PDA

View Full Version : Infected XP Security 2012



FlaCajun
2011-12-16, 04:54
Windows XP Professional v2002 SP2
IE Explorer 8
McAfee
Malwarebytes

Unable to run Malwarebytes
Unable to the Internet with IE Explorer 8
Unable to run SpyBot nor turn off tea timer.
Unable to run Solitaire, XP Security 2012 window pops up.

Infected Desktop has been disconnected from router.
Another computer was used via clean thumb drive to transfer DDS program and corresponding files to this post.
Unable to run ERUNT.
Unable to zip any files.

Thank you for your help.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Raymond Green at 21:24:25 on 2011-12-15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1500 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\DOCUME~1\RAYMON~1\LOCALS~1\Temp\opre0.46251654147068555.exe
C:\program files\real\realplayer\update\realsched.exe
C:\WINDOWS\System32\ping.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\igfxsrvc.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://www.comcast.net/toolbar2.0/search/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111114131554.dll
BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\documents and settings\all users\application data\wecarereminder\IEHelperv2.5.0.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{9AB6A42E-2FE1-AD7B-10AE-2A861F770994}] "c:\documents and settings\raymond green\application data\osojl\zaeh.exe"
mRun: [LaunchApp] Alaunch
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 0
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [MozillaAgent] c:\windows\temp\_ex-68.exe
StartupFolder: c:\docume~1\raymon~1\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166462899750
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{59387631-056E-4C7A-85DB-39C08EC0F541} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-8-2 464176]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-8-2 89792]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-8-2 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-8-2 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-8-2 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-8-2 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-8-2 150856]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-8-2 180816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-8-2 59456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-8-2 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-8-2 83856]
R3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-15 50704]
RUnknown 5689;5689; [x]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-8-2 57600]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-8-2 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-8-2 87656]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [2003-8-15 3456]
.
=============== File Associations ===============
.
.exe=87V
.
=============== Created Last 30 ================
.
2011-12-15 16:14:52 -------- d-----w- c:\documents and settings\raymond green\application data\Voypab
2011-12-15 16:14:52 -------- d-----w- c:\documents and settings\raymond green\application data\Osojl
2011-12-15 16:04:10 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-12-15 16:04:10 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-12-15 16:04:10 100880 ----a-w- c:\windows\system32\Packet.dll
2011-12-15 15:37:12 339968 ----a-w- c:\documents and settings\raymond green\local settings\application data\tvn.exe
2011-12-14 22:31:38 -------- d-----w- c:\documents and settings\raymond green\local settings\application data\WMTools Downloaded Files
2011-12-08 03:27:50 -------- d-sh--w- c:\documents and settings\raymond green\PrivacIE
2011-12-08 03:20:17 -------- d-sh--w- c:\documents and settings\raymond green\IETldCache
2011-12-08 03:17:37 -------- d-----w- c:\windows\ie8updates
2011-12-08 03:15:05 -------- dc-h--w- c:\windows\ie8
2011-12-08 02:59:27 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-12-08 02:59:27 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-12-08 02:59:26 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-12-08 02:59:24 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-08 02:59:24 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-12-08 02:59:23 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-12-08 02:59:21 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-11-29 23:44:09 -------- d-----w- c:\program files\common files\xing shared
.
==================== Find3M ====================
.
2011-11-10 22:57:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 19:32:30 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-10-15 18:16:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 18:16:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 18:16:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 18:16:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 18:16:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 18:16:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 18:16:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 18:16:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 18:16:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 18:16:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
.
============= FINISH: 21:26:39.45 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/18/2006 12:07:58 PM
System Uptime: 12/11/2011 8:06:28 PM (97 hours ago)
.
Motherboard: Acer | | M945G
Processor: Intel(R) Pentium(R) D CPU 3.40GHz | Socket 775 | 3391/200mhz
Processor: Intel(R) Pentium(R) D CPU 3.40GHz | Socket 775 | 3391/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 220 GiB total, 46.677 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 8.265 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 233 GiB total, 63.704 GiB free.
G: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1471: 11/26/2011 8:59:28 PM - System Checkpoint
RP1472: 11/27/2011 9:30:43 PM - System Checkpoint
RP1473: 11/28/2011 9:55:21 PM - System Checkpoint
RP1474: 11/29/2011 11:08:28 PM - System Checkpoint
RP1475: 12/1/2011 10:22:48 AM - System Checkpoint
RP1476: 12/3/2011 1:03:35 PM - System Checkpoint
RP1477: 12/4/2011 5:20:07 PM - System Checkpoint
RP1478: 12/6/2011 8:47:48 AM - System Checkpoint
RP1479: 12/7/2011 7:14:02 PM - System Checkpoint
RP1480: 12/7/2011 10:03:26 PM - Software Distribution Service 3.0
RP1481: 12/7/2011 10:07:25 PM - Installed Windows XP KB932823-v3.
RP1482: 12/7/2011 10:16:24 PM - Installed Windows Internet Explorer 8.
RP1483: 12/7/2011 10:17:12 PM - Software Distribution Service 3.0
RP1484: 12/8/2011 11:13:02 PM - System Checkpoint
RP1485: 12/10/2011 10:08:42 AM - System Checkpoint
RP1486: 12/11/2011 10:52:50 AM - System Checkpoint
RP1487: 12/12/2011 12:04:31 PM - System Checkpoint
RP1488: 12/13/2011 12:11:06 PM - System Checkpoint
RP1489: 12/14/2011 12:34:48 PM - System Checkpoint
RP1490: 12/15/2011 5:45:02 PM - System Checkpoint
.
==== Installed Programs ======================
.
Acer eDataSecurity Management
Adobe Flash Player 11 ActiveX
Adobe Reader 8.2.6
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
AVIVO Codecs
Clean Water Action TriMini Reminder by We-Care.com v5.0.3.2
Comcast Toolbar
DING!
eSignal
Fibonacci Trader 4
Fibonacci/Galactic Trader 4
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
HP Officejet Pro K550 Series
Intel(R) Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Internet Security
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.1
Microsoft IntelliType Pro 6.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Standard Edition 2003
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Misc
Mozilla Thunderbird (3.1.16)
MP3 Splitter
Musicnotes Software Suite 1.5.5
News Rover -- Usenet newsreader
NTI Backup NOW! 4
NTI CD & DVD-Maker
PartitionMagic
PowerDVD
PowerQuest PartitionMagic 8.0
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek High Definition Audio Driver
RealUpgrade 1.1
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Sentinel System Driver
Spybot - Search & Destroy
Super MP3 Splitter 1.5.0.1219
Toolbox
UGuide
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
Update for Windows XP (KB932823-v3)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
.
==== Event Viewer Messages From Past Week ========
.
12/11/2011 8:06:59 PM, error: Dhcp [1002] - The IP address lease 192.168.1.6 for the Network Card with network address 001617DEE6AB has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
12/10/2011 11:01:47 PM, error: Service Control Manager [7000] - The eLock2FSCTLDriver service failed to start due to the following error: The system cannot find the file specified.
12/10/2011 11:01:46 PM, error: Service Control Manager [7000] - The eLock2BurnerLockDriver service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================

ken545
2011-12-18, 15:44
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Running programs with Vista or Windows 7 , you need to Right Click on the program and select RUN AS ADMINISTATOR


Your infected with the Zero Access Rootkit. This rootkit has backdoor functionality that has the ability to download other garbage to your computer, steal passwords, credit card numbers, it can monitor internet traffic both in and out of your computer. You wise to keep this compute offline until we get it cleaned. I would strongly urge you to use a known clean computer to change all your passwords for sites you frequent like banking and shopping sites


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

FlaCajun
2011-12-18, 18:51
Disabled McAfee antivirus
Don't know if Tea-timer is disabled, unable to run Spybot.

Connected desktop computer back to the internet, connection successful.
Transfered 'Combofix' via thumb drive, IE Explorer 8 is hijacked unable to surf.

Combofix will not run, 'XP Security 2012 Firewall Alert' message pops up.

FlaCajun

ken545
2011-12-18, 19:14
Combofix will remove this Rootkit, do this first



Please download rkill (Courtesy of Bleepingcomputer.com).
There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
Note: You only need to get one of the tools to run, not all of them.




1. rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
2. rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
3. rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
4. WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
5. uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

Run rkill repeatedly until it's able to do it's job. This may take a few tries.

You'll be able to tell rkill has done it's job when your desktop (explorer.exe) cycles off and then on again.

FlaCajun
2011-12-19, 01:36
Rkill ran on the 1st execution. It seemed to work.
Ran Rkill again to be sure.
Both txt files indicated that Rkill had done its job.

Ran ComboFix and went into reboot mode (no log).
An hour later the desktop computer hasn't completed the reboot cycle.
Icons are gone on desktop, see only the wall paper.
Harddrive indicator light blinks itermitentantly.
The Task Manager does come up (ctrl+alt+del).
The Windows key doesn't respond.
Alt+F4 (old fashion) doesn't work.

Should a hard reboot be done?

Thanks,
FlaCajun

ken545
2011-12-19, 01:49
Yes, do a hard reboot and we will go from there

FlaCajun
2011-12-19, 02:36
Hard boot successful.
ComboFix ran on Startup.
No internet connectivity.

ken545
2011-12-19, 02:58
Try downloading this program and transfer to the infected one and run it and see if it fixes your internet connection

http://www.snapfiles.com/get/winsockxpfix.html

http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

FlaCajun
2011-12-19, 03:28
Both Winsockfix and WinsockxpFix were run, still no internet connectivity.
ComboFix was run only once.

ken545
2011-12-19, 10:49
This rootkit is very destructive, it may have damaged your internet connection along the way.

