 16:32:48 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Jaques\Local Settings\Application Data\AtStart.txt
[2009/01/14 06:13:48 | 000,004,205 | ---- | C] () -- C:\WINDOWS1\ODBCINST.INI
[2008/10/07 13:33:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS1\System32\nvwdmcpl.dll
[2008/10/07 13:33:00 | 001,486,848 | ---- | C] () -- C:\WINDOWS1\System32\nview.dll
[2008/10/07 13:33:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS1\System32\nvwimg.dll
[2008/10/07 13:33:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS1\System32\nvshell.dll
[2008/10/07 13:33:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS1\System32\nvnt4cpl.dll
[1999/01/22 10:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS1\System32\MSRTEDIT.DLL
[1998/06/14 06:53:26 | 000,044,544 | ---- | C] () -- C:\WINDOWS1\System32\Anigif.dll

========== LOP Check ==========

[2010/03/20 19:54:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\Qwest
[2010/02/26 15:36:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\Retrospect
[2010/01/28 10:28:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/05/02 07:09:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/06/28 15:25:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\Blackberry Desktop
[2010/11/10 18:52:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\EditPlus 3
[2010/11/13 10:05:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\FileZilla
[2009/01/27 14:13:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\Flickr
[2009/03/03 09:13:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\gtk-2.0
[2009/05/25 15:19:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\Leadertech
[2009/01/16 13:11:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\OfficeUpdate12
[2009/01/26 16:57:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\Research In Motion
[2010/11/07 18:39:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jaques\Application Data\Tether
[2010/11/13 13:41:30 | 000,000,238 | ---- | M] () -- C:\WINDOWS1\Tasks\OGALogon.job
[2010/11/13 13:41:14 | 000,000,322 | -HS- | M] () -- C:\WINDOWS1\Tasks\Toxcruqb.job

========== Purity Check ==========



< End of report >


OTL Extras logfile created on: 11/14/2010 12:53:53 PM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Jaques\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS1 | %ProgramFiles% = C:\Program Files
Drive C: | 184.84 Gb Total Space | 120.40 Gb Free Space | 65.14% Space Free | Partition Type: NTFS

Computer Name: JACQUE | User Name: Jaques | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Symantec\pcAnywhere\Winaw32.exe" = C:\Program Files\Symantec\pcAnywhere\Winaw32.exe:*:Enabled:pcAnywhere Main Executable -- (Symantec Corporation)
"C:\Program Files\Symantec\pcAnywhere\awhost32.exe" = C:\Program Files\Symantec\pcAnywhere\awhost32.exe:*:Enabled:pcAnywhere Host Service -- (Symantec Corporation)
"C:\Program Files\Symantec\pcAnywhere\awrem32.exe" = C:\Program Files\Symantec\pcAnywhere\awrem32.exe:*:Enabled:pcAnywhere Remote Service -- (Symantec Corporation)
"C:\Documents and Settings\Jaques\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\Jaques\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\Jaques\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Jaques\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\FileZilla FTP Client\filezilla.exe" = C:\Program Files\FileZilla FTP Client\filezilla.exe:*:Enabled:FileZilla FTP Client -- (FileZilla Project)
"E:\Setup.exe" = E:\Setup.exe:*:Enabled:Setup -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{03F78428-4DF6-4426-AACD-53FC353D94E0}" = BlackBerry Device Software v4.5.0 for the BlackBerry 8330 smartphone
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11
"{2863C12B-2A02-4258-8495-6220605B2E5C}_is1" = Tether 1.4.3.7
"{2BDCCEB2-3B99-44D3-9140-D0F9B8BE6EEA}" = Metrix Server
"{2FA41EBB-3F5A-35C3-85D6-51EC72A11FBD}" = Google Gears
"{3248F0A8-6813-11D6-A77B-00B0D0150170}" = J2SE Runtime Environment 5.0 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{58F58158-8DFE-31DA-AC1F-7E5D89A0F74F}" = Google Talk Plugin
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{62880A3B-2F9C-4C58-8FFA-1DA280262B5E}" = BlackBerry Device Software Updater
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{689E0AB3-50B2-4E5A-9DCE-6DA9F5BE1314}" = BlackBerry® Media Sync
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90FF23FE-0E1B-40DF-A22E-B4C0372E5936}" = Iomega Product Registration
"{92596597-71B3-4608-8628-AD48F2664EB9}" = Retrospect 7.5
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3F60446-48FB-48A8-B5FC-BB3430AEF806}" = Diskeeper Lite
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{AEF7A12C-CD9B-4773-8AD1-6916138CA7EA}" = SmartAudio
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B351E5AF-E6E2-46E4-8155-DAB130731F70}" = Iomega REV System Software
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D55895DF-3849-41D2-842D-BDB82B2FF9D6}" = Metrix Client
"{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}" = Safari
"{E05E8183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"{F8C04C5B-8876-424D-B428-23626373D2A0}" = BlackBerry Desktop Software 5.0
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AttributeMagic Pro" = AttributeMagic Pro 3.0 beta 13
"BlackBerry_{F8C04C5B-8876-424D-B428-23626373D2A0}" = BlackBerry Desktop Software 5.0
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CNXT_AUDIO_HDA" = Conexant HD Audio
"CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"CutePDF Writer Installation" = CutePDF Writer 2.7
"EditPlus 3" = EditPlus 3
"ERUNT_is1" = ERUNT 1.1j
"FileZilla Client" = FileZilla Client 3.3.4.1
"Flickr Uploadr" = Flickr Uploadr 3.1.3
"HP-LaserJet 1020 series" = LaserJet 1020 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Jasc Paint Shop Pro 8.10 Update Patch" = Jasc Paint Shop Pro 8.10 Update Patch
"Magic M4A to MP3 Converter_is1" = Magic M4A to MP3 Converter 3.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OrderReminder HP LaserJet 1020" = OrderReminder HP LaserJet 1020
"Picasa 3" = Picasa 3
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WinCalendar" = WinCalendar
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinMerge_is1" = WinMerge 2.12.4
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"ADDS HEMS Tool" = ADDS HEMS Tool
"f031ef6ac137efc5" = Dell Driver Download Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/9/2010 1:25:57 PM | Computer Name = JACQUE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/9/2010 1:25:57 PM | Computer Name = JACQUE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/9/2010 1:25:58 PM | Computer Name = JACQUE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/9/2010 1:25:58 PM | Computer Name = JACQUE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/9/2010 1:25:59 PM | Computer Name = JACQUE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/9/2010 1:25:59 PM | Computer Name = JACQUE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/9/2010 1:25:59 PM | Computer Name = JACQUE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/9/2010 1:26:00 PM | Computer Name = JACQUE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/9/2010 1:26:00 PM | Computer Name = JACQUE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 11/9/2010 1:26:00 PM | Computer Name = JACQUE | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 11/12/2010 2:33:37 PM | Computer Name = JACQUE | Source = Service Control Manager | ID = 7001
Description = The Fast User Switching Compatibility service depends on the Terminal
Services service which failed to start because of the following error: %%126

Error - 11/12/2010 7:40:10 PM | Computer Name = JACQUE | Source = Service Control Manager | ID = 7001
Description = The Fast User Switching Compatibility service depends on the Terminal
Services service which failed to start because of the following error: %%126

Error - 11/12/2010 7:40:10 PM | Computer Name = JACQUE | Source = Service Control Manager | ID = 7023
Description = The Terminal Services service terminated with the following error:
%%126

Error - 11/13/2010 1:55:05 PM | Computer Name = JACQUE | Source = Service Control Manager | ID = 7001
Description = The Fast User Switching Compatibility service depends on the Terminal
Services service which failed to start because of the following error: %%126

Error - 11/13/2010 1:55:05 PM | Computer Name = JACQUE | Source = Service Control Manager | ID = 7023
Description = The Terminal Services service terminated with the following error:
%%126

Error - 11/13/2010 2:22:01 PM | Computer Name = JACQUE | Source = Service Control Manager | ID = 7001
Description = The Fast User Switching Compatibility service depends on the Terminal
Services service which failed to start because of the following error: %%126

Error - 11/13/2010 2:22:01 PM | Computer Name = JACQUE | Source = Service Control Manager | ID = 7023
Description = The Terminal Services service terminated with the following error:
%%126

Error - 11/13/2010 5:42:44 PM | Computer Name = JACQUE | Source = Service Control Manager | ID = 7001
Description = The Fast User Switching Compatibility service depends on the Terminal
Services service which failed to start because of the following error: %%126

Error - 11/13/2010 5:42:44 PM | Computer Name = JACQUE | Source = Service Control Manager | ID = 7023
Description = The Terminal Services service terminated with the following error:
%%126

Error - 11/13/2010 6:37:31 PM | Computer Name = JACQUE | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort3, did not respond within the timeout
period.


< End of report >

ken545
2010-11-14, 23:35
Hi,

Nothing jumping out at me, but I don't think you ran GMER correctly. Go back to the instructions I posted for it, click on the picture to enlarge it and make sure you check what's checked in the picture. Then post a new log please.


Then run this program and post the log

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://forums.whatthetech.com/post_a4255_MBAM.PNG
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report and also a new HJT log, please.

ffemtjacque
2010-11-15, 00:04
I'm sure I ran GMER correctly but am doing it again (it takes a while).

Below is the MBAM log and the new HJT log from DDS. Oddly enough, MBAM didn't find anything either.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5116

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/14/2010 1:56:58 PM
mbam-log-2010-11-14 (13-56-58).txt

Scan type: Quick scan
Objects scanned: 210770
Time elapsed: 9 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



DDS (Ver_10-11-09.01) - NTFSx86
Run by Jaques at 13:59:03.71 on Sun 11/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2127 [GMT -8:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS1\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS1\System32\svchost.exe -k netsvcs
C:\WINDOWS1\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
C:\WINDOWS1\system32\rundll32.exe
C:\WINDOWS1\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\WINDOWS1\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS1\system32\ctfmon.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MSDE 2000\MSSQL$METRIX\Binn\sqlservr.exe
C:\WINDOWS1\System32\nvsvc32.exe
C:\Program Files\Retrospect\Retrospect 7.5\retrorun.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\WINDOWS1\System32\svchost.exe -k imgsvc
C:\Program Files\Tether\TBService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Jaques\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Jaques\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://webmail.inhs.org/exchweb/bin/auth/owalogon.asp?url=https://webmail.inhs.org/exchange&reason=0
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows1\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\jaques\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows1\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows1\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [WinCalendar] "c:\program files\sapro systems wincalendar\WinCalendar_SysTray.exe" /q /c
StartupFolder: c:\docume~1\jaques\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: Add to Google Photos Screensa&ver - c:\windows1\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246919370187
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
TCP: {9F5E4696-3E91-45E0-903D-08192DB8E800} = 208.67.222.222,208.67.220.220
Notify: PCANotify - PCANotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows1\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jaques\applic~1\mozilla\firefox\profiles\id4rr2da.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com|http://www.krem.com|http://webmail.freshabundance.com|http://www.gmail.com|http://www.google.com/ig|www.facebook.com
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\jaques\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\jaques\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\jaques\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows1\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 imdrvfsf;Iomega File System Filter Driver;c:\windows1\system32\drivers\imdrvfsf.sys [2006-2-10 15616]
R1 AW_HOST;AW_HOST;c:\windows1\system32\drivers\AW_HOST5.sys [2003-5-5 24365]
R1 awlegacy;awlegacy;c:\windows1\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows1\system32\drivers\MpFilter.sys [2009-6-18 151216]
R2 MSSQL$METRIX;MSSQL$METRIX;c:\program files\msde 2000\mssql$metrix\binn\sqlservr.exe -smetrix --> c:\program files\msde 2000\mssql$metrix\binn\sqlservr.exe -sMETRIX [?]
R2 Tether;Tether;c:\program files\tether\TBService.exe [2010-1-27 52664]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows1\system32\drivers\nvhda32.sys [2009-8-21 57248]
S2 gupdate1c97d7c903f3d10;Google Update Service (gupdate1c97d7c903f3d10);c:\program files\google\update\GoogleUpdate.exe [2008-10-8 133104]
S3 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-5-29 106496]
S3 qrkis;Tether Miniport;c:\windows1\system32\drivers\qrkis.sys [2009-3-7 45608]
S3 SQLAgent$METRIX;SQLAgent$METRIX;c:\program files\msde 2000\mssql$metrix\binn\sqlagent.exe -i metrix --> c:\program files\msde 2000\mssql$metrix\binn\sqlagent.EXE -i METRIX [?]

=============== Created Last 30 ================

2010-11-14 21:45:21 -------- d-----w- c:\docume~1\jaques\applic~1\Malwarebytes
2010-11-14 21:45:08 38224 ----a-w- c:\windows1\system32\drivers\mbamswissarmy.sys
2010-11-14 21:45:06 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-11-14 21:45:05 20952 ----a-w- c:\windows1\system32\drivers\mbam.sys
2010-11-14 21:45:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-08 22:03:25 6146896 ----a-w- c:\docume~1\alluse~1.win\applic~1\microsoft\microsoft antimalware\definition updates\{5734c6d5-b543-4b74-8f2e-5c87507e19ef}\mpengine.dll
2010-11-08 21:54:58 109056 --sha-r- c:\windows1\system32\msdatgrd2.dll

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- c:\windows1\system32\MpSigStub.exe
2010-09-18 19:23:26 974848 ----a-w- c:\windows1\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows1\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows1\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows1\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows1\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows1\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows1\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows1\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows1\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows1\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows1\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows1\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows1\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows1\system32\spoolsv.exe
1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL

============= FINISH: 13:59:58.46 ===============

ffemtjacque
2010-11-15, 00:10
Reference GMER; I just noticed the pic shows to untick 4 boxes and your written directions only say to do 3.

The difference being the pic shows to untick Sections.

I am running it the 2nd time with Sections ticked.

Jacque

ken545
2010-11-15, 00:29
I am running it the 2nd time with Sections ticked :bigthumb:

I need to update my instructions

ffemtjacque
2010-11-15, 01:11
With Sections marked, GMER locks up. I've tried it twice in normal mode, and during Safe Mode the PC shuts down completely. It doesn't even reboot, just turns off.

One thing I noticed is that just before it locks up, it says that a section is writeable.

ken545
2010-11-15, 01:16
OK, run it with sections unticked

ffemtjacque
2010-11-15, 01:26
I'm on my way to work (posting via BlackBerry) and can't get back to it till Tuesday morn. Thanks for the help though. Will get with you then. Thanks again, your help is very much appreciated.

ken545
2010-11-15, 01:28
No problem, I will be here when you return

ffemtjacque
2010-11-15, 04:25
FYI, I don't know if it's significant or not, but just before this began occurring I had downloaded and unzipped a file called phpware for tracking inventory. Don't use it though.

I did a Google search on it but didn't find anything.

ken545
2010-11-15, 11:58
PSPWare <-- Are you referring to this?

Did you download a legal copy or was it from a cracked site?

ffemtjacque
2010-11-16, 20:59
No, it was definitely other. I don't have a PSP and it was from what I thought was a legitimate site. Don't have any P2P on the computer.

Running the scan now.

ken545
2010-11-17, 01:42
PSPWare appears to be legit and from a legit source. If you got it from a bogus site then that could be a problem.

ffemtjacque
2010-11-17, 20:34
Well, I ran GMER again with sections checked and it kept hard locking the computer while in normal mode and in safe mode it just turns off.

With sections unchecked I get the same results:


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

Pretty innocuous.

ken545
2010-11-17, 22:59
Let's give this one a shot

Rootkit Unhooker


Please Download Rootkit Unhooker (http://www.kernelmode.info/ARKs/RkU3.8.388.590.rar) and Save it to your desktop.
Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
you can get a free one from here - http://www.7-zip.org/

Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.


Copy the entire contents of the report and paste it in your next reply here.

Note: You may get the following warning, just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

ffemtjacque
2010-11-18, 23:53
Here we go:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB8BDD000 C:\WINDOWS1\System32\DRIVERS\nv4_mini.sys 6135808 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 178.24 )
0xBF012000 C:\WINDOWS1\System32\nv4_disp.dll 6062080 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 178.24 )
0x804D7000 C:\WINDOWS1\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS1\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB8A75000 C:\WINDOWS1\System32\DRIVERS\bcmwl5.sys 1392640 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xB4329000 C:\WINDOWS1\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)
0xB91B7000 C:\WINDOWS1\System32\DRIVERS\NVNRM.SYS 958464 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)
0xB4473000 C:\WINDOWS1\system32\drivers\CHDAU32.sys 778240 bytes (Conexant Systems Inc., High Definition Audio Function Driver)
0xB4276000 C:\WINDOWS1\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xB9DF2000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB2D6C000 C:\WINDOWS1\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB89BF000 C:\WINDOWS1\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB2EEC000 C:\WINDOWS1\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB0BB1000 C:\WINDOWS1\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS1\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9E7F000 revfs.sys 270336 bytes (Iomega Corporation, Iomega REV System Software)
0xB0918000 C:\WINDOWS1\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9310000 C:\WINDOWS1\system32\DRIVERS\SynTP.sys 225280 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB441B000 C:\WINDOWS1\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xB8A1D000 C:\WINDOWS1\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB0D21000 C:\WINDOWS1\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9DC5000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA9716000 C:\WINDOWS1\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB2E51000 C:\WINDOWS1\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB92C4000 C:\WINDOWS1\System32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB2E9E000 C:\WINDOWS1\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB2EC6000 C:\WINDOWS1\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB444F000 C:\WINDOWS1\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB92EC000 C:\WINDOWS1\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB92A1000 C:\WINDOWS1\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB3430000 C:\WINDOWS1\system32\DRIVERS\MpFilter.sys 143360 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xB2E7C000 C:\WINDOWS1\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS1\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9DAB000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB2D54000 C:\WINDOWS1\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9ED4000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB8A5E000 C:\WINDOWS1\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB0EB4000 C:\WINDOWS1\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB8BC9000 C:\WINDOWS1\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB2F95000 C:\WINDOWS1\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB9EC1000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS1\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8A4D000 C:\WINDOWS1\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB417E000 C:\WINDOWS1\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA138000 C:\WINDOWS1\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA2D8000 C:\WINDOWS1\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA148000 C:\WINDOWS1\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB93D7000 C:\WINDOWS1\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA2C8000 C:\WINDOWS1\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA268000 C:\WINDOWS1\System32\DRIVERS\NVENETFD.sys 57344 bytes (NVIDIA Corporation, NVIDIA Networking Function Driver.)
0xBA318000 C:\WINDOWS1\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)
0xBA0E8000 C:\WINDOWS1\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA118000 C:\WINDOWS1\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA2F8000 C:\WINDOWS1\system32\drivers\nvhda32.sys 53248 bytes (NVIDIA Corporation, NVIDIA HDMI Audio Driver)
0xBA168000 C:\WINDOWS1\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA188000 C:\WINDOWS1\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB3366000 C:\WINDOWS1\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA128000 C:\WINDOWS1\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA178000 C:\WINDOWS1\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB9377000 C:\WINDOWS1\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA158000 C:\WINDOWS1\System32\DRIVERS\nvnetbus.sys 40960 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)
0xBA1A8000 C:\WINDOWS1\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA108000 C:\WINDOWS1\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA198000 C:\WINDOWS1\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB36B0000 C:\WINDOWS1\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB0AE9000 C:\WINDOWS1\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB3376000 C:\WINDOWS1\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA458000 C:\WINDOWS1\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xB354A000 C:\WINDOWS1\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA448000 C:\WINDOWS1\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA420000 C:\WINDOWS1\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS1\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA480000 C:\WINDOWS1\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0xB3F83000 C:\WINDOWS1\System32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA428000 C:\WINDOWS1\system32\drivers\aw_host5.sys 24576 bytes (Symantec Corporation, pcAnywhere Host Driver for Windows 2000/XP)
0xBA478000 C:\WINDOWS1\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA430000 C:\WINDOWS1\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA438000 C:\WINDOWS1\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB4F3B000 C:\WINDOWS1\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB3552000 C:\WINDOWS1\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA468000 C:\WINDOWS1\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA470000 C:\WINDOWS1\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xBA460000 C:\WINDOWS1\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA440000 C:\WINDOWS1\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xB73D2000 C:\WINDOWS1\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 C:\WINDOWS1\System32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xB98FB000 C:\WINDOWS1\System32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xBA4C8000 Gernuwa.sys 16384 bytes (Symantec Corporation, pcAnywhere AWUNREG Driver)
0xBA4CC000 imdrvfsf.sys 16384 bytes (Iomega Corporation, Iomega Filter Driver)
0xBA578000 C:\WINDOWS1\System32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB0FC1000 C:\WINDOWS1\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xBA574000 C:\WINDOWS1\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB9D7F000 C:\WINDOWS1\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB98F7000 C:\WINDOWS1\System32\DRIVERS\nvsmu.sys 16384 bytes (NVIDIA Corporation, NVIDIA nForce(TM) SMU Microcontroller Driver)
0xBA4C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xB3039000 C:\WINDOWS1\System32\Drivers\awlegacy.sys 12288 bytes (Symantec Corporation, pcAnywhere Legacy Driver Module)
0xBA4B8000 C:\WINDOWS1\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB6F75000 C:\WINDOWS1\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB3C68000 C:\WINDOWS1\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB303D000 C:\WINDOWS1\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA554000 C:\WINDOWS1\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB3035000 C:\WINDOWS1\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB98FF000 C:\WINDOWS1\System32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xBA602000 C:\WINDOWS1\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5B2000 C:\WINDOWS1\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA600000 C:\WINDOWS1\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5DE000 C:\WINDOWS1\System32\DRIVERS\HpqRemHid.sys 8192 bytes (Hewlett-Packard Development Company, L.P., HP Remote Control HID Device)
0xBA5A8000 C:\WINDOWS1\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA604000 C:\WINDOWS1\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA606000 C:\WINDOWS1\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5EC000 C:\WINDOWS1\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0xBA5EE000 C:\WINDOWS1\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5E0000 C:\WINDOWS1\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS1\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA6D1000 C:\WINDOWS1\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB4531000 C:\WINDOWS1\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA6C5000 C:\WINDOWS1\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA671000 C:\WINDOWS1\System32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
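
A small triage pass over an RkU ">Drivers" listing like the one above, added here as an example (it is not part of the original thread and not code from the Rootkit Unhooker tool). The parsing follows the line layout visible in the posted report; the triage rules (alias detection, crash-dump copies, missing metadata, unusual load path) are my own heuristics, the sample lines are copied from the report plus one line marked as constructed, and the C:\WINDOWS1 root is taken from this machine's logs.

```python
"""Parse and triage a Rootkit Unhooker (RkU) driver listing.

Assumptions (not from the thread): image paths contain no spaces, and the
"(Vendor, Description)" suffix is absent when RkU found no version info.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One RkU driver line: "0xADDR image SIZE bytes (Vendor, Description)".
LINE_RE = re.compile(
    r"^0x(?P<addr>[0-9A-Fa-f]+)\s+(?P<image>\S+)\s+(?P<size>\d+)\s+bytes"
    r"(?:\s+\((?P<info>.*)\))?\s*$"
)

# Lines copied from the report posted above; the C:\Temp line is constructed
# to exercise the "outside the Windows directory" rule.
SAMPLE_REPORT = r"""RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
>Drivers
==============================================
0xB8BDD000 C:\WINDOWS1\System32\DRIVERS\nv4_mini.sys 6135808 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 178.24 )
0x804D7000 C:\WINDOWS1\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xB9DF2000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB2D54000 C:\WINDOWS1\System32\Drivers\dump_atapi.sys 98304 bytes
0xB0AE9000 C:\WINDOWS1\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xB0A00000 C:\Temp\constructed_example.sys 16384 bytes
==============================================
>Stealth
==============================================
"""


@dataclass
class DriverEntry:
    address: int
    image: str
    size: int
    vendor: Optional[str]
    description: Optional[str]


def parse_driver_line(line: str) -> Optional[DriverEntry]:
    """Return a DriverEntry for one RkU driver line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    vendor = description = None
    info = m.group("info")
    if info:
        # Split on the first comma only: descriptions may contain commas.
        parts = info.split(", ", 1)
        vendor = parts[0].strip()
        description = parts[1].strip() if len(parts) > 1 else None
    return DriverEntry(int(m.group("addr"), 16), m.group("image"),
                       int(m.group("size")), vendor, description)


def parse_report(text: str) -> List[DriverEntry]:
    """Collect the entries of the ">Drivers" section; other sections are skipped."""
    entries, in_drivers = [], False
    for line in text.splitlines():
        if line.startswith(">"):
            in_drivers = line.strip() == ">Drivers"
            continue
        if in_drivers:
            entry = parse_driver_line(line)
            if entry:
                entries.append(entry)
    return entries


def triage(entries: List[DriverEntry], windows_dir: str = r"C:\WINDOWS1") -> List[Tuple[str, str]]:
    """Return (image name, reason) pairs worth a closer look."""
    by_addr: Dict[int, List[DriverEntry]] = {}
    for e in entries:
        by_addr.setdefault(e.address, []).append(e)
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    findings = []
    for e in entries:
        name = e.image.rsplit("\\", 1)[-1]
        if e.vendor is None:
            # RkU lists the kernel under several names (PnpManager, RAW, WMIxWDM)
            # at the kernel's base address; those are aliases, not extra modules.
            if any(o.vendor for o in by_addr[e.address] if o is not e):
                continue
            if name.lower().startswith("dump_"):
                findings.append((name, "crash-dump copy of a boot driver (expected to lack metadata)"))
            else:
                findings.append((name, "no vendor/version metadata"))
        if ":\\" in e.image and not e.image.lower().startswith(prefix):
            findings.append((name, "loaded from outside the Windows directory"))
    return findings


def vendor_summary(entries: List[DriverEntry]) -> Counter:
    """Count loaded images per vendor string; aliases and unversioned images count as <none>."""
    return Counter(e.vendor or "<none>" for e in entries)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for vendor, count in vendor_summary(parsed).most_common():
        print(f"{count:3d}  {vendor}")
    for image, reason in triage(parsed):
        print(f"CHECK {image}: {reason}")
```

Everything flagged still needs a human decision; the point is to shrink a 140-line listing to the handful of entries that lack the usual provenance.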

ken545
2010-11-19, 01:19
Let's do this

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connection.

ffemtjacque
2010-11-20, 06:56
It appears that this one found something:

ComboFix 10-11-19.01 - Jaques 11/19/2010 20:43:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.2274 [GMT -8:00]
Running from: c:\documents and settings\Jaques\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
c:\windows1\XSxS

.
((((((((((((((((((((((((( Files Created from 2010-10-20 to 2010-11-20 )))))))))))))))))))))))))))))))
.

2010-11-14 21:45 . 2010-11-14 21:45 -------- d-----w- c:\documents and settings\Jaques\Application Data\Malwarebytes
2010-11-14 21:45 . 2010-04-29 23:39 38224 ----a-w- c:\windows1\system32\drivers\mbamswissarmy.sys
2010-11-14 21:45 . 2010-11-14 21:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS1\Application Data\Malwarebytes
2010-11-14 21:45 . 2010-11-14 21:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-14 21:45 . 2010-04-29 23:39 20952 ----a-w- c:\windows1\system32\drivers\mbam.sys
2010-11-09 18:28 . 2010-11-09 18:29 -------- d-----w- c:\program files\ERUNT
2010-11-09 10:37 . 2010-11-09 10:37 -------- d-sh--w- c:\documents and settings\Administrator.JACQUE\IETldCache
2010-11-08 22:03 . 2010-10-07 23:21 6146896 ----a-w- c:\documents and settings\All Users.WINDOWS1\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5734C6D5-B543-4B74-8F2E-5C87507E19EF}\mpengine.dll
2010-11-08 21:54 . 2010-11-08 21:54 109056 --sha-r- c:\windows1\system32\msdatgrd2.dll
2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 20:51 . 2010-01-27 18:18 222080 ------w- c:\windows1\system32\MpSigStub.exe
2010-10-07 23:21 . 2010-01-29 22:08 6146896 ----a-w- c:\documents and settings\All Users.WINDOWS1\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-09-18 19:23 . 2003-03-31 12:00 974848 ----a-w- c:\windows1\system32\mfc42u.dll
2010-09-18 06:53 . 2003-03-31 12:00 974848 ----a-w- c:\windows1\system32\mfc42.dll
2010-09-18 06:53 . 2003-03-31 12:00 954368 ----a-w- c:\windows1\system32\mfc40.dll
2010-09-18 06:53 . 2003-03-31 12:00 953856 ----a-w- c:\windows1\system32\mfc40u.dll
2010-09-10 05:58 . 2003-03-31 12:00 916480 ----a-w- c:\windows1\system32\wininet.dll
2010-09-10 05:58 . 2003-03-31 12:00 43520 ----a-w- c:\windows1\system32\licmgr10.dll
2010-09-10 05:58 . 2003-03-31 12:00 1469440 ------w- c:\windows1\system32\inetcpl.cpl
2010-09-01 11:51 . 2003-03-31 12:00 285824 ----a-w- c:\windows1\system32\atmfd.dll
2010-08-31 13:42 . 2003-03-31 12:00 1852800 ----a-w- c:\windows1\system32\win32k.sys
2010-08-27 08:02 . 2003-03-31 12:00 119808 ----a-w- c:\windows1\system32\t2embed.dll
2010-08-27 05:57 . 2003-03-31 12:00 99840 ----a-w- c:\windows1\system32\srvsvc.dll
2010-08-26 13:39 . 2003-03-31 12:00 357248 ----a-w- c:\windows1\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 23:58 5120 ----a-w- c:\windows1\system32\xpsp4res.dll
2010-08-23 16:12 . 2003-03-31 12:00 617472 ----a-w- c:\windows1\system32\comctl32.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Jaques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows1\System32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows1\System32\NvMcTray.dll" [2008-10-07 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"SkyTel"="SkyTel.EXE" [2007-11-21 1826816]
"RTHDCPL"="RTHDCPL.EXE" [2008-12-30 18082304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"WinCalendar"="c:\program files\Sapro Systems WinCalendar\WinCalendar_SysTray.exe" [2009-09-13 75192]

c:\documents and settings\Jaques\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-05-29 19:00 8704 ----a-w- c:\windows1\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 11:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 23:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-05-14 06:05 623888 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-02-08 17:23 133104 ----atw- c:\documents and settings\Jaques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Iomega ImIconXP]
2006-04-18 16:35 90112 ----a-w- c:\program files\Iomega\REV System Software\ImIconXp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2007-08-30 18:50 205480 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 13:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows1\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-10-07 21:33 1630208 ----a-w- c:\windows1\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
2006-01-30 16:00 98304 ----a-r- c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-17 02:48 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinCalendar]
2009-09-13 23:35 75192 ----a-w- c:\program files\Sapro Systems WinCalendar\WinCalendar_SysTray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Jaques\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Jaques\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 imdrvfsf;Iomega File System Filter Driver;c:\windows1\system32\drivers\imdrvfsf.sys [2/10/2006 9:25 AM 15616]
R2 MSSQL$METRIX;MSSQL$METRIX;c:\program files\MSDE 2000\MSSQL$METRIX\Binn\sqlservr.exe -sMETRIX --> c:\program files\MSDE 2000\MSSQL$METRIX\Binn\sqlservr.exe -sMETRIX [?]
R2 Tether;Tether;c:\program files\Tether\TBService.exe [1/27/2010 10:14 AM 52664]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows1\system32\drivers\nvhda32.sys [8/21/2009 8:24 PM 57248]
S2 gupdate1c97d7c903f3d10;Google Update Service (gupdate1c97d7c903f3d10);c:\program files\Google\Update\GoogleUpdate.exe [10/8/2008 6:39 AM 133104]
S3 qrkis;Tether Miniport;c:\windows1\system32\drivers\qrkis.sys [3/7/2009 2:03 PM 45608]
S3 SQLAgent$METRIX;SQLAgent$METRIX;c:\program files\MSDE 2000\MSSQL$METRIX\Binn\sqlagent.EXE -i METRIX --> c:\program files\MSDE 2000\MSSQL$METRIX\Binn\sqlagent.EXE -i METRIX [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - revfs
.
Contents of the 'Scheduled Tasks' folder

2010-11-19 c:\windows1\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-08 14:39]

2010-11-18 c:\windows1\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-08 14:39]

2010-10-27 c:\windows1\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-179605362-839522115-1003Core.job
- c:\documents and settings\Jaques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-08 17:23]

2010-11-18 c:\windows1\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-179605362-839522115-1003UA.job
- c:\documents and settings\Jaques\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-08 17:23]

2010-11-19 c:\windows1\Tasks\OGALogon.job
- c:\windows1\system32\OGAEXEC.exe [2009-08-03 22:07]
.
.
------- Supplementary Scan -------
.
uStart Page = https://webmail.inhs.org/exchweb/bin/auth/owalogon.asp?url=https://webmail.inhs.org/exchange&reason=0
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows1\system32\GPhotos.scr/200
TCP: {9F5E4696-3E91-45E0-903D-08192DB8E800} = 208.67.222.222,208.67.220.220
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\Jaques\Application Data\Mozilla\Firefox\Profiles\id4rr2da.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com|http://www.krem.com|http://webmail.freshabundance.com|http://www.gmail.com|http://www.google.com/ig|www.facebook.com
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Jaques\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Jaques\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Jaques\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows1\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
MSConfigStartUp-QlbCtrl - c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-19 20:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-11-19 20:53:46
ComboFix-quarantined-files.txt 2010-11-20 04:53

Pre-Run: 128,852,373,504 bytes free
Post-Run: 129,079,046,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS1
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS1="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - D6706DF3F3E7F149943E8A8526EFFA2B
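
A reader working through a ComboFix log like the one above usually wants to know which lines deserve a second look. The following is an added example, not code from this thread, from ComboFix or from its author: it parses constructed sample lines modelled on the log format shown here and flags two things the log above actually contains, a regular file in system32 carrying both the system and hidden attributes (the `--sha-r-` msdatgrd2.dll entry) and `"EnableFirewall"= 0` under the standard firewall profile. The mapping of attribute letters to meanings (d = directory, s = system, h = hidden, r = read-only) is my reading of the flag strings in the log rather than documented ComboFix behaviour, and the sample lines are constructed.

```python
import re

# Constructed sample lines modelled on the ComboFix log in this thread (not a real capture).
SAMPLE_LOG = r"""
2010-11-14 21:45 . 2010-04-29 23:39 38224 ----a-w- c:\windows1\system32\drivers\mbamswissarmy.sys
2010-11-09 10:37 . 2010-11-09 10:37 -------- d-sh--w- c:\documents and settings\Administrator.JACQUE\IETldCache
2010-11-08 21:54 . 2010-11-08 21:54 109056 --sha-r- c:\windows1\system32\msdatgrd2.dll
2010-11-06 19:37 . 2010-11-06 19:37 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "created . modified size attrs path" file entries, e.g.
# 2010-11-08 21:54 . 2010-11-08 21:54 109056 --sha-r- c:\windows1\system32\msdatgrd2.dll
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
SECTION_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FIREWALL_LINE = re.compile(r'^"EnableFirewall"\s*=\s*(?P<val>\d+)')


def parse_attrs(attrs):
    """Interpret the 8-character attribute field.

    Assumed mapping, taken from the letters that occur in the log rather than
    ComboFix documentation: position 0 'd' directory, 2 's' system,
    3 'h' hidden, 6 'r' read-only / 'w' writable.
    """
    return {
        "directory": attrs[0] == "d",
        "system": attrs[2] == "s",
        "hidden": attrs[3] == "h",
        "readonly": attrs[6] == "r",
    }


def triage(log_text):
    """Return (finding, detail) pairs for lines that deserve a second look."""
    findings = []
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            a = parse_attrs(m["attrs"])
            path = m["path"]
            # A regular file marked system+hidden inside system32 mimics how OS files
            # are hidden from Explorer; flag it for a vendor / file-catalogue check.
            # Directories with the same flags (e.g. IETldCache) are normal and skipped.
            if (not a["directory"] and a["system"] and a["hidden"]
                    and "\\system32\\" in path.lower()):
                findings.append(("hidden_system_file", path))
            continue
        m = SECTION_LINE.match(line)
        if m:
            section = m["key"]
            continue
        m = FIREWALL_LINE.match(line)
        if m and section and "firewallpolicy" in section.lower() and m["val"] == "0":
            # EnableFirewall=0 means the Windows Firewall is off for that profile.
            findings.append(("firewall_disabled", section.rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Flagged entries are triage candidates, not verdicts: a hidden system file in system32 whose creation time equals its modification time is worth checking against the vendor's file catalogue before anything is deleted, and a disabled firewall profile is something Security Center would normally report, so it should be switched back on once cleanup is finished.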

ken545
2010-11-20, 11:51
Looking pretty good

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

ffemtjacque
2010-11-22, 05:49
We seem to be getting closer..

C:\Documents and Settings\Jaques\Application Data\EditPlus 3\combobox_u.ini HTML/ScrInject.B.Gen virus deleted - quarantined

C:\System Volume Information\_restore{4BDBA4CA-984E-4E71-809C-CC2FC4D11411}\RP3\A0000193.ini HTML/ScrInject.B.Gen virus deleted - quarantined

ken545
2010-11-22, 11:06
Hi,

One of those files that were deleted was in your Windows System Restore program; there could be more, so let's flush it all out and be sure to create a New Restore Point (Very Important).


System Restore is a component of Microsoft's Windows Me, Windows XP, Windows Vista and Windows 7 operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of malfunctioning or failure. Old restore points can be a source of re-infection.

Please follow the steps below to create a clean restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe
Press OK. Choose Create a Restore Point then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created click Close.


Then remove all previous Restore Points

Click Start > Run > copy and paste the following into the run box:

cleanmgr
Choose to scan drive C:\ (if C:\ is your main drive).
At the top, click on More Options tab. Click the Clean up... button in the System Restore box.
Click on the Yes button.
When finished, click on Cancel button to exit.




Let me know how things are running now?

ffemtjacque
2010-11-22, 17:09
Seems to be running pretty swimmingly. Searches go where they're supposed to.

I do so very much appreciate the help.

ken545
2010-11-22, 19:06
You're very welcome, glad things are running well again :)

Open up OTL and click on the Cleanup feature and it will remove most of the tools we use to clean your system.



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind, if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

ken545
2010-11-26, 15:18
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.