
Running MalwareBytes



I originally posted an issue on Nov 2nd. I appreciate the response and am attempting to carefully implement the instructions I received exactly.

I have downloaded, installed and run the following programs:

Defogger

DDS

GMER

If this works properly, I should be uploading three log files labeled as:

DDS.txt

Attach.txt

Ark.txt

My thanks in advance. If I did this incorrectly just let me know. If you need anything else, the same.

KP


Hello,

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


Hello, Elise. I will paste both the OTL.txt log, and the Extras.txt log below.

I was unable to download Rootkit Unhooker. My efforts in that regard always resulted in my being informed that my internet connection was broken.

This has been a recurring theme since the trouble began. Oddly enough, I am able to surf the internet without difficulty, but I am on occasion being informed that my net connection is broken.

I have already checked with my DSL provider and they have confirmed my connection is functioning properly.

I have downloaded and installed MalwareBytes, but I am unable to actually run it.

I have also downloaded both AVG anti-virus and Trend Micro anti-virus, but have been unable to install. When I try I am informed that my internet connection is broken.

I uploaded the Ark.txt, Attach.txt, and DDS.txt log files Friday. I did not paste them to the body of an email. I am not copying them into this email as I have not been so instructed. I still have them and can send them if you require them.

Thank you in advance.

OTL logfile created on: 11/8/2010 9:29:03 AM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\KRIS\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 93.00 Mb Available Physical Memory | 18.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.53 Gb Total Space | 57.04 Gb Free Space | 76.53% Space Free | Partition Type: NTFS

Drive D: | 621.62 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: CATLAILS | User Name: KRIS | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/08 09:28:11 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\KRIS\Desktop\OTL.exe

PRC - [2010/10/12 10:08:06 | 000,724,152 | ---- | M] (iolo technologies, LLC) -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe

PRC - [2010/09/14 13:03:58 | 000,984,352 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

PRC - [2010/09/14 11:45:30 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

PRC - [2010/09/13 06:43:41 | 000,038,200 | ---- | M] () -- C:\WINDOWS\DOWNLO~1\MyWebEx\319\raagtx.exe

PRC - [2010/09/13 06:42:32 | 000,103,736 | ---- | M] () -- C:\WINDOWS\DOWNLO~1\MyWebEx\319\RAAGTAPP.EXE

PRC - [2010/01/16 12:30:16 | 000,185,640 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe

PRC - [2010/01/16 12:30:10 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe

PRC - [2010/01/16 12:30:02 | 000,206,120 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe

PRC - [2009/09/11 06:24:32 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe

PRC - [2009/09/11 06:23:46 | 002,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe

PRC - [2009/09/10 12:15:32 | 000,016,792 | ---- | M] () -- C:\WINDOWS\DOWNLO~1\MyWebEx\319\atnthost.exe

PRC - [2009/01/14 16:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

PRC - [2008/01/08 12:02:16 | 001,213,728 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

PRC - [2007/06/13 02:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2004/09/10 15:32:48 | 000,053,248 | ---- | M] (Brother Industries, Ltd.) -- C:\WINDOWS\system32\BrmfBAgS.exe

========== Modules (SafeList) ==========

MOD - [2010/11/08 09:28:11 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\KRIS\Desktop\OTL.exe

MOD - [2010/01/16 12:30:06 | 000,116,008 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Qwest\Quickcare\bin\sprthook.dll

MOD - [2006/08/25 07:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll

MOD - [2004/08/03 23:56:43 | 001,392,671 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvbvm60.dll

MOD - [2004/08/03 23:56:43 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll

MOD - [2004/08/03 23:56:42 | 000,159,232 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dinput.dll

MOD - [2001/10/04 16:50:08 | 000,040,820 | ---- | M] (SoundMAX) -- C:\WINDOWS\system32\Syncor11.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)

SRV - [2010/10/12 10:08:06 | 000,724,152 | ---- | M] (iolo technologies, LLC) [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloSystemService)

SRV - [2010/10/12 10:08:06 | 000,724,152 | ---- | M] (iolo technologies, LLC) [Auto | Running] -- C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe -- (ioloFileInfoList)

SRV - [2010/09/14 11:45:30 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)

SRV - [2010/01/16 12:31:40 | 000,382,320 | ---- | M] (SupportSoft, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\supportsoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)

SRV - [2010/01/16 12:30:16 | 000,185,640 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Qwest\Quickcare\bin\tgsrvc.exe -- (tgsrvc_quickcare) SupportSoft Repair Service (quickcare)

SRV - [2010/01/16 12:30:10 | 000,206,120 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Qwest\Quickcare\bin\sprtsvc.exe -- (sprtsvc_quickcare) SupportSoft Sprocket Service (quickcare)

SRV - [2009/09/11 06:33:18 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)

SRV - [2009/09/11 06:24:32 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)

SRV - [2009/09/10 12:15:32 | 000,016,792 | ---- | M] () [Auto | Running] -- C:\WINDOWS\DOWNLO~1\MyWebEx\319\atnthost.exe -- (atnthost)

SRV - [2009/01/14 16:53:02 | 000,226,656 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)

SRV - [2008/08/08 21:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)

SRV - [2008/01/08 12:02:16 | 001,213,728 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe -- (sprtlisten)

SRV - [2004/09/10 15:32:48 | 000,053,248 | ---- | M] (Brother Industries, Ltd.) [Auto | Running] -- C:\WINDOWS\System32\BrmfBAgS.exe -- (brmfbags)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\wdcsam.sys -- (WDC_SAM)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\DRIVERS\atimtag.sys -- (atimtag)

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\KRIS\LOCALS~1\Temp\ATICDSDr.sys -- (ATICDSDr)

DRV - [2009/09/11 06:26:24 | 000,055,768 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdi.sys -- (epfwtdi)

DRV - [2009/09/11 06:26:20 | 000,135,048 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epfw.sys -- (epfw)

DRV - [2009/09/11 06:23:50 | 000,108,792 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv)

DRV - [2009/09/11 06:17:16 | 000,116,008 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)

DRV - [2009/06/19 08:10:40 | 000,033,096 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\epfwndis.sys -- (Epfwndis)

DRV - [2004/11/23 16:39:36 | 000,061,440 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrSerWdm.sys -- (BrSerWdm)

DRV - [2004/10/15 11:50:20 | 000,015,295 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrScnUsb.sys -- (BrScnUsb)

DRV - [2004/09/29 02:24:38 | 000,051,712 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrSerIf.sys -- (BrSerIf)

DRV - [2004/08/03 22:07:44 | 000,063,744 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mf.sys -- (mf)

DRV - [2004/08/03 21:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)

DRV - [2004/01/10 03:28:18 | 000,011,648 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BrUsbSer.sys -- (BrUsbSer)

DRV - [2003/01/15 09:03:45 | 000,240,640 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)

DRV - [2003/01/15 09:03:45 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)

DRV - [2003/01/15 09:03:45 | 000,134,426 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2K)

DRV - [2003/01/15 09:03:45 | 000,061,424 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)

DRV - [2003/01/15 09:03:45 | 000,030,406 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)

DRV - [2003/01/15 09:03:45 | 000,025,674 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)

DRV - [2003/01/15 09:03:45 | 000,023,420 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)

DRV - [2002/07/25 00:17:10 | 000,480,512 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2001/08/17 13:12:24 | 000,003,168 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrParImg.sys -- (brparimg)

DRV - [2001/08/17 13:12:18 | 000,039,552 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrParwdm.sys -- (BrParWdm)

DRV - [2001/08/17 13:12:12 | 000,002,944 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BrFilt.sys -- (brfilt)

DRV - [2001/08/17 04:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ctlmonitors.com

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ctlmonitors.com

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ctlmonitors.com

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ctlmonitors.com

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3790702409-2923229327-2501258402-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

IE - HKU\S-1-5-21-3790702409-2923229327-2501258402-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2010/11/03 14:52:52 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2001/08/18 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (CSMHelperObj Class) - {0F660F64-F4C9-477F-8529-44181B717472} - C:\Program Files\AT&T\WnClient\Programs\CSMBHO.dll ()

O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll (Microsoft Corp.)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (Google Inc.)

O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.

O3 - HKU\S-1-5-21-3790702409-2923229327-2501258402-1004\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)

O4 - HKLM..\Run: [intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)

O4 - HKLM..\Run: [KernelFaultCheck] File not found

O4 - HKLM..\Run: [QuickCare] C:\Program Files\Qwest\Quickcare\bin\sprtcmd.exe (SupportSoft, Inc.)

O4 - HKU\S-1-5-21-3790702409-2923229327-2501258402-1004..\Run: [MyCleanPC Registry Cleaner] C:\Program Files\CyberDefender\Registry Scanner\CDregclean.exe File not found

O4 - HKU\S-1-5-21-3790702409-2923229327-2501258402-1004..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Remote Access.LNK = C:\WINDOWS\DOWNLO~1\MyWebEx\319\raagtx.exe ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-3790702409-2923229327-2501258402-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O9 - Extra Button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe ()

O15 - HKU\S-1-5-21-3790702409-2923229327-2501258402-1004\..Trusted Domains: ([]msn in My Computer)

O15 - HKU\S-1-5-21-3790702409-2923229327-2501258402-1004\..Trusted Domains: download.com ([]* in Trusted sites)

O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} file://E:\content\include\XPPatchInstaller.CAB (PatchInstaller.Installer)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1226808827270 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_18)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc.cab (GpcContainer Class)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25

O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\KRIS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\KRIS\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2003/01/15 08:43:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O32 - AutoRun File - [2009/01/13 09:14:20 | 000,000,114 | R--- | M] () - D:\AUTORUN.INF -- [ UDF ]

O32 - AutoRun File - [2009/01/13 09:14:20 | 000,685,312 | R--- | M] (ESET s.r.o.) - D:\Autorun.exe -- [ UDF ]

O32 - AutoRun File - [2009/10/12 17:32:59 | 000,000,000 | R--D | M] - D:\AutorunConfig -- [ UDF ]

O33 - MountPoints2\D\Shell - "" = AutoRun

O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Autorun.exe -- [2009/01/13 09:14:20 | 000,685,312 | R--- | M] (ESET s.r.o.)

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/11/08 09:28:03 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\KRIS\Desktop\OTL.exe

[2010/11/04 15:16:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KRIS\Desktop\New Folder

[2010/11/03 14:52:45 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/11/03 08:31:48 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache

[2010/11/02 09:15:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KRIS\Desktop\TrendMicro_Downloader(TAV)

[2010/11/02 09:14:42 | 002,472,640 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\KRIS\Desktop\TrendMicro_Downloader(TAV).exe

[2010/11/02 09:00:52 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/11/02 09:00:50 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/11/02 08:52:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET

[2010/11/01 14:18:16 | 000,724,003 | ---- | C] (Intuit Inc.) -- C:\Documents and Settings\KRIS\Desktop\Nettool.exe

[2010/11/01 12:19:17 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/11/01 12:19:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\iolo

[2010/11/01 08:17:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData

[2010/11/01 08:17:33 | 004,329,496 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\KRIS\My Documents\avg_free_stb_all_2011_1153_cnet.exe

[2010/10/28 08:28:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KRIS\Local Settings\Application Data\ESET

[2010/10/27 12:36:06 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\KRIS\My Documents\mbam-setup-1.46.exe

[2010/10/27 09:11:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KRIS\Application Data\ESET

[2010/10/27 09:09:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET

[2010/10/27 08:59:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs

[2010/10/26 09:29:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google

[2010/10/26 09:22:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp

[2010/10/26 09:22:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

[2010/10/26 09:15:51 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software

[2010/10/26 09:15:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software

[2010/10/20 15:56:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KRIS\Local Settings\Application Data\Threat Expert

[2010/10/20 14:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\KRIS\Application Data\Malwarebytes

[2010/10/20 13:36:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/10/20 12:39:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2010/10/20 11:54:32 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/08 09:29:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/11/08 09:28:11 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\KRIS\Desktop\OTL.exe

[2010/11/08 08:02:46 | 000,433,258 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/11/08 08:02:46 | 000,067,648 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/11/08 07:58:32 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/11/08 07:58:10 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/11/08 07:58:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/11/08 07:57:57 | 536,186,880 | -HS- | M] () -- C:\hiberfil.sys

[2010/11/05 14:28:27 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\KRIS\My Documents\List of Sales.doc

[2010/11/04 15:14:08 | 000,545,280 | ---- | M] () -- C:\Documents and Settings\KRIS\Desktop\dds.pif

[2010/11/04 10:03:21 | 000,628,736 | ---- | M] () -- C:\Documents and Settings\KRIS\Desktop\dds.com

[2010/11/04 09:56:30 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\KRIS\defogger_reenable

[2010/11/04 09:55:25 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\KRIS\Desktop\Defogger.exe

[2010/11/04 09:02:23 | 000,295,424 | ---- | M] () -- C:\Documents and Settings\KRIS\Desktop\utjj1fjo.exe

[2010/11/03 15:10:27 | 000,299,640 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/11/03 09:06:33 | 000,010,787 | ---- | M] () -- C:\Documents and Settings\KRIS\Desktop\Doc1.docx

[2010/11/02 12:15:24 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\KRIS\My Documents\LetterH.doc

[2010/11/02 09:14:55 | 002,472,640 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\KRIS\Desktop\TrendMicro_Downloader(TAV).exe

[2010/11/02 09:00:55 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/11/01 14:25:00 | 000,001,141 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QB Connection Diagnostic Tool.lnk

[2010/11/01 14:18:25 | 000,724,003 | ---- | M] (Intuit Inc.) -- C:\Documents and Settings\KRIS\Desktop\Nettool.exe

[2010/11/01 13:36:50 | 000,020,992 | ---- | M] () -- C:\Documents and Settings\KRIS\My Documents\Multno13.doc

[2010/11/01 08:17:34 | 004,329,496 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\KRIS\My Documents\avg_free_stb_all_2011_1153_cnet.exe

[2010/11/01 08:12:59 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT

[2010/10/28 14:28:38 | 051,515,288 | ---- | M] () -- C:\Documents and Settings\KRIS\My Documents\setup_av_free.exe

[2010/10/28 13:55:10 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\KRIS\My Documents\mbam-setup-1.46.exe

[2010/10/28 12:46:01 | 000,019,456 | ---- | M] () -- C:\Documents and Settings\KRIS\My Documents\BeavRe4.doc

[2010/10/26 08:34:40 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\KRIS\My Documents\RH.doc

[2010/10/24 13:04:17 | 000,000,090 | ---- | M] () -- C:\WINDOWS\QBChanUtil_Trigger.ini

[2010/10/20 14:16:17 | 000,000,006 | ---- | M] () -- C:\Documents and Settings\KRIS\Application Data\completescan

[2010/10/20 12:15:35 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat

[2010/10/20 07:24:58 | 000,000,006 | ---- | M] () -- C:\Documents and Settings\KRIS\Application Data\start

[2010/10/19 07:33:17 | 000,000,010 | ---- | M] () -- C:\Documents and Settings\KRIS\Application Data\install

[2010/10/19 07:32:30 | 000,000,195 | ---- | M] () -- C:\Documents and Settings\KRIS\Application Data\35259.bat

[2010/10/13 15:24:08 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\KRIS\My Documents\CapManPri.doc

[2010/10/13 15:23:39 | 000,025,088 | ---- | M] () -- C:\Documents and Settings\KRIS\My Documents\Capital Manor Price List.doc

[2010/10/12 11:55:54 | 000,087,688 | ---- | M] (iolo technologies, LLC) -- C:\WINDOWS\System32\IncContxMenu.dll

[2010/10/12 11:55:18 | 000,011,776 | ---- | M] (iolo technologies, LLC) -- C:\WINDOWS\System32\smrgdf.exe

[2010/10/12 11:55:10 | 000,029,696 | ---- | M] (iolo technologies, LLC) -- C:\WINDOWS\System32\iolobtdfg.exe

[2010/10/12 10:08:52 | 002,233,016 | ---- | M] (iolo technologies, LLC) -- C:\WINDOWS\System32\Incinerator.dll

[2010/10/12 09:52:44 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\KRIS\My Documents\J&D17.doc

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/05 14:28:27 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\KRIS\My Documents\List of Sales.doc

[2010/11/04 15:14:01 | 000,545,280 | ---- | C] () -- C:\Documents and Settings\KRIS\Desktop\dds.pif

[2010/11/04 10:03:15 | 000,628,736 | ---- | C] () -- C:\Documents and Settings\KRIS\Desktop\dds.com

[2010/11/04 09:56:30 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\KRIS\defogger_reenable

[2010/11/04 09:55:25 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\KRIS\Desktop\Defogger.exe

[2010/11/04 09:02:20 | 000,295,424 | ---- | C] () -- C:\Documents and Settings\KRIS\Desktop\utjj1fjo.exe

[2010/11/03 08:27:09 | 000,010,787 | ---- | C] () -- C:\Documents and Settings\KRIS\Desktop\Doc1.docx

[2010/11/02 09:10:28 | 536,186,880 | -HS- | C] () -- C:\hiberfil.sys

[2010/11/02 09:00:55 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/11/01 14:25:00 | 000,001,141 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QB Connection Diagnostic Tool.lnk

[2010/10/29 13:17:57 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\KRIS\My Documents\Multno13.doc

[2010/10/28 12:46:00 | 000,019,456 | ---- | C] () -- C:\Documents and Settings\KRIS\My Documents\BeavRe4.doc

[2010/10/26 15:34:38 | 051,515,288 | ---- | C] () -- C:\Documents and Settings\KRIS\My Documents\setup_av_free.exe

[2010/10/26 09:24:50 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/10/26 09:16:42 | 000,000,896 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/10/26 08:34:28 | 000,020,480 | ---- | C] () -- C:\Documents and Settings\KRIS\My Documents\RH.doc

[2010/10/19 07:41:01 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\KRIS\Application Data\start

[2010/10/19 07:39:17 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\KRIS\Application Data\completescan

[2010/10/19 07:33:17 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\KRIS\Application Data\install

[2010/10/19 07:32:30 | 000,000,195 | ---- | C] () -- C:\Documents and Settings\KRIS\Application Data\35259.bat

[2010/10/12 09:52:43 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\KRIS\My Documents\J&D17.doc

[2010/03/15 14:10:05 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll

[2010/03/15 14:10:04 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll

[2010/03/15 14:10:04 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll

[2010/03/12 10:04:25 | 000,074,703 | ---- | C] () -- C:\WINDOWS\System32\mfc45.dll

[2009/04/08 08:10:59 | 000,050,652 | ---- | C] () -- C:\WINDOWS\System32\drivers\atntwink.sys

[2009/03/09 09:14:12 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2008/11/17 14:24:28 | 000,001,751 | ---- | C] () -- C:\WINDOWS\BrmfBidi.ini

[2008/11/17 14:24:15 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI

[2008/11/17 14:20:55 | 000,000,225 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini

[2008/11/17 14:20:55 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini

[2008/11/17 14:20:18 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\BRTCPCON.DLL

[2008/11/17 14:20:18 | 000,000,052 | ---- | C] () -- C:\WINDOWS\System32\BrmfBAgP.ini

[2008/11/17 14:20:18 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\BrmfBAgS.ini

[2008/11/17 14:20:17 | 000,000,114 | ---- | C] () -- C:\WINDOWS\System32\BRLMW03A.INI

[2008/11/17 14:19:58 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll

[2008/11/17 14:17:55 | 000,027,019 | ---- | C] () -- C:\WINDOWS\maxlink.ini

[2008/11/15 23:20:57 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini

[2004/05/18 21:33:18 | 000,000,662 | ---- | C] () -- C:\WINDOWS\tlknw5.ini

[2003/10/23 20:08:45 | 000,000,040 | ---- | C] () -- C:\WINDOWS\nero.INI

[2003/09/24 17:55:56 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt

[2003/01/19 17:03:33 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2003/01/18 16:20:21 | 000,000,091 | ---- | C] () -- C:\WINDOWS\CIV.INI

[2003/01/18 16:13:27 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\IYVU9_32.DLL

[2003/01/18 15:55:19 | 000,000,067 | ---- | C] () -- C:\WINDOWS\TV4WIN.INI

[2003/01/16 23:14:42 | 000,000,692 | ---- | C] () -- C:\WINDOWS\SIERRA.INI

[2003/01/15 12:58:11 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2003/01/15 08:53:46 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll

[2003/01/15 07:33:37 | 000,000,374 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2003/01/15 00:37:32 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI

[2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

[2001/08/10 13:14:16 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ImapiRoxPS.dll

[1999/01/22 10:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

[1998/01/12 00:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== LOP Check ==========

[2010/10/21 07:08:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\iolo

[2010/10/28 14:32:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software

[2003/09/24 17:39:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund LLC

[2008/11/15 23:20:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES

[2010/10/27 09:09:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET

[2010/11/01 08:52:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo

[2009/11/05 16:08:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kaspersky SDK

[2009/01/14 15:13:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier

[2010/11/01 12:19:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData

[2003/01/19 17:07:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT

[2008/11/17 14:17:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft

[2008/11/16 12:07:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10

[2010/10/06 11:08:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft

[2010/10/21 17:17:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2009/12/30 14:21:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Western Digital

[2009/11/05 15:43:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KRIS\Application Data\CheckPoint

[2010/10/27 09:11:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KRIS\Application Data\ESET

[2010/02/15 12:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KRIS\Application Data\GE Catalogs

[2010/03/12 11:42:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KRIS\Application Data\iolo

[2008/12/09 08:10:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KRIS\Application Data\ScanSoft

[2010/03/15 14:38:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\KRIS\Application Data\Western DigitalTemp

[2010/03/12 10:08:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\iolo

[2010/11/01 12:19:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\iolo

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8

< End of report >

OTL Extras logfile created on: 11/8/2010 9:29:03 AM - Run 1

OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\KRIS\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 93.00 Mb Available Physical Memory | 18.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 61.00% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.53 Gb Total Space | 57.04 Gb Free Space | 76.53% Space Free | Partition Type: NTFS

Drive D: | 621.62 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: CATLAILS | User Name: KRIS | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (Intuit, Inc.)

"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:TrueVector Service -- File not found

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business

"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Disc 2

"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR

"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime

"{18A5DC99-6EC9-45B2-88DF-CA07A56ED4EA}_is1" = GE Lighting Catalog 1.3

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java 6 Update 18

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{4998FF95-709A-430A-B104-92A009ABB848}" = QuickConnect

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4A31C596-64D5-4613-83FD-D655A421588C}" = ESET Smart Security

"{55FD1D5A-7AEF-4DA3-8FAF-A71B2A52FFC7}_is1" = iolo technologies' System Mechanic

"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service

"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{71C97545-E547-4A8B-B0C8-61FF853270AC}" = PaperPort

"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system

"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003

"{9211CCBB-BEFE-4A0C-9199-D7A535DBFE5F}" = Brother MFL-Pro Suite

"{9692FD03-6662-4E62-B08C-30DFF51651E1}" = Actiontec Gateway

"{98177940-C048-4831-A279-F3888B1E2C7F}" = InstallMgr

"{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009

"{9A2F0810-369F-4E86-9072-973FBE1679C5}" = QuickBooks

"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack

"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom

"{A63E18AC-B504-4045-AFE6-A279BBABB988}" = Qwest QuickAssist Desktop Tools

"{A8AC89BA-D8CB-4372-9743-1C54D23286B0}" = MSN Toolbar

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4

"{B6EF6DCE-078E-4952-A7FA-352A9C349EB0}" = MSN Toolbar

"{B7148D71-0A8F-4501-96B4-4E1CC67F874E}" = Microsoft Default Manager

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{D3903688-F924-4AD8-B762-259CF2946C4E}" = QuickConnect

"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}" = Google Toolbar for Internet Explorer

"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"AT&T Connection Services Software" = AT&T WorldNet Service

"ATI Display Driver" = ATI Display Driver

"Civilization II Multiplayer Gold Edition" = Civilization II Multiplayer Gold Edition

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"HD Tach_is1" = HD Tach version 3

"ie8" = Windows Internet Explorer 8

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"MyWebExPC" = QuickBooks Remote Access

"Nero - Burning Rom!UninstallKey" = Ahead Nero Burning ROM

"QB Connection Diagnostic Tool" = QB Connection Diagnostic Tool

"QwestQuickCare_is1" = Qwest Quickcare 2.7

"Sierra Utilities" = Sierra Utilities

"TValue 5" = TValue 5

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Zeus" = Zeus

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 11/8/2010 12:53:26 PM | Computer Name = CATLAILS | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance

Hand

Error - 11/8/2010 12:53:26 PM | Computer Name = CATLAILS | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance

Hand

Error - 11/8/2010 12:53:26 PM | Computer Name = CATLAILS | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance

Hand

Error - 11/8/2010 12:54:01 PM | Computer Name = CATLAILS | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks Pro 2009": DMError Information:-6176Additional

Info:We were unable to obtain the IP address this was probably caused because the

file is on a distributed file syste

Error - 11/8/2010 12:54:03 PM | Computer Name = CATLAILS | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks Pro 2009": InitSystem

CheckDBServerEnvironment fail

Error - 11/8/2010 12:54:05 PM | Computer Name = CATLAILS | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks Pro 2009": DMError Information:-6176Additional

Info:We were unable to obtain the IP address this was probably caused because the

file is on a distributed file syste

Error - 11/8/2010 12:54:06 PM | Computer Name = CATLAILS | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks Pro 2009": InitSystem

CheckDBServerEnvironment fail

Error - 11/8/2010 12:54:12 PM | Computer Name = CATLAILS | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks Pro 2009": DMError Information:-6176Additional

Info:We were unable to obtain the IP address this was probably caused because the

file is on a distributed file syste

Error - 11/8/2010 12:54:13 PM | Computer Name = CATLAILS | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks Pro 2009": InitSystem

CheckDBServerEnvironment fail

Error - 11/8/2010 12:54:14 PM | Computer Name = CATLAILS | Source = QuickBooks | ID = 4

Description = An unexpected error has occured in "QuickBooks Pro 2009": DMError Information:-6176Additional

Info:We were unable to obtain the IP address this was probably caused because the

file is on a distributed file syste

[ System Events ]

Error - 11/8/2010 12:53:23 PM | Computer Name = CATLAILS | Source = SideBySide | ID = 16842811

Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\MFC80.DLL.

Reference

error message: The operation completed successfully. .

Error - 11/8/2010 12:53:44 PM | Computer Name = CATLAILS | Source = SideBySide | ID = 16842784

Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last

Error was The referenced assembly is not installed on your system.

Error - 11/8/2010 12:53:44 PM | Computer Name = CATLAILS | Source = SideBySide | ID = 16842811

Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference

error message: The referenced assembly is not installed on your system. .

Error - 11/8/2010 12:53:44 PM | Computer Name = CATLAILS | Source = SideBySide | ID = 16842811

Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\MFC80.DLL.

Reference

error message: The operation completed successfully. .

Error - 11/8/2010 12:53:44 PM | Computer Name = CATLAILS | Source = SideBySide | ID = 16842784

Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last

Error was The referenced assembly is not installed on your system.

Error - 11/8/2010 12:53:44 PM | Computer Name = CATLAILS | Source = SideBySide | ID = 16842811

Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference

error message: The referenced assembly is not installed on your system. .

Error - 11/8/2010 12:53:44 PM | Computer Name = CATLAILS | Source = SideBySide | ID = 16842811

Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\MFC80.DLL.

Reference

error message: The operation completed successfully. .

Error - 11/8/2010 12:53:50 PM | Computer Name = CATLAILS | Source = SideBySide | ID = 16842784

Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last

Error was The referenced assembly is not installed on your system.

Error - 11/8/2010 12:53:50 PM | Computer Name = CATLAILS | Source = SideBySide | ID = 16842811

Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference

error message: The referenced assembly is not installed on your system. .

Error - 11/8/2010 12:53:50 PM | Computer Name = CATLAILS | Source = SideBySide | ID = 16842811

Description = Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\MFC80.DLL.

Reference

error message: The operation completed successfully. .

< End of report >


Hello again,

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hello again, Elise. ComboFix downloaded, but will not install. I wonder again if this is related to the phantom non-existence of my internet connection. When I double click on the Combo icon, nothing happens. No prompts, no errors, nothing at all.

Would trying this in safe mode be of any use?

Best Regards,

KP


Hi, let's see if we might be dealing here with malicious file permissions.

We need to scan the system with this special tool:

* Please download and save:

Junction.zip

* Unzip it and place Junction.exe in the Windows directory (C:\Windows).

* Go to Start => Run... => Copy and paste the following command in the Run box and click OK:

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the log in your next reply.


Well, I don't claim that I can interpret this properly, but this looked interesting:

Junction v1.06 - Windows junction creator and reparse point viewer

Copyright © 2000-2010 Mark Russinovich

Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.

...

Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\MailFrontier\reginfo.xml: Access is denied.

...

Failed to open \\?\c:\\Documents and Settings\KRIS\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db: Access is denied.

Failed to open \\?\c:\\Documents and Settings\KRIS\Local Settings\Application Data\Microsoft\CardSpace\CardSpaceSP2.db.shadow: Access is denied.

...

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

...

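Added example, not part of the thread and not Sysinternals' code: a small Python triage of the Junction output format posted above. It parses the "Failed to open" lines and each reparse point's Print Name and Substitute Name, then flags any junction whose followed target lies outside an allow-list. The allow-list (only C:\WINDOWS\WinSxS, where the two GAC junctions shown point) is an assumption, and the sample log with its EXAMPLE junction is constructed.

```python
r"""Triage of the text Sysinternals Junction prints for the junction -s c:\ scan above.

Added example, not part of the thread and not Sysinternals code.  It parses the
"Failed to open" lines and each reparse point's Print Name / Substitute Name, then
flags junctions whose followed target lies outside an allow-list.  The allow-list
(only C:\WINDOWS\WinSxS, where the thread's two .NET GAC junctions point) is an
assumption; widen it for the machine under review.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of the log posted above: the thread's two GAC
# junctions, two "Failed to open" lines, and one made-up junction (EXAMPLE paths).
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
   Print Name     : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
   Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
   Print Name     : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
   Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
\\?\c:\\EXAMPLE\constructed_junction: JUNCTION
   Print Name     : C:\EXAMPLE_TARGET\outside_winsxs
   Substitute Name: C:\EXAMPLE_TARGET\outside_winsxs
"""

# "<path>: KIND" lines: the path itself contains "c:", so match non-greedily up to ": KIND" at end.
ENTRY_RE = re.compile(r"^\s*(?P<path>\\\\\?\\.+?):\s*(?P<kind>[A-Z][A-Z ]*[A-Z])\s*$")
FAILED_RE = re.compile(r"^\s*Failed to open (?P<path>.+?): (?P<reason>.+?)\.?\s*$")
NAME_RE = re.compile(r"^\s*(?P<field>Print Name|Substitute Name)\s*:\s*(?P<target>.*?)\s*$")
DEFAULT_ALLOWED = ("C:\\WINDOWS\\WinSxS\\",)  # assumed; see module docstring


@dataclass
class ReparsePoint:
    path: str                  # normalized location of the reparse point
    kind: str                  # JUNCTION etc., as Junction labels it
    print_name: str = ""       # cosmetic target shown to users
    substitute_name: str = ""  # target the filesystem actually follows


def normalize(path: str) -> str:
    # Turn the \\?\c:\\WINDOWS\foo form Junction prints into C:\WINDOWS\foo.
    if path.startswith("\\\\?\\"):
        path = path[4:]
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    return path[:1].upper() + path[1:]


def parse_junction_log(text: str) -> tuple[list[ReparsePoint], list[tuple[str, str]]]:
    """Return (reparse points, [(path, reason), ...] for each 'Failed to open' line)."""
    points, failures, current = [], [], None
    for line in text.splitlines():
        if m := FAILED_RE.match(line):
            failures.append((normalize(m.group("path")), m.group("reason")))
            current = None
        elif m := ENTRY_RE.match(line):
            current = ReparsePoint(normalize(m.group("path")), m.group("kind"))
            points.append(current)
        elif (m := NAME_RE.match(line)) and current is not None:
            if m.group("field") == "Print Name":
                current.print_name = m.group("target")
            else:
                current.substitute_name = m.group("target")
    return points, failures


def triage(points: list[ReparsePoint], allowed_prefixes=DEFAULT_ALLOWED) -> list[tuple[ReparsePoint, list[str]]]:
    """Flag points whose followed target (Substitute Name) is outside the allow-list,
    or whose Print Name disagrees with it, since only the substitute name is resolved."""
    allowed = tuple(a.upper() for a in allowed_prefixes)
    findings = []
    for p in points:
        reasons = []
        target = p.substitute_name or p.print_name
        if not target:
            reasons.append("no target recorded")
        elif not target.upper().startswith(allowed):
            reasons.append(f"target outside allow-list: {target}")
        if p.print_name and p.substitute_name and p.print_name.upper() != p.substitute_name.upper():
            reasons.append("print name and substitute name differ")
        if reasons:
            findings.append((p, reasons))
    return findings


if __name__ == "__main__":
    import sys
    # Argument: the log.txt written by "junction -s c:\"; with none, the constructed sample is used.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    points, failures = parse_junction_log(text)
    denied = [path for path, reason in failures if reason == "Access is denied"]
    print(f"{len(points)} reparse points, {len(failures)} failed opens, {len(denied)} access denied")
    for point, reasons in triage(points):
        print(f"REVIEW {point.kind} {point.path}: " + "; ".join(reasons))
```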

That looks okay. Please see if this works:

  • Please download Rootkit Unhooker and save it to your desktop.
  • Extract RKUnhooker to your desktop.
    • Note: it is zipped up in a .rar file. If you do not have a program to unzip this type of file, you can get a free one from here: http://www.7-zip.org/

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


I am pleased to say it downloaded, extracted, installed and ran without a hitch.

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 2)

Number of processors #1

==============================================

>Drivers

==============================================

0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2181376 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2181376 bytes

0x804D7000 RAW 2181376 bytes

0x804D7000 WMIxWDM 2181376 bytes

0xBF800000 Win32k 1851392 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xBF049000 C:\WINDOWS\System32\ati3d1ag.dll 839680 bytes (ATI Technologies Inc. , ati3d1ag.dll)

0xEF478000 C:\WINDOWS\system32\DRIVERS\eamon.sys 835584 bytes (ESET, Amon monitor)

0xF8523000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xF7B96000 C:\WINDOWS\system32\drivers\smwdm.sys 528384 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )

0xF7CA2000 C:\WINDOWS\System32\DRIVERS\ati2mtag.sys 483328 bytes (ATI Technologies Inc., ATI Radeon Miniport Driver)

0xEF775000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xF7A37000 C:\WINDOWS\System32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)

0xEF88D000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xEEC64000 C:\WINDOWS\System32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xEF977000 C:\WINDOWS\System32\Drivers\cdudf_xp.SYS 241664 bytes (Roxio, CD-UDF NT Filesystem Driver)

0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 225280 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xEF932000 C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS 208896 bytes (Roxio, CD-UDF NT Filesystem Reader Driver)

0xF7ADA000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xF8667000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xF84F6000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xEEDFB000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xEE1A6000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xEF7E4000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xEF852000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF8611000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xF7B72000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xEF42D000 C:\WINDOWS\system32\DRIVERS\epfw.sys 143360 bytes (ESET, ESET Personal Firewall driver)

0xEF18A000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xF7C34000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xF7C6B000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xEF80F000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xEF831000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)

0x806EC000 ACPI_HAL 131968 bytes

0x806EC000 C:\WINDOWS\system32\hal.dll 131968 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF85D9000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF8637000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xEF9D2000 C:\WINDOWS\system32\DRIVERS\ehdrv.sys 118784 bytes (ESET, ESET Helper driver)

0xF7C17000 C:\WINDOWS\System32\Drivers\pwd_2K.SYS 118784 bytes (Roxio, Win2000 Framework for Packet Write Driver)

0xF84DB000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF85F9000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xEF684000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xF7B5B000 C:\WINDOWS\system32\drivers\aeaudio.sys 94208 bytes (Andrea Electronics Corporation, Andrea Audio Noise Cancellation Driver)

0xF85B0000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF7B44000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xEF0D5000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xF7C57000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xF7C8E000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xEF87A000 C:\WINDOWS\system32\DRIVERS\epfwtdi.sys 77824 bytes (ESET, ESET Personal Firewall TDI filter)

0xEF8E5000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF85C7000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xEF6C4000 C:\WINDOWS\System32\Drivers\BrSerIf.sys 69632 bytes (Brother Industries Ltd., Brotehr Serial I/F Driver (WDM))

0xF8656000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF7B33000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xF8836000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xF7D98000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 61440 bytes (Roxio, CDR4_XP CDR Helper)

0xF7D68000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xF7D78000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xEF1E5000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF8786000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF7D88000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF86F6000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF8926000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xF7D48000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF86D6000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF7D28000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF8706000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)

0xF7D58000 C:\WINDOWS\system32\DRIVERS\Epfwndis.sys 45056 bytes (ESET, ESET Personal Firewall NDIS filter)

0xF7DA8000 C:\WINDOWS\system32\drivers\Imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF86C6000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF7D38000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF8746000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF8736000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF86E6000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF87D6000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF8916000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xF86B6000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF7D18000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF87B6000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xEEA4C000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xF87A6000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF8A76000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF8A7E000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0xF8A0E000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)

0xF8936000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF89EE000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF8AB6000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)

0xF8A16000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 24576 bytes (Roxio, CDRAL for Windows 2000 Kernel Driver)

0xF8A06000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF8A46000 C:\WINDOWS\System32\Drivers\mmc_2K.SYS 24576 bytes (Roxio, CD-R/RW AddOn MMC Driver (W2K))

0xF89FE000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF89F6000 C:\WINDOWS\System32\DRIVERS\RTL8139.SYS 24576 bytes (Realtek Semiconductor Corporation, Realtek RTL8139 NDIS 5.0 Driver)

0xF8A66000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF8A56000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)

0xF8A6E000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF893E000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF8A2E000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF8A36000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF8A26000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF89E6000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xF8A1E000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0xF898E000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xEFA0B000 C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys 16384 bytes (Brother Industries Ltd., Brother USB Scanner Driver)

0xF84AB000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xEF474000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF8AC6000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xEFA03000 C:\WINDOWS\System32\Drivers\BrUsbSer.sys 12288 bytes (Brother Industries Ltd., Brother USB Serial Driver )

0xEF908000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xF8B9E000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xF8B7A000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF8BEE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF8BBC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xF8C68000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xF8BEC000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF8BBA000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)

0xF8BB6000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF8BF0000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF8BFC000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)

0xF8BF2000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF8BE6000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF8BEA000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF8BB8000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF8D42000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF8DA3000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF8D12000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

!!!!!!!!!!!Hidden driver: 0x8268AAEA ?_empty_? 1302 bytes

!!!!!!!!!!!Hidden driver: 0x82AECAE8 ?_empty_? 0 bytes

==============================================

>Stealth

==============================================

0xF85F9000 WARNING: suspicious driver modification [atapi.sys::0x8268AAEA]

0x8277FF53 Unknown page with executable code, 173 bytes

0x82806E44 Unknown page with executable code, 444 bytes

0x011A0000 Hidden Image-->CFScan.dll [ EPROCESS 0x829A7DA0 ] PID: 1532, 45056 bytes

0x8280ED66 Unknown page with executable code, 666 bytes


Hi, unfortunately you have a nasty rootkit on board. Please read the following first before starting the cleanup process.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Well, at least we have identified the problem. Fortunately, I don't keep credit card numbers or anything of the like on the computer. I am using a different PC now. I did have my bank cancel all passwords and the like, and also asked them to watch for anything unusual in my accounts.

I will probably proceed with the reformat and reinstallation, but I did have a couple questions first.

Will it be safe to try and backup files from Quickbooks and MS Word prior to reformat, or would doing so risk backing up the problem as well?

Another question. I will probably be purchasing Malwarebytes for all my PCs. Is the software available in stores, or do we order it via the website?

Thanks for your assistance on this.

Best Regards,

KP


Will it be safe to try and backup files from Quickbooks and MS Word prior to reformat, or would doing so risk backing up the problem as well?
Yes, that should be safe.
Another question. I will probably be purchasing Malwarebytes for all my PCs. Is the software available in stores, or do we order it via the website?
If your PCs are for home use, you can do it using the built-in function in the program.

If you use MBAM for company computers, you may be interested in corporate licensing. I'm not an MBAM affiliate, but in case you are interested, I can get you some more information on this.

If you're not sure how to reformat or need help with reformatting, please review:

These links include step-by-step instructions with screenshots:

Vista users can refer to these instructions:

Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.


Okay. I am going to proceed with the reformat. I was able to successfully backup what I needed to back up.

I am just getting to it now as business has sort of required my attention this week.

I have not been able to successfully run ComboFix. It downloads, but will not execute. If anything springs to mind, feel free to let me know as I suspect I will be spending considerable time reviewing the links you provided before I actually begin the reformat operation.

Thanks again.

KP


If you still want to clean up things before proceeding with the reformat, you can follow the steps below.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

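Reading rootkit-scanner reports by eye is where findings get missed, so here is an added example in Python (not code from this thread, from Rootkit Unhooker or from TDSSKiller) that extracts the abnormal lines from the Rootkit Unhooker report posted above and from the TDSSKiller log this step produces, and ties RkU's "suspicious driver modification" warning to the hidden driver address it names. The sample input is constructed from lines quoted in this thread; the names Finding, parse_rku, parse_tdsskiller, link_modifications_to_hidden_drivers and triage are chosen here and are not either tool's API.

```python
"""Triage the two rootkit-scanner reports posted in this thread.

Added example: not code from the thread, from Rootkit Unhooker or from
TDSSKiller. It pulls the actionable lines out of each report format and ties
RkU's "suspicious driver modification" warning to the hidden driver it points
at. Finding, parse_rku, parse_tdsskiller and triage are names chosen here,
not either tool's API.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the two reports quoted in this
# thread, with the hundreds of unremarkable driver lines left out.
RKU_SAMPLE = r"""
>Drivers
0xF85F9000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
!!!!!!!!!!!Hidden driver: 0x8268AAEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x82AECAE8 ?_empty_? 0 bytes
>Stealth
0xF85F9000 WARNING: suspicious driver modification [atapi.sys::0x8268AAEA]
0x8277FF53 Unknown page with executable code, 173 bytes
0x011A0000 Hidden Image-->CFScan.dll [ EPROCESS 0x829A7DA0 ] PID: 1532, 45056 bytes
"""

TDSS_SAMPLE = r"""
2010/11/18 13:46:12.0615 NetBT (a7726cb36914aced60b2e4dac154f3eb) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/18 13:46:12.0630 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: a7726cb36914aced60b2e4dac154f3eb, Fake md5: 0c80e410cd2f47134407ee7dd19cc86b
2010/11/18 13:46:12.0646 NetBT - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/18 13:46:12.0849 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
"""

HEX = r"0x[0-9A-Fa-f]+"
RKU_HIDDEN = re.compile(rf"Hidden driver:\s+({HEX})\s+(\S+)\s+(\d+) bytes")
RKU_MODIFIED = re.compile(
    rf"^({HEX}) WARNING: suspicious driver modification \[([^:\]]+)::({HEX})\]")
RKU_UNKNOWN_PAGE = re.compile(rf"^({HEX}) Unknown page with executable code, (\d+) bytes")
RKU_HIDDEN_IMAGE = re.compile(
    rf"^({HEX}) Hidden Image-->(\S+) \[ EPROCESS ({HEX}) \] PID: (\d+), (\d+) bytes")
TDSS_FORGED = re.compile(
    r"Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})")
TDSS_DETECTED = re.compile(r"^\S+ \S+ (\S+) - detected (\S+)")


@dataclass
class Finding:
    tool: str                     # "rku" or "tdsskiller"
    kind: str                     # hidden_driver, modified_driver, forged_file, ...
    subject: str                  # the address, driver or file the line is about
    detail: dict = field(default_factory=dict)


def parse_rku(report: str) -> list[Finding]:
    """Keep only the Rootkit Unhooker lines that flag something abnormal."""
    out: list[Finding] = []
    for line in (raw.strip() for raw in report.splitlines()):
        if m := RKU_HIDDEN.search(line):
            out.append(Finding("rku", "hidden_driver", m[1], {"name": m[2], "size": int(m[3])}))
        elif m := RKU_MODIFIED.match(line):
            out.append(Finding("rku", "modified_driver", m[2], {"base": m[1], "target": m[3]}))
        elif m := RKU_UNKNOWN_PAGE.match(line):
            out.append(Finding("rku", "unknown_code_page", m[1], {"size": int(m[2])}))
        elif m := RKU_HIDDEN_IMAGE.match(line):
            out.append(Finding("rku", "hidden_image", m[2], {"pid": int(m[4]), "size": int(m[5])}))
    return out


def parse_tdsskiller(log: str) -> list[Finding]:
    """Keep TDSSKiller's forged-file and detection lines; ignore plain listings."""
    out: list[Finding] = []
    for line in log.splitlines():
        if m := TDSS_FORGED.search(line):
            out.append(Finding("tdsskiller", "forged_file", m[1], {"real_md5": m[2], "fake_md5": m[3]}))
        elif m := TDSS_DETECTED.match(line):
            out.append(Finding("tdsskiller", "detection", m[1], {"verdict": m[2]}))
    return out


def link_modifications_to_hidden_drivers(findings: list[Finding]) -> dict[str, str]:
    """Map each patched driver to the hidden driver its modification points at.

    RkU prints the patch target as [driver::address]; when that address is also
    listed as a hidden driver, the two lines describe one implant."""
    hidden = {f.subject for f in findings if f.kind == "hidden_driver"}
    return {f.subject: f.detail["target"] for f in findings
            if f.kind == "modified_driver" and f.detail["target"] in hidden}


def triage(rku_report: str, tdss_log: str) -> dict:
    """Combine both reports into the facts a responder needs to decide on."""
    rku = parse_rku(rku_report)
    tdss = parse_tdsskiller(tdss_log)
    patched = link_modifications_to_hidden_drivers(rku)
    forged = [f.subject for f in tdss if f.kind == "forged_file"]
    return {
        "hidden_drivers": [f.subject for f in rku if f.kind == "hidden_driver"],
        "patched_drivers": patched,
        "forged_files": forged,
        "verdicts": {f.subject: f.detail["verdict"] for f in tdss if f.kind == "detection"},
        # A boot-path driver patched to call hidden code, or a file whose hash
        # depends on how it is read, means the kernel is lying about itself.
        "kernel_compromised": bool(patched or forged),
    }


if __name__ == "__main__":
    for key, value in triage(RKU_SAMPLE, TDSS_SAMPLE).items():
        print(f"{key}: {value}")
```

The point of joining the two reports is that each line on its own is ambiguous, while the combination is not: a driver absent from the kernel's own module list, a boot-critical driver (atapi.sys) patched to transfer control to that address, and a system file that hashes differently depending on which access path reads it together mean the running kernel can no longer be trusted to report on itself, which is why the advice earlier in this thread is a reformat rather than a clean-up alone.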

It downloaded just fine, installed without a hitch, ran and found some critters.

Log below.

Best regards,

KP

2010/11/18 13:45:51.0490 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12

2010/11/18 13:45:51.0490 ================================================================================

2010/11/18 13:45:51.0490 SystemInfo:

2010/11/18 13:45:51.0490

2010/11/18 13:45:51.0490 OS Version: 5.1.2600 ServicePack: 2.0

2010/11/18 13:45:51.0490 Product type: Workstation

2010/11/18 13:45:51.0490 ComputerName: CATLAILS

2010/11/18 13:45:51.0490 UserName: KRIS

2010/11/18 13:45:51.0490 Windows directory: C:\WINDOWS

2010/11/18 13:45:51.0490 System windows directory: C:\WINDOWS

2010/11/18 13:45:51.0490 Processor architecture: Intel x86

2010/11/18 13:45:51.0490 Number of processors: 1

2010/11/18 13:45:51.0490 Page size: 0x1000

2010/11/18 13:45:51.0490 Boot type: Normal boot

2010/11/18 13:45:51.0490 ================================================================================

2010/11/18 13:45:52.0927 Initialize success

2010/11/18 13:45:54.0521 ================================================================================

2010/11/18 13:45:54.0521 Scan started

2010/11/18 13:45:54.0521 Mode: Manual;

2010/11/18 13:45:54.0521 ================================================================================

2010/11/18 13:45:57.0036 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys

2010/11/18 13:45:57.0271 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/18 13:45:57.0411 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/18 13:45:57.0599 aeaudio (85c33f7f55042f9034818b96948d94c0) C:\WINDOWS\system32\drivers\aeaudio.sys

2010/11/18 13:45:57.0740 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

2010/11/18 13:45:57.0990 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

2010/11/18 13:45:58.0349 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/11/18 13:45:59.0146 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/11/18 13:45:59.0271 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/11/18 13:45:59.0458 ati2mtag (c0210c8af5e3e14f0b0363331419f021) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/11/18 13:45:59.0833 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/11/18 13:45:59.0990 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/11/18 13:46:00.0146 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/11/18 13:46:00.0286 brfilt (4ba311473e0d8557827e6f2fe33a8095) C:\WINDOWS\system32\Drivers\Brfilt.sys

2010/11/18 13:46:00.0458 brparimg (e05d9eda91c1b2c4c4f6f5a6d5b14b58) C:\WINDOWS\system32\DRIVERS\BrParImg.sys

2010/11/18 13:46:00.0615 BrParWdm (108d5c678411ac5b53d51756177d50a4) C:\WINDOWS\system32\Drivers\BrParwdm.sys

2010/11/18 13:46:00.0880 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys

2010/11/18 13:46:01.0005 BrSerIf (c121e10c64318182a6478acae1855ee0) C:\WINDOWS\system32\Drivers\BrSerIf.sys

2010/11/18 13:46:01.0177 BrSerWdm (16cd6e5a36bd21f80b890ae17fef4b9e) C:\WINDOWS\system32\Drivers\BrSerWdm.sys

2010/11/18 13:46:01.0333 BrUsbSer (7ac85cdc03befd78908b3b6a73d201d0) C:\WINDOWS\system32\Drivers\BrUsbSer.sys

2010/11/18 13:46:01.0474 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/11/18 13:46:01.0677 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/11/18 13:46:01.0802 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/11/18 13:46:01.0958 Cdr4_xp (4209874f131cf454e42087455b16ed10) C:\WINDOWS\system32\drivers\Cdr4_xp.sys

2010/11/18 13:46:02.0099 Cdralw2k (f5cd2ff2a64bad65692ea86d99790c0c) C:\WINDOWS\system32\drivers\Cdralw2k.sys

2010/11/18 13:46:02.0271 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/11/18 13:46:02.0427 cdudf_xp (bce04a21510e721aaba3f893b6770c12) C:\WINDOWS\system32\drivers\cdudf_xp.sys

2010/11/18 13:46:03.0021 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/11/18 13:46:03.0255 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2010/11/18 13:46:03.0490 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2010/11/18 13:46:03.0630 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/11/18 13:46:03.0755 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2010/11/18 13:46:03.0990 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/11/18 13:46:04.0208 dvd_2K (f5ca443d58a53de968685ee43fbe8f17) C:\WINDOWS\system32\drivers\dvd_2K.sys

2010/11/18 13:46:04.0349 eamon (30372bcc67d63bee538cdfeca755d81c) C:\WINDOWS\system32\DRIVERS\eamon.sys

2010/11/18 13:46:04.0536 ehdrv (6504d6afb75fef830dd99e8c4235d54d) C:\WINDOWS\system32\DRIVERS\ehdrv.sys

2010/11/18 13:46:04.0724 epfw (86895d4413316becc2d7944d2749586c) C:\WINDOWS\system32\DRIVERS\epfw.sys

2010/11/18 13:46:04.0865 Epfwndis (3b47010b2425b69826004767e59045ba) C:\WINDOWS\system32\DRIVERS\Epfwndis.sys

2010/11/18 13:46:05.0005 epfwtdi (6d69809e98df95980060d4699eb6d633) C:\WINDOWS\system32\DRIVERS\epfwtdi.sys

2010/11/18 13:46:05.0302 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/11/18 13:46:05.0474 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/11/18 13:46:05.0568 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2010/11/18 13:46:05.0661 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/11/18 13:46:05.0802 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/11/18 13:46:05.0974 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/11/18 13:46:06.0177 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/11/18 13:46:06.0302 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/11/18 13:46:06.0646 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/11/18 13:46:06.0927 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/11/18 13:46:07.0099 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\drivers\Imapi.sys

2010/11/18 13:46:07.0302 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/11/18 13:46:07.0443 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/11/18 13:46:07.0599 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/11/18 13:46:07.0740 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/11/18 13:46:07.0833 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/11/18 13:46:07.0990 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/11/18 13:46:08.0458 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/18 13:46:08.0630 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/11/18 13:46:08.0802 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/11/18 13:46:08.0958 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/11/18 13:46:09.0115 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys

2010/11/18 13:46:09.0271 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/11/18 13:46:09.0552 mf (729d83e56c29c510258a6e9e79ffddc3) C:\WINDOWS\system32\DRIVERS\mf.sys

2010/11/18 13:46:09.0693 mmc_2K (2739df798b44809407879e9134233de4) C:\WINDOWS\system32\drivers\mmc_2K.sys

2010/11/18 13:46:09.0818 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/11/18 13:46:09.0958 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2010/11/18 13:46:10.0115 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/11/18 13:46:10.0255 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/11/18 13:46:10.0536 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/11/18 13:46:10.0693 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/11/18 13:46:10.0896 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2010/11/18 13:46:11.0052 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/11/18 13:46:11.0208 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/11/18 13:46:11.0333 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/11/18 13:46:11.0490 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/11/18 13:46:11.0630 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2010/11/18 13:46:11.0786 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2010/11/18 13:46:11.0927 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/11/18 13:46:12.0068 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/11/18 13:46:12.0208 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/11/18 13:46:12.0349 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/11/18 13:46:12.0474 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/11/18 13:46:12.0615 NetBT (a7726cb36914aced60b2e4dac154f3eb) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/18 13:46:12.0630 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: a7726cb36914aced60b2e4dac154f3eb, Fake md5: 0c80e410cd2f47134407ee7dd19cc86b

2010/11/18 13:46:12.0646 NetBT - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/11/18 13:46:12.0849 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/18 13:46:13.0021 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/18 13:46:13.0240 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/18 13:46:13.0365 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/18 13:46:13.0505 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/18 13:46:13.0880 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/11/18 13:46:14.0005 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/18 13:46:14.0224 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/18 13:46:14.0349 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/18 13:46:14.0583 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/11/18 13:46:15.0177 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/18 13:46:15.0302 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/11/18 13:46:15.0474 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/18 13:46:15.0599 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/18 13:46:15.0724 pwd_2K (2e162e3856c9c6a3b53e0ece28386fe3) C:\WINDOWS\system32\drivers\pwd_2K.sys

2010/11/18 13:46:16.0224 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/18 13:46:16.0380 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/18 13:46:16.0552 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/18 13:46:16.0677 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/18 13:46:16.0833 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/18 13:46:16.0958 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/18 13:46:17.0161 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/11/18 13:46:17.0318 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/18 13:46:17.0474 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/18 13:46:17.0693 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2010/11/18 13:46:17.0896 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/18 13:46:18.0099 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/11/18 13:46:18.0271 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/18 13:46:18.0536 smwdm (21653671be98f2772da766b74419c725) C:\WINDOWS\system32\drivers\smwdm.sys

2010/11/18 13:46:18.0786 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/18 13:46:18.0958 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/18 13:46:19.0146 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/18 13:46:19.0349 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/18 13:46:19.0490 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/18 13:46:19.0911 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/18 13:46:20.0099 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/18 13:46:20.0224 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/18 13:46:20.0365 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/18 13:46:20.0521 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/18 13:46:20.0802 UdfReadr_xp (e398bde2e6c978f357faedff784ffd70) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys

2010/11/18 13:46:20.0958 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/18 13:46:21.0271 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/18 13:46:21.0443 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/18 13:46:21.0568 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/18 13:46:21.0693 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/18 13:46:21.0818 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/11/18 13:46:21.0943 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/18 13:46:22.0099 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/18 13:46:22.0224 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/18 13:46:22.0380 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2010/11/18 13:46:22.0583 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/18 13:46:22.0771 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/18 13:46:22.0958 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/18 13:46:23.0271 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/11/18 13:46:23.0443 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/11/18 13:46:23.0583 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/11/18 13:46:24.0349 ================================================================================

2010/11/18 13:46:24.0349 Scan finished

2010/11/18 13:46:24.0349 ================================================================================

2010/11/18 13:46:24.0380 Detected object count: 1

2010/11/18 13:56:34.0177 NetBT (a7726cb36914aced60b2e4dac154f3eb) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/18 13:56:34.0177 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: a7726cb36914aced60b2e4dac154f3eb, Fake md5: 0c80e410cd2f47134407ee7dd19cc86b

2010/11/18 13:56:38.0068 Backup copy found, using it..

2010/11/18 13:56:38.0255 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured after reboot

2010/11/18 13:56:38.0255 Rootkit.Win32.TDSS.tdl3(NetBT) - User select action: Cure

2010/11/18 13:56:47.0505 Deinitialize success

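The interesting lines in the TDSSKiller log above are the three for NetBT: the scanner computed two different MD5 sums for the same netbt.sys (the "Real" and "Fake" hashes disagree), which is its "Forged" condition and is what a TDL3-style rootkit that patches disk I/O produces, followed by the "detected" line and the user's "Cure" choice. The following parser is an added example, not code from the thread or from TDSSKiller; the line formats are inferred from the log posted above (any other TDSSKiller output is an assumption and simply falls through unparsed), and the sample log is constructed from lines copied from that post, including the second pass at 13:56 that re-lists NetBT.

```python
"""Pull forged-file and detection entries out of a TDSSKiller log.

Added example (not part of the forum thread or of TDSSKiller). The line
formats are inferred from the log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines copied from the TDSSKiller log in this thread,
# with the clean NetBIOS/Npfs neighbours kept so there is something not to flag.
SAMPLE_LOG = r"""
2010/11/18 13:46:12.0474 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/18 13:46:12.0615 NetBT (a7726cb36914aced60b2e4dac154f3eb) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/18 13:46:12.0630 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: a7726cb36914aced60b2e4dac154f3eb, Fake md5: 0c80e410cd2f47134407ee7dd19cc86b
2010/11/18 13:46:12.0646 NetBT - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/18 13:46:12.0849 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/18 13:46:24.0380 Detected object count: 1
2010/11/18 13:56:34.0177 NetBT (a7726cb36914aced60b2e4dac154f3eb) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/18 13:56:34.0177 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: a7726cb36914aced60b2e4dac154f3eb, Fake md5: 0c80e410cd2f47134407ee7dd19cc86b
2010/11/18 13:56:38.0255 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured after reboot
2010/11/18 13:56:38.0255 Rootkit.Win32.TDSS.tdl3(NetBT) - User select action: Cure
"""

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "   # leading timestamp on every line
MD5 = r"[0-9a-f]{32}"
RE_DRIVER = re.compile(TS + r"(?P<name>\S+) \((?P<md5>" + MD5 + r")\) (?P<path>.+)$")
RE_FORGED = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+)\. Real md5: (?P<real>"
                       + MD5 + r"), Fake md5: (?P<fake>" + MD5 + r")$")
RE_DETECT = re.compile(TS + r"(?P<name>\S+) - detected (?P<threat>\S+) \((?P<flags>\d+)\)$")
RE_ACTION = re.compile(TS + r"(?P<threat>\S+)\((?P<name>\S+)\) - User select action: (?P<action>\w+)$")
RE_COUNT = re.compile(TS + r"Detected object count: (?P<n>\d+)$")


@dataclass
class Driver:
    name: str
    path: str
    md5: str                          # hash printed on the enumeration line
    forged: bool = False
    real_md5: Optional[str] = None
    fake_md5: Optional[str] = None
    threat: Optional[str] = None
    action: Optional[str] = None


@dataclass
class Report:
    drivers: Dict[str, Driver] = field(default_factory=dict)
    declared_count: Optional[int] = None

    def findings(self) -> List[Driver]:
        """Drivers the scanner flagged as forged or named a threat for."""
        return [d for d in self.drivers.values() if d.forged or d.threat]

    def consistent(self) -> bool:
        """'Detected object count' should equal the number of 'detected' lines."""
        return self.declared_count == sum(1 for d in self.drivers.values() if d.threat)


def parse_tdsskiller(text: str) -> Report:
    report = Report()
    by_path: Dict[str, Driver] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RE_DRIVER.match(line)):
            # A driver is re-listed on every pass; keep the existing record so
            # a detection seen on the first pass is not lost on the second.
            d = report.drivers.setdefault(m["name"], Driver(m["name"], m["path"], m["md5"]))
            by_path[m["path"].lower()] = d
        elif (m := RE_FORGED.match(line)):
            d = by_path.get(m["path"].lower())
            if d is None:  # forged line for a path never enumerated: keep it anyway
                d = Driver(m["path"], m["path"], m["real"])
                report.drivers[d.name] = d
                by_path[d.path.lower()] = d
            d.forged, d.real_md5, d.fake_md5 = True, m["real"], m["fake"]
        elif (m := RE_DETECT.match(line)):
            if (d := report.drivers.get(m["name"])):
                d.threat = m["threat"]
        elif (m := RE_ACTION.match(line)):
            if (d := report.drivers.get(m["name"])):
                d.action = m["action"]
        elif (m := RE_COUNT.match(line)):
            report.declared_count = int(m["n"])
    return report


if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_LOG)
    for d in rep.findings():
        print(f"{d.name}: {d.path}\n  forged={d.forged} real={d.real_md5} fake={d.fake_md5}"
              f"\n  threat={d.threat} action={d.action}")
    print("count line consistent:", rep.consistent())
```

Run it against a full TDSSKiller log and `findings()` gives the handful of lines worth reading out of hundreds of clean driver entries; `consistent()` is a cheap sanity check that the summary line and the per-driver detections agree, which they do for the log in this thread.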

As an additional note, when this problem began, I found I was not able to open QuickBooks, and (as I said) MalwareBytes itself would not run on the PC.

This last little program ran, found something, cured it, and now QuickBooks opens as always. Additionally, MalwareBytes ran.

It seems to me it is probably still a good idea to reformat, but I thought I would pass this on.

Regards,

KP


Okay. First log is MalwareBytes, then ComboFix:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

11/22/2010 9:35:01 AM

mbam-log-2010-11-22 (09-35-01).txt

Scan type: Full scan (C:\|)

Objects scanned: 175506

Time elapsed: 56 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 10-11-21.02 - KRIS 11/22/2010 8:26.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.294 [GMT -8:00]

Running from: c:\documents and settings\KRIS\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}

FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\KRIS\Application Data\completescan

c:\documents and settings\KRIS\Application Data\install

c:\documents and settings\KRIS\Recent\Book1.xls

.

((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))

.

2010-11-15 22:38 . 2010-11-15 22:38 -------- d-----w- C:\20101511_143321_KRIS

2010-11-11 18:55 . 2010-11-11 18:55 -------- d-----w- c:\program files\MustBeRandomlyNamed

2010-11-11 18:48 . 2010-11-11 18:48 -------- d-----w- c:\program files\7-Zip

2010-11-03 22:52 . 2010-11-03 22:52 -------- d-----w- c:\program files\ESET

2010-11-03 16:31 . 2010-11-03 16:41 -------- d-----w- c:\program files\MSECache

2010-11-02 17:00 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-02 17:00 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-02 16:52 . 2010-11-02 16:52 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2010-11-01 20:19 . 2010-11-02 17:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-01 20:19 . 2010-11-01 20:19 -------- d-----w- c:\documents and settings\NetworkService\Application Data\iolo

2010-11-01 16:17 . 2010-11-01 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

2010-10-28 16:28 . 2010-10-28 16:28 -------- d-----w- c:\documents and settings\KRIS\Local Settings\Application Data\ESET

2010-10-27 17:11 . 2010-10-27 17:11 -------- d-----w- c:\documents and settings\KRIS\Application Data\ESET

2010-10-27 17:09 . 2010-10-27 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2010-10-27 16:59 . 2010-10-27 16:59 -------- d-----w- c:\windows\Internet Logs

2010-10-26 17:29 . 2010-10-26 17:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-10-26 17:22 . 2010-10-26 17:23 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

2010-10-26 17:22 . 2010-10-26 17:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-10-26 17:16 . 2010-10-26 17:16 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google

2010-10-26 17:15 . 2010-10-28 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-10-26 17:15 . 2010-10-26 17:15 -------- d-----w- c:\program files\Alwil Software

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-18 21:57 . 2003-01-15 15:32 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2010-11-10 17:04 . 2010-09-07 23:39 150392 ----a-w- c:\windows\junction.exe

2010-10-19 15:32 . 2010-10-19 15:32 195 ----a-w- c:\documents and settings\KRIS\Application Data\35259.bat

2010-10-12 19:55 . 2010-03-12 18:07 87688 ----a-w- c:\windows\system32\IncContxMenu.dll

2010-10-12 19:55 . 2010-03-12 18:07 11776 ----a-w- c:\windows\system32\smrgdf.exe

2010-10-12 19:55 . 2010-03-12 18:07 29696 ----a-w- c:\windows\system32\iolobtdfg.exe

2010-10-12 18:08 . 2010-03-12 18:07 2233016 ----a-w- c:\windows\system32\Incinerator.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickCare"="c:\program files\Qwest\Quickcare\bin\sprtcmd.exe" [2010-01-16 206120]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-11 2054360]

"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

QuickBooks Remote Access.LNK - c:\windows\DOWNLO~1\MyWebEx\319\raagtx.exe [2009-4-8 38200]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 6:23 AM 108792]

R2 atnthost;WebEx Remote Access Agent;c:\windows\DOWNLO~1\MyWebEx\319\atnthost.exe [4/8/2009 8:10 AM 16792]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [9/11/2009 6:24 AM 735960]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [3/12/2010 10:07 AM 724152]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [3/12/2010 10:07 AM 724152]

R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]

R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [10/6/2010 11:09 AM 206120]

R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [10/6/2010 11:09 AM 185640]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/26/2010 9:16 AM 136176]

S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\KRIS\LOCALS~1\Temp\ATICDSDr.sys --> c:\docume~1\KRIS\LOCALS~1\Temp\ATICDSDr.sys [?]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [11/17/2008 2:24 PM 2944]

S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [11/17/2008 2:24 PM 3168]

S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [11/17/2008 2:24 PM 39552]

S3 BrSerWdm;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [11/17/2008 2:24 PM 61440]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-11-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-26 17:16]

2010-11-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-26 17:16]

2010-11-22 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Connection Wizard,ShellNext = wmplayer.exe

IE: {{0264505A-6793-44E0-AC75-9DCE3B13185C} - c:\program files\AT&T\WnClient\Programs\AnyWho.exe

Trusted Zone: download.com

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll

DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} - file://e:\content\include\XPPatchInstaller.CAB

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-22 08:32

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

Completion time: 2010-11-22 08:36:01

ComboFix-quarantined-files.txt 2010-11-22 16:35

Pre-Run: 59,323,842,560 bytes free

Post-Run: 59,497,209,856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 5B1CBE2C2E7A8E1653F4C885BB94A47B

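Most of the ComboFix log above is a listing of what starts with the machine: Run-key values and the R/S service lines (running/stopped, followed by the start type, service name, display name, image path and a bracketed file date and size, or `[?]` when ComboFix could not find the file). Two entries stand out on inspection: ATICDSDr points at a driver in the user's Temp directory that no longer exists, and WDC_SAM's driver is missing too. The script below is an added example, not code from the thread or from ComboFix; the line formats are inferred from the log posted above, the two triage rules (image missing, image under a temp or profile directory) are my own heuristics rather than anything ComboFix computes, and the sample is constructed from lines copied from that log.

```python
"""Triage the service and Run-key lines of a ComboFix log.

Added example (not part of this thread or of ComboFix). Line formats are
inferred from the log posted above; the two triage rules are my own
assumptions, not ComboFix output.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines copied from the "Reg Loading Points" section of
# the ComboFix log in this thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickCare"="c:\program files\Qwest\Quickcare\bin\sprtcmd.exe" [2010-01-16 206120]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [9/11/2009 6:23 AM 108792]
R2 atnthost;WebEx Remote Access Agent;c:\windows\DOWNLO~1\MyWebEx\319\atnthost.exe [4/8/2009 8:10 AM 16792]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\KRIS\LOCALS~1\Temp\ATICDSDr.sys --> c:\docume~1\KRIS\LOCALS~1\Temp\ATICDSDr.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
"""

# R/S = running/stopped, digit = start type, then name;display;image [info]
RE_SERVICE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
RE_RUNKEY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<info>[^\]]*)\]$')
RE_TAIL = re.compile(r"^(?P<path>.+?) \[(?P<info>[^\]]*)\]$")

# Heuristic (assumption): directories a legitimate service or driver is not
# normally loaded from on an XP box.
USER_PATH_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")


@dataclass
class Entry:
    kind: str            # "service" or "run"
    name: str
    state: str           # "R" running, "S" stopped, "" for Run-key values
    path: str
    info: str            # date/size ComboFix printed, or "?" if file not found
    flags: List[str] = field(default_factory=list)


def normalize(path: str) -> str:
    """Prefer the on-disk path ComboFix resolved after ' --> ' and drop the \\??\\ prefix."""
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.strip('"')


def triage(path: str, info: str) -> List[str]:
    flags = []
    if info == "?":
        flags.append("MISSING")          # autostart points at a file that is gone
    low = path.lower()
    if any(marker in low for marker in USER_PATH_MARKERS):
        flags.append("USER_PATH")        # image lives in a user-writable location
    return flags


def parse_combofix_autostarts(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := RE_SERVICE.match(line)):
            tail = RE_TAIL.match(m["rest"])
            if tail is None:
                continue
            entries.append(Entry("service", m["name"], m["state"],
                                 normalize(tail["path"]), tail["info"]))
        elif (m := RE_RUNKEY.match(line)):
            entries.append(Entry("run", m["name"], "", normalize(m["path"]), m["info"]))
    for e in entries:
        e.flags = triage(e.path, e.info)
    return entries


def suspicious(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_combofix_autostarts(SAMPLE)):
        print(f"{e.kind:7} {e.state or '-'} {e.name:10} {','.join(e.flags):18} {e.path}")
```

Both flagged entries are stopped (S3) services, so the rules rank them as leftovers to clean up rather than live threats; a running (R) service hitting USER_PATH would be the case to look at first.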

That looks okay now. :D Do you have any problems left?

ESET ONLINE SCANNER
----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
     ESET OnlineScan
  2. Click the "ESET Online Scanner" button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     - Click on the "ESET Smart Installer" link to download the ESET Smart Installer. Save it to your desktop.
     - Double click on the ESET Smart Installer icon on your desktop.
  4. Check the "Accept terms" box.
  5. Click the "Start" button.
  6. Accept any security warnings from your browser.
  7. Check "Scan archives".
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push "List found threats".
  11. Push "Export", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
  12. Push the "Back" button.
  13. Push "Finish".

UPDATE XP
--------------

Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.

Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.


Hello, Elise. I hope the holiday went well. I have upgraded to Service Pack 3 and Windows has downloaded and installed a large number of updates. I am also currently running ESET as my anti-virus, anti-spyware software. Its scans are coming up negative.

Hey, I think a while back I asked about upgrading to the professional edition of MalwareBytes for my office's computers, and you said you were not associated with MalwareBytes as I had assumed.

But you have been extraordinary (to say the least) with the infection on my PC. If you were with MalwareBytes I was going to offer to write a letter to whatever superiors you may have recommending you get a raise and some additional commendation, like perhaps hereditary title and estates somewhere.

I am still happy to send such a letter, but you will have to let me know to whom and what affiliation.

Best Regards,

Ken Peterson