If this computer is hooked up to a router, turn off your Cable or DSL modem, turn off your router, then close down your computer.

Now, fire up the cable modem, then the router and then your computer and see if that got you internet access, if not then do this


Again, transfer it by disk, you can hold off on the scan and log for now, I just want this program on your desktop


OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.





Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL




:processes
killallprocesses

:OTL


:Services

:Reg

:Files
ipconfig /flushdns /c


:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces

ken545
2011-12-19, 20:40
Lets see if this program can locate and fix a bad file, that may be the problem.

Again, download to a working computer and transfer by disk

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

FlaCajun
2011-12-20, 01:39
I haven't run OLT.
It looks like I am to use TDSSKiller instead of OLT.
Is this correct?

Thanks,
FlaCajun

ken545
2011-12-20, 01:43
Go ahead and run them both, first OTL and then TDSSkiller. Zero Access Rootkit which you are infected with is a fairly new infection and we are finding out that by removing it sometimes it damages your internet connection, I am in touch with other helpers and we will figure this out.

ken545
2011-12-20, 02:22
After you do the above, if still no internet connection than try this


Try this:

Please copy the entire contents of the codebox below into Notepad:


Open Notepad
Copy the contents of the codebox below using CTRL C



Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]



Now return to Notepad and use CTRL V to paste the script
Verify that you have pasted the complete script
Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
Locate FixReg.reg on your desktop
Double click to run, and when prompted Allow the file to merge with your registry
OK your way out.

After that, Reboot your computer.


After the reboot, we will reinstall TCP/IP
Go to Start the Settings and choose Network Connections
Right click on your normal connection icon, and choose Properties
Click the Install button
Choose Protocol then click Add
Click Have disk
In the drop down box, type in: C:\WINDOWS\INF and click OK
In the next dialog, click Internet Protocol (TCP/IP) then click OK
Click Close to leave the properties box

After that, Reboot your computer and see if you have regained your connection.

FlaCajun
2011-12-21, 04:43
The computer is substantially slow to re-boot.
Icons take substantial time to initialize and become visually recognizeable.

OTL.txt log below.
Extras.txt log in next post.

OTL logfile created on: 12/20/2011 8:00:19 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Raymond Green\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.27% Memory free
5.85 Gb Paging File | 5.24 Gb Available in Paging File | 89.69% Paging File free
Paging file location(s): C:\pagefile.sys 4092 10000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 219.72 Gb Total Space | 47.25 Gb Free Space | 21.50% Space Free | Partition Type: NTFS
Drive D: | 8.26 Gb Total Space | 8.26 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
Drive F: | 232.88 Gb Total Space | 63.71 Gb Free Space | 27.35% Space Free | Partition Type: NTFS
Drive G: | 1.86 Gb Total Space | 1.85 Gb Free Space | 99.40% Space Free | Partition Type: FAT32

Computer Name: RAYMOND-DESKTOP | User Name: Raymond Green | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Raymond Green\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
PRC - C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - c:\Program Files\McAfee.com\Agent\mcupdate.exe (McAfee, Inc.)
PRC - C:\Program Files\NewsRover\NewsRover.exe (S&H Computer Systems, Inc.
1027-A 17th Ave. South
Nashville, TN 37212 USA
615-327-3670
www.NewsRover.com)
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)
PRC - C:\acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
PRC - C:\acer\Empowering Technology\eDataSecurity\eDSloader.exe (HiTRUST)
PRC - C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe (Hewlett-Packard Company)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\NewsRover\libeay32.dll ()
MOD - C:\acer\Empowering Technology\eRecovery\it41.dll ()
MOD - C:\acer\Empowering Technology\eRecovery\imagefile.dll ()


========== Win32 Services (SafeList) ==========

SRV - (mfevtp) -- C:\WINDOWS\system32\mfevtps.exe (McAfee, Inc.)
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe ()
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McProxy) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)


========== Driver Services (SafeList) ==========

DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfendiskmp) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mfendisk) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\WINDOWS\system32\drivers\cfwids.sys (McAfee, Inc.)
DRV - (MPFP) -- C:\WINDOWS\system32\drivers\Mpfp.sys (McAfee, Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (int15.sys) -- C:\acer\Empowering Technology\eRecovery\int15.sys ()
DRV - (HdAudAddService) -- C:\WINDOWS\system32\drivers\Hdaudio.sys (Windows (R) Server 2003 DDK provider)
DRV - (IPSec) -- C:\WINDOWS\system32\drivers\ipsec.sys ()
DRV - (PortRW) -- C:\WINDOWS\system32\drivers\PortRW.sys (acer)
DRV - (PQNTDrv) -- C:\WINDOWS\System32\drivers\PQNTDRV.sys (PowerQuest Corporation)
DRV - (Sentinel) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS (Rainbow Technologies, Inc.)
DRV - (SNTNLUSB) -- C:\WINDOWS\system32\drivers\SNTNLUSB.SYS (Rainbow Technologies Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.kitco.com/
IE - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
IE - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {e2fda1a4-762b-4020-b5ad-a41df1933103}:1.0b2

FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@Musicnotes.com/Musicnotes Viewer: C:\Program Files\Musicnotes\npmusicn.dll (Musicnotes, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.0.198: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.0.198: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.0.198: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.0.198: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.0.198: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@Sibelius.com/Scorch Plugin: C:\Program Files\Musicnotes\npsibelius.dll ()

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/11/29 18:44:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2011/12/19 00:33:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.16\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2011/11/29 18:43:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 3.1.16\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2011/01/30 17:14:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Raymond Green\Application Data\Mozilla\Extensions
[2011/01/30 17:14:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Raymond Green\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/03/09 16:47:23 | 000,000,000 | ---D | M] (Lightning) -- C:\DOCUMENTS AND SETTINGS\RAYMOND GREEN\APPLICATION DATA\THUNDERBIRD\PROFILES\BPR9V7G8.DEFAULT\EXTENSIONS\{E2FDA1A4-762B-4020-B5AD-A41DF1933103}

