searchqu virus & computer won't respond to anything


spqr05 (Member, thread starter; joined Dec 2011; experience: Intermediate)
19-Feb-2012, 04:12 PM #1
searchqu virus & computer won't respond to anything
Hi there, my dad and mom have a computer that she uses. We are running Windows XP Pro with SP3 and ESET Smart Security. I noticed searchqu on this computer, as I had been removing it from my girlfriend's; it must have spread across my network or through email she sent to them. ESET remoted in and supposedly removed the virus, but nothing is working or responding now, 2 weeks after they did this. It worked fine; I just believe they didn't know the virus took what they needed. They cleaned the registry and it was fine, then a week later it takes longer to load and it's still there. I have had help here before with the searchqu virus on some other computers.

Now it takes days just to load a program like Firefox or a window, and it shows Not Responding when I click on My Computer, My Documents, etc. It takes about 10 - 15 minutes just to load Windows now once it gets to the login. Something has taken over this computer and its resources, as sometimes in Task Manager it goes up to 80% CPU usage without anything loading, running sporadically.

In other words, I know I had the searchqu virus; I don't know whether this is the after-effects of that or what.

I have the logs, but it's tough to even get a browser to load, or a window for that matter. I turned off everything in the startup and ran GMER, HijackThis and DDS.

Please help, as this computer cannot do anything now; it just keeps choking and freezing. I know there are a few updates to run, and my father believes this all happened from a Windows update, but I doubt that with searchqu on here. Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:12:18 AM, on 2/17/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Maxtor\Sync\SyncServices.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\SearchIndexer.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ESET\ESET Smart Security\egui.exe
D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
D:\Documents and Settings\Terry Durham\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - D:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [HP OfficeJet Series 700] "D:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
O4 - HKLM\..\Run: [PPort11reminder] "D:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "D:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/Driver...reqlab_nvd.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1248491122484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1260480585390
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://akamaicdn.webex.com/client/W...rt/ieatgpc.cab
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: ACT! Scheduler - Sage Software, Inc. - D:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Maxtor Service (Maxtor Sync Services) - Seagate Technology LLC - D:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

--
End of file - 9205 bytes

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Terry Durham at 11:13:55 on 2012-02-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1035 [GMT -8:00]
.
AV: ESET Smart Security 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Disabled*
.
============== Running Processes ===============
.
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Maxtor\Sync\SyncServices.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\SearchIndexer.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ESET\ESET Smart Security\egui.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\SearchProtocolHost.exe
D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=d:\windows\system32\userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - d:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: {9d717f81-9148-4f12-8568-69135f087db0} - DataMngr
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - d:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
mRun: [egui] "d:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [HP OfficeJet Series 700] "d:\program files\hewlett-packard\hp officejet series 700\bin\ktchnsnk.exe" -reg "software\hewlett-packard\officejet series 700\Install"
mRun: [PPort11reminder] "d:\program files\scansoft\paperport\ereg\ereg.exe" -r "d:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248491122484
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260480585390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP31-13320/support/ieatgpc.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
TCP: Interfaces\{8D1DA6AE-0BCC-4990-812F-26950057E35E} : DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - d:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - d:\documents and settings\terry durham\application data\mozilla\firefox\profiles\zq98iub3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=
FF - component: d:\documents and settings\terry durham\application data\mozilla\firefox\profiles\zq98iub3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: d:\documents and settings\terry durham\application data\mozilla\firefox\profiles\zq98iub3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.disk_cache_ssl - true); user_pref(content.max.tokenizing.time, 2250000); user_pref(content.notify.backoffcount, 5); user_pref(content.notify.interval, 750000); user_pref(content.notify.ontimer, true); user_pref(content.switch.threshold, 750000); user_pref(network.http.max-connections, 48 user_pref(network.http.max-connections-per-server,
16);
user_pref(network.http.max-persistent-connections-per-proxy,
16);
user_pref(network.http.max-persistent-connections-per-server,
8);
FF - user.js: network.http.pipelining - true); user_pref(network.http.pipelining.maxrequests, 8); user_pref(network.http.proxy.pipelining, true); user_pref(nglayout.initialpaint.delay, 750
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
.
=============== Created Last 30 ================
.
2012-02-03 22:26:09 -------- d-----w- d:\windows\system32\winrm
2012-02-03 22:26:02 -------- dc-h--w- d:\windows\$968930Uinstall_KB968930$
2012-02-03 20:13:28 73728 ----a-w- d:\windows\system32\javacpl.cpl
2012-02-03 20:13:28 476904 ----a-w- d:\program files\mozilla firefox\plugins\npdeployJava1.dll
2012-02-03 20:13:28 472808 ----a-w- d:\windows\system32\deployJava1.dll
2012-01-23 17:53:25 -------- d-----w- d:\program files\iPod
2012-01-23 17:53:20 -------- d-----w- d:\program files\iTunes
.
==================== Find3M ====================
.
2012-02-16 16:58:31 952 --sha-w- d:\documents and settings\all users\application data\KGyGaAvL.sys
2012-01-13 13:26:26 414368 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24:06 20464 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-11-25 21:57:19 293376 ----a-w- d:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- d:\windows\system32\win32k.sys
.
============= FINISH: 11:15:51.47 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-19 12:21:03
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-f WDC_WD5000AAKB-00H8A0 rev.05.04E05
Running: ilyflpzo.exe; Driver: D:\DOCUME~1\TERRYD~1\LOCALS~1\Temp\pxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT 89D4CC90 ZwAssignProcessToJobObject
SSDT 89D4D200 ZwDebugActiveProcess
SSDT 89D4D2F0 ZwDuplicateObject
SSDT 89D4C590 ZwOpenProcess
SSDT 89D4C800 ZwOpenThread
SSDT 89D4CFD0 ZwProtectVirtualMemory
SSDT 89D4D0E0 ZwQueueApcThread
SSDT 89D4CEC0 ZwSetContextThread
SSDT 89D4CD90 ZwSetInformationThread
SSDT 89D49DA0 ZwSetSecurityObject
SSDT 89D4CB90 ZwSuspendProcess
SSDT 89D4CA80 ZwSuspendThread
SSDT 89D4C6E0 ZwTerminateProcess
SSDT 89D4CA50 ZwTerminateThread
SSDT 89D4D6D0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text D:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7A0A380, 0x550AF5, 0xE8000020]
? D:\DOCUME~1\TERRYD~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text D:\Program Files\ESET\ESET Smart Security\ekrn.exe[212] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text D:\WINDOWS\system32\SearchIndexer.exe[724] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C D:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- EOF - GMER 1.0.15 ----
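A triage pass over the kind of HijackThis and DDS lines posted above, as an added example (not code from the thread, from HijackThis or from DDS): it flags orphaned BHO registrations such as the DataMngr entry left with "(no file)", IE and Firefox search settings pointing at hosts outside an assumed allowlist (the DDS log's keyword.URL still points at dts.search-results.com), autostart entries whose executable lives in a user-writable path, and a populated AppInit_DLLs. The allowlist, the path markers and the sample log are this example's own assumptions; the sample's hijacked R1 Search Page line and its HKCU Run entry are constructed to show what a hijacked entry looks like and are not from the log above.

```python
"""Triage of HijackThis (HJT) and DDS log lines.

Added example for this thread; not code from the thread, from Trend Micro
HijackThis or from DDS. EXPECTED_SEARCH_HOSTS and USER_WRITABLE are this
example's assumptions. SAMPLE_LOG is constructed: most lines mirror entries
posted above, while the R1 Search Page line and the HKCU Run entry are
invented (the thread's own IE entries all point at go.microsoft.com).
"""
import re
from urllib.parse import urlparse

# Assumption: hosts accepted for IE start/search pages and Firefox search prefs.
EXPECTED_SEARCH_HOSTS = {"go.microsoft.com", "www.google.com"}

# Firefox prefs that search hijackers such as searchqu rewrite.
SEARCH_PREFS = {"keyword.URL", "browser.search.defaulturl",
                "browser.startup.homepage"}

# HJT marks a registration whose DLL/EXE is gone with one of these.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Assumption: autostart executables in these locations deserve a second look,
# since an unprivileged user (or malware running as one) can write there.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\users\\")

HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
DDS_FF_PREF = re.compile(r"^FF - prefs\.js: (?P<pref>[\w.]+) - (?P<value>\S+)$")
RUN_ENTRY = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<exe>[^"]+?\.exe)"?', re.I)

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def _host(url):
    """Hostname of a URL; DDS defangs schemes as hxxp://, so undo that first."""
    url = url.replace("hxxp://", "http://").replace("hxxps://", "https://")
    return (urlparse(url).hostname or "").lower()


def triage_line(line):
    """Return [(severity, reason), ...] for one HJT or DDS log line."""
    findings = []
    m = HJT_LINE.match(line)
    if m:
        section, body = m.group("section"), m.group("body")
        # R0/R1: IE start page / search page values.
        if section in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            if url.lower().startswith(("http://", "https://")):
                host = _host(url)
                if host not in EXPECTED_SEARCH_HOSTS:
                    findings.append(("high", f"{section} points IE at unexpected host {host}"))
        # O2 BHOs and O9 buttons: registration left behind without its file.
        if section in ("O2", "O9") and any(mk in body for mk in ORPHAN_MARKERS):
            findings.append(("low", f"{section} orphaned entry: {body.split(' - ')[0]}"))
        # O4 autostarts: executable path in a user-writable location.
        if section == "O4":
            r = RUN_ENTRY.search(body)
            if r and any(mk in r.group("exe").lower() for mk in USER_WRITABLE):
                findings.append(("medium", f"O4 [{r.group('name')}] runs from user-writable path {r.group('exe')}"))
        # O20: any DLL listed in AppInit_DLLs is loaded into every GUI process.
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body[len("AppInit_DLLs:"):].strip()
            if dlls:
                findings.append(("high", f"AppInit_DLLs is populated: {dlls}"))
        return findings
    m = DDS_FF_PREF.match(line)
    if m and m.group("pref") in SEARCH_PREFS:
        host = _host(m.group("value"))
        if host not in EXPECTED_SEARCH_HOSTS:
            findings.append(("high", f"Firefox {m.group('pref')} points at unexpected host {host}"))
    return findings


def triage_log(text):
    """Run triage_line over a whole log; return (severity, reason, line), highest severity first."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        for severity, reason in triage_line(line):
            out.append((severity, reason, line))
    out.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return out


# Constructed sample (see module docstring for which lines are invented).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://dts.search-results.com/sr?src=ieb&q=
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [upd] D:\Documents and Settings\User\Local Settings\Temp\upd.exe
O20 - AppInit_DLLs:
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
"""

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it against a saved HijackThis or DDS log by passing the file's text to triage_log(); the allowlist is deliberately small, so a home page set to a bank or company portal will show up as a finding to be reviewed rather than silently passed.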
Sunyata (Malware Removal Specialist, authorized to help remove malware; joined Feb 2012)
20-Feb-2012, 09:28 AM #2
Hi spqr05 and welcome to the forums!
I'm Sunyata and I will be helping you with your computer problems.

Please read the following guidelines which will help to make cleaning your machine easier:

  • Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
  • The fixes I will give you are specific to your problem and should only be used for this issue on this machine.
  • Please make sure to carefully read any instructions posted. If you're not sure, please stop and ask!
  • Please stay with this thread until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that all malware is gone.
  • PLEASE DO NOT install/uninstall any programs unless asked to.
  • PLEASE DO NOT run any malware scans other than those requested.
  • Please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
  • I will reply back shortly with instructions


Note to Vista and Windows 7 users:
  1. These tools MUST be run from the executable (.exe) every time you run them.
  2. These tools MUST be run with admin rights (right click, choose "Run as Administrator").


Please download aswMBR to your desktop.
  • Double click the aswMBR icon to run it.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
spqr05 (Member, thread starter; joined Dec 2011; experience: Intermediate)
20-Feb-2012, 09:47 PM #3
Thanks for your help, I really appreciate it. Here are the results of the scan. By the way, this was done in Safe Mode with Networking; do you want me to try it in Normal Mode? In Normal Mode I disabled all the startup items except ESET. We used to use this computer as the server, so it has a total of 3 different hard drives, as additional insight into the system.

aswMBR version 0.9.9.1618 Copyright(c) 2011 AVAST Software
Run date: 2012-02-20 18:18:54
-----------------------------
18:18:54.640 OS Version: Windows 5.1.2600 Service Pack 3
18:18:54.640 Number of processors: 1 586 0x801
18:18:54.640 ComputerName: SPQR UserName:
18:18:54.984 Initialize success
18:20:31.234 AVAST engine defs: 12022002
18:20:54.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-f
18:20:54.453 Disk 0 Vendor: WDC_WD5000AAKB-00H8A0 05.04E05 Size: 476940MB BusType: 3
18:20:54.453 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-17
18:20:54.468 Disk 1 Vendor: Maxtor_6Y060L0 YAR41VW0 Size: 58644MB BusType: 3
18:20:54.500 Disk 0 MBR read successfully
18:20:54.500 Disk 0 MBR scan
18:20:54.562 Disk 0 Windows XP default MBR code
18:20:54.578 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 60000 MB offset 63
18:20:54.593 Disk 0 Partition - 00 0F Extended LBA 416929 MB offset 122881185
18:20:54.625 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 416929 MB offset 122881248
18:20:54.640 Disk 0 scanning sectors +976752000
18:20:54.703 Disk 0 scanning D:\WINDOWS\system32\drivers
18:21:12.171 Service scanning
18:22:32.156 Service GMSIPCI F:\INSTALL\GMSIPCI.SYS **LOCKED** 23
18:22:51.500 Modules scanning
18:22:55.187 Disk 0 trace - called modules:
18:22:55.421 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
18:22:55.671 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2bdab8]
18:22:55.921 3 CLASSPNP.SYS[f7647fd7] -> nt!IofCallDriver -> \Device\00000064[0x8a2c39e8]
18:22:56.171 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-f[0x8a2a3940]
18:22:56.812 AVAST engine scan D:\WINDOWS
18:23:08.046 AVAST engine scan D:\WINDOWS\system32
18:28:06.156 AVAST engine scan D:\WINDOWS\system32\drivers
18:28:29.812 AVAST engine scan D:\Documents and Settings\Terry Durham
18:32:44.546 AVAST engine scan D:\Documents and Settings\All Users
18:35:00.281 Scan finished successfully
18:44:46.250 Disk 0 MBR has been saved successfully to "D:\Documents and Settings\Terry Durham\Desktop\MBR.dat"
18:44:46.265 The log file has been saved successfully to "D:\Documents and Settings\Terry Durham\Desktop\aswMBR.txt"
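aswMBR saved the poster's MBR to MBR.dat and reported the partition table above. The script below, added here and not part of the thread or of aswMBR, parses such a 512-byte dump, prints the same kind of partition lines, checks the table for overlapping entries, an entry running past the end of the disk and the active-flag count, and compares the boot-code area against a reference dump (an MBR saved from a known-clean machine of the same Windows version is the practical way to confirm a "default MBR code" verdict). The MBR it builds is constructed to reproduce the layout in the log (60000 MB NTFS at offset 63, 416929 MB extended container at offset 122881185, disk size 476940 MB); its boot-code bytes are zero filler, not real Windows XP boot code.

```python
"""Parse a saved MBR sector and sanity-check its partition table.

Added example for this thread; not code from the thread or from aswMBR.
The sample MBR built here is constructed: its partition entries reproduce
the layout from the aswMBR log above, but the boot-code area is zero
filler rather than real Windows XP MBR code.
"""
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the executable boot code
TABLE_OFFSET = 446           # four 16-byte partition entries follow
PART_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x0F: "Extended LBA", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0 and sectors == 0:
            continue
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "lba_start": lba_start, "sectors": sectors,
                      "size_mb": sectors * SECTOR // (1024 * 1024)})
    return parts


def check_layout(parts, disk_sectors):
    """Warnings about the table itself: active count, overlaps, past-end entries."""
    warnings = []
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        warnings.append(f"{len(active)} active partitions (expected exactly 1)")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["lba_start"] + prev["sectors"] > cur["lba_start"]:
            warnings.append(f"partition {prev['index']} overlaps partition {cur['index']}")
    for p in parts:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            warnings.append(f"partition {p['index']} extends past end of disk")
    return warnings


def boot_code_diff(mbr_a, mbr_b):
    """First offset where the two boot-code areas differ, or None if identical."""
    for off in range(BOOT_CODE_LEN):
        if mbr_a[off] != mbr_b[off]:
            return off
    return None


def build_entry(status, ptype, lba_start, sectors):
    """Pack one partition entry; CHS fields carry the usual LBA-only marker."""
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)


def build_sample_mbr():
    """Constructed MBR reproducing the partition layout from the aswMBR log."""
    boot_code = bytes(BOOT_CODE_LEN)            # filler, not real boot code
    disk_sig = bytes(6)                          # disk signature + 2 reserved bytes
    table = (build_entry(0x80, 0x07, 63, 60000 * 2048)            # Partition 1, 60000 MB
             + build_entry(0x00, 0x0F, 122881185, 416929 * 2048)  # Extended LBA, 416929 MB
             + bytes(32))                                          # two empty entries
    return boot_code + disk_sig + table + b"\x55\xAA"


if __name__ == "__main__":
    # python mbr_check.py MBR.dat 476940   (dump saved by aswMBR, disk size in MB)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR)
        size_mb = int(sys.argv[2])
    else:
        data, size_mb = build_sample_mbr(), 476940   # disk size taken from the log
    parts = parse_mbr(data)
    for p in parts:
        flag = "(A)" if p["active"] else "   "
        print(f"Partition {p['index']} {flag} {p['type']:02X} {p['type_name']} {p['size_mb']} MB offset {p['lba_start']}")
    for w in check_layout(parts, size_mb * 2048):
        print("WARNING:", w)
```

With two dumps, boot_code_diff(open("MBR.dat","rb").read(512), open("clean.dat","rb").read(512)) returning anything other than None is the cue to look at the boot code itself; a bootkit that patches the MBR changes those 440 bytes while typically leaving the partition table intact.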
Sunyata (Malware Removal Specialist, authorized to help remove malware; joined Feb 2012)
21-Feb-2012, 09:48 AM #4
Hello spqr05

Quote:
sometimes in the taskmanager it goes up to 80 cpu usage
Can you tell me the name of the program in the task manager that behaves this way?

Quote:
this was done in safe mode with networking, do you want me to try it in normal mode?
Do you have a specific reason for running scans in safe mode? It is OK for the aswMBR scan. This next scan, however, please perform in Normal Mode if possible.

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Please download ComboFix from one of the following locations:

**IMPORTANT! Save ComboFix to your Desktop. Read the following thoroughly
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link :How to Disable your Security Programs
  • Double click on 'ComboFix.exe' & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message box:


Click on 'Yes', to continue scanning for malware.

When finished, it will produce a log for you.
Please include the contents of C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.
5. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

In your next reply please post the log created by ComboFix.
spqr05 (Member, thread starter; joined Dec 2011; experience: Intermediate)
21-Feb-2012, 11:56 PM #5
Hello spqr05

Quote:
sometimes in the taskmanager it goes up to 80 cpu usage
Can you tell me the name of the program in the task manager that behaves this way?

Earlier it was Firefox. But I've had it just running up and nothing is in the Task Manager running. I've seen csrss or lsass, search protocol, but these are all running at low CPU. Firefox is high, plus this searchindexer.exe; I'm not sure if that's Microsoft, but we don't use that one. I do see it in my toolbar.

Quote:
this was done in safe mode with networking, do you want me to try it in normal mode?
Do you have a specific reason for running scans in safe mode? It is OK for the aswMBR scan. This next scan, however, please perform in Normal Mode if possible.

The computer was struggling to do anything, so I was trying to simply get it to load a browser. In Safe Mode overnight it was going crazy. I clicked once on Mozilla and it loaded it over 100 times, then it was saying things about my database ACT and Microsoft like it was trying to access information when I had not clicked on anything. It was OK to load after like 5 - 10 restarts this evening in Normal Mode, but a pain in the behind. Thanks for your help again. Firefox seems to take up lots of resources at times, but 10 - 20%.

ComboFix 12-02-21.02 - Terry Durham 02/21/2012 20:37:07.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1014 [GMT -8:00]
Running from: d:\documents and settings\Terry Durham\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\my documents\~WRL0807.tmp
d:\documents and settings\Terry Durham\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2012-01-22 to 2012-02-22 )))))))))))))))))))))))))))))))
.
.
2012-02-09 17:08 . 2012-02-09 17:08 -------- d-----w- d:\documents and settings\Administrator.SPQR.000
2012-02-03 22:26 . 2012-02-03 22:26 -------- d-----w- d:\windows\system32\winrm
2012-02-03 22:26 . 2012-02-03 22:26 -------- dc-h--w- d:\windows\$968930Uinstall_KB968930$
2012-02-03 20:13 . 2012-02-03 20:13 -------- d-----w- d:\program files\Common Files\Java
2012-02-03 20:13 . 2012-02-03 20:13 476904 ----a-w- d:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2012-02-03 20:13 . 2012-02-03 20:13 73728 ----a-w- d:\windows\system32\javacpl.cpl
2012-02-03 20:13 . 2012-02-03 20:13 472808 ----a-w- d:\windows\system32\deployJava1.dll
2012-02-03 20:13 . 2012-02-03 20:13 -------- d-----w- d:\program files\Java
2012-02-03 19:59 . 2012-02-03 19:59 -------- d-----w- d:\documents and settings\Terry Durham\Application Data\ArcSoft
2012-01-23 17:53 . 2012-01-23 17:53 -------- d-----w- d:\program files\iPod
2012-01-23 17:53 . 2012-01-23 17:54 -------- d-----w- d:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-16 16:58 . 2010-03-03 00:08 952 --sha-w- d:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2012-01-13 13:26 . 2011-05-25 16:23 414368 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 23:24 . 2009-08-27 15:33 20464 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- d:\windows\system32\winsrv.dll
2012-01-29 15:55 . 2011-11-09 15:57 134104 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP OfficeJet Series 700"="d:\program files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe -reg Software\Hewlett-Packard\OfficeJet Series 700\Install" [X]
"egui"="d:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"PPort11reminder"="d:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "d:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=d:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=d:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\D:^Documents and Settings^Terry Durham^Start Menu^Programs^Startup^FAXRX.lnk]
path=d:\documents and settings\Terry Durham\Start Menu\Programs\Startup\FAXRX.lnk
backup=d:\windows\pss\FAXRX.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 09:12 483328 ----a-w- d:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
2010-01-21 04:21 331776 ----a-w- d:\program files\ACT\Act for Windows\ActSage.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
2010-01-21 04:12 28672 ----a-w- d:\program files\ACT\Act for Windows\Act.Outlook.Service.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 08:52 59240 ----a-w- d:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-02 07:25 59240 ----a-w- d:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2009-01-19 15:37 1150976 ------r- d:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2009-01-09 22:53 114688 ------w- d:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- d:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2003-03-12 08:03 114741 ----a-w- d:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2009-09-21 16:36 122368 ----a-w- d:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2008-07-10 06:05 46368 ----a-w- d:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-17 01:22 421736 ----a-w- d:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mssSort]
2008-08-05 14:54 1647960 ----a-w- d:\program files\Maxtor\ManagerApp\msssort.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2008-08-05 14:54 169312 ----a-w- d:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-01-12 06:17 13666408 ----a-w- d:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-01-12 06:17 110696 ----a-w- d:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2008-07-10 06:07 29984 ----a-w- d:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 21:28 421888 ----a-w- d:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2002-09-11 02:57 46592 ----a-r- d:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2006-10-25 16:03 210472 ----a-w- d:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
2002-06-18 07:01 155648 ----a-w- d:\program files\VERITAS Software\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 21:06 254696 ----a-w- d:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-21 16:36 39408 ----a-w- d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"d:\\Program Files\\Maxtor\\ManagerApp\\MaxUtilities.exe"=
"d:\\Program Files\\Brother\\Brmfl08l\\FAXRX.exe"=
"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"54925:UDP"= 54925:UDP:BrotherNetwork Scanner
"5985:TCP"= 5985:TCP:*isabled:Windows Remote Management
.
R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 107256]
R2 ekrn;ESET Service;d:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 2:47 PM 731840]
R2 Maxtor Sync Services;Maxtor Service;d:\program files\Maxtor\Sync\SyncServices.exe [8/5/2008 6:54 AM 181600]
R2 MSSQL$ACT7;SQL Server (ACT7);d:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 5:29 PM 29293408]
S2 ACT! Scheduler;ACT! Scheduler;d:\program files\ACT\Act for Windows\Act.Scheduler.exe [1/20/2010 8:23 PM 81920]
S2 nvTUNEP;nVidia WDM TVTuner;d:\windows\system32\drivers\NVTUNEP.SYS [7/24/2009 6:39 PM 15968]
S2 nvtvSND;nVidia WDM TVAudio Crossbar;d:\windows\system32\drivers\NVTVSND.SYS [7/24/2009 6:39 PM 13776]
S3 PLCND532;PLCND532 NDIS Protocol Driver;d:\windows\system32\drivers\PLCND532.sys [8/18/2008 1:35 PM 26656]
S3 WinRM;Windows Remote Management (WS-Management);d:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-13 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
FF - ProfilePath - d:\documents and settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=
FF - user.js: browser.cache.disk_cache_ssl - true); user_pref(content.max.tokenizing.time, 2250000); user_pref(content.notify.backoffcount, 5); user_pref(content.notify.interval, 750000); user_pref(content.notify.ontimer, true); user_pref(content.switch.threshold, 750000); user_pref(network.http.max-connections, 48 user_pref(network.http.max-connections-per-server, 16); user_pref(network.http.max-persistent-connections-per-proxy, 16); user_pref(network.http.max-persistent-connections-per-server, 8);
FF - user.js: network.http.pipelining - true); user_pref(network.http.pipelining.maxrequests, 8); user_pref(network.http.proxy.pipelining, true); user_pref(nglayout.initialpaint.delay, 750
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
ShellIconOverlayIdentifiers-{b75ab0c8-03d5-4592-9821-a48d54d66b14} - MssShellExt.dll
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-zzzHPSETUP - F:\Setup.exe
AddRemove-NVIDIA Display Control Panel - d:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-21 20:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-02-21 20:48:46
ComboFix-quarantined-files.txt 2012-02-22 04:48
.
Pre-Run: 26,866,565,120 bytes free
Post-Run: 26,570,072,064 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - FF74FEABCE87E4A29FCC0AAE2D67DA54
Sunyata is offline. Sunyata is authorized to help remove malware.
Malware Removal Specialist with 97 posts.
Join Date: Feb 2012
22-Feb-2012, 09:27 AM #6
Hello spqr05

Please download OTL to your desktop.
  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • Check the boxes beside LOP Check and Purity Check.
  • In the window under Custom Scans/Fixes copy and paste the following

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s >
%systemroot%\*. /rp /s
d:\windows\$968930Uinstall_KB968930$\* /s
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
winsrv.dll
/md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
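As an added example of how a helper might triage the OTL.txt that this scan produces (my own code, not OTL's or anything posted in the thread), the script below parses the FF prefs, SRV and O4 lines and flags the Searchqu / "Search Results" hijack indicators, a Firefox proxy pointed at the local machine, and registered services whose binary is missing. The sample lines are constructed in OTL's format and mirror the kind of entries posted in this thread.

```python
"""Triage helper for OTL.txt output (added example; not part of OTL or this thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in OTL's line format, mirroring the kind of entries posted in
# this thread. A real run would read the OTL.txt that the scan above writes.
SAMPLE_OTL = r"""
========== Win32 Services (SafeList) ==========

SRV - (wuauserv) -- File not found
SRV - (ekrn) -- D:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search Results"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q="
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7070

O4 - HKLM..\Run: [egui] D:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [HP OfficeJet Series 700] "D:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install" File not found
"""

FF_PREF = re.compile(r'^FF - prefs\.js\.\.([\w.\-]+): (.*)$')
SRV_LINE = re.compile(r'^SRV - \((.+?)\) -- (.*)$')
O4_LINE = re.compile(r'^O4 - (.+?): \[(.+?)\] (.*)$')

# Domains and engine name used by the Searchqu / "Search Results" toolbar seen in this thread.
HIJACK_DOMAINS = ("search-results.com", "searchqu.com")
SEARCH_PREFS = (
    "keyword.URL", "browser.search.defaulturl", "browser.startup.homepage",
    "browser.search.defaultenginename", "browser.search.order.1",
)


@dataclass
class Finding:
    severity: str   # "high", "low" or "info"
    line: str       # the log line (or synthesised key=value) that triggered it
    reason: str


def is_hijacked_search(key: str, value: str) -> bool:
    """True when a search-related Firefox pref points at the Search Results hijacker."""
    if key not in SEARCH_PREFS:
        return False
    v = value.lower()
    return v == "search results" or any(d in v for d in HIJACK_DOMAINS)


def triage(otl_text: str) -> List[Finding]:
    """Scan OTL.txt text and return the entries a malware-removal helper would look at first."""
    findings: List[Finding] = []
    prefs: Dict[str, str] = {}
    for raw in otl_text.splitlines():
        line = raw.strip()
        m = FF_PREF.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip().strip('"')
            prefs[key] = value
            if is_hijacked_search(key, value):
                findings.append(Finding("high", line, "search setting points at the Searchqu/Search Results hijacker"))
            continue
        m = SRV_LINE.match(line)
        if m and m.group(2).strip() == "File not found":
            if m.group(1).lower() == "wuauserv":
                findings.append(Finding("high", line, "Automatic Updates service is missing; patching is broken until it is restored"))
            else:
                findings.append(Finding("info", line, "service registered but its binary is missing"))
            continue
        m = O4_LINE.match(line)
        if m and m.group(3).endswith("File not found"):
            findings.append(Finding("low", line, f"orphaned autostart entry [{m.group(2)}]; harmless but should be cleaned"))
    # The proxy check needs two prefs together, so it runs after the pass.
    host, port = prefs.get("network.proxy.http"), prefs.get("network.proxy.http_port")
    if host in ("localhost", "127.0.0.1") and port:
        findings.append(Finding("high", f"network.proxy.http={host}:{port}",
                                "Firefox is routed through a proxy on this machine; identify the process listening on that port before clearing the pref"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"[{f.severity:4}] {f.reason}\n        {f.line}")
```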
spqr05 is offline
Member with 130 posts.
THREAD STARTER
Join Date: Dec 2011
Experience: Intermediate
22-Feb-2012, 01:45 PM #7
OTL logfile created on: 2/22/2012 10:39:08 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = D:\Documents and Settings\Terry Durham\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.93 Gb Available Physical Memory | 62.13% Memory free
3.35 Gb Paging File | 2.94 Gb Available in Paging File | 87.54% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 407.16 Gb Total Space | 343.72 Gb Free Space | 84.42% Space Free | Partition Type: NTFS
Drive D: | 58.59 Gb Total Space | 24.83 Gb Free Space | 42.38% Space Free | Partition Type: NTFS
Drive E: | 37.26 Gb Total Space | 11.50 Gb Free Space | 30.87% Space Free | Partition Type: NTFS
Drive H: | 20.00 Gb Total Space | 5.16 Gb Free Space | 25.81% Space Free | Partition Type: NTFS

Computer Name: SPQR | User Name: Terry Durham | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - D:\Documents and Settings\Terry Durham\Desktop\OTL.exe (OldTimer Tools)
PRC - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
PRC - D:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
PRC - D:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
PRC - D:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)
PRC - D:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Modules (No Company Name) ==========

MOD - D:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll ()
MOD - D:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll ()
MOD - D:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll ()
MOD - D:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll ()
MOD - D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll ()
MOD - D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll ()
MOD - D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll ()
MOD - D:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - D:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\3.1.26.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll ()
MOD - D:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.56.0__28c9bcd4dddc48a1\System.Data.SQLite.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\4.0.114.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\4.0.114.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\2.0.145.4__540d4816ead86321\Intuit.Spc.Esd.Core.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll ()
MOD - D:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\log4net\1.2.10.0__1b44e1d426115821\log4net.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Portability\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Portability.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.ExceptionHandling\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.ExceptionHandling.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Logging\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Logging.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Config\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Config.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\2.0.445.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll ()
MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll ()
MOD - D:\Program Files\Brother\BrUtilities\BrLogAPI.dll ()
MOD - D:\WINDOWS\system32\BrMuSNMP.dll ()


========== Win32 Services (SafeList) ==========

SRV - (wuauserv) -- File not found
SRV - (IntuitUpdateService) -- D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
SRV - (ACT! Scheduler) -- D:\Program Files\ACT\Act for Windows\Act.Scheduler.exe (Sage Software, Inc.)
SRV - (EhttpSrv) -- D:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe (ESET)
SRV - (ekrn) -- D:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
SRV - (Maxtor Sync Services) -- D:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)
SRV - (PSI_SVC_2) -- D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Driver Services (SafeList) ==========

DRV - (epfwtdi) -- D:\WINDOWS\system32\drivers\epfwtdi.sys (ESET)
DRV - (Epfwndis) -- D:\WINDOWS\system32\drivers\epfwndis.sys (ESET)
DRV - (epfw) -- D:\WINDOWS\system32\drivers\epfw.sys (ESET)
DRV - (ehdrv) -- D:\WINDOWS\system32\drivers\ehdrv.sys (ESET)
DRV - (eamon) -- D:\WINDOWS\system32\drivers\eamon.sys (ESET)
DRV - (PLCND532) -- D:\WINDOWS\system32\drivers\PLCND532.sys (Intellon, Inc.)
DRV - (pfc) -- D:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (ALCXWDM) Service for Avance AC97 Audio (WDM) -- D:\WINDOWS\system32\drivers\ALCXWDM.SYS (Avance Logic, Inc.)
DRV - (nvcap) nVidia WDM Video Capture (universal) -- D:\WINDOWS\system32\drivers\NVCAP.SYS (NVIDIA Corporation)
DRV - (nvTUNEP) -- D:\WINDOWS\system32\drivers\NVTUNEP.SYS (NVIDIA Corporation)
DRV - (nvtvSND) -- D:\WINDOWS\system32\drivers\NVTVSND.SYS (NVIDIA Corporation)
DRV - (NVXBAR) -- D:\WINDOWS\system32\drivers\NVXBAR.SYS (NVIDIA Corporation)
DRV - (viaagp1) -- D:\WINDOWS\system32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (DumaNT) -- D:\WINDOWS\system32\drivers\dumant.sys (NVIDIA Corporation)
DRV - (winachsf) -- D:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems)
DRV - (basic2) -- D:\WINDOWS\system32\drivers\basic2.sys (Conexant Systems)
DRV - (V124) -- D:\WINDOWS\system32\drivers\v124nt.sys (Conexant Systems)
DRV - (Rksample) -- D:\WINDOWS\system32\drivers\rksample.sys (Conexant Systems)
DRV - (Cnxtdiag) -- D:\WINDOWS\system32\drivers\cnxtdiag.sys (Conexant Systems)
DRV - (K56) -- D:\WINDOWS\system32\drivers\k56nt.sys (Conexant)
DRV - (Fsks) -- D:\WINDOWS\system32\drivers\fsksnt.sys (Conexant)
DRV - (SoftFax) -- D:\WINDOWS\system32\drivers\faxnt.sys (Conexant)
DRV - (Tones) -- D:\WINDOWS\system32\drivers\tonesnt.sys (Conexant)
DRV - (Fallback) -- D:\WINDOWS\system32\drivers\fallback.sys (Conexant)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search Results"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.order.1: "Search Results"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q="
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7070


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: D:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: D:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: D:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: D:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: D:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/07/27 17:04:06 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2012/02/06 12:09:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2012/02/03 12:13:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: D:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2009/12/08 13:55:28 | 000,000,000 | ---D | M]

[2012/02/03 12:27:29 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Extensions
[2012/01/09 16:41:11 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\extensions
[2010/07/18 03:55:11 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/03 22:00:50 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/03/31 14:47:08 | 000,005,516 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\searchplugins\copernic-home.xml
[2011/11/30 15:58:38 | 000,002,515 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\searchplugins\Search_Results.xml
[2012/02/06 12:09:37 | 000,000,000 | ---D | M] (No name found) -- D:\Program Files\Mozilla Firefox\extensions
[2012/01/29 07:55:53 | 000,134,104 | ---- | M] (Mozilla Foundation) -- D:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/02/03 12:13:14 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/01/29 05:36:35 | 000,002,252 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/11/30 15:58:38 | 000,002,515 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
[2012/01/29 05:36:35 | 000,002,040 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/02/21 20:43:21 | 000,000,027 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - D:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [egui] D:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [HP OfficeJet Series 700] "D:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install" File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Convert link target to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - D:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/Driver...reqlab_nvd.cab (System Requirements Lab Class)
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...1F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsu...?1248491122484 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/micr...?1260480585390 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/ge...sh/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/W...rt/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8D1DA6AE-0BCC-4990-812F-26950057E35E}: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (D:\WINDOWS\system32\userinit.exe) - D:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: D:\Documents and Settings\Terry Durham\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: D:\Documents and Settings\Terry Durham\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - D:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/06/03 14:29:32 | 000,000,000 | ---- | M] () - H:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: wuauserv - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/02/22 10:37:18 | 000,583,680 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Terry Durham\Desktop\OTL.exe
[2012/02/21 20:34:58 | 000,000,000 | RHSD | C] -- D:\cmdcons
[2012/02/21 20:33:04 | 000,518,144 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWREG.exe
[2012/02/21 20:33:04 | 000,406,528 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWSC.exe
[2012/02/21 20:33:04 | 000,212,480 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWXCACLS.exe
[2012/02/21 20:33:04 | 000,060,416 | ---- | C] (NirSoft) -- D:\WINDOWS\NIRCMD.exe
[2012/02/21 20:32:56 | 000,000,000 | ---D | C] -- D:\WINDOWS\ERDNT
[2012/02/21 20:32:50 | 000,000,000 | ---D | C] -- D:\Qoobox
[2012/02/21 20:30:01 | 004,414,945 | R--- | C] (Swearware) -- D:\Documents and Settings\Terry Durham\Desktop\ComboFix.exe
[2012/02/20 18:17:50 | 004,729,344 | ---- | C] (AVAST Software) -- D:\Documents and Settings\Terry Durham\Desktop\aswMBR.exe
[2012/02/17 10:40:30 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- D:\Documents and Settings\Terry Durham\Desktop\HijackThis.exe
[2012/02/17 10:39:08 | 000,607,260 | R--- | C] (Swearware) -- D:\Documents and Settings\Terry Durham\Desktop\dds.com
[2012/02/03 14:26:09 | 000,000,000 | ---D | C] -- D:\WINDOWS\System32\winrm
[2012/02/03 14:26:02 | 000,000,000 | -H-D | C] -- D:\WINDOWS\$968930Uinstall_KB968930$
[2012/02/03 12:13:46 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Sun
[2012/02/03 12:13:44 | 000,000,000 | ---D | C] -- D:\Program Files\Common Files\Java
[2012/02/03 12:13:28 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\deployJava1.dll
[2012/02/03 12:13:28 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javaws.exe
[2012/02/03 12:13:28 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javaw.exe
[2012/02/03 12:13:28 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javacpl.cpl
[2012/02/03 12:13:27 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\java.exe
[2012/02/03 12:13:07 | 000,000,000 | ---D | C] -- D:\Program Files\Java
[2012/02/03 12:12:37 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Terry Durham\Application Data\Sun
[2012/02/03 12:11:02 | 000,910,112 | ---- | C] (Sun Microsystems, Inc.) -- D:\Documents and Settings\Terry Durham\Desktop\jxpiinstall.exe
[2012/02/03 11:59:31 | 000,000,000 | ---D | C] -- C:\My Documents\My Albums
[2012/02/03 11:59:24 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Terry Durham\Application Data\ArcSoft
[2010/03/02 15:54:02 | 021,046,160 | ---- | C] (Sage Software ) -- D:\Documents and Settings\Terry Durham\Application Data\ACT1200HotFix_SS.exe
[6 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/22 10:37:36 | 000,583,680 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Terry Durham\Desktop\OTL.exe
[2012/02/21 20:43:21 | 000,000,027 | ---- | M] () -- D:\WINDOWS\System32\drivers\etc\hosts
[2012/02/21 20:35:05 | 000,000,327 | RHS- | M] () -- D:\boot.ini
[2012/02/21 20:30:50 | 004,414,945 | R--- | M] (Swearware) -- D:\Documents and Settings\Terry Durham\Desktop\ComboFix.exe
[2012/02/21 20:24:17 | 000,013,768 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2012/02/21 20:22:53 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2012/02/21 20:22:48 | 1610,141,696 | -HS- | M] () -- D:\hiberfil.sys
[2012/02/20 18:44:46 | 000,000,512 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\MBR.dat
[2012/02/20 18:18:27 | 004,729,344 | ---- | M] (AVAST Software) -- D:\Documents and Settings\Terry Durham\Desktop\aswMBR.exe
[2012/02/17 10:41:13 | 000,302,592 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\ilyflpzo.exe
[2012/02/17 10:40:30 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- D:\Documents and Settings\Terry Durham\Desktop\HijackThis.exe
[2012/02/17 10:39:08 | 000,607,260 | R--- | M] (Swearware) -- D:\Documents and Settings\Terry Durham\Desktop\dds.com
[2012/02/17 10:30:39 | 016,809,984 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\PandaActiveScanCleaner.msi
[2012/02/16 12:11:01 | 000,000,664 | ---- | M] () -- D:\WINDOWS\System32\d3d9caps.dat
[2012/02/16 08:58:31 | 000,000,952 | -HS- | M] () -- D:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2012/02/16 08:36:22 | 000,261,626 | ---- | M] () -- C:\My Documents\MedSolutions Precertification for Joann Durham CT NECK Procedure 02062012.pdf
[2012/02/13 08:54:01 | 000,000,284 | ---- | M] () -- D:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/02/08 08:45:35 | 000,000,139 | ---- | M] () -- D:\WINDOWS\msicpl.ini
[2012/02/06 18:35:11 | 000,147,222 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\Partners Capital and Worldwide Loan Acquisitions Blanket Confidentiality Agreement 02062012.pdf
[2012/02/06 17:32:23 | 000,098,542 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Referral and Fee Sharing Agreement 02062012.pdf
[2012/02/06 17:16:38 | 000,239,076 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Confi, Non-Circ and Fee Agreement 02062012.pdf
[2012/02/06 12:09:38 | 000,000,724 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/02/03 14:27:54 | 000,001,355 | ---- | M] () -- D:\WINDOWS\imsins.BAK
[2012/02/03 13:20:54 | 000,000,784 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/03 12:13:13 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javaws.exe
[2012/02/03 12:13:13 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javaw.exe
[2012/02/03 12:13:13 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javacpl.cpl
[2012/02/03 12:13:12 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\java.exe
[2012/02/03 12:13:11 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\deployJava1.dll
[2012/02/03 12:12:00 | 000,910,112 | ---- | M] (Sun Microsystems, Inc.) -- D:\Documents and Settings\Terry Durham\Desktop\jxpiinstall.exe
[2012/02/02 19:12:02 | 000,105,355 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\Joann Durham Executed Docs 02022012.pdf
[2012/02/02 19:03:19 | 000,104,475 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Docs Joann Durham.pdf
[2012/02/02 10:55:00 | 000,000,792 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/01/30 13:31:12 | 000,099,280 | ---- | M] () -- C:\My Documents\FedEx.pdf
[6 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
[1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/21 20:35:05 | 000,000,210 | ---- | C] () -- D:\Boot.bak
[2012/02/21 20:35:03 | 000,260,272 | RHS- | C] () -- D:\cmldr
[2012/02/21 20:33:04 | 000,256,000 | ---- | C] () -- D:\WINDOWS\PEV.exe
[2012/02/21 20:33:04 | 000,208,896 | ---- | C] () -- D:\WINDOWS\MBR.exe
[2012/02/21 20:33:04 | 000,098,816 | ---- | C] () -- D:\WINDOWS\sed.exe
[2012/02/21 20:33:04 | 000,080,412 | ---- | C] () -- D:\WINDOWS\grep.exe
[2012/02/21 20:33:04 | 000,068,096 | ---- | C] () -- D:\WINDOWS\zip.exe
[2012/02/21 20:22:48 | 1610,141,696 | -HS- | C] () -- D:\hiberfil.sys
[2012/02/20 18:44:46 | 000,000,512 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\MBR.dat
[2012/02/19 12:23:27 | 000,000,730 | ---- | C] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox (2).lnk
[2012/02/17 10:41:12 | 000,302,592 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\ilyflpzo.exe
[2012/02/16 08:36:22 | 000,261,626 | ---- | C] () -- C:\My Documents\MedSolutions Precertification for Joann Durham CT NECK Procedure 02062012.pdf
[2012/02/09 10:18:20 | 016,809,984 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\PandaActiveScanCleaner.msi
[2012/02/06 18:35:10 | 000,147,222 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\Partners Capital and Worldwide Loan Acquisitions Blanket Confidentiality Agreement 02062012.pdf
[2012/02/06 17:32:23 | 000,098,542 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Referral and Fee Sharing Agreement 02062012.pdf
[2012/02/06 17:12:25 | 000,239,076 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Confi, Non-Circ and Fee Agreement 02062012.pdf
[2012/02/03 14:25:36 | 000,225,262 | ---- | C] () -- D:\WINDOWS\System32\dllcache\msimain.sdb
[2012/02/03 13:20:54 | 000,000,784 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/02/02 19:12:01 | 000,105,355 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\Joann Durham Executed Docs 02022012.pdf
[2012/02/02 19:00:03 | 000,104,475 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Docs Joann Durham.pdf
[2012/01/30 13:31:12 | 000,099,280 | ---- | C] () -- C:\My Documents\FedEx.pdf
[2012/01/29 17:49:41 | 005,017,504 | ---- | C] () -- D:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat~
[2010/12/13 12:17:16 | 000,000,552 | ---- | C] () -- D:\WINDOWS\System32\d3d8caps.dat
[2010/05/10 17:44:23 | 000,000,153 | ---- | C] () -- D:\WINDOWS\brpcfx.ini
[2010/05/10 17:44:22 | 000,000,948 | ---- | C] () -- D:\WINDOWS\Brpfx04a.ini
[2010/05/10 17:44:07 | 000,000,419 | ---- | C] () -- D:\WINDOWS\BRWMARK.INI
[2010/05/10 17:43:34 | 000,000,050 | ---- | C] () -- D:\WINDOWS\System32\bridf08c.dat
[2010/05/10 17:42:53 | 000,000,150 | ---- | C] () -- D:\WINDOWS\Brfaxrx.ini
[2010/05/10 17:42:50 | 000,000,000 | ---- | C] () -- D:\WINDOWS\brdfxspd.dat
[2010/05/10 17:42:45 | 000,106,496 | ---- | C] () -- D:\WINDOWS\System32\BrMuSNMP.dll
[2010/05/10 17:37:17 | 000,031,767 | ---- | C] () -- D:\WINDOWS\maxlink.ini
[2010/03/04 08:31:19 | 000,000,664 | ---- | C] () -- D:\WINDOWS\System32\d3d9caps.dat
[2010/03/02 16:08:01 | 000,000,088 | RHS- | C] () -- D:\Documents and Settings\All Users\Application Data\993D0F60B6.sys
[2010/03/02 16:08:00 | 000,000,952 | -HS- | C] () -- D:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys

========== LOP Check ==========

[2010/03/02 16:08:30 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\ACT
[2011/12/01 02:47:25 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\boost_interprocess
[2009/07/24 19:15:28 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\ESET
[2009/07/27 16:54:58 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Maxtor
[2009/07/27 08:53:58 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Sage Software SB, Inc
[2010/03/03 15:03:09 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Sage Software, Inc
[2010/05/25 16:37:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\ScanSoft
[2011/11/30 15:56:19 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\WinZip
[2010/05/11 09:15:07 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Zeon
[2010/03/31 08:33:05 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/23 10:21:45 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/07/28 07:35:51 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/03/29 13:54:47 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\ACT
[2009/07/24 19:16:15 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\ESET
[2010/03/02 16:07:52 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\IsolatedStorage
[2009/07/24 19:10:04 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\Leadertech
[2009/07/27 16:53:29 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\Maxtor Quick Start
[2010/05/10 18:53:17 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\PC-FAX TX
[2010/05/11 09:14:56 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\ScanSoft
[2011/12/01 10:58:19 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\searchquband
[2009/07/24 18:54:02 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\VERITAS
[2010/03/02 15:34:02 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\Windows Desktop Search
[2010/03/03 14:29:20 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\Windows Search
[2010/05/11 09:15:07 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\Zeon

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/07/24 11:14:04 | 000,000,210 | ---- | M] () -- D:\Boot.bak
[2012/02/21 20:35:05 | 000,000,327 | RHS- | M] () -- D:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- D:\cmldr
[2012/02/21 20:48:47 | 000,013,987 | ---- | M] () -- D:\ComboFix.txt
[2012/02/21 20:22:48 | 1610,141,696 | -HS- | M] () -- D:\hiberfil.sys
[2010/03/29 21:25:35 | 000,000,109 | ---- | M] () -- D:\mbam-error.txt
[2004/08/04 04:00:00 | 000,047,564 | RHS- | M] () -- D:\NTDETECT.COM
[2009/07/26 20:10:54 | 000,250,048 | RHS- | M] () -- D:\ntldr
[2012/02/21 20:22:46 | 2145,386,496 | -HS- | M] () -- D:\pagefile.sys
[2012/02/03 13:29:21 | 000,070,776 | ---- | M] () -- D:\TDSSKiller.2.7.9.0_03.02.2012_13.21.19_log.txt

< %systemroot%\Fonts\*.com >
[2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- D:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- D:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- D:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- D:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/07/24 18:25:01 | 000,000,067 | -HS- | M] () -- D:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 04:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2008/07/06 02:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2009/07/24 11:14:03 | 000,094,208 | ---- | M] () -- D:\WINDOWS\System32\config\default.sav
[2009/07/24 11:14:03 | 000,659,456 | ---- | M] () -- D:\WINDOWS\System32\config\software.sav
[2009/07/24 11:14:03 | 000,880,640 | ---- | M] () -- D:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2009/07/26 20:19:45 | 000,000,272 | -HS- | M] () -- D:\Documents and Settings\All Users\Start Menu\desktop.ini
[2009/07/27 20:32:56 | 000,000,802 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\GetDataBack for NTFS.lnk
[2009/12/10 13:29:58 | 000,001,566 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Microsoft Update.lnk
[2011/04/27 09:04:45 | 000,002,433 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\New Office Document.lnk
[2010/03/03 12:37:17 | 000,002,515 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Open Office Document.lnk
[2009/07/26 20:19:45 | 000,001,563 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
[2009/07/24 18:25:35 | 000,000,398 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Windows Catalog.lnk
[2009/07/24 19:05:05 | 000,001,507 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Windows Update.lnk

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results Install|LastSuccessTime /rs >

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< %temp%\smtmp\*.* /s > >

< %systemroot%\*. /rp /s >

< d:\windows\$968930Uinstall_KB968930$\* /s >
[2007/06/30 10:48:44 | 000,003,504 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_arithmetic_operators.help.txt
[2007/06/30 10:48:44 | 000,015,137 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_assignment_operators.help.txt
[2007/06/30 10:48:44 | 000,003,907 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_automatic_variables.help.txt
[2007/06/30 10:48:44 | 000,004,561 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_break.help.txt
[2007/06/30 10:48:44 | 000,002,615 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_command_syntax.help.txt
[2007/06/30 10:48:44 | 000,002,302 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_commonparameters.help.txt
[2007/06/30 10:48:44 | 000,009,818 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_comparison_operators.help.txt
[2007/06/30 10:48:44 | 000,001,003 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_continue.help.txt
[2007/06/30 10:48:44 | 000,001,819 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_core_commands.help.txt
[2007/06/30 10:48:45 | 000,005,121 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_for.help.txt
[2007/06/30 10:48:45 | 000,009,652 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_foreach.help.txt
[2007/06/30 10:48:45 | 000,005,102 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_history.help.txt
[2007/06/30 10:48:45 | 000,003,367 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_if.help.txt
[2007/06/30 10:48:45 | 000,002,896 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_line_editing.help.txt
[2007/06/30 10:48:45 | 000,003,594 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_parsing.help.txt
[2007/06/30 10:48:45 | 000,005,369 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_path_syntax.help.txt
[2007/06/30 10:48:45 | 000,005,045 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_pssnapins.help.txt
[2007/06/30 10:48:45 | 000,003,040 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_quoting_rules.help.txt
[2007/06/30 10:48:45 | 000,001,782 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_redirection.help.txt
[2007/06/30 10:48:45 | 000,002,177 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_ref.help.txt
[2007/06/30 10:48:45 | 000,002,062 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_reserved_words.help.txt
[2007/06/30 10:48:46 | 000,011,909 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_signing.help.txt
[2007/06/30 10:48:46 | 000,005,415 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_special_characters.help.txt
[2007/06/30 10:48:46 | 000,006,210 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_switch.help.txt
[2007/06/30 10:48:46 | 000,002,711 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_while.help.txt
[2007/06/30 10:48:46 | 000,022,120 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\certificate.format.ps1xml
[2007/06/30 10:48:46 | 000,001,801 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\default.help.txt
[2007/06/30 10:48:47 | 000,060,703 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\dotnettypes.format.ps1xml
[2007/06/30 10:48:47 | 000,019,730 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\filesystem.format.ps1xml
[2007/06/30 10:48:59 | 000,250,197 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\help.format.ps1xml
[2010/03/02 15:34:18 | 000,139,264 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\microsoft.powershell.commands.management.dll
[2007/06/30 10:49:02 | 000,886,281 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\microsoft.powershell.commands.management.dll-help.xml
[2010/03/02 15:34:18 | 000,294,912 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\microsoft.powershell.commands.utility.dll
[2007/06/30 10:49:06 | 000,808,787 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\microsoft.powershell.commands.utility.dll-help.xml
[2010/03/02 15:34:18 | 000,200,704 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\microsoft.powershell.consolehost.dll
[2007/06/30 10:49:07 | 000,014,558 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\microsoft.powershell.consolehost.dll-help.xml
[2010/03/02 15:34:18 | 000,065,536 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\microsoft.powershell.security.dll
[2007/06/30 10:49:08 | 000,120,106 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\microsoft.powershell.security.dll-help.xml
[2007/10/30 01:15:42 | 000,330,240 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\powershell.exe
[2007/06/30 10:49:09 | 000,009,216 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\powershell.exe.mui
[2007/06/30 10:49:09 | 000,065,283 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\powershellcore.format.ps1xml
[2007/07/01 00:19:10 | 000,013,394 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\powershelltrace.format.ps1xml
[2007/06/30 10:49:09 | 000,010,475 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\profile.ps1
[2009/10/09 14:57:44 | 000,020,480 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe
[2009/10/09 14:56:30 | 000,009,216 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe
[2007/06/30 10:49:11 | 000,004,608 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\pwrshmsg.dll
[2007/10/31 20:48:43 | 000,020,992 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\pwrshsip.dll
[2012/02/03 14:26:04 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00088
[2012/02/03 14:26:04 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00095
[2012/02/03 14:26:04 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00096
[2012/02/03 14:26:04 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00097
[2012/02/03 14:26:04 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00098
[2012/02/03 14:26:04 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00099
[2012/02/03 14:26:04 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00100
[2012/02/03 14:26:05 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00101
[2012/02/03 14:26:05 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00102
[2012/02/03 14:26:05 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00103
[2012/02/03 14:26:05 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00104
[2012/02/03 14:26:05 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00105
[2012/02/03 14:26:05 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00106
[2012/02/03 14:26:05 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00107
[2012/02/03 14:26:05 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00108
[2012/02/03 14:26:05 | 000,008,192 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\reg00109
[2007/06/30 10:49:13 | 000,013,540 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\registry.format.ps1xml
[2010/03/02 15:34:18 | 001,564,672 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\system.management.automation.dll
[2007/06/30 10:49:17 | 000,265,939 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\system.management.automation.dll-help.xml
[2007/06/30 10:49:18 | 000,129,836 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\types.ps1xml
[2009/06/17 18:59:52 | 000,221,488 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\spuninst\spuninst.exe
[2012/02/03 14:26:39 | 000,081,650 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\spuninst\spuninst.inf
[2012/02/03 14:26:05 | 000,017,082 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\spuninst\spuninst.txt
[2009/06/17 18:59:52 | 000,379,184 | ---- | M] (Microsoft Corporation) -- d:\windows\$968930Uinstall_KB968930$\spuninst\updspapi.dll


< MD5 for: EXPLORER.EXE >
[2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- D:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- D:\WINDOWS\explorer.exe
[2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- D:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 04:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- D:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: EXPLORER.EXE-082F38A9.PF >
[2012/02/21 20:48:57 | 000,084,916 | ---- | M] () MD5=82329DB1D23D5985225018F1DFAC840B -- D:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf

< MD5 for: EXPLORER.SCF >
[2004/08/04 04:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- D:\WINDOWS\explorer.scf

< MD5 for: IEXPLORE.CHM >
[2009/02/21 01:21:24 | 000,529,818 | ---- | M] () MD5=1435F4731719DF5F57D17DC38196245D -- D:\WINDOWS\Help\iexplore.chm
[2004/08/04 04:00:00 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- D:\WINDOWS\ie7\iexplore.chm
[2006/09/01 07:43:50 | 000,503,758 | ---- | M] () MD5=652E46500C149D1DC948BF9CEA8C4933 -- D:\WINDOWS\ie8\iexplore.chm

< MD5 for: IEXPLORE.EXE >
[2009/06/28 23:25:31 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=02E2754D3E566C11A4934825920C47DD -- D:\WINDOWS\$hf_mig$\KB972260-IE7\SP3QFE\iexplore.exe
[2009/04/24 21:27:50 | 000,636,088 | ---- | M] (Microsoft Corporation) MD5=092A7F2B49A19ECCE5369D3CB2276148 -- D:\WINDOWS\ie7updates\KB972260-IE7\iexplore.exe
[2009/08/26 21:18:42 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=332EC7562F3AA7364F2D4231C56DA986 -- D:\WINDOWS\$hf_mig$\KB974455-IE7\SP3QFE\iexplore.exe
[2009/06/29 00:35:10 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=3CFC56F73D494FC1AA2B6E981DF15ACD -- D:\WINDOWS\ie7updates\KB974455-IE7\iexplore.exe
[2009/10/27 22:54:16 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=4F9B04D546C23A295F3F0AE015BE51DB -- D:\WINDOWS\ie8\iexplore.exe
[2008/04/13 16:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- D:\WINDOWS\ie7\iexplore.exe
[2008/04/13 16:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- D:\WINDOWS\ServicePackFiles\i386\iexplore.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- D:\Program Files\Malwarebytes' Anti-Malware\Chameleon\iexplore.exe
[2009/10/27 22:54:21 | 000,634,632 | ---- | M] (Microsoft Corporation) MD5=80675329E0FD54F016C4F8A83C616349 -- D:\WINDOWS\$hf_mig$\KB976325-IE7\SP3QFE\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- D:\Program Files\Internet Explorer\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- D:\WINDOWS\ERDNT\cache\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- D:\WINDOWS\system32\dllcache\iexplore.exe
[2009/04/24 21:27:39 | 000,636,088 | ---- | M] (Microsoft Corporation) MD5=C0503FD8D163652735C1EE900672A75C -- D:\WINDOWS\$hf_mig$\KB969897-IE7\SP3QFE\iexplore.exe
[2007/08/13 17:43:56 | 000,622,080 | ---- | M] (Microsoft Corporation) MD5=DE49B348A18369B4626FBA1D49B07FB4 -- D:\WINDOWS\ie7updates\KB969897-IE7\iexplore.exe
[2004/08/04 04:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=E7484514C0464642BE7B4DC2689354C8 -- D:\WINDOWS\$NtServicePackUninstall$\iexplore.exe
[2009/08/26 21:18:44 | 000,634,648 | ---- | M] (Microsoft Corporation) MD5=F232BA9F39BC0F722672C7E79E68EBEA -- D:\WINDOWS\ie7updates\KB976325-IE7\iexplore.exe

< MD5 for: IEXPLORE.EXE.MUI >
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- D:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- D:\Program Files\Internet Explorer\iexplore.exe.mui
[2007/08/13 17:43:36 | 000,573,440 | ---- | M] (Microsoft Corporation) MD5=B58D8A1C7EE0E922EC7D2616DA136FC3 -- D:\WINDOWS\ie8\iexplore.exe.mui

< MD5 for: IEXPLORE.EXE-0A31FE70.PF >
[2012/02/21 20:32:46 | 000,013,700 | ---- | M] () MD5=F0399FDBCBC8EA09515C8F42D95618C2 -- D:\WINDOWS\Prefetch\IEXPLORE.EXE-0A31FE70.pf

< MD5 for: IEXPLORE.EXE-12915967.PF >
[2012/02/21 20:32:43 | 000,012,098 | ---- | M] () MD5=C25D41BB7DE54303549D591749A6B8A3 -- D:\WINDOWS\Prefetch\IEXPLORE.EXE-12915967.pf

< MD5 for: IEXPLORE.EXE-12BBAE74.PF >
[2012/02/21 20:32:43 | 000,010,994 | ---- | M] () MD5=31AA6B64D421F22AE7147463652EA4F8 -- D:\WINDOWS\Prefetch\IEXPLORE.EXE-12BBAE74.pf

< MD5 for: IEXPLORE.EXE-27122324.PF >
[2012/02/21 20:51:03 | 000,083,874 | ---- | M] () MD5=B092C0CC4D69195389794029B8BB3B33 -- D:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf

< MD5 for: IEXPLORE.HLP >
[2004/08/04 04:00:00 | 000,180,335 | ---- | M] () MD5=3F19AF1B745140DAFAC6F78F561A3C62 -- D:\WINDOWS\Help\iexplore.hlp

< MD5 for: WINLOGON.EXE >
[2004/08/04 04:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- D:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- D:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 16:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- D:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 16:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- D:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 16:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- D:\WINDOWS\system32\winlogon.exe

< MD5 for: WINLOGON.EXE-32C57D49.PF >
[2012/02/19 12:59:32 | 000,036,132 | ---- | M] () MD5=187307C87A66F838353A6138D09CA253 -- D:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf

< MD5 for: WINSRV.DLL >
[2008/04/13 16:12:09 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=1618F36D4F7F6CCCEB3EE44BA95BE85C -- D:\WINDOWS\$NtUninstallKB2121546$\winsrv.dll
[2008/04/13 16:12:09 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=1618F36D4F7F6CCCEB3EE44BA95BE85C -- D:\WINDOWS\ServicePackFiles\i386\winsrv.dll
[2011/06/20 09:43:21 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=3C733ABE4F13206414F670F86C5F79D8 -- D:\WINDOWS\$hf_mig$\KB2567680\SP3QFE\winsrv.dll
[2010/06/18 09:45:17 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=42B5427FAC23BF6F1F31E466B7FEB084 -- D:\WINDOWS\$NtUninstallKB2507938$\winsrv.dll
[2004/08/04 04:00:00 | 000,290,816 | ---- | M] (Microsoft Corporation) MD5=442D0EAD5534E4ADCF6D4469043C82C0 -- D:\WINDOWS\$NtServicePackUninstall$\winsrv.dll
[2010/06/18 09:43:57 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=6DC05976FB5B8E1358EAC8BEDFD1FA47 -- D:\WINDOWS\$hf_mig$\KB2121546\SP3QFE\winsrv.dll
[2011/11/25 13:57:19 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=8C7DCA4B158BF16894120786A7A5F366 -- D:\WINDOWS\system32\dllcache\winsrv.dll
[2011/11/25 13:57:19 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=8C7DCA4B158BF16894120786A7A5F366 -- D:\WINDOWS\system32\winsrv.dll
[2011/06/20 09:44:52 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=95CF3446911A6E25EE4086DF8A45B2AA -- D:\WINDOWS\$NtUninstallKB2646524$\winsrv.dll
[2011/11/25 13:56:26 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=B23423313519C522E0E73BA170D3CE71 -- D:\WINDOWS\$hf_mig$\KB2646524\SP3QFE\winsrv.dll
[2011/04/26 03:07:50 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=EC0A223C4854E98A3AFB2C31B7B420A0 -- D:\WINDOWS\$NtUninstallKB2567680$\winsrv.dll
[2011/04/26 03:02:48 | 000,293,376 | ---- | M] (Microsoft Corporation) MD5=F52D3C601CF618479F9AD43B07599BED -- D:\WINDOWS\$hf_mig$\KB2507938\SP3QFE\winsrv.dll

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[D:\WINDOWS\assembly\GAC_32\Act.UI.Dashboard.Designer\12.1.181.0__ebf6b2ff4d0a08aa] -> D:\WINDOWS\WinSxS\x86_Act.UI.Dashboard.Designer_ebf6b2ff4d0a08aa_12.1.181.0_x-ww_66c55b20 -> Junction
[D:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a] -> D:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790 -> Junction
[D:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a] -> D:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e -> Junction
[D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\2.1.72.22__540d4816ead86321] -> D:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_2.1.72.22_x-ww_a742e49 -> Junction
[D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\3.0.335.0__540d4816ead86321] -> D:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.0.335.0_x-ww_29a6be0d -> Junction
[D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\3.1.31.0__540d4816ead86321] -> D:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_3.1.31.0_x-ww_8b778a47 -> Junction
[D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\2.1.72.22__540d4816ead86321] -> D:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_2.1.72.22_x-ww_c5eae641 -> Junction
[D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\3.0.335.0__540d4816ead86321] -> D:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.0.335.0_x-ww_e51d7605 -> Junction
[D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\3.1.31.0__540d4816ead86321] -> D:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_3.1.31.0_x-ww_46ee423f -> Junction

< End of report >
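The "< MD5 for: ... >" sections above are the part of an OTL log a responder reads first: for each binary named between /md5start and /md5stop, OTL hashes every copy on disk, and Windows keeps known-good copies in dllcache, ServicePackFiles\i386 and the update and uninstall folders. A live copy (system32, Program Files) whose hash matches none of the backup copies, or that carries no company name, is where to look for a patched system file. The script below is an added example, not part of this thread and not OldTimer's code; it parses those sections and applies exactly that check. SAMPLE_LOG is copied from the log above, and the list of folders treated as reference copies is an assumption (the ones that appear in this log).

```python
"""Audit the '< MD5 for: ... >' sections of an OTL log.

Added example: not part of the thread and not OTL's own code. For every
audited binary, compare each live copy against the hashes of the backup
copies Windows keeps; report live copies that match no backup copy or that
have no company name. SAMPLE_LOG is copied from the OTL log in the thread.
"""
import re
from collections import defaultdict

# Folders in which Windows (or a backup tool such as ERDNT) keeps reference
# copies of system binaries. Assumption: the folders seen in this log.
REFERENCE_MARKERS = ("\\dllcache\\", "\\servicepackfiles\\", "$ntservicepackuninstall$",
                     "$hf_mig$", "$ntuninstall", "\\ie7updates\\", "\\ie7\\", "\\ie8\\",
                     "\\erdnt\\")
AUDITED_SUFFIXES = (".EXE", ".DLL", ".SYS")   # prefetch (.pf) and help files are skipped

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >\s*$")
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$")

# Copied from the OTL log above (winlogon.exe and its prefetch entry).
SAMPLE_LOG = r"""
< MD5 for: WINLOGON.EXE >
[2004/08/04 04:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- D:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- D:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 16:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- D:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 16:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- D:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 16:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- D:\WINDOWS\system32\winlogon.exe

< MD5 for: WINLOGON.EXE-32C57D49.PF >
[2012/02/19 12:59:32 | 000,036,132 | ---- | M] () MD5=187307C87A66F838353A6138D09CA253 -- D:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf
"""


def parse_md5_sections(text):
    """Return {section name: [(company, md5, path), ...]} in log order."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").upper()
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            sections[current].append(
                (m.group("company").strip(), m.group("md5").upper(), m.group("path")))
    return dict(sections)


def is_reference_copy(path):
    """True for copies Windows keeps as known-good backups."""
    lowered = path.lower()
    return any(marker in lowered for marker in REFERENCE_MARKERS)


def audit(sections):
    """Return [(path, reason), ...] for live copies that deserve a closer look."""
    findings = []
    for name, entries in sections.items():
        if not name.endswith(AUDITED_SUFFIXES):
            continue
        reference_hashes = {md5 for _, md5, path in entries if is_reference_copy(path)}
        for company, md5, path in entries:
            if is_reference_copy(path):
                continue
            if md5 not in reference_hashes:
                findings.append((path, "hash matches no backup copy of " + name))
            if not company:
                findings.append((path, "no company name in version resource"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(parse_md5_sections(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

On the sample, the only hits are the two copies under Malwarebytes' Chameleon folder: that is the expected result, since Chameleon ships its own renamed executables, and the live D:\WINDOWS\system32\winlogon.exe matches both the ServicePackFiles and ERDNT copies. The script only orders the triage; a hit still has to be confirmed against a known-good hash or signature.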
spqr05 (thread starter), 22-Feb-2012, 01:46 PM, #8
OTL Extras logfile created on: 2/22/2012 10:39:08 AM - Run 1
OTL by OldTimer - Version 3.2.33.2 Folder = D:\Documents and Settings\Terry Durham\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.50 Gb Total Physical Memory | 0.93 Gb Available Physical Memory | 62.13% Memory free
3.35 Gb Paging File | 2.94 Gb Available in Paging File | 87.54% Paging File free
Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 407.16 Gb Total Space | 343.72 Gb Free Space | 84.42% Space Free | Partition Type: NTFS
Drive D: | 58.59 Gb Total Space | 24.83 Gb Free Space | 42.38% Space Free | Partition Type: NTFS
Drive E: | 37.26 Gb Total Space | 11.50 Gb Free Space | 30.87% Space Free | Partition Type: NTFS
Drive H: | 20.00 Gb Total Space | 5.16 Gb Free Space | 25.81% Space Free | Partition Type: NTFS

Computer Name: SPQR | User Name: Terry Durham | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"54925:UDP" = 54925:UDP:*:Enabled:BrotherNetwork Scanner
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Program Files\ACT\Act for Windows\ActSage.exe" = D:\Program Files\ACT\Act for Windows\ActSage.exe:*:Enabled:ACT! 9.x/2007 -- (Sage Software, Inc.)
"D:\Program Files\Maxtor\ManagerApp\MaxUtilities.exe" = D:\Program Files\Maxtor\ManagerApp\MaxUtilities.exe:*:Enabled:Maxtor Manager -- (Seagate Technology LLC)
"D:\Program Files\Brother\Brmfl08l\FAXRX.exe" = D:\Program Files\Brother\Brmfl08l\FAXRX.exe:*:Enabled:FAXRX.EXE -- (Brother Industries Ltd.)
"D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"D:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = D:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02570AE0-BEE0-4A6C-BE3F-D806E9F2EA17}" = ScanSoft PaperPort 11
"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
"{07295ABF-1245-415A-BE06-863271753443}" = ShowBiz
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = VERITAS RecordNow DX Update Manager
"{0A02D347-5E53-48A5-BC49-1469393103FA}" = Brother MFL-Pro Suite MFC-495CW
"{0EECD415-3431-4AAE-B13C-0D23C6AA7990}" = UpgradeTool
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = VERITAS DLA
"{1240EECF-D5E1-4C1A-8337-B236E950D983}" = TurboTax 2010 wcasbpm
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216030FF}" = Java(TM) 6 Update 30
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (ACT7)
"{2BC2781A-F7F6-452E-95EB-018A522F1B2C}" = PaperPort Image Printer
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{360EDFB0-EAA2-012B-AD16-000000000000}" = TurboTax 2009 wcaiper
"{36302351-EAA2-012B-AD1E-000000000000}" = TurboTax 2009 wcasbpm
"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
"{3818E081-EAA2-012B-AD94-000000000000}" = TurboTax 2009 WinBizFedFormset
"{3830D551-EAA2-012B-AD9A-000000000000}" = TurboTax 2009 WinBizReleaseEngine
"{383CBC31-EAA2-012B-AD9D-000000000000}" = TurboTax 2009 WinBizTaxSupport
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3C5A81D1-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{560EFF7F-252D-4841-89CD-4EEB76D5FC1F}" = Maxtor Central Axis Manager
"{56582EEA-3AEF-4D84-8B9D-C87A3CD9250F}" = GetDataBack for NTFS
"{5866F83F-5347-4324-A15E-070502A65866}" = TurboTax 2010 WinBizReleaseEngine
"{58795EE4-FCF7-43A4-A5F6-269E69D0CD0B}" = ACT! by Sage 2010
"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper
"{5E835305-63BB-4E55-BBB7-EEBBE67774DB}" = MyDVD
"{6334BBB0-8A2E-4679-B845-9CE27E72DBDA}" = TurboTax 2010 WinBizTaxSupport
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71CBF9BB-7E07-4A9D-BF30-84C11810B242}" = ESET Smart Security
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{87FF0E39-8490-4EB4-A557-FF12F712EF7E}" = TurboTax 2010 wcaiper
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8855FF30-19CE-4CB1-A654-87B38369CCE1}" = VERITAS RecordNow DX
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8D5D99B8-DFA2-4018-ADE9-A6B83E655C65}" =
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{926BD0E8-24A3-41D2-AF9B-340F1A37ED12}" = MobileMe Control Panel
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
"{B023185F-F1EF-4F97-B0BD-AE6D802226D1}" = NVIDIA WDM Drivers
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B4FEA924-630D-11D4-B78E-005004566E4D}" = ViewSonic Monitor Drivers
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1939820-A945-11D4-86F6-0001031E5712}" = MSI MSIDVD
"{C3ADD937-FD5F-4CC6-AE15-AEDEE2A20165}" = TurboTax 2010 wrapper
"{C7010632-E5EE-4263-B80E-BC9D45439EB0}" = TurboTax 2010 winiper
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E6C0F926-446B-4450-8D15-4405A9431EB7}" = TurboTax 2010 WinBizFedFormset
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{F2AF3E5D-9697-485C-A5AC-E2B9468C446A}" = Safari
"{F59205C8-E5FB-43F5-AAB2-16C1760D4F59}" = FaceFilter Studio Brother Edition
"{F6D6B258-E3CA-4AAC-965A-68D3E3140A8C}" = iTunes
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"ActiveTouchMeetingClient" = WebEx
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.0 Professional
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"FaxTalk Communicator 4.5" = FaxTalk Communicator 4.5
"HP PrecisionScan LTX" = HP PrecisionScan LTX
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{0EECD415-3431-4AAE-B13C-0D23C6AA7990}" = UpgradeTool
"InstallShield_{560EFF7F-252D-4841-89CD-4EEB76D5FC1F}" = Maxtor Central Axis Manager
"InstallShield_{58795EE4-FCF7-43A4-A5F6-269E69D0CD0B}" = ACT! by Sage 2010
"jZip" = jZip
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox 10.0 (x86 en-US)" = Mozilla Firefox 10.0 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"NVIDIAStereo" = NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
"SystemRequirementsLab" = System Requirements Lab
"TurboTax 2008" = TurboTax 2008
"TurboTax 2009" = TurboTax 2009
"TurboTax 2010" = TurboTax 2010
"TurboTax Business 2009" = TurboTax Business 2009
"TurboTax Business 2010" = TurboTax Business 2010
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >
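Two sections of the Extras log above carry the state a responder checks before trusting anything else the machine reports: Shell Spawning, where the "open" command for exefile, comfile, batfile, cmdfile, piffile and scrfile must still be the file itself (a changed command routes every program launch through something else), and Firewall Settings, where this log shows "EnableFirewall" = 0 on both profiles and several ports opened with scope "*" (any address). The script below is an added example, not part of the thread and not OTL's code; it parses both sections and reports those conditions. SAMPLE_EXTRAS is copied from the log above (with the forum's mangled "isabled" restored to ":Disabled"), and the expected shell commands are the Windows XP SP3 defaults.

```python
"""Audit the Shell Spawning and Firewall Settings sections of an OTL Extras log.

Added example: not part of the thread and not OTL's own code. Reports
executable file classes whose shell command is not the XP SP3 default,
firewall profiles with the firewall switched off, and ports open to any
address. SAMPLE_EXTRAS is copied from the Extras log in the thread.
"""
import re

EXPECTED_SHELL = {  # Windows XP SP3 defaults for the executable file classes
    ("batfile", "open"): '"%1" %*', ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*', ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*', ("scrfile", "open"): '"%1" /S',
}
SHELL_RE = re.compile(r"^(?P<cls>\w+) \[(?P<verb>\w+)\] -- (?P<cmd>.*)$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = (?P<data>.*)$')

SAMPLE_EXTRAS = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"54925:UDP" = 54925:UDP:*:Enabled:BrotherNetwork Scanner
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

========== Authorized Applications List ==========
"""


def section(text, title):
    """Lines between '========== title ==========' and the next such header."""
    lines, inside = [], False
    for line in text.splitlines():
        if line.startswith("=========="):
            inside = line.strip("= ") == title
            continue
        if inside:
            lines.append(line.rstrip())
    return lines


def audit_shell_spawning(text):
    """Return [(class, verb, message), ...] for commands that differ from the default."""
    findings = []
    for line in section(text, "Shell Spawning"):
        m = SHELL_RE.match(line)
        if not m:
            continue
        cls, verb, cmd = m.group("cls"), m.group("verb"), m.group("cmd")
        expected = EXPECTED_SHELL.get((cls, verb))
        if expected is not None and cmd != expected:
            findings.append((cls, verb, f"expected {expected}, found {cmd}"))
        elif cmd.startswith("Reg Error"):
            findings.append((cls, verb, "key unreadable by OTL, verify by hand"))
    return findings


def audit_firewall(text):
    """Return (profiles with EnableFirewall=0, [(profile, port/proto, description), ...])."""
    disabled, open_to_any, key = [], [], ""
    for line in section(text, "Firewall Settings"):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        profile = key.split("\\FirewallPolicy\\", 1)[-1].split("\\", 1)[0]
        name, data = m.group("name"), m.group("data")
        if name == "EnableFirewall" and data.strip() == "0":
            disabled.append(profile)
        elif key.endswith("GloballyOpenPorts\\List"):
            parts = data.split(":", 4)   # port:proto:scope:Enabled|Disabled:description
            if len(parts) == 5 and parts[2] == "*" and parts[3] == "Enabled":
                open_to_any.append((profile, f"{parts[0]}/{parts[1]}", parts[4]))
    return disabled, open_to_any


if __name__ == "__main__":
    for cls, verb, msg in audit_shell_spawning(SAMPLE_EXTRAS):
        print(f"shell {cls} [{verb}]: {msg}")
    off, ports = audit_firewall(SAMPLE_EXTRAS)
    print("firewall off in:", ", ".join(off) or "none")
    for profile, port, desc in ports:
        print(f"open to any address ({profile}): {port} {desc}")
```

On this log the executable classes still carry their defaults, so the only shell findings are the two keys OTL could not read; the firewall result is the one that matters here, with both profiles off and NetBIOS/SMB plus the scanner port open to any address.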
Sunyata (Malware Removal Specialist), 22-Feb-2012, 03:47 PM, #9
Hello spqr05

Please run an OTL Fix

  1. Please reopen OTL.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    Code:
    :Services
    
    :OTL
    FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q="
    FF - prefs.js..network.proxy.http: "localhost"
    FF - prefs.js..network.proxy.http_port: 7070
    O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...1F/wmvadvd.cab (Reg Error: Key error.)
    [6 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
    [1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
    [2012/02/17 10:41:12 | 000,302,592 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\ilyflpzo.exe
    [2011/12/01 10:58:19 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\searchquband
    
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.
  7. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

How is the machine behaving now? Are there still issues?
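Two of the prefs.js lines in the fix above are the Firefox side of the searchqu hijack: keyword.URL pointing at dts.search-results.com (address-bar searches go to the hijacker's engine) and network.proxy.http set to "localhost" with port 7070, which sends the browser's HTTP traffic through a listener on the machine itself. The script below is an added example, not part of the thread and not OTL's code; it reads a prefs.js and flags both kinds of entry so they can be reviewed before a fix is written. SAMPLE_PREFS is constructed from the values quoted in the fix; the list of hijack search hosts and the treatment of a local proxy as suspicious are assumptions for illustration, since legitimate local filtering proxies exist and the listener on the port should be identified before it is called malware.

```python
"""Flag search-hijack and local-proxy entries in a Firefox prefs.js.

Added example: not part of the thread and not OTL's own code. Parses
user_pref(...) lines, reports a manual proxy pointing at the local host and
search-related prefs pointing at known hijack hosts. SAMPLE_PREFS is
constructed from the values quoted in the OTL fix above.
"""
import re
from urllib.parse import urlparse

PREF_RE = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+)\);\s*$')
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Assumption: hijack search providers named in this thread; extend as needed.
HIJACK_SEARCH_HOSTS = {"search-results.com", "searchqu.com"}
SEARCH_PREFS = ("keyword.URL", "browser.startup.homepage",
                "browser.search.defaultenginename", "browser.search.selectedEngine")

# Constructed sample: the two entries the fix above removes, plus normal prefs.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage_override.mstone", "10.0");
user_pref("keyword.URL", "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=");
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7070);
user_pref("network.proxy.type", 1);
user_pref("browser.search.defaultenginename", "Google");
"""


def parse_prefs(text):
    """Return {pref name: str | int | bool} from user_pref lines."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("value").strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[m.group("name")] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[m.group("name")] = raw == "true"
        else:
            try:
                prefs[m.group("name")] = int(raw)
            except ValueError:
                prefs[m.group("name")] = raw
    return prefs


def audit_prefs(prefs):
    """Return [(kind, message), ...]; kind is 'proxy' or 'search'."""
    findings = []
    # Firefox only uses network.proxy.<scheme> when network.proxy.type is 1 (manual).
    active = prefs.get("network.proxy.type") == 1
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if isinstance(host, str) and host.lower() in LOCAL_HOSTS:
            port = prefs.get(f"network.proxy.{scheme}_port", "?")
            state = "active, proxy type is manual" if active else "present, proxy type is not manual"
            findings.append(("proxy", f"{scheme} proxy at {host}:{port} ({state})"))
    for name in SEARCH_PREFS:
        value = prefs.get(name)
        host = urlparse(value).hostname if isinstance(value, str) and "://" in value else None
        if host and any(host == h or host.endswith("." + h) for h in HIJACK_SEARCH_HOSTS):
            findings.append(("search", f"{name} points at {host}"))
    return findings


if __name__ == "__main__":
    for kind, message in audit_prefs(parse_prefs(SAMPLE_PREFS)):
        print(f"{kind}: {message}")
```

Removing the prefs, as the fix does, stops the browser from using the proxy; the process listening on the port still has to be found and removed, or the next run of the malware will simply write the entries back.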
spqr05 (thread starter), 23-Feb-2012, 01:01 PM, #10
The computer loads after the restart but will not go to the login screen of Windows. It will not move past this point. I've tried several times since last night, but nothing will move forward past "Windows is starting up".
Sunyata (Malware Removal Specialist), 23-Feb-2012, 03:51 PM, #11
Hello spqr05

Boot the machine into Safe Mode.
Click on Start then Run.
Type chkdsk /r and press Enter.
Reply Y when asked if you want this to be done at next boot.

Reboot normally.

Chkdsk should run. Let it complete; it may take a while depending on the size of your hard drive.

See if that fixes the problem.
spqr05 (thread starter), 24-Feb-2012, 01:48 AM, #12
24-Feb-2012, 01:48 AM #12
Same issue: I cannot get it past the "Windows is starting up" area. I cannot get to the login area.
Sunyata (Malware Removal Specialist), 24-Feb-2012, 09:50 AM, #13
Hello spqr05

Start your computer by using the Last Known Good Configuration...
  • Restart your computer.
  • As the computer begins to come back up, tap the F8 key about every second.
  • When the Windows Advanced Options menu appears, use the ARROW keys to select Last Known Good Configuration, then press ENTER.
  • If you are running other operating systems on your computer, use the ARROW keys to select Microsoft Windows XP, and then press ENTER.


If the machine comes up in normal mode...
Download RogueKiller to your desktop
  1. Quit all running programs
  2. For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  3. If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
  4. Press the Scan button
  5. When the scan completes, press the Report button and the log should appear.
  6. The RKreport.txt log should also be generated onto the desktop.
Please post the contents of the log in your next Reply

Next, Please re-run OTL.
  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • Check the boxes beside LOP Check and Purity Check.
  • In the window under Custom Scans/Fixes copy and paste the following

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.līk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Deskuop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
/md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open OTL.txt. This is saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents and post it with your next reply.
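
The block pasted into Custom Scans/Fixes above is a list of OTL scan directives: file-pattern lines with optional flags, registry keys, two keywords (netsvcs, CREATERESTOREPOINT) and an /md5start../md5stop block of file names to hash. What follows is an added example, not OTL's own code and not part of the helper's post, showing how such a list can be parsed and run against a directory tree so the reader can see which entries fire and why. It assumes that /s means "recurse into subdirectories" and that the md5 block names files to hash; the other flags (/x, /mp, /rs, /FP) are recorded but not interpreted. SCAN_LIST is a constructed subset of the posted list, and build_sample_tree() creates a throwaway mini Windows layout in a temp directory for the demo.

```python
"""Parser and runner for OTL-style custom scan directives (added example, not
OTL's code).  Assumed: '/s' recurses, /md5start../md5stop names files to hash;
other flags (/x, /mp, /rs, /FP) are kept verbatim and not interpreted."""
import fnmatch, hashlib, os, re, tempfile
from typing import Dict, List, NamedTuple

SCAN_LIST = r"""
netsvcs
%systemroot%\Fonts\*.exe
%systemroot%\*. /mp /s
%systemroot%\system32\test\*.*
%USERPROFILE%\Desktop\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
/md5start
winlogon.*
/md5stop
"""  # constructed subset of the list in the post above

class Directive(NamedTuple):
    kind: str                       # 'keyword' | 'registry' | 'file' | 'md5'
    target: str
    flags: tuple = ()

def _split_flags(line: str):
    parts = line.split(" /")        # '<target> /flag1 /flag2'
    return parts[0], tuple("/" + p.strip() for p in parts[1:])

def parse_scan_list(text: str) -> List[Directive]:
    out, in_md5 = [], False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.lower() == "/md5start":
            in_md5 = True
        elif line.lower() == "/md5stop":
            in_md5 = False
        elif in_md5:
            out.append(Directive("md5", line))
        elif line.upper().startswith("HKEY_"):
            out.append(Directive("registry", *_split_flags(line)))
        elif re.fullmatch(r"[A-Za-z]+", line):   # netsvcs, CREATERESTOREPOINT
            out.append(Directive("keyword", line))
        else:
            out.append(Directive("file", *_split_flags(line)))
    return out

def _name_matches(name: str, pattern: str) -> bool:
    # Windows semantics: a pattern ending in '.' (e.g. '*.') matches names with no extension.
    if pattern.endswith(".") and not pattern.endswith("*.*"):
        return "." not in name and fnmatch.fnmatch(name.lower(), pattern[:-1].lower())
    return fnmatch.fnmatch(name.lower(), pattern.lower())

def expand_file_directive(d: Directive, env: Dict[str, str]) -> List[str]:
    """Resolve %VAR% tokens (case-insensitively) via env, then glob the name."""
    path = d.target
    for var, root in env.items():
        path = re.sub(re.escape(var), lambda _m, r=root: r, path, flags=re.I)
    directory, pattern = os.path.split(path.replace("\\", os.sep))
    recursive, hits = "/s" in [f.lower() for f in d.flags], []
    for dirpath, _dirs, files in os.walk(directory):   # yields nothing if absent
        hits += [os.path.join(dirpath, n) for n in files if _name_matches(n, pattern)]
        if not recursive:
            break
    return sorted(hits)

def md5_report(directives: List[Directive], search_root: str) -> Dict[str, str]:
    """MD5 of every file under search_root whose name matches an md5 entry."""
    patterns = [d.target for d in directives if d.kind == "md5"]
    report = {}
    for dirpath, _dirs, files in os.walk(search_root):
        for n in (n for n in files if any(_name_matches(n, p) for p in patterns)):
            with open(os.path.join(dirpath, n), "rb") as fh:
                report[n.lower()] = hashlib.md5(fh.read()).hexdigest()
    return report

def build_sample_tree() -> Dict[str, str]:
    """Constructed mini Windows layout in a temp dir; returns the %VAR% map."""
    root = tempfile.mkdtemp(prefix="otl_demo_")
    files = {
        "Windows/Fonts/update.exe": b"MZ fake",      # Fonts\*.exe: suspicious
        "Windows/noext": b"z",                       # %systemroot%\*. /s
        "Windows/system32/winlogon.exe": b"MZ wl",   # hashed by the md5 block
        "Windows/system32/test/drop.bin": b"x",      # test\*.* (top level only)
        "Windows/system32/test/sub/deep.bin": b"y",  # skipped: no /s on test\
        "Users/mom/Desktop/setup.exe": b"MZ setup",  # Desktop\*.exe
    }
    for rel, data in files.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
    return {"%systemroot%": os.path.join(root, "Windows"),
            "%USERPROFILE%": os.path.join(root, "Users", "mom")}

def run_scan(text: str, env: Dict[str, str]) -> Dict[str, List[str]]:
    root, result = os.path.dirname(env["%systemroot%"]), {}
    for d in parse_scan_list(text):
        if d.kind == "file":
            result[d.target] = [os.path.relpath(h, root).replace(os.sep, "/")
                                for h in expand_file_directive(d, env)]
    return result

if __name__ == "__main__":
    print(run_scan(SCAN_LIST, build_sample_tree()))
```

Two things the run makes visible that the bare list does not: a pattern with no /s only looks at the top level of its directory (test\sub\deep.bin is never reported), and a Windows pattern ending in a bare dot such as %systemroot%\*. selects files with no extension at all, which is why that line is useful for spotting dropped payloads that hide without a file type.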

spqr05 (Thread Starter; Member with 130 posts; Join Date: Dec 2011; Experience: Intermediate)
03-Mar-2012, 10:25 AM #14
I will do this tomorrow. I'm sorry for not having done so already, but I've been traveling this week for work and return today. I will post the results tomorrow, but as of now I couldn't even log in to Safe Mode.
spqr05 (Thread Starter; Member with 130 posts; Join Date: Dec 2011; Experience: Intermediate)
08-Mar-2012, 12:53 PM #15
It appears the computer will not even load to the last working configuration either. It just sits at "Windows is starting up..." again.