
searchqu virus & computer won't respond to anything

Discussion in 'Virus & Other Malware Removal' started by spqr05, Feb 19, 2012.

  1. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    Hi there, my dad and mom have a computer that she uses. We are running Windows XP Pro with SP3 and ESET Smart Security. I noticed searchqu on this computer as I had been removing it from my girlfriend's; it must have spread across my network or through an email she sent to them. ESET remoted in and supposedly removed the virus, but nothing is working or responding now, 2 weeks after they did this. It worked fine; I just believe they didn't know the virus took what they needed. They cleaned the registry and it was fine, then a week later it takes longer to load and it's still there. I have had help for this before on some other computers with the searchqu virus.

    Now it takes days just to load a program like Firefox or a window, and it shows "not responding" when I click on My Computer, My Documents, etc. It takes about 10 - 15 minutes just to load Windows now once it gets to the login. Something has taken over this computer and its resources, as sometimes in the Task Manager it goes up to 80% CPU usage without anything loading, and it runs sporadically.

    In other words I know I had the searchqu virus, don't know whether this is the after effects of that or what.

    I have the logs, but it's tough to even get a browser to load, or a window for that matter. I turned off everything in the startup and ran GMER, HijackThis and DDS.

    Please help, as this computer cannot do anything now; it just keeps choking and freezing. I know there are a few updates to run, and my father believes this all happened from a Windows update, but I doubt that with searchqu on here. Thanks for your help.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:12:18 AM, on 2/17/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\ESET\ESET Smart Security\ekrn.exe
    D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Maxtor\Sync\SyncServices.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\SearchIndexer.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\ESET\ESET Smart Security\egui.exe
    D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
    D:\Documents and Settings\Terry Durham\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - D:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [HP OfficeJet Series 700] "D:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install"
    O4 - HKLM\..\Run: [PPort11reminder] "D:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "D:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
    O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248491122484
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1260480585390
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://akamaicdn.webex.com/client/WBXclient-T27L10NSP31-13320/support/ieatgpc.cab
    O20 - AppInit_DLLs:
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
    O23 - Service: ACT! Scheduler - Sage Software, Inc. - D:\Program Files\ACT\Act for Windows\Act.Scheduler.exe
    O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Maxtor Service (Maxtor Sync Services) - Seagate Technology LLC - D:\Program Files\Maxtor\Sync\SyncServices.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

    --
    End of file - 9205 bytes

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
    Run by Terry Durham at 11:13:55 on 2012-02-17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1035 [GMT -8:00]
    .
    AV: ESET Smart Security 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    FW: ESET Personal firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    D:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    D:\Program Files\Bonjour\mDNSResponder.exe
    D:\Program Files\ESET\ESET Smart Security\ekrn.exe
    D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Maxtor\Sync\SyncServices.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    D:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    D:\WINDOWS\system32\svchost.exe -k imgsvc
    D:\WINDOWS\system32\SearchIndexer.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\ESET\ESET Smart Security\egui.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\system32\SearchProtocolHost.exe
    D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=d:\windows\system32\userinit.exe
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - d:\windows\system32\dla\tfswshx.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
    BHO: {9d717f81-9148-4f12-8568-69135f087db0} - DataMngr
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - d:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - d:\program files\google\google toolbar\GoogleToolbar_32.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    mRun: [egui] "d:\program files\eset\eset smart security\egui.exe" /hide /waitservice
    mRun: [HP OfficeJet Series 700] "d:\program files\hewlett-packard\hp officejet series 700\bin\ktchnsnk.exe" -reg "software\hewlett-packard\officejet series 700\Install"
    mRun: [PPort11reminder] "d:\program files\scansoft\paperport\ereg\ereg.exe" -r "d:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
    IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
    IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: intuit.com\ttlc
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
    DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248491122484
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260480585390
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP31-13320/support/ieatgpc.cab
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
    TCP: Interfaces\{8D1DA6AE-0BCC-4990-812F-26950057E35E} : DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
    AppInit_DLLs:
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - d:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - d:\documents and settings\terry durham\application data\mozilla\firefox\profiles\zq98iub3.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=
    FF - component: d:\documents and settings\terry durham\application data\mozilla\firefox\profiles\zq98iub3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
    FF - component: d:\documents and settings\terry durham\application data\mozilla\firefox\profiles\zq98iub3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: d:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: browser.cache.disk_cache_ssl - true); user_pref(content.max.tokenizing.time, 2250000); user_pref(content.notify.backoffcount, 5); user_pref(content.notify.interval, 750000); user_pref(content.notify.ontimer, true); user_pref(content.switch.threshold, 750000); user_pref(network.http.max-connections, 48 user_pref(network.http.max-connections-per-server,
    16);
    user_pref(network.http.max-persistent-connections-per-proxy,
    16);
    user_pref(network.http.max-persistent-connections-per-server,
    8);
    FF - user.js: network.http.pipelining - true); user_pref(network.http.pipelining.maxrequests, 8); user_pref(network.http.proxy.pipelining, true); user_pref(nglayout.initialpaint.delay, 750
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
    .
    =============== Created Last 30 ================
    .
    2012-02-03 22:26:09 -------- d-----w- d:\windows\system32\winrm
    2012-02-03 22:26:02 -------- dc-h--w- d:\windows\$968930Uinstall_KB968930$
    2012-02-03 20:13:28 73728 ----a-w- d:\windows\system32\javacpl.cpl
    2012-02-03 20:13:28 476904 ----a-w- d:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2012-02-03 20:13:28 472808 ----a-w- d:\windows\system32\deployJava1.dll
    2012-01-23 17:53:25 -------- d-----w- d:\program files\iPod
    2012-01-23 17:53:20 -------- d-----w- d:\program files\iTunes
    .
    ==================== Find3M ====================
    .
    2012-02-16 16:58:31 952 --sha-w- d:\documents and settings\all users\application data\KGyGaAvL.sys
    2012-01-13 13:26:26 414368 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-10 23:24:06 20464 ----a-w- d:\windows\system32\drivers\mbam.sys
    2011-11-25 21:57:19 293376 ----a-w- d:\windows\system32\winsrv.dll
    2011-11-23 13:25:32 1859584 ----a-w- d:\windows\system32\win32k.sys
    .
    ============= FINISH: 11:15:51.47 ===============

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-19 12:21:03
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-f WDC_WD5000AAKB-00H8A0 rev.05.04E05
    Running: ilyflpzo.exe; Driver: D:\DOCUME~1\TERRYD~1\LOCALS~1\Temp\pxtdypob.sys


    ---- System - GMER 1.0.15 ----

    SSDT 89D4CC90 ZwAssignProcessToJobObject
    SSDT 89D4D200 ZwDebugActiveProcess
    SSDT 89D4D2F0 ZwDuplicateObject
    SSDT 89D4C590 ZwOpenProcess
    SSDT 89D4C800 ZwOpenThread
    SSDT 89D4CFD0 ZwProtectVirtualMemory
    SSDT 89D4D0E0 ZwQueueApcThread
    SSDT 89D4CEC0 ZwSetContextThread
    SSDT 89D4CD90 ZwSetInformationThread
    SSDT 89D49DA0 ZwSetSecurityObject
    SSDT 89D4CB90 ZwSuspendProcess
    SSDT 89D4CA80 ZwSuspendThread
    SSDT 89D4C6E0 ZwTerminateProcess
    SSDT 89D4CA50 ZwTerminateThread
    SSDT 89D4D6D0 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    .text D:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB7A0A380, 0x550AF5, 0xE8000020]
    ? D:\DOCUME~1\TERRYD~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text D:\Program Files\ESET\ESET Smart Security\ekrn.exe[212] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
    .text D:\WINDOWS\system32\SearchIndexer.exe[724] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C D:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
    AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
    AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

    ---- EOF - GMER 1.0.15 ----
     

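The HijackThis and DDS output above is the raw material a helper triages by hand: browser-helper-object (O2) entries whose DLL no longer exists, and Firefox preferences that disagree with each other (the selected search engine is Google, yet keyword.URL sends address-bar searches to dts.search-results.com). The following is an added example, not part of the thread and not code from the HijackThis or DDS tools, that mechanises those two checks over a handful of lines copied from the logs posted above. The "engine name appears in the search host" rule is a heuristic assumption, not something either tool defines.

```python
"""Triage a few HijackThis / DDS log line types for leftover browser changes.

Added example: parses O2 (BHO) lines and DDS "FF - prefs.js" lines, then
reports BHO registrations with no backing file and a Firefox keyword.URL
that does not point at the engine the user selected.
"""
import re
from urllib.parse import urlsplit

# Sample input: lines copied from the logs in this thread (constructed
# subset, not a complete log). DDS defangs URLs as "hxxp".
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: DataMngr - {9D717F81-9148-4f12-8568-69135F087DB0} - (no file)
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O20 - AppInit_DLLs:
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=
"""

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path or (no file)>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# DDS Firefox preference line: "FF - prefs.js: <pref> - <value>"
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.*)$")


def parse_lines(text):
    """Return a list of (kind, fields) for the line types handled here."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            records.append(("bho", m.groupdict()))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            records.append(("ffpref", m.groupdict()))
    return records


def orphaned_bhos(records):
    """Names of BHO registrations whose DLL HijackThis could not find."""
    return [
        r["name"]
        for kind, r in records
        if kind == "bho"
        and (r["path"] == "(no file)" or r["path"].endswith("(file missing)"))
    ]


def refang(url):
    """Turn DDS's defanged 'hxxp(s)://' back into a parseable scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def firefox_search_mismatch(records):
    """(selected engine, keyword.URL host) if they disagree, else None.

    Heuristic (assumption): the selected engine's name should appear in the
    host that address-bar searches are sent to, e.g. 'google' in
    'www.google.com'. A host that does not contain it is worth a look.
    """
    prefs = {r["pref"]: r["value"] for kind, r in records if kind == "ffpref"}
    engine = prefs.get("browser.search.selectedEngine")
    keyword_url = prefs.get("keyword.URL")
    if not engine or not keyword_url:
        return None
    host = urlsplit(refang(keyword_url)).hostname or ""
    if engine.lower() in host.lower():
        return None
    return (engine, host)


def triage(text):
    """Human-readable findings for a log excerpt."""
    records = parse_lines(text)
    findings = [f"orphaned BHO registration: {name}" for name in orphaned_bhos(records)]
    mismatch = firefox_search_mismatch(records)
    if mismatch:
        engine, host = mismatch
        findings.append(
            f"Firefox keyword.URL sends address-bar searches to {host}, "
            f"not to the selected engine ({engine})"
        )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample above this reports the two file-less BHOs and the keyword.URL host; the Google Toolbar BHO, which points at an existing DLL, and the Start Page entry, which is the Microsoft default, are not flagged. The parser only handles the two line types it needs, so R0/R1, O4 and O23 entries pass through untouched.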

  2. Sunyata

    Sunyata Malware Specialist

    Joined:
    Feb 19, 2012
    Messages:
    97
    Hi spqr05 and welcome to the forums!
    I'm Sunyata and I will be helping you with your computer problems.

    Please read the following guidelines which will help to make cleaning your machine easier:


    • Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
    • The fixes I will give you are specific to your problem and should only be used for this issue on this machine.
    • Please make sure to carefully read any instructions posted. If you're not sure, please stop and ask!
    • Please stay with this thread until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that all malware is gone.
    • PLEASE DO NOT install/uninstall any programs unless asked to.
    • PLEASE DO NOT run any malware scans other than those requested.
    • Please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
    • I will reply back shortly with instructions.


    Note to Vista and Windows 7 users:

    1. These tools MUST be run from the executable. (.exe) every time you run them
    2. These tools MUST be run With Admin Rights (Right click, choose "Run as Administrator")


    Please download aswMBR to your desktop.
    • Double click the aswMBR icon to run it.
    • When asked if you want to download Avast's virus definitions please select Yes.
    • Click the Scan button to start scan.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.
     
  3. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    Thanks for your help, I really appreciate it. Here are the results of the scan. By the way, this was done in safe mode with networking; do you want me to try it in normal mode? In normal mode I disabled all the startup items except ESET. We used to use this computer as the server, so it has a total of 3 different hard drives, as additional insight into the system.

    aswMBR version 0.9.9.1618 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-20 18:18:54
    -----------------------------
    18:18:54.640 OS Version: Windows 5.1.2600 Service Pack 3
    18:18:54.640 Number of processors: 1 586 0x801
    18:18:54.640 ComputerName: SPQR UserName:
    18:18:54.984 Initialize success
    18:20:31.234 AVAST engine defs: 12022002
    18:20:54.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-f
    18:20:54.453 Disk 0 Vendor: WDC_WD5000AAKB-00H8A0 05.04E05 Size: 476940MB BusType: 3
    18:20:54.453 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-17
    18:20:54.468 Disk 1 Vendor: Maxtor_6Y060L0 YAR41VW0 Size: 58644MB BusType: 3
    18:20:54.500 Disk 0 MBR read successfully
    18:20:54.500 Disk 0 MBR scan
    18:20:54.562 Disk 0 Windows XP default MBR code
    18:20:54.578 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 60000 MB offset 63
    18:20:54.593 Disk 0 Partition - 00 0F Extended LBA 416929 MB offset 122881185
    18:20:54.625 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 416929 MB offset 122881248
    18:20:54.640 Disk 0 scanning sectors +976752000
    18:20:54.703 Disk 0 scanning D:\WINDOWS\system32\drivers
    18:21:12.171 Service scanning
    18:22:32.156 Service GMSIPCI F:\INSTALL\GMSIPCI.SYS **LOCKED** 23
    18:22:51.500 Modules scanning
    18:22:55.187 Disk 0 trace - called modules:
    18:22:55.421 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
    18:22:55.671 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a2bdab8]
    18:22:55.921 3 CLASSPNP.SYS[f7647fd7] -> nt!IofCallDriver -> \Device\00000064[0x8a2c39e8]
    18:22:56.171 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-f[0x8a2a3940]
    18:22:56.812 AVAST engine scan D:\WINDOWS
    18:23:08.046 AVAST engine scan D:\WINDOWS\system32
    18:28:06.156 AVAST engine scan D:\WINDOWS\system32\drivers
    18:28:29.812 AVAST engine scan D:\Documents and Settings\Terry Durham
    18:32:44.546 AVAST engine scan D:\Documents and Settings\All Users
    18:35:00.281 Scan finished successfully
    18:44:46.250 Disk 0 MBR has been saved successfully to "D:\Documents and Settings\Terry Durham\Desktop\MBR.dat"
    18:44:46.265 The log file has been saved successfully to "D:\Documents and Settings\Terry Durham\Desktop\aswMBR.txt"
     
  4. Sunyata

    Sunyata Malware Specialist

    Joined:
    Feb 19, 2012
    Messages:
    97
    Hello spqr05

    Can you tell me the name of the program in the task manager that behaves this way?

    Do you have a specific reason for running scans in safe mode? It is OK for the aswMBR scan. This next scan, however, please perform in Normal Mode if possible.




    Please read through these instructions to familiarize yourself with what to expect when this tool runs

    Please download ComboFix from one of the following locations:


    **IMPORTANT! Save ComboFix to your Desktop. Read the following thoroughly

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs
    • Double click on 'ComboFix.exe' & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message box:


    Click on 'Yes', to continue scanning for malware.

    When finished, it will produce a log for you.
    Please include the contents of C:\ComboFix.txt in your next reply.

    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
    3. ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
    4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.
    5. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    In your next reply please post the log created by ComboFix.
     
  5. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    Hello spqr05

    Quote:
    sometimes in the taskmanager it goes up to 80 cpu usage
    Can you tell me the name of the program in the task manager that behaves this way?

    Earlier it was Firefox. But I've had it just running up and nothing is in the Task Manager running. I've seen csrss or lsass, search protocol, but these are all running at low CPU. Firefox is high, plus this searchindexer.exe. I'm not sure if that's Microsoft, but we don't use that one. I do see it in my toolbar.

    Quote:
    this was done in safe mode with networking, do you want me to try it in normal mode?
    Do you have a specific reason for running scans in safe mode? It is OK for the aswMBR scan. This next scan, however, please perform in Normal Mode if possible.

    The computer was struggling to do anything, so I was trying to simply get it to load a browser. In safe mode overnight it was going crazy. I clicked once on Mozilla and it loaded it over 100 times, then it was saying things about my database ACT and Microsoft, like it was trying to access information when I had not clicked on anything. It was OK to load after like 5 - 10 restarts this evening in normal mode, but a pain in the behind. Thanks for your help again. Firefox seems to take up lots of resources at times, but 10 - 20%.

    ComboFix 12-02-21.02 - Terry Durham 02/21/2012 20:37:07.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1014 [GMT -8:00]
    Running from: d:\documents and settings\Terry Durham\Desktop\ComboFix.exe
    AV: ESET Smart Security 4.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\my documents\~WRL0807.tmp
    d:\documents and settings\Terry Durham\WINDOWS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-01-22 to 2012-02-22 )))))))))))))))))))))))))))))))
    .
    .
    2012-02-09 17:08 . 2012-02-09 17:08 -------- d-----w- d:\documents and settings\Administrator.SPQR.000
    2012-02-03 22:26 . 2012-02-03 22:26 -------- d-----w- d:\windows\system32\winrm
    2012-02-03 22:26 . 2012-02-03 22:26 -------- dc-h--w- d:\windows\$968930Uinstall_KB968930$
    2012-02-03 20:13 . 2012-02-03 20:13 -------- d-----w- d:\program files\Common Files\Java
    2012-02-03 20:13 . 2012-02-03 20:13 476904 ----a-w- d:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2012-02-03 20:13 . 2012-02-03 20:13 73728 ----a-w- d:\windows\system32\javacpl.cpl
    2012-02-03 20:13 . 2012-02-03 20:13 472808 ----a-w- d:\windows\system32\deployJava1.dll
    2012-02-03 20:13 . 2012-02-03 20:13 -------- d-----w- d:\program files\Java
    2012-02-03 19:59 . 2012-02-03 19:59 -------- d-----w- d:\documents and settings\Terry Durham\Application Data\ArcSoft
    2012-01-23 17:53 . 2012-01-23 17:53 -------- d-----w- d:\program files\iPod
    2012-01-23 17:53 . 2012-01-23 17:54 -------- d-----w- d:\program files\iTunes
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-02-16 16:58 . 2010-03-03 00:08 952 --sha-w- d:\documents and settings\All Users\Application Data\KGyGaAvL.sys
    2012-01-13 13:26 . 2011-05-25 16:23 414368 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
    2011-12-10 23:24 . 2009-08-27 15:33 20464 ----a-w- d:\windows\system32\drivers\mbam.sys
    2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- d:\windows\system32\winsrv.dll
    2012-01-29 15:55 . 2011-11-09 15:57 134104 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP OfficeJet Series 700"="d:\program files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe -reg Software\Hewlett-Packard\OfficeJet Series 700\Install" [X]
    "egui"="d:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
    "PPort11reminder"="d:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "d:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=d:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
    .
    [HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=d:\windows\pss\Windows Search.lnkCommon Startup
    .
    [HKLM\~\startupfolder\D:^Documents and Settings^Terry Durham^Start Menu^Programs^Startup^FAXRX.lnk]
    path=d:\documents and settings\Terry Durham\Start Menu\Programs\Startup\FAXRX.lnk
    backup=d:\windows\pss\FAXRX.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    2004-12-14 09:12 483328 ----a-w- d:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
    2010-01-21 04:21 331776 ----a-w- d:\program files\ACT\Act for Windows\ActSage.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
    2010-01-21 04:12 28672 ----a-w- d:\program files\ACT\Act for Windows\Act.Outlook.Service.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2011-10-06 08:52 59240 ----a-w- d:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-11-02 07:25 59240 ----a-w- d:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
    2009-01-19 15:37 1150976 ------r- d:\program files\Brother\Brmfcmon\BrMfcWnd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
    2009-01-09 22:53 114688 ------w- d:\program files\Brother\ControlCenter3\BrCtrCen.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- d:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2003-03-12 08:03 114741 ----a-w- d:\windows\system32\dla\tfswctrl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
    2009-09-21 16:36 122368 ----a-w- d:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2008-07-10 06:05 46368 ----a-w- d:\program files\ScanSoft\PaperPort\IndexSearch.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-01-17 01:22 421736 ----a-w- d:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mssSort]
    2008-08-05 14:54 1647960 ----a-w- d:\program files\Maxtor\ManagerApp\msssort.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
    2008-08-05 14:54 169312 ----a-w- d:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-01-12 06:17 13666408 ----a-w- d:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-01-12 06:17 110696 ----a-w- d:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2008-07-10 06:07 29984 ----a-w- d:\program files\ScanSoft\PaperPort\pptd40nt.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-10-24 21:28 421888 ----a-w- d:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2002-09-11 02:57 46592 ----a-r- d:\windows\SOUNDMAN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2006-10-25 16:03 210472 ----a-w- d:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
    2002-06-18 07:01 155648 ----a-w- d:\program files\VERITAS Software\Update Manager\sgtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 21:06 254696 ----a-w- d:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2009-09-21 16:36 39408 ----a-w- d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
    "d:\\Program Files\\Maxtor\\ManagerApp\\MaxUtilities.exe"=
    "d:\\Program Files\\Brother\\Brmfl08l\\FAXRX.exe"=
    "d:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "d:\\Program Files\\iTunes\\iTunes.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "54925:UDP"= 54925:UDP:BrotherNetwork Scanner
    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
    .
    R1 ehdrv;ehdrv;d:\windows\system32\drivers\ehdrv.sys [5/14/2009 2:47 PM 107256]
    R2 ekrn;ESET Service;d:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 2:47 PM 731840]
    R2 Maxtor Sync Services;Maxtor Service;d:\program files\Maxtor\Sync\SyncServices.exe [8/5/2008 6:54 AM 181600]
    R2 MSSQL$ACT7;SQL Server (ACT7);d:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 5:29 PM 29293408]
    S2 ACT! Scheduler;ACT! Scheduler;d:\program files\ACT\Act for Windows\Act.Scheduler.exe [1/20/2010 8:23 PM 81920]
    S2 nvTUNEP;nVidia WDM TVTuner;d:\windows\system32\drivers\NVTUNEP.SYS [7/24/2009 6:39 PM 15968]
    S2 nvtvSND;nVidia WDM TVAudio Crossbar;d:\windows\system32\drivers\NVTVSND.SYS [7/24/2009 6:39 PM 13776]
    S3 PLCND532;PLCND532 NDIS Protocol Driver;d:\windows\system32\drivers\PLCND532.sys [8/18/2008 1:35 PM 26656]
    S3 WinRM;Windows Remote Management (WS-Management);d:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-02-13 d:\windows\Tasks\AppleSoftwareUpdate.job
    - d:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
    FF - ProfilePath - d:\documents and settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=
    FF - user.js: browser.cache.disk_cache_ssl - true); user_pref(content.max.tokenizing.time, 2250000); user_pref(content.notify.backoffcount, 5); user_pref(content.notify.interval, 750000); user_pref(content.notify.ontimer, true); user_pref(content.switch.threshold, 750000); user_pref(network.http.max-connections, 48 user_pref(network.http.max-connections-per-server,
    16);
    user_pref(network.http.max-persistent-connections-per-proxy,
    16);
    user_pref(network.http.max-persistent-connections-per-server,
    8);
    FF - user.js: network.http.pipelining - true); user_pref(network.http.pipelining.maxrequests, 8); user_pref(network.http.proxy.pipelining, true); user_pref(nglayout.initialpaint.delay, 750
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    ShellIconOverlayIdentifiers-{b75ab0c8-03d5-4592-9821-a48d54d66b14} - MssShellExt.dll
    MSConfigStartUp-nwiz - nwiz.exe
    MSConfigStartUp-zzzHPSETUP - F:\Setup.exe
    AddRemove-NVIDIA Display Control Panel - d:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-02-21 20:43
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2012-02-21 20:48:46
    ComboFix-quarantined-files.txt 2012-02-22 04:48
    .
    Pre-Run: 26,866,565,120 bytes free
    Post-Run: 26,570,072,064 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - FF74FEABCE87E4A29FCC0AAE2D67DA54
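    As an added example (mine, not part of this thread and not ComboFix or OTL code): a small Python triage pass over logs in the two formats posted here. From the log above it picks out Firefox's keyword.URL being redirected to dts.search-results.com (the "Search Results" redirect behind the searchqu complaint the thread starter describes) and the standard-profile firewall reporting EnableFirewall=0; on OTL-style lines it also checks for a "Search Results" default engine, a loopback HTTP proxy in prefs.js, and wuauserv reported as "File not found". The regular expressions, the HIJACK_DOMAINS list and SAMPLE_LOG are constructed for this example, modelled on lines from the logs in this thread.

```python
"""Triage a ComboFix / OTL text log for the hijack and hardening indicators
seen in this thread.  Added example, not code from either tool; the regexes,
the HIJACK_DOMAINS list and the sample log are assumptions built for it."""
import re
from dataclasses import dataclass

# Hosts that the "Search Results" / searchqu toolbar family redirected
# searches through.  Constructed list for the example; extend as needed.
HIJACK_DOMAINS = ("search-results.com", "searchqu.com")

# ComboFix writes a pref as   FF - prefs.js: name - value   (URLs defanged as hxxp)
# OTL writes it as            FF - prefs.js..name: "value"
_COMBOFIX_PREF = re.compile(r'^\s*FF - prefs\.js: (\S+) - (.+?)\s*$')
_OTL_PREF = re.compile(r'^\s*FF - prefs\.js\.\.(\S+): (.+?)\s*$')
_FIREWALL = re.compile(r'^\s*"EnableFirewall"\s*=\s*(\d+)')
_SERVICE_MISSING = re.compile(r'^\s*SRV - \((\w+)\) -- File not found')


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    indicator: str
    evidence: str


def parse_ff_prefs(log_text):
    """Return {pref_name: value} from ComboFix- and OTL-style Firefox lines."""
    prefs = {}
    for line in log_text.splitlines():
        m = _COMBOFIX_PREF.match(line) or _OTL_PREF.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def _host_of(url):
    """Hostname of a URL, accepting the defanged hxxp:// form ComboFix emits."""
    return re.sub(r'^(hxxp|http)s?://', '', url, flags=re.I).split('/')[0].lower()


def triage(log_text):
    """Return a list of Finding objects, in the order the checks run."""
    findings = []
    prefs = parse_ff_prefs(log_text)

    # 1. Search hijack: keyword.URL (address-bar searches) or the default
    #    search URL pointing at a known redirect host.
    for name in ("keyword.URL", "browser.search.defaulturl"):
        value = prefs.get(name, "")
        host = _host_of(value)
        if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
            findings.append(Finding("high", f"Firefox {name} routed through {host}", value))
    if prefs.get("browser.search.defaultenginename") == "Search Results":
        findings.append(Finding("medium", "Firefox default search engine is 'Search Results'",
                                prefs["browser.search.defaultenginename"]))

    # 2. Proxy: a loopback HTTP proxy in prefs.js means something on the host
    #    sits between the browser and the network; rarely set by a home user.
    proxy_host = prefs.get("network.proxy.http")
    if proxy_host:
        port = prefs.get("network.proxy.http_port", "?")
        sev = "high" if proxy_host in ("localhost", "127.0.0.1") else "medium"
        findings.append(Finding(sev, f"Firefox HTTP proxy set to {proxy_host}:{port}", proxy_host))

    # 3. Host hardening: firewall profile off, Windows Update service gone.
    for line in log_text.splitlines():
        m = _FIREWALL.match(line)
        if m and m.group(1) == "0":
            findings.append(Finding("medium", "Windows Firewall standard profile disabled", line.strip()))
        m = _SERVICE_MISSING.match(line)
        if m:
            sev = "medium" if m.group(1).lower() == "wuauserv" else "info"
            findings.append(Finding(sev, f"service {m.group(1)} registered but its file is missing",
                                    line.strip()))
    return findings


# Constructed sample, modelled on lines from the ComboFix and OTL logs in this thread.
SAMPLE_LOG = """\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=
"EnableFirewall"= 0 (0x0)
FF - prefs.js..browser.search.defaultenginename: "Search Results"
FF - prefs.js..network.proxy.http: "localhost"
FF - prefs.js..network.proxy.http_port: 7070
SRV - (wuauserv) -- File not found
uInternet Settings,ProxyOverride = *.local
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.indicator}  <- {f.evidence}")
```

    Run it as a script to print the findings for the constructed sample, or call triage() on the text of a real ComboFix.txt or OTL.txt. The severity split is deliberate: a redirected keyword.URL and a loopback proxy are the two findings that explain what the user actually sees in the browser, while the firewall flag and the missing update service are the hardening items to put right once the machine is clean.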
     
  6. Sunyata

    Sunyata Malware Specialist

    Joined:
    Feb 19, 2012
    Messages:
    97
    Hello spqr05

    Please download OTL to your desktop.

    • If you are using Firefox, make sure that your download settings are as follows:
      -Tools->Options->Main tab
      -Set to "Always ask me where to Save the files".​
    • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output
    • Check the boxes beside LOP Check and Purity Check.
    • In the window under Custom Scans/Fixes copy and paste the following

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lîk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Deskuop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results Install|LastSuccessTime /rs
    %USERPROFILE%\..|smtmp;true;true;true /FP
    %temp%\smtmp\*.* /s >
    %systemroot%\*. /rp /s
    d:\windows\$968930Uinstall_KB968930$\* /s
    /md5start
    iexplore.*
    explorer.*
    winlogon.*
    dll
    zx.dll
    hlp.dat
    consrv.dll
    winsrv.dll
    /md5stop
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.txt and Extras.txt. These are saved in the same location as OTL.
    Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
     
  7. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    OTL logfile created on: 2/22/2012 10:39:08 AM - Run 1
    OTL by OldTimer - Version 3.2.33.2 Folder = D:\Documents and Settings\Terry Durham\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.50 Gb Total Physical Memory | 0.93 Gb Available Physical Memory | 62.13% Memory free
    3.35 Gb Paging File | 2.94 Gb Available in Paging File | 87.54% Paging File free
    Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
    Drive C: | 407.16 Gb Total Space | 343.72 Gb Free Space | 84.42% Space Free | Partition Type: NTFS
    Drive D: | 58.59 Gb Total Space | 24.83 Gb Free Space | 42.38% Space Free | Partition Type: NTFS
    Drive E: | 37.26 Gb Total Space | 11.50 Gb Free Space | 30.87% Space Free | Partition Type: NTFS
    Drive H: | 20.00 Gb Total Space | 5.16 Gb Free Space | 25.81% Space Free | Partition Type: NTFS

    Computer Name: SPQR | User Name: Terry Durham | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - D:\Documents and Settings\Terry Durham\Desktop\OTL.exe (OldTimer Tools)
    PRC - D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
    PRC - D:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
    PRC - D:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
    PRC - D:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)
    PRC - D:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


    ========== Modules (No Company Name) ==========

    MOD - D:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll ()
    MOD - D:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll ()
    MOD - D:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll ()
    MOD - D:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.Xml.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll ()
    MOD - D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abef85f2fb8ba830eda73e2d12e8d41e\System.ServiceProcess.ni.dll ()
    MOD - D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll ()
    MOD - D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll ()
    MOD - D:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
    MOD - D:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.136.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract\1.0.0.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\3.1.26.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.1.31.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll ()
    MOD - D:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.56.0__28c9bcd4dddc48a1\System.Data.SQLite.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\4.0.114.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\4.0.114.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\2.0.145.4__540d4816ead86321\Intuit.Spc.Esd.Core.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\2.1.72.22__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll ()
    MOD - D:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\log4net\1.2.10.0__1b44e1d426115821\log4net.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Portability\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Portability.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.ExceptionHandling\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.ExceptionHandling.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Logging\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Logging.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Config\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Config.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Api.Net\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Api.Net.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Core\2.0.445.0__540d4816ead86321\Intuit.Spc.Esd.Core.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.BusinessLogic\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.BusinessLogic.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.DataAccess\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.DataAccess.dll ()
    MOD - D:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.Client.Common\3.0.335.0__540d4816ead86321\Intuit.Spc.Esd.Client.Common.dll ()
    MOD - D:\Program Files\Brother\BrUtilities\BrLogAPI.dll ()
    MOD - D:\WINDOWS\system32\BrMuSNMP.dll ()


    ========== Win32 Services (SafeList) ==========

    SRV - (wuauserv) -- File not found
    SRV - (IntuitUpdateService) -- D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc.)
    SRV - (ACT! Scheduler) -- D:\Program Files\ACT\Act for Windows\Act.Scheduler.exe (Sage Software, Inc.)
    SRV - (EhttpSrv) -- D:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe (ESET)
    SRV - (ekrn) -- D:\Program Files\ESET\ESET Smart Security\ekrn.exe (ESET)
    SRV - (Maxtor Sync Services) -- D:\Program Files\Maxtor\Sync\SyncServices.exe (Seagate Technology LLC)
    SRV - (PSI_SVC_2) -- D:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


    ========== Driver Services (SafeList) ==========

    DRV - (epfwtdi) -- D:\WINDOWS\system32\drivers\epfwtdi.sys (ESET)
    DRV - (Epfwndis) -- D:\WINDOWS\system32\drivers\epfwndis.sys (ESET)
    DRV - (epfw) -- D:\WINDOWS\system32\drivers\epfw.sys (ESET)
    DRV - (ehdrv) -- D:\WINDOWS\system32\drivers\ehdrv.sys (ESET)
    DRV - (eamon) -- D:\WINDOWS\system32\drivers\eamon.sys (ESET)
    DRV - (PLCND532) -- D:\WINDOWS\system32\drivers\PLCND532.sys (Intellon, Inc.)
    DRV - (pfc) -- D:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
    DRV - (ALCXWDM) Service for Avance AC97 Audio (WDM) -- D:\WINDOWS\system32\drivers\ALCXWDM.SYS (Avance Logic, Inc.)
    DRV - (nvcap) nVidia WDM Video Capture (universal) -- D:\WINDOWS\system32\drivers\NVCAP.SYS (NVIDIA Corporation)
    DRV - (nvTUNEP) -- D:\WINDOWS\system32\drivers\NVTUNEP.SYS (NVIDIA Corporation)
    DRV - (nvtvSND) -- D:\WINDOWS\system32\drivers\NVTVSND.SYS (NVIDIA Corporation)
    DRV - (NVXBAR) -- D:\WINDOWS\system32\drivers\NVXBAR.SYS (NVIDIA Corporation)
    DRV - (viaagp1) -- D:\WINDOWS\system32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
    DRV - (DumaNT) -- D:\WINDOWS\system32\drivers\dumant.sys (NVIDIA Corporation)
    DRV - (winachsf) -- D:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems)
    DRV - (basic2) -- D:\WINDOWS\system32\drivers\basic2.sys (Conexant Systems)
    DRV - (V124) -- D:\WINDOWS\system32\drivers\v124nt.sys (Conexant Systems)
    DRV - (Rksample) -- D:\WINDOWS\system32\drivers\rksample.sys (Conexant Systems)
    DRV - (Cnxtdiag) -- D:\WINDOWS\system32\drivers\cnxtdiag.sys (Conexant Systems)
    DRV - (K56) -- D:\WINDOWS\system32\drivers\k56nt.sys (Conexant)
    DRV - (Fsks) -- D:\WINDOWS\system32\drivers\fsksnt.sys (Conexant)
    DRV - (SoftFax) -- D:\WINDOWS\system32\drivers\faxnt.sys (Conexant)
    DRV - (Tones) -- D:\WINDOWS\system32\drivers\tonesnt.sys (Conexant)
    DRV - (Fallback) -- D:\WINDOWS\system32\drivers\fallback.sys (Conexant)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..browser.search.defaultenginename: "Search Results"
    FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
    FF - prefs.js..browser.search.order.1: "Search Results"
    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.search.useDBForOrder: true
    FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
    FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q="
    FF - prefs.js..network.proxy.http: "localhost"
    FF - prefs.js..network.proxy.http_port: 7070


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: D:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: D:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: D:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: D:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: D:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: D:\Documents and Settings\All Users\Application Data\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/07/27 17:04:06 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2012/02/06 12:09:37 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2012/02/03 12:13:28 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: D:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2009/12/08 13:55:28 | 000,000,000 | ---D | M]

    [2012/02/03 12:27:29 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Extensions
    [2012/01/09 16:41:11 | 000,000,000 | ---D | M] (No name found) -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\extensions
    [2010/07/18 03:55:11 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2011/06/03 22:00:50 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    [2009/03/31 14:47:08 | 000,005,516 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\searchplugins\copernic-home.xml
    [2011/11/30 15:58:38 | 000,002,515 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Application Data\Mozilla\Firefox\Profiles\zq98iub3.default\searchplugins\Search_Results.xml
    [2012/02/06 12:09:37 | 000,000,000 | ---D | M] (No name found) -- D:\Program Files\Mozilla Firefox\extensions
    [2012/01/29 07:55:53 | 000,134,104 | ---- | M] (Mozilla Foundation) -- D:\Program Files\mozilla firefox\components\browsercomps.dll
    [2012/02/03 12:13:14 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2012/01/29 05:36:35 | 000,002,252 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2011/11/30 15:58:38 | 000,002,515 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
    [2012/01/29 05:36:35 | 000,002,040 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2012/02/21 20:43:21 | 000,000,027 | ---- | M]) - D:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - D:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (AcroIEToolbarHelper Class) - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [egui] D:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
    O4 - HKLM..\Run: [HP OfficeJet Series 700] "D:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 700\Install" File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Convert link target to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert link target to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selected links to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert selection to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O8 - Extra context menu item: Convert to existing PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - D:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab (System Requirements Lab Class)
    O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab (Reg Error: Key error.)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248491122484 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1260480585390 (MUWebControl Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T27L10NSP31-13320/support/ieatgpc.cab (GpcContainer Class)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8D1DA6AE-0BCC-4990-812F-26950057E35E}: DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (D:\WINDOWS\system32\userinit.exe) - D:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: D:\Documents and Settings\Terry Durham\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: D:\Documents and Settings\Terry Durham\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - D:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2004/06/03 14:29:32 | 000,000,000 | ---- | M] () - H:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: wuauserv - File not found

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/02/22 10:37:18 | 000,583,680 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\Terry Durham\Desktop\OTL.exe
    [2012/02/21 20:34:58 | 000,000,000 | RHSD | C] -- D:\cmdcons
    [2012/02/21 20:33:04 | 000,518,144 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWREG.exe
    [2012/02/21 20:33:04 | 000,406,528 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWSC.exe
    [2012/02/21 20:33:04 | 000,212,480 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWXCACLS.exe
    [2012/02/21 20:33:04 | 000,060,416 | ---- | C] (NirSoft) -- D:\WINDOWS\NIRCMD.exe
    [2012/02/21 20:32:56 | 000,000,000 | ---D | C] -- D:\WINDOWS\ERDNT
    [2012/02/21 20:32:50 | 000,000,000 | ---D | C] -- D:\Qoobox
    [2012/02/21 20:30:01 | 004,414,945 | R--- | C] (Swearware) -- D:\Documents and Settings\Terry Durham\Desktop\ComboFix.exe
    [2012/02/20 18:17:50 | 004,729,344 | ---- | C] (AVAST Software) -- D:\Documents and Settings\Terry Durham\Desktop\aswMBR.exe
    [2012/02/17 10:40:30 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- D:\Documents and Settings\Terry Durham\Desktop\HijackThis.exe
    [2012/02/17 10:39:08 | 000,607,260 | R--- | C] (Swearware) -- D:\Documents and Settings\Terry Durham\Desktop\dds.com
    [2012/02/03 14:26:09 | 000,000,000 | ---D | C] -- D:\WINDOWS\System32\winrm
    [2012/02/03 14:26:02 | 000,000,000 | -H-D | C] -- D:\WINDOWS\$968930Uinstall_KB968930$
    [2012/02/03 12:13:46 | 000,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Sun
    [2012/02/03 12:13:44 | 000,000,000 | ---D | C] -- D:\Program Files\Common Files\Java
    [2012/02/03 12:13:28 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\deployJava1.dll
    [2012/02/03 12:13:28 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javaws.exe
    [2012/02/03 12:13:28 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javaw.exe
    [2012/02/03 12:13:28 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javacpl.cpl
    [2012/02/03 12:13:27 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\java.exe
    [2012/02/03 12:13:07 | 000,000,000 | ---D | C] -- D:\Program Files\Java
    [2012/02/03 12:12:37 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Terry Durham\Application Data\Sun
    [2012/02/03 12:11:02 | 000,910,112 | ---- | C] (Sun Microsystems, Inc.) -- D:\Documents and Settings\Terry Durham\Desktop\jxpiinstall.exe
    [2012/02/03 11:59:31 | 000,000,000 | ---D | C] -- C:\My Documents\My Albums
    [2012/02/03 11:59:24 | 000,000,000 | ---D | C] -- D:\Documents and Settings\Terry Durham\Application Data\ArcSoft
    [2010/03/02 15:54:02 | 021,046,160 | ---- | C] (Sage Software ) -- D:\Documents and Settings\Terry Durham\Application Data\ACT1200HotFix_SS.exe
    [6 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
    [1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/02/22 10:37:36 | 000,583,680 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\Terry Durham\Desktop\OTL.exe
    [2012/02/21 20:43:21 | 000,000,027 | ---- | M] () -- D:\WINDOWS\System32\drivers\etc\hosts
    [2012/02/21 20:35:05 | 000,000,327 | RHS- | M] () -- D:\boot.ini
    [2012/02/21 20:30:50 | 004,414,945 | R--- | M] (Swearware) -- D:\Documents and Settings\Terry Durham\Desktop\ComboFix.exe
    [2012/02/21 20:24:17 | 000,013,768 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
    [2012/02/21 20:22:53 | 000,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
    [2012/02/21 20:22:48 | 1610,141,696 | -HS- | M] () -- D:\hiberfil.sys
    [2012/02/20 18:44:46 | 000,000,512 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\MBR.dat
    [2012/02/20 18:18:27 | 004,729,344 | ---- | M] (AVAST Software) -- D:\Documents and Settings\Terry Durham\Desktop\aswMBR.exe
    [2012/02/17 10:41:13 | 000,302,592 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\ilyflpzo.exe
    [2012/02/17 10:40:30 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- D:\Documents and Settings\Terry Durham\Desktop\HijackThis.exe
    [2012/02/17 10:39:08 | 000,607,260 | R--- | M] (Swearware) -- D:\Documents and Settings\Terry Durham\Desktop\dds.com
    [2012/02/17 10:30:39 | 016,809,984 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\PandaActiveScanCleaner.msi
    [2012/02/16 12:11:01 | 000,000,664 | ---- | M] () -- D:\WINDOWS\System32\d3d9caps.dat
    [2012/02/16 08:58:31 | 000,000,952 | -HS- | M] () -- D:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
    [2012/02/16 08:36:22 | 000,261,626 | ---- | M] () -- C:\My Documents\MedSolutions Precertification for Joann Durham CT NECK Procedure 02062012.pdf
    [2012/02/13 08:54:01 | 000,000,284 | ---- | M] () -- D:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2012/02/08 08:45:35 | 000,000,139 | ---- | M] () -- D:\WINDOWS\msicpl.ini
    [2012/02/06 18:35:11 | 000,147,222 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\Partners Capital and Worldwide Loan Acquisitions Blanket Confidentiality Agreement 02062012.pdf
    [2012/02/06 17:32:23 | 000,098,542 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Referral and Fee Sharing Agreement 02062012.pdf
    [2012/02/06 17:16:38 | 000,239,076 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Confi, Non-Circ and Fee Agreement 02062012.pdf
    [2012/02/06 12:09:38 | 000,000,724 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2012/02/03 14:27:54 | 000,001,355 | ---- | M] () -- D:\WINDOWS\imsins.BAK
    [2012/02/03 13:20:54 | 000,000,784 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/03 12:13:13 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javaws.exe
    [2012/02/03 12:13:13 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javaw.exe
    [2012/02/03 12:13:13 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\javacpl.cpl
    [2012/02/03 12:13:12 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\java.exe
    [2012/02/03 12:13:11 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- D:\WINDOWS\System32\deployJava1.dll
    [2012/02/03 12:12:00 | 000,910,112 | ---- | M] (Sun Microsystems, Inc.) -- D:\Documents and Settings\Terry Durham\Desktop\jxpiinstall.exe
    [2012/02/02 19:12:02 | 000,105,355 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\Joann Durham Executed Docs 02022012.pdf
    [2012/02/02 19:03:19 | 000,104,475 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Docs Joann Durham.pdf
    [2012/02/02 10:55:00 | 000,000,792 | ---- | M] () -- D:\Documents and Settings\Terry Durham\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
    [2012/01/30 13:31:12 | 000,099,280 | ---- | M] () -- C:\My Documents\FedEx.pdf
    [6 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
    [1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/02/21 20:35:05 | 000,000,210 | ---- | C] () -- D:\Boot.bak
    [2012/02/21 20:35:03 | 000,260,272 | RHS- | C] () -- D:\cmldr
    [2012/02/21 20:33:04 | 000,256,000 | ---- | C] () -- D:\WINDOWS\PEV.exe
    [2012/02/21 20:33:04 | 000,208,896 | ---- | C] () -- D:\WINDOWS\MBR.exe
    [2012/02/21 20:33:04 | 000,098,816 | ---- | C] () -- D:\WINDOWS\sed.exe
    [2012/02/21 20:33:04 | 000,080,412 | ---- | C] () -- D:\WINDOWS\grep.exe
    [2012/02/21 20:33:04 | 000,068,096 | ---- | C] () -- D:\WINDOWS\zip.exe
    [2012/02/21 20:22:48 | 1610,141,696 | -HS- | C] () -- D:\hiberfil.sys
    [2012/02/20 18:44:46 | 000,000,512 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\MBR.dat
    [2012/02/19 12:23:27 | 000,000,730 | ---- | C] () -- D:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox (2).lnk
    [2012/02/17 10:41:12 | 000,302,592 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\ilyflpzo.exe
    [2012/02/16 08:36:22 | 000,261,626 | ---- | C] () -- C:\My Documents\MedSolutions Precertification for Joann Durham CT NECK Procedure 02062012.pdf
    [2012/02/09 10:18:20 | 016,809,984 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\PandaActiveScanCleaner.msi
    [2012/02/06 18:35:10 | 000,147,222 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\Partners Capital and Worldwide Loan Acquisitions Blanket Confidentiality Agreement 02062012.pdf
    [2012/02/06 17:32:23 | 000,098,542 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Referral and Fee Sharing Agreement 02062012.pdf
    [2012/02/06 17:12:25 | 000,239,076 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Confi, Non-Circ and Fee Agreement 02062012.pdf
    [2012/02/03 14:25:36 | 000,225,262 | ---- | C] () -- D:\WINDOWS\System32\dllcache\msimain.sdb
    [2012/02/03 13:20:54 | 000,000,784 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/02/02 19:12:01 | 000,105,355 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\Joann Durham Executed Docs 02022012.pdf
    [2012/02/02 19:00:03 | 000,104,475 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\Executed Docs Joann Durham.pdf
    [2012/01/30 13:31:12 | 000,099,280 | ---- | C] () -- C:\My Documents\FedEx.pdf
    [2012/01/29 17:49:41 | 005,017,504 | ---- | C] () -- D:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat~
    [2010/12/13 12:17:16 | 000,000,552 | ---- | C] () -- D:\WINDOWS\System32\d3d8caps.dat
    [2010/05/10 17:44:23 | 000,000,153 | ---- | C] () -- D:\WINDOWS\brpcfx.ini
    [2010/05/10 17:44:22 | 000,000,948 | ---- | C] () -- D:\WINDOWS\Brpfx04a.ini
    [2010/05/10 17:44:07 | 000,000,419 | ---- | C] () -- D:\WINDOWS\BRWMARK.INI
    [2010/05/10 17:43:34 | 000,000,050 | ---- | C] () -- D:\WINDOWS\System32\bridf08c.dat
    [2010/05/10 17:42:53 | 000,000,150 | ---- | C] () -- D:\WINDOWS\Brfaxrx.ini
    [2010/05/10 17:42:50 | 000,000,000 | ---- | C] () -- D:\WINDOWS\brdfxspd.dat
    [2010/05/10 17:42:45 | 000,106,496 | ---- | C] () -- D:\WINDOWS\System32\BrMuSNMP.dll
    [2010/05/10 17:37:17 | 000,031,767 | ---- | C] () -- D:\WINDOWS\maxlink.ini
    [2010/03/04 08:31:19 | 000,000,664 | ---- | C] () -- D:\WINDOWS\System32\d3d9caps.dat
    [2010/03/02 16:08:01 | 000,000,088 | RHS- | C] () -- D:\Documents and Settings\All Users\Application Data\993D0F60B6.sys
    [2010/03/02 16:08:00 | 000,000,952 | -HS- | C] () -- D:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys

    ========== LOP Check ==========

    [2010/03/02 16:08:30 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\ACT
    [2011/12/01 02:47:25 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\boost_interprocess
    [2009/07/24 19:15:28 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\ESET
    [2009/07/27 16:54:58 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Maxtor
    [2009/07/27 08:53:58 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Sage Software SB, Inc
    [2010/03/03 15:03:09 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Sage Software, Inc
    [2010/05/25 16:37:55 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\ScanSoft
    [2011/11/30 15:56:19 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\WinZip
    [2010/05/11 09:15:07 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\Zeon
    [2010/03/31 08:33:05 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2009/09/23 10:21:45 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
    [2009/07/28 07:35:51 | 000,000,000 | ---D | M] -- D:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    [2010/03/29 13:54:47 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\ACT
    [2009/07/24 19:16:15 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\ESET
    [2010/03/02 16:07:52 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\IsolatedStorage
    [2009/07/24 19:10:04 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\Leadertech
    [2009/07/27 16:53:29 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\Maxtor Quick Start
    [2010/05/10 18:53:17 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\PC-FAX TX
    [2010/05/11 09:14:56 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\ScanSoft
    [2011/12/01 10:58:19 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\searchquband
    [2009/07/24 18:54:02 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\VERITAS
    [2010/03/02 15:34:02 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\Windows Desktop Search
    [2010/03/03 14:29:20 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\Windows Search
    [2010/05/11 09:15:07 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\Zeon

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/07/24 11:14:04 | 000,000,210 | ---- | M] () -- D:\Boot.bak
    [2012/02/21 20:35:05 | 000,000,327 | RHS- | M] () -- D:\boot.ini
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- D:\cmldr
    [2012/02/21 20:48:47 | 000,013,987 | ---- | M] () -- D:\ComboFix.txt
    [2012/02/21 20:22:48 | 1610,141,696 | -HS- | M] () -- D:\hiberfil.sys
    [2010/03/29 21:25:35 | 000,000,109 | ---- | M] () -- D:\mbam-error.txt
    [2004/08/04 04:00:00 | 000,047,564 | RHS- | M] () -- D:\NTDETECT.COM
    [2009/07/26 20:10:54 | 000,250,048 | RHS- | M] () -- D:\ntldr
    [2012/02/21 20:22:46 | 2145,386,496 | -HS- | M] () -- D:\pagefile.sys
    [2012/02/03 13:29:21 | 000,070,776 | ---- | M] () -- D:\TDSSKiller.2.7.9.0_03.02.2012_13.21.19_log.txt

    < %systemroot%\Fonts\*.com >
    [2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- D:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- D:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- D:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- D:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/07/24 18:25:01 | 000,000,067 | -HS- | M] () -- D:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 04:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 02:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2009/07/24 11:14:03 | 000,094,208 | ---- | M] () -- D:\WINDOWS\System32\config\default.sav
    [2009/07/24 11:14:03 | 000,659,456 | ---- | M] () -- D:\WINDOWS\System32\config\software.sav
    [2009/07/24 11:14:03 | 000,880,640 | ---- | M] () -- D:\WINDOWS\System32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lîk /x >
    [2009/07/26 20:19:45 | 000,000,272 | -HS- | M] () -- D:\Documents and Settings\All Users\Start Menu\desktop.ini
    [2009/07/27 20:32:56 | 000,000,802 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\GetDataBack for NTFS.lnk
    [2009/12/10 13:29:58 | 000,001,566 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Microsoft Update.lnk
    [2011/04/27 09:04:45 | 000,002,433 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\New Office Document.lnk
    [2010/03/03 12:37:17 | 000,002,515 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Open Office Document.lnk
    [2009/07/26 20:19:45 | 000,001,563 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
    [2009/07/24 18:25:35 | 000,000,398 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Windows Catalog.lnk
    [2009/07/24 19:05:05 | 000,001,507 | ---- | M] () -- D:\Documents and Settings\All Users\Start Menu\Windows Update.lnk

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x >

    < %USERPROFILE%\Deskuop\*.exe >

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results Install|LastSuccessTime /rs >

    < %USERPROFILE%\..|smtmp;true;true;true /FP >

    < %temp%\smtmp\*.* /s > >

    < %systemroot%\*. /rp /s >

    < d:\windows\$968930Uinstall_KB968930$\* /s >
    [2007/06/30 10:48:44 | 000,003,504 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_arithmetic_operators.help.txt
    [2007/06/30 10:48:44 | 000,015,137 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_assignment_operators.help.txt
    [2007/06/30 10:48:44 | 000,003,907 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_automatic_variables.help.txt
    [2007/06/30 10:48:44 | 000,004,561 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_break.help.txt
    [2007/06/30 10:48:44 | 000,002,615 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_command_syntax.help.txt
    [2007/06/30 10:48:44 | 000,002,302 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_commonparameters.help.txt
    [2007/06/30 10:48:44 | 000,009,818 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_comparison_operators.help.txt
    [2007/06/30 10:48:44 | 000,001,003 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_continue.help.txt
    [2007/06/30 10:48:44 | 000,001,819 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_core_commands.help.txt
    [2007/06/30 10:48:45 | 000,005,121 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_for.help.txt
    [2007/06/30 10:48:45 | 000,009,652 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_foreach.help.txt
    [2007/06/30 10:48:45 | 000,005,102 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_history.help.txt
    [2007/06/30 10:48:45 | 000,003,367 | ---- | M] () -- d:\windows\$968930Uinstall_KB968930$\about_if.help.txt
    ========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========

    < End of report >
     
  8. spqr05

    spqr05 Thread Starter

    OTL Extras logfile created on: 2/22/2012 10:39:08 AM - Run 1
    OTL by OldTimer - Version 3.2.33.2 Folder = D:\Documents and Settings\Terry Durham\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.50 Gb Total Physical Memory | 0.93 Gb Available Physical Memory | 62.13% Memory free
    3.35 Gb Paging File | 2.94 Gb Available in Paging File | 87.54% Paging File free
    Paging file location(s): D:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
    Drive C: | 407.16 Gb Total Space | 343.72 Gb Free Space | 84.42% Space Free | Partition Type: NTFS
    Drive D: | 58.59 Gb Total Space | 24.83 Gb Free Space | 42.38% Space Free | Partition Type: NTFS
    Drive E: | 37.26 Gb Total Space | 11.50 Gb Free Space | 30.87% Space Free | Partition Type: NTFS
    Drive H: | 20.00 Gb Total Space | 5.16 Gb Free Space | 25.81% Space Free | Partition Type: NTFS

    Computer Name: SPQR | User Name: Terry Durham | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

    [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "UpdatesDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
    "54925:UDP" = 54925:UDP:*:Enabled:BrotherNetwork Scanner
    "5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "D:\Program Files\ACT\Act for Windows\ActSage.exe" = D:\Program Files\ACT\Act for Windows\ActSage.exe:*:Enabled:ACT! 9.x/2007 -- (Sage Software, Inc.)
    "D:\Program Files\Maxtor\ManagerApp\MaxUtilities.exe" = D:\Program Files\Maxtor\ManagerApp\MaxUtilities.exe:*:Enabled:Maxtor Manager -- (Seagate Technology LLC)
    "D:\Program Files\Brother\Brmfl08l\FAXRX.exe" = D:\Program Files\Brother\Brmfl08l\FAXRX.exe:*:Enabled:FAXRX.EXE -- (Brother Industries Ltd.)
    "D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = D:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
    "D:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = D:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

    ========== Last 10 Event Log Errors ==========

    Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

    < End of report >
     
  9. Sunyata

    Sunyata Malware Specialist

    Joined:
    Feb 19, 2012
    Messages:
    97
    Hello spqr05

    Please run an OTL Fix


    1. Please reopen OTL.
    2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
      Code:
      :Services
      
      :OTL
      FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q="
      FF - prefs.js..network.proxy.http: "localhost"
      FF - prefs.js..network.proxy.http_port: 7070
      O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/downlo...1F/wmvadvd.cab (Reg Error: Key error.)
      [6 D:\WINDOWS\*.tmp files -> D:\WINDOWS\*.tmp -> ]
      [1 D:\WINDOWS\System32\*.tmp files -> D:\WINDOWS\System32\*.tmp -> ]
      [2012/02/17 10:41:12 | 000,302,592 | ---- | C] () -- D:\Documents and Settings\Terry Durham\Desktop\ilyflpzo.exe
      [2011/12/01 10:58:19 | 000,000,000 | ---D | M] -- D:\Documents and Settings\Terry Durham\Application Data\searchquband
      
      :Commands
      [purity]
      [emptytemp]
      [EMPTYFLASH]
      [Reboot]
    3. Push [IMG]
    4. OTL may ask to reboot the machine. Please do so if asked.
    5. Click [IMG].
    6. A report will open. Copy and Paste that report in your next reply.
    7. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

    How is the machine behaving now? Are there still issues?
     
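    The OTL fix above removes two browser-side indicators of the searchqu hijack: a rewritten Firefox `keyword.URL` pointing at search-results.com and an HTTP proxy redirected to localhost:7070. The script below is an added example, not Sunyata's instructions and not part of OTL, showing how a defender can parse a Firefox `prefs.js` and flag those two settings. The sample `prefs.js` content and the list of suspicious search hosts are constructed for the example; the pref names (`keyword.URL`, `network.proxy.http`, `network.proxy.http_port`, `network.proxy.type`) are real Firefox preferences.

```python
"""
Added example (not from the thread or from OTL): scan a Firefox prefs.js
for the two hijack indicators removed by the OTL fix above, a redirected
keyword.URL and a manual HTTP proxy pointed at the local machine.
"""
import re

# One prefs.js entry looks like:  user_pref("network.proxy.http", "localhost");
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Search hosts seen in this thread's OTL log; constructed list for the example.
SUSPICIOUS_SEARCH_HOSTS = ("search-results.com", "searchqu.com")

# Hosts that indicate a proxy bound to the local machine (typical of a
# local hijacking process such as the searchqu toolbar's proxy component).
LOCAL_PROXY_HOSTS = ("localhost", "127.0.0.1")


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js text.

    Quoted strings are unquoted, "true"/"false" become bools, and bare
    numbers become ints; anything else is kept as its raw text.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, or anything that is not a user_pref
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def find_indicators(prefs):
    """Return a list of (pref_name, value) pairs that match the hijack pattern."""
    findings = []

    # Indicator 1: address-bar searches redirected to a known hijack host.
    url = prefs.get("keyword.URL", "")
    if isinstance(url, str) and any(h in url for h in SUSPICIOUS_SEARCH_HOSTS):
        findings.append(("keyword.URL", url))

    # Indicator 2: a proxy pointed at the local machine. Firefox only honours
    # these when network.proxy.type is 1 (manual), but a hijacked entry is
    # worth reporting either way because it shows the profile was tampered with.
    for scheme in ("http", "ssl", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if host in LOCAL_PROXY_HOSTS:
            port = prefs.get(f"network.proxy.{scheme}_port")
            active = prefs.get("network.proxy.type") == 1
            findings.append((f"network.proxy.{scheme}",
                             f"{host}:{port} ({'active' if active else 'not active'})"))
    return findings


# Constructed sample prefs.js reproducing the entries the OTL log reported.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("keyword.URL", "http://dts.search-results.com/sr?src=ffb&appid=0&systemid=102&sr=0&q=");
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 7070);
user_pref("network.proxy.type", 1);
user_pref("extensions.lastAppVersion", "10.0");
"""


if __name__ == "__main__":
    for name, value in find_indicators(parse_prefs(SAMPLE_PREFS)):
        print(f"HIJACK INDICATOR  {name} = {value}")
```

    On a live machine the same function can be pointed at each profile's `prefs.js` under the Firefox profiles folder; a clean profile either has no `keyword.URL` entry at all or one pointing at the user's chosen search engine, and no proxy entries unless the user set one deliberately.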
  10. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    The computer loads after the restart but will not go to the login screen of Windows. It will not move past this point. I've tried several times since last night but nothing will move forward past "Windows is starting up".
     
  11. Sunyata

    Sunyata Malware Specialist

    Joined:
    Feb 19, 2012
    Messages:
    97
    Hello spqr05

    Boot the machine into Safe Mode.
    Click on Start then Run.
    Type chkdsk /r and press Enter.
    Reply Y when asked if you want this to be done at next boot.

    Reboot normally.

    Chkdsk should run. Let it complete. It may take a while depending on the size of your hard drive.

    See if that fixes the problem.
     
  12. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    Same issue, I cannot get it past the "Windows is starting up" area. I cannot get to the login area.
     
  13. Sunyata

    Sunyata Malware Specialist

    Joined:
    Feb 19, 2012
    Messages:
    97
    Hello spqr05

    Start your computer by using the Last Known Good Configuration...

    • Restart your computer.
    • As the computer begins to come back up, tap the F8 key about every second.
    • When the Windows Advanced Options menu appears, use the ARROW keys to select Last Known Good Configuration, then press ENTER.
    • If you are running other operating systems on your computer, use the ARROW keys to select Microsoft Windows XP, and then press ENTER.


    If the machine comes up in normal mode...
    Download RogueKiller to your desktop

    1. Quit all running programs
    2. For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
    3. If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
    4. Press the Scan button
    5. When the scan completes, press the Report button and the log should appear.
    6. The RKreport.txt log should also be generated onto the desktop.
    Please post the contents of the log in your next Reply

    Next, Please re-run OTL.

    • If you are using Firefox, make sure that your download settings are as follows:
      -Tools->Options->Main tab
      -Set to "Always ask me where to Save the files".
    • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output
    • Check the boxes beside LOP Check and Purity Check.
    • In the window under Custom Scans/Fixes copy and paste the following

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lîk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %PROGRAMFILES%\Internet Explorer\*.dat
    %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Deskuop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results Install|LastSuccessTime /rs
    %USERPROFILE%\..|smtmp;true;true;true /FP
    %temp%\smtmp\*.* /s >
    /md5start
    iexplore.*
    explorer.*
    winlogon.*
    dll
    zx.dll
    hlp.dat
    /md5stop
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open OTL.txt. This is saved in the same location as OTL.
    Please copy (Edit->Select All, Edit->Copy) the contents and post it with your next reply.

     
  14. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    I will do this tomorrow, I'm sorry for not having done so already but I've been traveling this week for work and return today. I will post the results tomorrow but as of now I couldn't even login to safe mode.
     
  15. spqr05

    spqr05 Thread Starter

    Joined:
    Dec 25, 2011
    Messages:
    130
    It appears the computer will not even load to the last working configuration either. It just sits at "Windows is starting up..." again.
     
Short URL to this thread: https://techguy.org/1041824