O1 HOSTS File: ([2011/12/18 20:21:09 | 000,000,736 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Comcast Toolbar) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\Program Files\ComcastToolbar\comcasttoolbar.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111114131554.dll (McAfee, Inc.)
O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\Documents and Settings\All Users\Application Data\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)
O3 - HKLM\..\Toolbar: (Comcast Toolbar) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\Program Files\ComcastToolbar\comcasttoolbar.dll ()
O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll (HiTRUST)
O3 - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll (HiTRUST)
O3 - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\..\Toolbar\WebBrowser: (Comcast Toolbar) - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\Program Files\ComcastToolbar\comcasttoolbar.dll ()
O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe ()
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe (HiTRUST)
O4 - HKLM..\Run: [eRecoveryService] C:\acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows (R) Server 2003 DDK provider)
O4 - HKLM..\Run: [HPWUTOOLBOX] C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LaunchApp] C:\WINDOWS\Alaunch.exe (Acer Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [ntiMUI] c:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\Update\realsched.exe (RealNetworks, Inc.)
O4 - Startup: C:\Documents and Settings\Raymond Green\Start Menu\Programs\Startup\DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1072916345-2785684930-38884129-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166462899750 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{59387631-056E-4C7A-85DB-39C08EC0F541}: DhcpNameServer = 192.168.1.1
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Raymond Green\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Raymond Green\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/11/27 08:00:42 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/20 19:49:16 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Raymond Green\Desktop\OTL.exe
[2011/12/19 00:32:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/12/19 00:01:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/12/18 20:08:42 | 001,445,888 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Raymond Green\Desktop\WinsockxpFix.exe
[2011/12/18 20:08:42 | 001,413,120 | ---- | C] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Raymond Green\Desktop\winsockfix.exe
[2011/12/18 14:52:40 | 000,187,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\acpi.sys
[2011/12/18 14:46:01 | 004,342,882 | R--- | C] (Swearware) -- C:\Documents and Settings\Raymond Green\Desktop\ComboFix.exe
[2011/12/15 21:28:31 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Raymond Green\Desktop\dds.scr
[2011/12/15 21:24:08 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Raymond Green\Desktop\erunt-setup.exe
[2011/12/15 16:52:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\RealNetworks
[2011/12/15 16:52:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/12/15 14:03:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/12/15 11:14:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Green\Application Data\Voypab
[2011/12/14 17:31:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Raymond Green\Local Settings\Application Data\WMTools Downloaded Files
[2011/12/07 22:27:50 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Raymond Green\PrivacIE
[2011/12/07 22:20:17 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Raymond Green\IETldCache
[2011/12/07 22:17:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2011/12/07 22:15:05 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2011/12/07 21:59:27 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeeds.dll
[2011/12/07 21:59:27 | 000,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msfeedsbs.dll
[2011/12/07 21:59:24 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2011/12/07 21:59:23 | 001,985,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iertutil.dll
[2011/12/07 21:59:21 | 011,076,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ieframe.dll
[2011/11/29 18:44:09 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2011/11/29 18:43:53 | 000,198,832 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2011/11/29 18:43:36 | 000,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2011/11/29 18:43:36 | 000,005,632 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2011/11/29 18:43:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Real
[2006/12/18 12:18:36 | 000,016,384 | ---- | C] ( ) -- C:\WINDOWS\System32\ClearEvent.exe
[2006/12/18 12:15:37 | 000,049,152 | ---- | C] ( ) -- C:\WINDOWS\System32\SysMonitor.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/20 19:36:32 | 000,486,105 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\Infected XP Security 2012 - Safer-Networking Forums.mht
[2011/12/20 19:36:10 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Raymond Green\Desktop\OTL.exe
[2011/12/20 19:34:58 | 001,557,791 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\tdsskiller.zip
[2011/12/19 00:35:10 | 000,000,703 | ---- | M] () -- C:\WINDOWS\NewsRover.INI
[2011/12/19 00:32:18 | 000,001,599 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Internet Security.lnk
[2011/12/19 00:30:14 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1072916345-2785684930-38884129-1005.job
[2011/12/19 00:27:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/18 20:21:09 | 000,000,736 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/12/18 20:07:26 | 001,413,120 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Raymond Green\Desktop\winsockfix.exe
[2011/12/18 20:03:56 | 001,445,888 | ---- | M] (Option^Explicit Software Solutions) -- C:\Documents and Settings\Raymond Green\Desktop\WinsockxpFix.exe
[2011/12/18 19:12:18 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.bak
[2011/12/18 14:39:23 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/18 14:29:58 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\uSeRiNiT.exe
[2011/12/18 14:29:44 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\WiNlOgOn.exe
[2011/12/18 14:29:30 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\rkill.scr
[2011/12/18 14:29:16 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\rkill.com
[2011/12/18 14:28:58 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\rkill.exe
[2011/12/18 11:47:51 | 000,015,422 | -HS- | M] () -- C:\Documents and Settings\Raymond Green\Local Settings\Application Data\411012n4x265a652f306x3jkm4y5
[2011/12/18 11:47:51 | 000,015,422 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\411012n4x265a652f306x3jkm4y5
[2011/12/18 11:35:44 | 004,342,882 | R--- | M] (Swearware) -- C:\Documents and Settings\Raymond Green\Desktop\ComboFix.exe
[2011/12/15 21:19:44 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Raymond Green\Desktop\dds.scr
[2011/12/15 21:15:28 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Raymond Green\Desktop\erunt-setup.exe
[2011/12/14 21:34:44 | 000,000,330 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\Harry Gilbert's Holiday Super Series Home.url
[2011/12/14 19:22:20 | 000,000,257 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\KJV Bible -- Browse.url
[2011/12/14 17:34:10 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1072916345-2785684930-38884129-1005.job
[2011/12/12 23:06:27 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\Amazon.com John F. Walvoord Books, Biography, Blog, Audiobooks, Kindle.url
[2011/12/11 20:10:29 | 000,000,291 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\smashtennis1's Channel - YouTube.url
[2011/12/07 22:20:40 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/12/07 22:16:57 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/12/05 22:04:39 | 000,000,765 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\RealPlayer.lnk
[2011/12/04 21:50:20 | 000,000,204 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\Mt. Sinai Found.url
[2011/12/04 11:49:32 | 000,000,347 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\Member Experience.url
[2011/11/29 18:44:31 | 000,000,747 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2011/11/29 18:43:53 | 000,198,832 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2011/11/29 18:43:36 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2011/11/29 18:43:36 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2011/11/29 18:43:35 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\WINDOWS\System32\pncrt.dll
[2011/11/29 18:37:40 | 002,922,831 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\Diferença_sala_chefe_e_a_sua1.wmv_.zip
[2011/11/27 13:17:47 | 000,000,318 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\Yoga Beginner Videos - Step-by-Step Yoga for Beginners YogaGlo.com.url
[2011/11/26 08:19:11 | 000,941,543 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\Small_Group_Basics_booklet[1].pdf
[2011/11/26 00:51:41 | 000,000,599 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\50yrs of MK-Ultra BETA Sex Slaves (GRAPHIC w-VIDEOS) - Julie Newmar - Zimbio.url
[2011/11/25 11:15:44 | 000,268,844 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\Revelation - Barnhouse outline.pdf
[2011/11/23 13:47:10 | 000,001,013 | ---- | M] () -- C:\Documents and Settings\Raymond Green\Desktop\Full List - The 50 Most Beautiful Women Over 50 - StyleBistro.url
[2011/11/21 14:57:34 | 000,360,136 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/12/20 19:49:22 | 001,557,791 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\tdsskiller.zip
[2011/12/20 19:49:18 | 000,486,105 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\Infected XP Security 2012 - Safer-Networking Forums.mht
[2011/12/18 14:33:48 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\uSeRiNiT.exe
[2011/12/18 14:33:45 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\WiNlOgOn.exe
[2011/12/18 14:33:40 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\rkill.scr
[2011/12/18 14:33:35 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\rkill.com
[2011/12/18 14:33:09 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\rkill.exe
[2011/12/15 11:23:44 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/12/15 10:37:12 | 000,015,422 | -HS- | C] () -- C:\Documents and Settings\Raymond Green\Local Settings\Application Data\411012n4x265a652f306x3jkm4y5
[2011/12/15 10:37:12 | 000,015,422 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\411012n4x265a652f306x3jkm4y5
[2011/12/14 21:34:44 | 000,000,330 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\Harry Gilbert's Holiday Super Series Home.url
[2011/12/12 23:06:26 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\Amazon.com John F. Walvoord Books, Biography, Blog, Audiobooks, Kindle.url
[2011/12/11 20:10:29 | 000,000,291 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\smashtennis1's Channel - YouTube.url
[2011/12/05 22:04:39 | 000,000,765 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\RealPlayer.lnk
[2011/12/04 21:50:20 | 000,000,204 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\Mt. Sinai Found.url
[2011/12/04 11:49:31 | 000,000,347 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\Member Experience.url
[2011/11/29 18:44:31 | 000,000,747 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2011/11/29 18:37:38 | 002,922,831 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\Diferença_sala_chefe_e_a_sua1.wmv_.zip
[2011/11/27 13:17:47 | 000,000,318 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\Yoga Beginner Videos - Step-by-Step Yoga for Beginners YogaGlo.com.url
[2011/11/26 08:19:09 | 000,941,543 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\Small_Group_Basics_booklet[1].pdf
[2011/11/26 00:51:41 | 000,000,599 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\50yrs of MK-Ultra BETA Sex Slaves (GRAPHIC w-VIDEOS) - Julie Newmar - Zimbio.url
[2011/11/25 11:15:44 | 000,268,844 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\Revelation - Barnhouse outline.pdf
[2011/11/23 13:47:10 | 000,001,013 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Desktop\Full List - The 50 Most Beautiful Women Over 50 - StyleBistro.url
[2011/06/22 15:05:43 | 000,000,703 | ---- | C] () -- C:\WINDOWS\NewsRover.INI
[2011/06/20 16:38:56 | 000,108,890 | ---- | C] () -- C:\WINDOWS\News Rover Uninstaller.exe
[2011/06/10 18:54:39 | 000,000,029 | ---- | C] () -- C:\WINDOWS\CDMKR32.INI
[2011/03/20 19:35:44 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/02/27 11:30:55 | 000,000,783 | ---- | C] () -- C:\WINDOWS\NTIWVEDT.INI
[2011/02/26 17:13:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Jcmkr32.INI
[2011/02/26 16:54:17 | 000,000,280 | -HS- | C] () -- C:\Documents and Settings\Raymond Green\Application Data\s0510.cfg
[2011/01/30 17:14:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/12/19 09:38:31 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/12/19 09:38:31 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/12/19 09:38:31 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/12/19 09:38:31 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/12/19 09:38:31 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/12/11 08:12:07 | 000,015,872 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/05/19 11:54:49 | 000,060,593 | ---- | C] () -- C:\WINDOWS\hpwins03.dat
[2007/05/19 11:54:48 | 000,001,238 | ---- | C] () -- C:\WINDOWS\hpwmdl03.dat
[2007/05/15 19:28:45 | 000,000,197 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2007/01/03 09:26:30 | 000,000,024 | ---- | C] () -- C:\WINDOWS\KADJISYS.INI
[2007/01/03 09:26:15 | 000,000,322 | ---- | C] () -- C:\WINDOWS\astros.ini
[2007/01/03 09:25:55 | 000,000,023 | ---- | C] () -- C:\WINDOWS\FTROBOT.INI
[2007/01/03 09:25:53 | 000,000,466 | ---- | C] () -- C:\WINDOWS\FTGT32.INI
[2007/01/03 09:07:26 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\CompDLL.dll
[2007/01/03 09:07:26 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\SX32W.DLL
[2007/01/03 09:07:25 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\CTA32.dll
[2007/01/02 19:18:29 | 000,004,408 | ---- | C] () -- C:\WINDOWS\WinSig.Ini
[2007/01/02 19:18:29 | 000,000,144 | ---- | C] () -- C:\WINDOWS\Reader.Ini
[2007/01/02 19:18:16 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\proxydll.dll
[2007/01/02 19:18:16 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\Implode.dll
[2007/01/02 19:17:23 | 000,002,521 | ---- | C] () -- C:\WINDOWS\WinRos.Ini
[2006/12/18 14:25:14 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
[2006/12/18 14:25:02 | 000,133,246 | R--- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2006/12/18 12:20:06 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/12/18 12:18:13 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Raymond Green\Local Settings\Application Data\fusioncache.dat
[2006/05/05 01:58:32 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/05/05 01:57:12 | 000,360,136 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/05/05 01:54:16 | 000,405,640 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/05/05 01:54:16 | 000,064,064 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/05/04 19:26:28 | 000,000,093 | ---- | C] () -- C:\WINDOWS\alaunch.ini
[2006/03/08 20:19:28 | 001,421,824 | ---- | C] () -- C:\WINDOWS\System32\UIVCL.dll
[2006/03/08 20:11:30 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\APISlice.dll
[2006/03/08 20:10:46 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\InstallCheck.dll
[2006/03/02 22:35:48 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\HTCA_SelfExtract.bin
[2006/01/10 14:28:48 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\drivers\installnetawa.exe
[2005/11/28 16:53:58 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/11/27 08:01:04 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005/11/27 08:00:14 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005/11/27 08:00:14 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005/11/27 08:00:14 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005/11/27 08:00:14 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005/11/27 07:42:56 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/11/27 07:41:10 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/11/17 01:11:52 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\Kill1211.exe
[2005/11/10 14:27:42 | 000,003,218 | ---- | C] () -- C:\WINDOWS\System32\drivers\WINIO.sys
[2005/10/26 03:25:28 | 000,008,073 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/07/14 20:48:46 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2005/07/12 17:44:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2005/06/27 18:12:58 | 000,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\NETMNT.sys
[2005/04/12 08:53:10 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2005/03/28 09:14:38 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2004/12/17 20:14:44 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2004/08/04 00:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 00:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 00:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 00:00:00 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\drivers\ipsec.sys
[2004/08/04 00:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 00:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 00:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/04 00:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 00:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/04 00:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/04 00:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/03/23 19:38:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2003/08/07 12:51:32 | 000,024,576 | -H-- | C] () -- C:\WINDOWS\System32\reboot.exe
[2003/08/06 22:32:24 | 000,024,576 | -H-- | C] () -- C:\WINDOWS\System32\KCMDNIns.exe
[2003/03/14 15:24:00 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\ZyDelReg.exe
[2002/05/24 03:34:46 | 000,032,768 | ---- | C] () -- C:\WINDOWS\AMOVE.EXE
[2001/12/26 19:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/04 02:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/08/25 21:04:08 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/25 21:02:42 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/07/30 19:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/24 01:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[2001/07/06 15:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2007/02/12 16:29:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Avocent AdminWorks
[2011/11/06 12:57:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2011/11/01 17:13:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WeCareReminder
[2007/02/12 16:29:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Raymond Green\Application Data\Avocent AdminWorks
[2011/08/04 19:27:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Raymond Green\Application Data\Elluminate
[2010/12/14 06:08:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Raymond Green\Application Data\Leadertech
[2011/11/01 17:12:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Raymond Green\Application Data\OpenCandy
[2011/09/21 17:22:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Raymond Green\Application Data\Southwest Airlines
[2011/01/30 17:14:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Raymond Green\Application Data\Thunderbird
[2008/01/10 09:05:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Raymond Green\Application Data\Trading Rooms
[2011/12/15 22:34:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Raymond Green\Application Data\Voypab

========== Purity Check ==========



========== Files - Unicode (All) ==========
[2011/10/28 17:29:40 | 000,001,870 | ---- | M] ()(C:\Documents and Settings\Raymond Green\Desktop\??? ???????? ?????? - MarketGid.url) -- C:\Documents and Settings\Raymond Green\Desktop\Кто УГРОЖАЕТ Лолите - MarketGid.url
[2011/10/28 17:29:40 | 000,001,870 | ---- | C] ()(C:\Documents and Settings\Raymond Green\Desktop\??? ???????? ?????? - MarketGid.url) -- C:\Documents and Settings\Raymond Green\Desktop\Кто УГРОЖАЕТ Лолите - MarketGid.url
[2011/10/28 17:29:24 | 000,000,753 | ---- | M] ()(C:\Documents and Settings\Raymond Green\Desktop\You-Tube ????????? ?? ?????.url) -- C:\Documents and Settings\Raymond Green\Desktop\You-Tube Блондинка за рулем.url
[2011/10/28 17:29:24 | 000,000,753 | ---- | C] ()(C:\Documents and Settings\Raymond Green\Desktop\You-Tube ????????? ?? ?????.url) -- C:\Documents and Settings\Raymond Green\Desktop\You-Tube Блондинка за рулем.url

< End of report >

FlaCajun
2011-12-21, 04:45
Extras.txt log below.
OTL log run with script to follow in next post.

OTL Extras logfile created on: 12/20/2011 8:00:19 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Raymond Green\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.55 Gb Available Physical Memory | 77.27% Memory free
5.85 Gb Paging File | 5.24 Gb Available in Paging File | 89.69% Paging File free
Paging file location(s): C:\pagefile.sys 4092 10000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 219.72 Gb Total Space | 47.25 Gb Free Space | 21.50% Space Free | Partition Type: NTFS
Drive D: | 8.26 Gb Total Space | 8.26 Gb Free Space | 100.00% Space Free | Partition Type: FAT32
Drive F: | 232.88 Gb Total Space | 63.71 Gb Free Space | 27.35% Space Free | Partition Type: NTFS
Drive G: | 1.86 Gb Total Space | 1.85 Gb Free Space | 99.40% Space Free | Partition Type: FAT32

Computer Name: RAYMOND-DESKTOP | User Name: Raymond Green | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"23133:UDP" = 23133:UDP:*:Enabled:UDP 23133
"27193:TCP" = 27193:TCP:*:Enabled:TCP 27193

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\eSignal\winros.exe" = C:\Program Files\eSignal\winros.exe:*:Enabled:eSignal Data Manager -- (eSignal)
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03EA3D6E-D92B-11D0-892B-00A0C91827B3}" = eSignal
"{083F79E4-6FE9-46FB-A6C6-4F8862742947}" = ATI HYDRAVISION
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{1F5C9A13-6966-45F7-B39E-B9C3462535A7}" = ATI Catalyst Control Center
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{30E10267-3B27-42CC-B727-681DEBD30C4D}" = Clean Water Action TriMini Reminder by We-Care.com v5.0.3.2
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150090}" = J2SE Runtime Environment 5.0 Update 9
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java(TM) SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java(TM) 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"{46097540-46DC-4946-BA9F-1ACEBABAE7FB}_is1" = Super MP3 Splitter 1.5.0.1219
"{4AD13F68-CADA-4C6B-9759-C33753F89908}" = Acer eDataSecurity Management
"{5DA6F06A-B389-407B-BF8C-1548767914D8}" = ATI Problem Report Wizard
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6A3F9D74-BB80-4451-8CA1-4B3A857F1359}" = Apple Application Support
"{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PartitionMagic
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{791CAF6C-90A3-11D4-8306-00D0B72E1DB9}" = Sentinel System Driver
"{84031A18-BA9A-4156-A74F-E05B52DDFCE2}" = DING!
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC60C8C1-855E-45AB-8D95-1D16F8A38E78}" = UGuide
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.6
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{BA7A3288-228D-4031-A93A-B5F6B3415E15}" = Misc
"{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}" = Windows Rights Management Client with Service Pack 2
"{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}" = Microsoft IntelliType Pro 6.1
"{C941F1F1-25B3-4DF5-83E6-888C51A1AAB6}" = AVIVO Codecs
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{EC905264-BCFE-423B-9C42-C3A106266790}" = Windows Rights Management Client Backwards Compatibility SP2
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1CD25A0-5401-40B2-BAA9-E267408B16DF}" = Toolbox
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"ComcastToolbar" = Comcast Toolbar
"ENTERPRISER" = Microsoft Office Enterprise 2007
"Fibonacci Trader 4" = Fibonacci Trader 4
"Fibonacci/Galactic Trader 4" = Fibonacci/Galactic Trader 4
"HP Officejet Pro K550 Series" = HP Officejet Pro K550 Series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}" = PowerQuest PartitionMagic 8.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Thunderbird (3.1.16)" = Mozilla Thunderbird (3.1.16)
"MP3 Splitter_is1" = MP3 Splitter
"MSC" = McAfee Internet Security
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Musicnotes Combined Installer_is1" = Musicnotes Software Suite 1.5.5
"News Rover" = News Rover -- Usenet newsreader
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"RealPlayer 15.0" = RealPlayer
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1072916345-2785684930-38884129-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/23/2011 9:14:31 AM | Computer Name = RAYMOND-DESKTOP | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.11, faulting module
mshtml.dll, version 7.0.5730.11, fault address 0x000a0986.

Error - 11/26/2011 3:07:49 AM | Computer Name = RAYMOND-DESKTOP | Source = Application Error | ID = 1000
Description = Faulting application newsrover.exe, version 16.2.0.0, faulting module
newsrover.exe, version 16.2.0.0, fault address 0x00202003.

Error - 11/26/2011 3:20:05 PM | Computer Name = RAYMOND-DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.5730.11, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/26/2011 3:20:05 PM | Computer Name = RAYMOND-DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.5730.11, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/27/2011 7:37:32 PM | Computer Name = RAYMOND-DESKTOP | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.11, faulting module
mshtml.dll, version 7.0.5730.11, fault address 0x0008a672.

Error - 12/1/2011 12:10:51 AM | Computer Name = RAYMOND-DESKTOP | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.5730.11, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/2/2011 8:47:54 PM | Computer Name = RAYMOND-DESKTOP | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.5730.11, faulting module
ntdll.dll, version 5.1.2600.2180, fault address 0x00018fea.

Error - 12/12/2011 11:57:57 PM | Computer Name = RAYMOND-DESKTOP | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module unknown, version 0.0.0.0, fault address 0x0074007b.

Error - 12/15/2011 12:50:41 PM | Computer Name = RAYMOND-DESKTOP | Source = Application Error | ID = 1000
Description = Faulting application _ex-68.exe, version 8.0.52140.33806, faulting
module _ex-68.exe, version 8.0.52140.33806, fault address 0x0001f713.

Error - 12/15/2011 12:51:51 PM | Computer Name = RAYMOND-DESKTOP | Source = Application Error | ID = 1000
Description = Faulting application _ex-68.exe, version 8.0.52140.33806, faulting
module _ex-68.exe, version 8.0.52140.33806, fault address 0x000af498.

[ System Events ]
Error - 12/19/2011 1:30:08 AM | Computer Name = RAYMOND-DESKTOP | Source = Service Control Manager | ID = 7000
Description = The TCP/IP Protocol Driver service failed to start due to the following
error: %%2

Error - 12/19/2011 1:30:08 AM | Computer Name = RAYMOND-DESKTOP | Source = Service Control Manager | ID = 7001
Description = The Network Location Awareness (NLA) service depends on the TCP/IP
Protocol Driver service which failed to start because of the following error: %%2

Error - 12/19/2011 1:30:08 AM | Computer Name = RAYMOND-DESKTOP | Source = Service Control Manager | ID = 7000
Description = The TCP/IP Protocol Driver service failed to start due to the following
error: %%2

Error - 12/19/2011 1:30:08 AM | Computer Name = RAYMOND-DESKTOP | Source = Service Control Manager | ID = 7001
Description = The Network Location Awareness (NLA) service depends on the TCP/IP
Protocol Driver service which failed to start because of the following error: %%2

Error - 12/19/2011 1:30:08 AM | Computer Name = RAYMOND-DESKTOP | Source = Service Control Manager | ID = 7000
Description = The TCP/IP Protocol Driver service failed to start due to the following
error: %%2

Error - 12/19/2011 1:30:08 AM | Computer Name = RAYMOND-DESKTOP | Source = Service Control Manager | ID = 7001
Description = The Network Location Awareness (NLA) service depends on the TCP/IP
Protocol Driver service which failed to start because of the following error: %%2

Error - 12/19/2011 1:30:11 AM | Computer Name = RAYMOND-DESKTOP | Source = Service Control Manager | ID = 7000
Description = The TCP/IP Protocol Driver service failed to start due to the following
error: %%2

Error - 12/19/2011 1:30:11 AM | Computer Name = RAYMOND-DESKTOP | Source = Service Control Manager | ID = 7001
Description = The Network Location Awareness (NLA) service depends on the TCP/IP
Protocol Driver service which failed to start because of the following error: %%2

Error - 12/19/2011 1:30:15 AM | Computer Name = RAYMOND-DESKTOP | Source = Service Control Manager | ID = 7000
Description = The TCP/IP Protocol Driver service failed to start due to the following
error: %%2

Error - 12/19/2011 1:30:15 AM | Computer Name = RAYMOND-DESKTOP | Source = Service Control Manager | ID = 7001
Description = The Network Location Awareness (NLA) service depends on the TCP/IP
Protocol Driver service which failed to start because of the following error: %%2


< End of report >

FlaCajun
2011-12-21, 04:50
OTL log with script run.
No Internet connnectivity regardless of re-cycling network system.

Will run the next programs.

All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.
Additional information: Unable to query host name.
C:\Documents and Settings\Raymond Green\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Raymond Green\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 40354 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Java cache emptied: 23361 bytes
->Flash cache emptied: 38662 bytes

User: Raymond Green
->Temp folder emptied: 588831 bytes
->Temporary Internet Files folder emptied: 11939041 bytes
->Java cache emptied: 13322961 bytes
->Flash cache emptied: 790 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 25.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 12202011_212930

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

ken545
2011-12-21, 04:54
Please download Farbar Service Scanner (download.bleepingcomputer.com/farbar/FSS.exe) and run it on the computer with the issue.

http://i121.photobucket.com/albums/o239/kevinf80/FSS1a.png

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply

FlaCajun
2011-12-21, 05:17
Below is the TDSSKiller log.
Nothing malicious found.
Re-booted, no internet connectivity.

FixReg.reg hasn't been run.
Do you want FixReg.reg run or go on to the latest directive?
If you want FixReg.reg run, where do I go to download the file?

22:01:31.0578 3868 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
22:01:31.0593 3868 ============================================================
22:01:31.0593 3868 Current date / time: 2011/12/20 22:01:31.0593
22:01:31.0593 3868 SystemInfo:
22:01:31.0593 3868
22:01:31.0593 3868 OS Version: 5.1.2600 ServicePack: 2.0
22:01:31.0593 3868 Product type: Workstation
22:01:31.0593 3868 ComputerName: RAYMOND-DESKTOP
22:01:31.0593 3868 UserName: Raymond Green
22:01:31.0593 3868 Windows directory: C:\WINDOWS
22:01:31.0593 3868 System windows directory: C:\WINDOWS
22:01:31.0593 3868 Processor architecture: Intel x86
22:01:31.0593 3868 Number of processors: 2
22:01:31.0593 3868 Page size: 0x1000
22:01:31.0593 3868 Boot type: Normal boot
22:01:31.0593 3868 ============================================================
22:01:32.0250 3868 Initialize success
22:01:35.0015 1340 ============================================================
22:01:35.0015 1340 Scan started
22:01:35.0015 1340 Mode: Manual;
22:01:35.0015 1340 ============================================================
22:01:35.0625 1340 Abiosdsk - ok
22:01:35.0640 1340 abp480n5 - ok
22:01:35.0703 1340 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:01:35.0703 1340 ACPI - ok
22:01:35.0796 1340 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
22:01:35.0796 1340 ACPIEC - ok
22:01:35.0812 1340 adpu160m - ok
22:01:35.0875 1340 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
22:01:35.0875 1340 aec - ok
22:01:35.0890 1340 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
22:01:35.0890 1340 AFD - ok
22:01:35.0890 1340 Aha154x - ok
22:01:35.0906 1340 aic78u2 - ok
22:01:35.0906 1340 aic78xx - ok
22:01:35.0937 1340 AliIde - ok
22:01:35.0937 1340 amsint - ok
22:01:35.0984 1340 asc - ok
22:01:36.0000 1340 asc3350p - ok
22:01:36.0000 1340 asc3550 - ok
22:01:36.0046 1340 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:01:36.0046 1340 AsyncMac - ok
22:01:36.0062 1340 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:01:36.0062 1340 atapi - ok
22:01:36.0078 1340 Atdisk - ok
22:01:36.0171 1340 ati2mtag (86a7a22f3670465ef575614e001159c0) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
22:01:36.0171 1340 ati2mtag - ok
22:01:36.0203 1340 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:01:36.0203 1340 Atmarpc - ok
22:01:36.0250 1340 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:01:36.0250 1340 audstub - ok
22:01:36.0265 1340 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:01:36.0265 1340 Beep - ok
22:01:36.0390 1340 catchme - ok
22:01:36.0421 1340 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:01:36.0421 1340 cbidf2k - ok
22:01:36.0421 1340 cd20xrnt - ok
22:01:36.0453 1340 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:01:36.0453 1340 Cdaudio - ok
22:01:36.0484 1340 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
22:01:36.0484 1340 Cdfs - ok
22:01:36.0515 1340 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:01:36.0515 1340 Cdrom - ok
22:01:36.0562 1340 cfwids (1dcb5209601a70e36c70fe8d197d62cb) C:\WINDOWS\system32\drivers\cfwids.sys
22:01:36.0578 1340 cfwids - ok
22:01:36.0578 1340 Changer - ok
22:01:36.0609 1340 CmdIde - ok
22:01:36.0656 1340 Cpqarray - ok
22:01:36.0671 1340 dac2w2k - ok
22:01:36.0687 1340 dac960nt - ok
22:01:36.0750 1340 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
22:01:36.0765 1340 Disk - ok
22:01:36.0796 1340 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
22:01:36.0796 1340 dmboot - ok
22:01:36.0812 1340 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
22:01:36.0812 1340 dmio - ok
22:01:36.0828 1340 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:01:36.0828 1340 dmload - ok
22:01:36.0859 1340 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
22:01:36.0859 1340 DMusic - ok
22:01:36.0859 1340 dpti2o - ok
22:01:36.0906 1340 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
22:01:36.0906 1340 drmkaud - ok
22:01:36.0906 1340 eLock2BurnerLockDriver - ok
22:01:36.0937 1340 eLock2FSCTLDriver - ok
22:01:36.0953 1340 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
22:01:36.0968 1340 Fastfat - ok
22:01:37.0109 1340 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:01:37.0125 1340 Fdc - ok
22:01:37.0203 1340 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
22:01:37.0203 1340 Fips - ok
22:01:37.0234 1340 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
22:01:37.0234 1340 Flpydisk - ok
22:01:37.0281 1340 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
22:01:37.0281 1340 FltMgr - ok
22:01:37.0312 1340 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:01:37.0312 1340 Fs_Rec - ok
22:01:37.0343 1340 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:01:37.0343 1340 Ftdisk - ok
22:01:37.0375 1340 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:01:37.0375 1340 Gpc - ok
22:01:37.0390 1340 HdAudAddService (2a013e7530beab6e569faa83f517e836) C:\WINDOWS\system32\drivers\HdAudio.sys
22:01:37.0406 1340 HdAudAddService - ok
22:01:37.0437 1340 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:01:37.0437 1340 HDAudBus - ok
22:01:37.0453 1340 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:01:37.0453 1340 hidusb - ok
22:01:37.0468 1340 hpn - ok
22:01:37.0500 1340 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
22:01:37.0500 1340 HTTP - ok
22:01:37.0515 1340 i2omgmt - ok
22:01:37.0531 1340 i2omp - ok
22:01:37.0562 1340 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:01:37.0562 1340 i8042prt - ok
22:01:37.0609 1340 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
22:01:37.0671 1340 ialm - ok
22:01:37.0703 1340 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:01:37.0703 1340 Imapi - ok
22:01:37.0718 1340 ini910u - ok
22:01:37.0875 1340 int15.sys (4d8d5b1c895ea0f2a721b98a7ce198f1) C:\Acer\Empowering Technology\eRecovery\int15.sys
22:01:37.0875 1340 int15.sys - ok
22:01:37.0984 1340 IntcAzAudAddService (284bcb80391783d328a8d8163e97fd58) C:\WINDOWS\system32\drivers\RtkHDAud.sys
22:01:38.0000 1340 IntcAzAudAddService - ok
22:01:38.0046 1340 IntelIde - ok
22:01:38.0093 1340 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:01:38.0093 1340 intelppm - ok
22:01:38.0140 1340 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
22:01:38.0140 1340 Ip6Fw - ok
22:01:38.0171 1340 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:01:38.0171 1340 IpFilterDriver - ok
22:01:38.0218 1340 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:01:38.0218 1340 IpInIp - ok
22:01:38.0296 1340 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:01:38.0296 1340 IpNat - ok
22:01:38.0328 1340 IPSec (ea66d9a13e73b54f7e9ae34a0d835114) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:01:38.0328 1340 IPSec - ok
22:01:38.0375 1340 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:01:38.0375 1340 IRENUM - ok
22:01:38.0421 1340 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:01:38.0421 1340 isapnp - ok
22:01:38.0468 1340 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:01:38.0468 1340 Kbdclass - ok
22:01:38.0500 1340 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:01:38.0500 1340 kbdhid - ok
22:01:38.0562 1340 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
22:01:38.0562 1340 kmixer - ok
22:01:38.0609 1340 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
22:01:38.0609 1340 KSecDD - ok
22:01:38.0625 1340 lbrtfdc - ok
22:01:38.0718 1340 mfeapfk (36b47b1e9c537f8f2b4481084b8f7d22) C:\WINDOWS\system32\drivers\mfeapfk.sys
22:01:38.0718 1340 mfeapfk - ok
22:01:38.0750 1340 mfeavfk (cde41293db871a75cd99eb0ce781356b) C:\WINDOWS\system32\drivers\mfeavfk.sys
22:01:38.0750 1340 mfeavfk - ok
22:01:38.0750 1340 mfeavfk01 - ok
22:01:38.0765 1340 mfebopk (e22385f64bdf0ad81157479496e33c4a) C:\WINDOWS\system32\drivers\mfebopk.sys
22:01:38.0781 1340 mfebopk - ok
22:01:38.0828 1340 mfefirek (215666a8a85023ef019b510cbb67f678) C:\WINDOWS\system32\drivers\mfefirek.sys
22:01:38.0843 1340 mfefirek - ok
22:01:38.0875 1340 mfehidk (56d330981866a72f061dd16cc5004513) C:\WINDOWS\system32\drivers\mfehidk.sys
22:01:38.0875 1340 mfehidk - ok
22:01:38.0921 1340 mfendisk (62acda4e958e2a392557ba3c6c754a58) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
22:01:38.0921 1340 mfendisk - ok
22:01:38.0921 1340 mfendiskmp (62acda4e958e2a392557ba3c6c754a58) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
22:01:38.0921 1340 mfendiskmp - ok
22:01:38.0968 1340 mferkdet (89b564d63c53fc0c6782ab07eea63acf) C:\WINDOWS\system32\drivers\mferkdet.sys
22:01:38.0968 1340 mferkdet - ok
22:01:39.0031 1340 mfetdi2k (922e64ca38e38106498fb3435a8e399d) C:\WINDOWS\system32\drivers\mfetdi2k.sys
22:01:39.0031 1340 mfetdi2k - ok
22:01:39.0062 1340 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:01:39.0062 1340 mnmdd - ok
22:01:39.0109 1340 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
22:01:39.0109 1340 Modem - ok
22:01:39.0171 1340 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
22:01:39.0171 1340 MODEMCSA - ok
22:01:39.0218 1340 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:01:39.0234 1340 Mouclass - ok
22:01:39.0265 1340 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:01:39.0265 1340 mouhid - ok
22:01:39.0281 1340 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
22:01:39.0296 1340 MountMgr - ok
22:01:39.0343 1340 MPFP (bc2a92cff784555ed622f861cb34f2e6) C:\WINDOWS\system32\Drivers\Mpfp.sys
22:01:39.0343 1340 MPFP - ok
22:01:39.0359 1340 mraid35x - ok
22:01:39.0375 1340 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:01:39.0375 1340 MRxDAV - ok
22:01:39.0437 1340 MRxSmb (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:01:39.0453 1340 MRxSmb - ok
22:01:39.0468 1340 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
22:01:39.0468 1340 Msfs - ok
22:01:39.0484 1340 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:01:39.0484 1340 MSKSSRV - ok
22:01:39.0500 1340 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:01:39.0500 1340 MSPCLOCK - ok
22:01:39.0531 1340 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
22:01:39.0531 1340 MSPQM - ok
22:01:39.0562 1340 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:01:39.0562 1340 mssmbios - ok
22:01:39.0578 1340 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
22:01:39.0578 1340 Mup - ok
22:01:39.0625 1340 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
22:01:39.0625 1340 NDIS - ok
22:01:39.0656 1340 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:01:39.0656 1340 NdisTapi - ok
22:01:39.0687 1340 Ndisuio (8d3ce6b579cde8d37acc690b67dc2106) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:01:39.0703 1340 Ndisuio - ok
22:01:39.0734 1340 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:01:39.0734 1340 NdisWan - ok
22:01:39.0781 1340 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
22:01:39.0781 1340 NDProxy - ok
22:01:39.0812 1340 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:01:39.0812 1340 NetBIOS - ok
22:01:39.0843 1340 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:01:39.0843 1340 NetBT - ok
22:01:39.0890 1340 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
22:01:39.0890 1340 Npfs - ok
22:01:39.0953 1340 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
22:01:39.0968 1340 Ntfs - ok
22:01:40.0000 1340 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
22:01:40.0000 1340 NTIDrvr - ok
22:01:40.0046 1340 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:01:40.0046 1340 Null - ok
22:01:40.0093 1340 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:01:40.0093 1340 NwlnkFlt - ok
22:01:40.0109 1340 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:01:40.0109 1340 NwlnkFwd - ok
22:01:40.0140 1340 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
22:01:40.0140 1340 Parport - ok
22:01:40.0171 1340 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
22:01:40.0171 1340 PartMgr - ok
22:01:40.0203 1340 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:01:40.0203 1340 ParVdm - ok
22:01:40.0250 1340 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
22:01:40.0250 1340 PCI - ok
22:01:40.0265 1340 PCIDump - ok
22:01:40.0312 1340 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:01:40.0312 1340 PCIIde - ok
22:01:40.0343 1340 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:01:40.0343 1340 Pcmcia - ok
22:01:40.0359 1340 PDCOMP - ok
22:01:40.0390 1340 PDFRAME - ok
22:01:40.0390 1340 PDRELI - ok
22:01:40.0406 1340 PDRFRAME - ok
22:01:40.0437 1340 perc2 - ok
22:01:40.0453 1340 perc2hib - ok
22:01:40.0531 1340 Point32 (dcdf0421a1c14f2923e298a30fd7636d) C:\WINDOWS\system32\DRIVERS\point32.sys
22:01:40.0531 1340 Point32 - ok
22:01:40.0546 1340 PortRW (a7e67865db59e54801122077df8ade36) C:\WINDOWS\system32\Drivers\PortRW.sys
22:01:40.0546 1340 PortRW - ok
22:01:40.0593 1340 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:01:40.0593 1340 PptpMiniport - ok
22:01:40.0656 1340 PQNTDrv (b26019a686d36e22f954e67c8fec4297) C:\WINDOWS\system32\drivers\PQNTDrv.sys
22:01:40.0656 1340 PQNTDrv - ok
22:01:40.0687 1340 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
22:01:40.0687 1340 PSched - ok
22:01:40.0765 1340 psdfilter (00b670d8a36c7134cfc66b446a18cc92) C:\WINDOWS\system32\Drivers\psdfilter.sys
22:01:40.0765 1340 psdfilter - ok
22:01:40.0796 1340 psdvdisk (e9a60343cb7c39090638b1dd574f26eb) C:\WINDOWS\system32\Drivers\psdvdisk.sys
22:01:40.0796 1340 psdvdisk - ok
22:01:40.0828 1340 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:01:40.0828 1340 Ptilink - ok
22:01:40.0843 1340 ql1080 - ok
22:01:40.0859 1340 Ql10wnt - ok
22:01:40.0875 1340 ql12160 - ok
22:01:40.0921 1340 ql1240 - ok
22:01:40.0968 1340 ql1280 - ok
22:01:41.0046 1340 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:01:41.0046 1340 RasAcd - ok
22:01:41.0125 1340 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:01:41.0125 1340 Rasl2tp - ok
22:01:41.0171 1340 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:01:41.0171 1340 RasPppoe - ok
22:01:41.0234 1340 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:01:41.0234 1340 Raspti - ok
22:01:41.0312 1340 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:01:41.0312 1340 Rdbss - ok
22:01:41.0359 1340 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:01:41.0359 1340 RDPCDD - ok
22:01:41.0406 1340 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:01:41.0406 1340 rdpdr - ok
22:01:41.0468 1340 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
22:01:41.0468 1340 RDPWD - ok
22:01:41.0515 1340 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:01:41.0515 1340 redbook - ok
22:01:41.0593 1340 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:01:41.0593 1340 Secdrv - ok
22:01:41.0671 1340 Sentinel (8627c992b8a80504fc477b2e8ff8ec4f) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
22:01:41.0671 1340 Sentinel - ok
22:01:41.0703 1340 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
22:01:41.0703 1340 serenum - ok
22:01:41.0750 1340 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
22:01:41.0750 1340 Serial - ok
22:01:41.0812 1340 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:01:41.0812 1340 Sfloppy - ok
22:01:41.0828 1340 Simbad - ok
22:01:41.0843 1340 SNTNLUSB (87f799c486302aceff098e067d481d9c) C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS
22:01:41.0843 1340 SNTNLUSB - ok
22:01:41.0859 1340 Sparrow - ok
22:01:41.0921 1340 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
22:01:41.0921 1340 splitter - ok
22:01:41.0953 1340 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
22:01:41.0984 1340 sr - ok
22:01:42.0156 1340 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
22:01:42.0171 1340 Srv - ok
22:01:42.0203 1340 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:01:42.0203 1340 swenum - ok
22:01:42.0250 1340 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
22:01:42.0250 1340 swmidi - ok
22:01:42.0265 1340 symc810 - ok
22:01:42.0296 1340 symc8xx - ok
22:01:42.0296 1340 sym_hi - ok
22:01:42.0343 1340 sym_u3 - ok
22:01:42.0375 1340 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
22:01:42.0375 1340 sysaudio - ok
22:01:42.0453 1340 Tcpip (1dbf125862891817f374f407626967f4) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:01:42.0453 1340 Tcpip - ok
22:01:42.0484 1340 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:01:42.0484 1340 TDPIPE - ok
22:01:42.0515 1340 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
22:01:42.0515 1340 TDTCP - ok
22:01:42.0562 1340 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:01:42.0562 1340 TermDD - ok
22:01:42.0625 1340 TosIde - ok
22:01:42.0640 1340 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\WINDOWS\system32\drivers\UBHelper.sys
22:01:42.0656 1340 UBHelper - ok
22:01:42.0671 1340 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
22:01:42.0687 1340 Udfs - ok
22:01:42.0703 1340 ultra - ok
22:01:42.0734 1340 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
22:01:42.0734 1340 Update - ok
22:01:42.0750 1340 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:01:42.0765 1340 usbccgp - ok
22:01:42.0781 1340 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:01:42.0781 1340 usbehci - ok
22:01:42.0812 1340 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:01:42.0812 1340 usbhub - ok
22:01:42.0875 1340 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:01:42.0875 1340 usbprint - ok
22:01:42.0921 1340 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:01:42.0921 1340 usbscan - ok
22:01:42.0984 1340 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:01:42.0984 1340 USBSTOR - ok
22:01:43.0000 1340 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:01:43.0000 1340 usbuhci - ok
22:01:43.0031 1340 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
22:01:43.0031 1340 VgaSave - ok
22:01:43.0062 1340 ViaIde - ok
22:01:43.0078 1340 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
22:01:43.0078 1340 VolSnap - ok
22:01:43.0109 1340 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:01:43.0109 1340 Wanarp - ok
22:01:43.0125 1340 WDICA - ok
22:01:43.0156 1340 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
22:01:43.0156 1340 wdmaud - ok
22:01:43.0218 1340 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
22:01:43.0218 1340 WudfPf - ok
22:01:43.0234 1340 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
22:01:43.0234 1340 WudfRd - ok
22:01:43.0343 1340 yukonwxp (ba6d2b32372a879aa817829c7cd2cb15) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
22:01:43.0343 1340 yukonwxp - ok
22:01:43.0359 1340 ZD1211BU(ZyDAS) - ok
22:01:43.0359 1340 ZD1211U(ZyDAS) - ok
22:01:43.0375 1340 ZDPSp50 - ok
22:01:43.0406 1340 MBR (0x1B8) (99852d5c3a78447c3d6d82b6155fe848) \Device\Harddisk0\DR0
22:01:44.0109 1340 \Device\Harddisk0\DR0 - ok
22:01:44.0125 1340 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
22:01:44.0125 1340 \Device\Harddisk1\DR1 - ok
22:01:44.0125 1340 MBR (0x1B8) (06449e7c4af0550b77e260798769aa40) \Device\Harddisk2\DR8
22:01:44.0140 1340 \Device\Harddisk2\DR8 - ok
22:01:44.0156 1340 Boot (0x1200) (a82133b7861ed553500d80c4a338ae1f) \Device\Harddisk0\DR0\Partition0
22:01:44.0156 1340 \Device\Harddisk0\DR0\Partition0 - ok
22:01:44.0171 1340 Boot (0x1200) (b441ccaa50c9c029c17d9507399e97d7) \Device\Harddisk0\DR0\Partition1
22:01:44.0171 1340 \Device\Harddisk0\DR0\Partition1 - ok
22:01:44.0187 1340 Boot (0x1200) (a45ee1ddad76c4e8f8fef65712138336) \Device\Harddisk2\DR8\Partition0
22:01:44.0187 1340 \Device\Harddisk2\DR8\Partition0 - ok
22:01:44.0187 1340 ============================================================
22:01:44.0187 1340 Scan finished
22:01:44.0187 1340 ============================================================
22:01:44.0203 1984 Detected object count: 0
22:01:44.0203 1984 Actual detected object count: 0
22:02:25.0046 3884 Deinitialize success

ken545
2011-12-21, 11:04
Fixreg will be on your desktop after you save that code in Notepad, but before we run it let me ask you, do you have your windows CD ?

So hang off on Fixreg for the moment and run Farbars tool, it may show what was removed that is hampering your internet access

FlaCajun
2011-12-21, 22:25
I believe I have the Windows CD, but I would have to locate it.

Below is the FSS log.

Farbar Service Scanner
Ran by Raymond Green (administrator) on 21-12-2011 at 15:21:22
Microsoft Windows XP Professional Service Pack 2 (X86)
********************************************************

Service Check:
==============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


File Check:
===========
C:\WINDOWS\system32\svchost.exe
[2004-08-04 00:00] - [2004-08-04 00:00] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716

C:\WINDOWS\system32\rpcss.dll
[2005-07-25 23:39] - [2005-07-25 23:39] - 0397824 ____A (Microsoft Corporation) CE94A2BD25E3E9F4D46A7373FF455C6D

C:\WINDOWS\system32\services.exe
[2004-08-04 00:00] - [2004-08-04 00:00] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4

C:\WINDOWS\system32\dhcpcsvc.dll
[2004-08-04 00:00] - [2006-05-19 07:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-04 00:00] - [2004-08-04 00:00] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B

C:\WINDOWS\system32\Drivers\tcpip.sys
[2006-01-12 21:28] - [2006-04-20 06:51] - 0359808 ____A (Microsoft Corporation) 1DBF125862891817F374F407626967F4

C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-04 00:00] - [2004-08-04 00:00] - 0074752 ____A () EA66D9A13E73B54F7E9AE34A0D835114

C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-04 00:00] - [2004-08-04 00:00] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D


Connection Status:
==================
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors

**** End of log ****

ken545
2011-12-21, 23:47
You need the standard 32bit version, not the 64

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
64 Bit Version (http://jpshortstuff.247Fixes.com/SystemLook_x64.exe)


Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
ipsec.sys


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

FlaCajun
2011-12-22, 22:13
I have the Windows XP disk.
I presume it is the one for this computer.
I had XP on another older computer.

Here is the SystemLook log.

SystemLook 30.07.11 by jpshortstuff
Log created at 15:01 on 22/12/2011 by Raymond Green
Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"
C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ipsec.sys --a---- 75264 bytes [19:19 13/04/2008] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\dllcache\ipsec.sys --a---- 74752 bytes [05:00 04/08/2004] [05:00 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 74752 bytes [05:00 04/08/2004] [05:00 04/08/2004] EA66D9A13E73B54F7E9AE34A0D835114

-= EOF =-

ken545
2011-12-22, 23:53
Hang off on using the disk for now, that file is infected and we are going to replace it.


Open Notepad Go to Start> All Programs> Assessories> Notepad ( this will only work with Notepad )

and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste

it into Notepad, make sure there is no space before and above FCopy::




FCopy::
C:\WINDOWS\system32\dllcache\ipsec.sys | C:\WINDOWS\system32\drivers\ipsec.sys


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Then check your internet connection

FlaCajun
2011-12-23, 05:54
ComboFix needed to be downloaded again for a full scan to be done.
Re-boot was not automatic.
Re-boot was much faster than previous reboots and fastest since infection.
Internet connectivity is restored.

Below is ComboFix log with CFScript


ComboFix 11-12-22.04 - Raymond Green 12/22/2011 22:34:47.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1353 [GMT -5:00]
Running from: c:\documents and settings\Raymond Green\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Raymond Green\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\oobe\isperror
c:\windows\system32\oobe\isperror\ispcnerr.htm
c:\windows\system32\oobe\isperror\ispdtone.htm
c:\windows\system32\oobe\isperror\isphdshk.htm
c:\windows\system32\oobe\isperror\ispins.htm
c:\windows\system32\oobe\isperror\ispnoanw.htm
c:\windows\system32\oobe\isperror\isppberr.htm
c:\windows\system32\oobe\isperror\ispphbsy.htm
c:\windows\system32\oobe\isperror\ispsbusy.htm
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\ipsec.sys --> c:\windows\system32\drivers\ipsec.sys
.
((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
.
.
2011-12-21 02:29 . 2011-12-21 02:29 -------- d-----w- C:\_OTL
2011-12-18 19:52 . 2004-08-04 05:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-12-18 19:52 . 2004-08-04 05:00 187776 ----a-w- c:\windows\system32\dllcache\acpi.sys
2011-12-15 16:14 . 2011-12-16 03:34 -------- d-----w- c:\documents and settings\Raymond Green\Application Data\Voypab
2011-12-14 22:31 . 2011-12-14 22:31 -------- d-----w- c:\documents and settings\Raymond Green\Local Settings\Application Data\WMTools Downloaded Files
2011-12-08 18:05 . 2011-12-08 18:05 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-12-08 03:27 . 2011-12-08 03:27 -------- d-sh--w- c:\documents and settings\Raymond Green\PrivacIE
2011-12-08 03:25 . 2011-12-08 03:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-08 03:20 . 2011-12-08 03:20 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-08 03:20 . 2011-12-08 03:20 -------- d-sh--w- c:\documents and settings\Raymond Green\IETldCache
2011-12-08 03:15 . 2011-12-08 03:16 -------- dc-h--w- c:\windows\ie8
2011-12-08 02:59 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2011-12-08 02:59 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-12-08 02:59 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2011-12-08 02:59 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2011-12-08 02:59 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-12-08 02:59 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2011-12-08 02:59 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2011-11-29 23:44 . 2011-11-29 23:44 -------- d-----w- c:\program files\Common Files\xing shared
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-10 22:57 . 2011-07-09 22:35 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-18 19:32 . 2011-08-02 18:50 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-10-15 18:16 . 2011-08-02 18:50 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-10-15 18:16 . 2011-08-02 18:50 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-10-15 18:16 . 2011-08-02 18:50 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-10-15 18:16 . 2011-08-02 18:50 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-10-15 18:16 . 2011-08-02 18:50 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-10-15 18:16 . 2011-08-02 18:50 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-10-15 18:16 . 2011-08-02 18:50 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-10-15 18:16 . 2011-08-02 18:50 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-10-15 18:16 . 2011-08-02 18:50 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-10-15 18:16 . 2011-08-02 18:50 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-09-28 01:09 . 2011-09-21 22:22 8192 ----a-r- c:\documents and settings\Raymond Green\Application Data\Microsoft\Installer\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}\Icon84031A18.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-19 114688]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 16050176]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-07-23 352256]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"TkBellExe"="c:\progra~1\real\REALPL~1\update\realsched.exe" [2011-11-29 296056]
.
c:\documents and settings\Raymond Green\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23133:UDP"= 23133:UDP:UDP 23133
"27193:TCP"= 27193:TCP:TCP 27193
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/2/2011 1:50 PM 89792]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/2/2011 1:50 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/2/2011 1:50 PM 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/2/2011 1:50 PM 150856]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/2/2011 1:50 PM 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/2/2011 1:50 PM 83856]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/2/2011 1:50 PM 57600]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/2/2011 1:50 PM 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/2/2011 1:50 PM 87656]
S3 PortRW;PortRW;c:\windows\system32\drivers\PortRW.sys [8/15/2003 5:57 PM 3456]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2007-12-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]
.
2007-12-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]
.
2011-12-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1072916345-2785684930-38884129-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
.
2011-12-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1072916345-2785684930-38884129-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-08 21:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-22 22:39
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1072916345-2785684930-38884129-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B8E1FB93-079B-2B97-101B-0EB5A984DF5A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaoadgjmbdoampifiodljojoflofdp"=hex:64,61,6f,6f,64,61,64,6c,00,85
"oacalbkokdbgmefcbfejcedebenifl"=hex:6a,61,6f,6f,66,61,69,6b,67,6e,64,65,6d,64,
70,66,61,6d,6f,66,00,07
"namabpalabciffjhlfiogkpocmje"=hex:6a,61,70,6f,69,62,66,70,61,61,66,67,6a,6d,
67,6d,69,65,6b,6c,00,07
.
[HKEY_USERS\S-1-5-21-1072916345-2785684930-38884129-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F81AD052-41FF-D428-BFF6-E1945EC1FC35}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ianpealnfohffgmoea"=hex:64,61,6d,66,6d,66,6a,6c,00,70
"iajoeedbfeehambipd"=hex:6a,61,6d,66,61,67,64,69,68,63,63,70,6a,6b,67,69,67,61,
68,6b,00,fd
"hapoocjogchlogdi"=hex:6a,61,6d,66,61,67,64,69,68,63,63,70,6a,6b,67,69,67,61,
68,6b,00,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(532)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-12-22 22:41:09
ComboFix-quarantined-files.txt 2011-12-23 03:41
ComboFix2.txt 2011-12-19 05:01
ComboFix3.txt 2011-12-19 00:16
ComboFix4.txt 2010-12-19 14:50
.
Pre-Run: 50,688,737,280 bytes free
Post-Run: 50,670,821,376 bytes free
.
- - End Of File - - EDD98355F4E5E96FA0E6F45D4C4ED329

ken545
2011-12-23, 11:53
:bigthumb:

Lets see if Malwarebytes will run now


Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please






Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

FlaCajun
2011-12-23, 22:30
Malwarebytes was already installed on the desktop computer.
Updated files and ran program.
after about 30,000 files the program encountered an error and stopped.
The 'Send error message to Microsoft' appeared.

Re-installed Malwarebytes from link provided.
2 infected files were found (see log Malwarebytes log below).
Computer reboot performed.

Will run 'aswMBR.exe' next and post log.

Malwarebytes log.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122308

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/23/2011 3:08:46 PM
mbam-log-2011-12-23 (15-08-46).txt

Scan type: Quick scan
Objects scanned: 181671
Time elapsed: 10 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\raymond green\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
c:\documents and settings\raymond green\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

FlaCajun
2011-12-23, 22:33
aswMBR log

aswMBR version 0.9.9.1120 Copyright(c) 2011 AVAST Software
Run date: 2011-12-23 15:30:27
-----------------------------
15:30:27.718 OS Version: Windows 5.1.2600 Service Pack 2
15:30:27.718 Number of processors: 2 586 0x604
15:30:27.718 ComputerName: RAYMOND-DESKTOP UserName: Raymond Green
15:30:28.562 Initialize success
15:31:23.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
15:31:23.687 Disk 0 Vendor: ST3250820AS 3.AAD Size: 238475MB BusType: 3
15:31:23.687 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-19
15:31:23.687 Disk 1 Vendor: ST3250820AS 3.AAE Size: 238475MB BusType: 3
15:31:25.718 Disk 0 MBR read successfully
15:31:25.718 Disk 0 MBR scan
15:31:25.718 Disk 0 unknown MBR code
15:31:25.734 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 4996 MB offset 63
15:31:25.750 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 224996 MB offset 10233405
15:31:25.765 Disk 0 Partition 3 00 0C FAT32 LBA MSWIN4.1 8479 MB offset 471025800
15:31:25.796 Disk 0 scanning sectors +488392065
15:31:25.875 Disk 0 scanning C:\WINDOWS\system32\drivers
15:31:30.828 Service scanning
15:31:32.046 Modules scanning
15:31:39.500 Disk 0 trace - called modules:
15:31:39.531 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:31:39.531 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ab0cab8]
15:31:39.546 3 CLASSPNP.SYS[ba8f905b] -> nt!IofCallDriver -> \Device\00000071[0x8ab9d418]
15:31:39.546 5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x8aaf6940]
15:31:39.546 Scan finished successfully
15:32:00.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Raymond Green\Desktop\MBR.dat"
15:32:00.437 The log file has been saved successfully to "C:\Documents and Settings\Raymond Green\Desktop\aswMBR.txt"

ken545
2011-12-23, 23:04
:bigthumb:

How are things running now ?

FlaCajun
2011-12-23, 23:15
Running very well.
The computer seems to be back to its pre-virus status.
Boot-up times as well.

ken545
2011-12-23, 23:38
Wonderful :bigthumb:

A Merry Christmas to you and your family


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png




Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups, any programs that where not removed you can just drag to the trash.

Malwarebytes is the free version and yours to keep and will not be removed



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

FlaCajun
2011-12-23, 23:42
Thanks Ken545 for your help.

Off to get the Christmas meal.
I will perform the latest instructions when I get back.

I will be making a donation.

Thank you again and Merry Christmas.

FlaCajun

ken545
2011-12-24, 00:39
Your very welcome,

Take care,

Ken :)

ken545
2011-12-28, 14:04
Since this issue appears resolved this topic is now closed