TechSpot

Browser redirect virus; the bane of my existence!

By theslipperyelm
Sep 5, 2011
Oops! I F'ed up and tried to follow the thread of another person being helped through this forum... Uh oh! How naive I was! Afterward I bothered to read the posting instructions and saw the error of my ways :( Here I am trying to do things right this time. Below are my logs. Any assistance provided will be greatly appreciated! Thank you! -Jonathan

    **************************************** Malwarebytes Log ****************************************

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7660

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/5/2011 3:40:45 PM
    mbam-log-2011-09-05 (15-40-45).txt

    Scan type: Quick scan
    Objects scanned: 393294
    Time elapsed: 4 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ******************************************* GMER Log *******************************************

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-09-05 15:50:55
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAKS-75B3A0 rev.01.03A01
    Running: jecxrsfy.exe; Driver: C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\fxtdypow.sys



    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DE7210]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DE7224]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DE7250]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DE72A6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DE71FC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE71D4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE71E8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DE723A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DE727C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DE7266]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DE72D0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DE72BC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DE7290]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----

    ******************************************** DDS Log *******************************************

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by JonathanAdmin at 15:56:04 on 2011-09-05
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2455 [GMT -7:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.att.net
    uSearch Bar =
    mStart Page = hxxp://www.att.net
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510023115.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
    mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
    mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
    mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [EMBOS] rundll32 "c:\windows\system32\countryt.dll",xtpafprh
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222546461313
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 172.16.4.21 172.16.4.11
    TCP: Interfaces\{FFA1790A-E773-4985-A7C1-12DBE85DC4DA} : DhcpNameServer = 172.16.4.21 172.16.4.11
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: LMIinit - LMIinit.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\jonathanadmin\application data\mozilla\firefox\profiles\llw9dbx4.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-28 387480]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-28 84200]
    R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-9-18 8960]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-8 47640]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2011-1-13 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-28 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-28 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-28 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-28 56064]
    R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-9-18 11264]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-28 153280]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-28 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-28 88736]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-18 30192]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-28 52320]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-28 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-28 84488]
    S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-9-18 16640]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    =============== Created Last 30 ================
    .
    2011-09-05 22:33:51 -------- d-----w- c:\documents and settings\jonathanadmin\application data\Malwarebytes
    2011-09-05 22:33:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-09-05 22:33:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-09-05 22:33:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-05 22:33:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-02 18:08:14 -------- d-----w- c:\documents and settings\jonathanadmin\local settings\application data\Apple Computer
    2011-09-02 00:31:09 -------- d-sha-r- C:\cmdcons
    2011-08-29 02:17:30 62976 --sha-r- c:\windows\system32\countryt.dll
    2011-08-16 22:33:07 -------- d-----w- c:\program files\Citrix
    2011-08-11 03:52:21 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-11 03:51:22 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    .
    ==================== Find3M ====================
    .
    2011-09-02 18:14:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-06 23:32:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-07-06 23:32:36 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2011-07-06 23:32:28 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2011-07-06 23:32:28 29568 ----a-w- c:\windows\system32\LMIport.dll
    2011-06-27 16:45:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-27 16:45:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-16 19:19:43 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
    2011-06-16 19:19:42 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
    .
    ============= FINISH: 15:56:29.98 ===============

    ****************************************** Attach Log ******************************************
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/27/2008 1:05:48 PM
    System Uptime: 9/4/2011 1:21:13 PM (26 hours ago)
    .
    Motherboard: Dell Inc. | | 0J584C
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2394/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 275.058 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 9/2/2011 10:41:01 AM - Removed Adobe Reader 9.4.5.
    RP2: 9/2/2011 10:41:26 AM - Installed Adobe Reader X (10.1.0).
    RP3: 9/2/2011 11:08:13 AM - Removed QuickTime
    RP4: 9/2/2011 11:09:34 AM - Removed Browser Address Error Redirector.
    RP5: 9/2/2011 11:13:09 AM - Removed Spelling Dictionaries Support For Adobe Reader 9.
    RP6: 9/4/2011 11:21:21 AM - System Checkpoint
    RP7: 9/5/2011 11:41:01 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe Acrobat 7.0 Standard
    Adobe Acrobat 7.1.0 Standard
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.1.0)
    ATI Catalyst Control Center
    ATI Display Driver
    AVS4YOU Software Navigator 1.2
    Brother MFL-Pro Suite
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    CutePDF Writer 2.3
    Dell Driver Reset Tool
    Dell Support Center
    Diagnostics Utility
    Google Calendar Sync
    Google Desktop
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Java Auto Updater
    Java(TM) 6 Update 26
    LogMeIn
    MagicDisc 2.7.106
    Malwarebytes' Anti-Malware version 1.51.1.1800
    McAfee Security Scan Plus
    McAfee SecurityCenter
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office File Validation Add-In
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox 6.0.1 (x86 en-US)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB927977)
    ODF Add-in for Microsoft Office
    OGA Notifier 2.0.0048.0
    PaperPort Image Printer
    PowerDVD
    QuickBooks Pro 2006
    Realtek High Definition Audio Driver
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler 3
    Roxio Update Manager
    ScanSoft PaperPort 11
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
    Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
    Sonic CinePlayer Decoder Pack
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/4/2011 10:14:25 AM, error: NETLOGON [3224] - Changing machine account password for account SCOTT$ failed with the following error: There are currently no logon servers available to service the logon request.
    9/2/2011 8:51:46 AM, error: Service Control Manager [7034] - The McAfee Validation Trust Protection Service service terminated unexpectedly. It has done this 1 time(s).
    9/2/2011 8:51:46 AM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The operation completed successfully.
    9/2/2011 8:50:46 AM, error: Service Control Manager [7034] - The McAfee Firewall Core Service service terminated unexpectedly. It has done this 1 time(s).
    9/2/2011 8:50:46 AM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    9/2/2011 8:50:46 AM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    9/2/2011 8:27:08 AM, error: NETLOGON [5719] - No Domain Controller is available for domain RTSF due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    9/2/2011 10:16:47 AM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    9/1/2011 6:04:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    9/1/2011 6:04:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    9/1/2011 5:23:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    9/1/2011 5:21:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/1/2011 5:21:31 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    9/1/2011 5:21:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
    9/1/2011 5:17:35 PM, error: ati2mtag [43036] -
    9/1/2011 4:56:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor
    9/1/2011 4:56:15 PM, error: Service Control Manager [7000] - The SupportSoft Sprocket Service (dellsupportcenter) service failed to start due to the following error: The system cannot find the file specified.
    9/1/2011 4:52:26 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    9/1/2011 4:41:58 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    9/1/2011 4:31:03 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    9/1/2011 4:15:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips iaStor intelppm
    .
    ==== End Of File ===========================
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please- NO double spacing!!!

    I can help you, but we'll end up 30 pages down the line with double spacing.

    Please repost all of these logs as they are generated, without double spacing, the entire log from their heading at the top to the EOF at the end. There is information in the headers that I need. If you can't get in to edit your post, then use another reply, and I'll delete the above.

    When you repost Malwarebytes, please include the header at the top of the log- no editing within logs. You don't need to 'clean up' anything in the logs! I need to see the scan output exactly as it comes out!
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
    =====================================
    Just want to make sure you understand that you should never follow help given to another person. While we may run some of the same programs, what we do in handling the logs is specific for that person.
     
  3. theslipperyelm

    theslipperyelm TS Rookie Topic Starter

    Cleaned up double spacing - Thanks for taking my case!

    Bobbye,

    I cleaned up all the double spacing (the unintended consequence of copying and pasting the logs too many times!) and fixed the error in the Malwarebytes log (not sure how that happened!). Thanks for taking my case. I look forward to hearing your advice on the next steps I should take. And yes, at this point I do understand that I should not try to follow the steps of someone else's solution since they're all unique. Thanks again!

    -Jonathan
     
  4. theslipperyelm

    theslipperyelm TS Rookie Topic Starter

    Windows Automatic Update

    Bobbye,

    I wanted to let you know that Microsoft Update performed an automatic update download/restart on my computer last night. In your instructions you had indicated that no changes should be made to the computer during the malware removal process, but I did not take into account Microsoft Update. Do you want me to rerun MalwareBytes, GMER and DDS and repost the updated logs, or can you still work with what's already been posted? Let me know how you'd like me to proceed. Thanks!

    -Jonathan
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for redoing the logs. As we go along, you'll understand why we don't want extra spaces!

    As long as the new update didn't cause any problem, that's okay, Jonathan. I would like to make a suggestion though: if you have the updates set to download and install automatically, I suggest you change to "Download updates but let me decide when to install."

    Many a user has gone with fully automatic, maybe setting it for 3 in the morning. They boot up the next day to find a problem with the system and, not realizing there was an update last night, don't consider the possibility that a 'bad' update could have caused it. You also get the opportunity to review the updates and decide if there is one or more that you don't want. Not all updates are critical!

    I'm running a day late because the entire network- cable, internet and phone of my ISP crashed yesterday and was down all day.
    =========================================
    Questions:
    1. Tell me about your use of this EMBOS. Segger Microcontroller Systems is a multinational company dealing in middleware for embedded devices and development tools. Segger's RTOS (embOS) is part of Oki Semiconductor's World's first complete ARM-based ZigBee Developer's Kit.

    2. There are also multiple entries for LogMeIn. Are you logging in to your system remotely?
    System Service name : [LMIGuardianSvc] LogMeIn Remote PC Control Service by LogMeIn, Inc.
    This entry in Combofix indicates it is no longer being used:
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]LogMeIn Rfs Client Network Provider
    And I note these backup files:
    2011-06-16 19:19:43 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
    2011-06-16 19:19:42 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak


    3. About Adobe: Please follow the removal instructions HERE for the following 2 versions:
    Adobe Acrobat 7.0 Standard
    Adobe Acrobat 7.1.0 Standard
    -----------------------
    Keep Adobe Reader X (10.1.0)<< this is the current correct update
    ====================================
    4. Do you know what this file is: 2011-08-29 02:17:30 62976 --sha-r- c:\windows\system32\countryt.dll?
    =============================================
    No obvious cause of your 'bane of existence' yet, so I'd like you to run the following:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on it on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Please paste the Eset and Combofix logs in your next reply.
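The cross-check the helper does by hand in the post above (a Run entry that loads a DLL through rundll32, looked up against the "Created Last 30" list and its attribute column) can be automated over the DDS log text. This is an added example, not part of the thread or of the DDS tool; the sample lines are constructed to match the posted format, and the meaning of the attribute letters is an assumption noted in the code.

```python
"""Triage a DDS log: cross-reference autostart (Run) entries against the
'Created Last 30' file list. Added example; not part of this thread or of DDS."""
import re
from dataclasses import dataclass, field

# Constructed sample in DDS format, modelled on the log posted in this thread.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\\program files\\common files\\java\\java update\\jusched.exe"
mRun: [EMBOS] rundll32 "c:\\windows\\system32\\countryt.dll",xtpafprh
mRun: [RTHDCPL] RTHDCPL.EXE
=============== Created Last 30 ================
2011-09-05 22:33:06 22216 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2011-08-29 02:17:30 62976 --sha-r- c:\\windows\\system32\\countryt.dll
==================== Find3M ====================
2011-09-03 10:17:37 599040 ----a-w- c:\\windows\\system32\\crypt32.dll
"""

RUN_RE = re.compile(r'^(?P<hive>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# DDS file lines: timestamp, size (dashes for directories), attribute column, path.
FILE_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\S+) '
                     r'(?P<attrs>[-a-z]{8}) (?P<path>.+)$')
# Assumption about the attribute column: 'd' directory, 'c' compressed,
# 's' system, 'h' hidden, 'a' archive, 'r' read-only, 'w' writable.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)


def section_lines(text, header):
    """Yield the non-empty lines of the DDS section whose header contains `header`."""
    inside = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("="):          # every DDS section header starts with '='
            inside = header in line
            continue
        if inside and line and line != ".":
            yield line


def parse_run_entries(text):
    """Return (hive, name, command) tuples for uRun/mRun/mRunOnce lines."""
    out = []
    for line in section_lines(text, "Pseudo HJT Report"):
        m = RUN_RE.match(line)
        if m:
            out.append((m["hive"], m["name"], m["cmd"]))
    return out


def parse_recent_files(text):
    """Map lowercase path -> attribute string for the 'Created Last 30' section."""
    files = {}
    for line in section_lines(text, "Created Last 30"):
        m = FILE_RE.match(line)
        if m:
            files[m["path"].lower()] = m["attrs"]
    return files


def target_of(cmd):
    """Return (lowercase path, via_rundll32) for an autostart command line."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m["dll"].strip().lower(), True
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)   # quoted path, else first token
    return (m.group(1) or m.group(2)).lower(), False


def triage(dds_text, min_reasons=2):
    """Flag Run entries that accumulate at least `min_reasons` review reasons."""
    recent = parse_recent_files(dds_text)
    findings = []
    for hive, name, cmd in parse_run_entries(dds_text):
        path, via_rundll = target_of(cmd)
        reasons = []
        if via_rundll:
            reasons.append("launched through rundll32 rather than as a program")
        attrs = recent.get(path)
        if attrs is not None:
            reasons.append("target file was created within the last 30 days")
            if "s" in attrs and "h" in attrs:
                reasons.append("target file carries system+hidden attributes")
        if len(reasons) >= min_reasons:
            findings.append(Finding(f"{hive}: [{name}]", path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f.name, f.path)
        for r in f.reasons:
            print("  -", r)
```

A hit is a prompt for the kind of question the helper asks above ("do you know what this file is?"), not a verdict; legitimate software can also be loaded through rundll32.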
     
  6. theslipperyelm

    theslipperyelm TS Rookie Topic Starter

    Sorry for the delay... big update!

    Bobbye,

    Since I was using LogMeIn when I ran the logs I posted last time, I decided to re-run and repost them. Here they are:

    *********************************** Malwarebytes Log: ******************************************

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7716

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/14/2011 10:57:25 AM
    mbam-log-2011-09-14 (10-57-25).txt

    Scan type: Quick scan
    Objects scanned: 398937
    Time elapsed: 5 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ***************************************** GMER Log:*********************************************

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-09-14 11:03:11
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAKS-75B3A0 rev.01.03A01
    Running: jecxrsfy.exe; Driver: C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\fxtdypow.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DE7210]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DE7224]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DE7250]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DE72A6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DE71FC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE71D4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE71E8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DE723A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DE727C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DE7266]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DE72D0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DE72BC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DE7290]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----

    ********************************************DDS Log: ******************************************

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by JonathanAdmin at 11:09:27 on 2011-09-14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2529 [GMT -7:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
    C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.att.net
    uSearch Bar =
    mStart Page = hxxp://www.att.net
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510023115.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
    mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [EMBOS] rundll32 "c:\windows\system32\countryt.dll",xtpafprh
    mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
    mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
    mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222546461313
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: LMIinit - LMIinit.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\jonathanadmin\application data\mozilla\firefox\profiles\llw9dbx4.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-28 387480]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-28 84200]
    R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-9-18 8960]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-8 47640]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2011-1-13 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-28 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-28 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-28 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-28 56064]
    R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-9-18 11264]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-28 153280]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-28 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-28 88736]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-18 30192]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-28 52320]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-28 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-28 84488]
    S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-9-18 16640]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]
    .
    =============== Created Last 30 ================
    .
    2011-09-14 17:16:46 -------- d-----w- c:\documents and settings\jonathanadmin\application data\EMCO
    2011-09-14 17:16:23 -------- d-----w- c:\program files\EMCO
    2011-09-05 22:33:51 -------- d-----w- c:\documents and settings\jonathanadmin\application data\Malwarebytes
    2011-09-05 22:33:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-09-05 22:33:06 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-05 22:33:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
    2011-09-02 18:08:14 -------- d-----w- c:\documents and settings\jonathanadmin\local settings\application data\Apple Computer
    2011-09-02 00:31:09 -------- d-sha-r- C:\cmdcons
    2011-08-29 02:17:30 62976 --sha-r- c:\windows\system32\countryt.dll
    2011-08-16 22:33:07 -------- d-----w- c:\program files\Citrix
    .
    ==================== Find3M ====================
    .
    2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-02 18:14:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-06 23:32:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-07-06 23:32:36 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
    2011-07-06 23:32:28 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2011-07-06 23:32:28 29568 ----a-w- c:\windows\system32\LMIport.dll
    2011-06-27 16:45:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-27 16:45:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-16 19:19:43 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
    2011-06-16 19:19:42 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
    .
    ============= FINISH: 11:09:40.03 ===============

    ***************************************** Attach Log: ***********************************************

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/27/2008 1:05:48 PM
    System Uptime: 9/14/2011 10:23:48 AM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0J584C
    Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2394/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 275.977 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 9/14/2011 10:16:23 AM - Installed EMCO MoveOnBoot 2.2
    .
    ==== Installed Programs ======================
    .
    .
    ==== Event Viewer Messages From Past Week ========
    .
    9/9/2011 2:08:22 PM, error: Service Control Manager [7000] - The SupportSoft Sprocket Service (dellsupportcenter) service failed to start due to the following error: The system cannot find the file specified.
    9/9/2011 2:05:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/9/2011 2:05:34 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    9/9/2011 1:59:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
    9/9/2011 1:55:10 PM, error: ati2mtag [108] - The driver ati2dvag for the display device \Device\Video0 got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly. Please check with your hardware device vendor for any driver updates.
    9/7/2011 3:17:47 AM, error: ati2mtag [43036] -
    9/14/2011 9:51:19 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/14/2011 8:56:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    9/14/2011 8:14:40 AM, error: System Error [1003] - Error code 1000008e, parameter1 e0000001, parameter2 ba488925, parameter3 adf8f820, parameter4 00000000.
    9/14/2011 8:13:06 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 8056d729, parameter3 b936bae0, parameter4 00000000.
    9/14/2011 11:06:19 AM, error: NETLOGON [5719] - No Domain Controller is available for domain RTSF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    9/12/2011 5:32:06 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ASPEN that believes that it is the master browser for the domain on transport NetBT_Tcpip_{FFA1790A-E773-4985-A7C. The master browser is stopping or an election is being forced.
    .
    ==== End Of File ===========================

    I will provide the best answers I can to your other questions along with the other logs you requested in my next post.
     
  7. theslipperyelm

    theslipperyelm TS Rookie Topic Starter

    Sorry for the delay... big update! (part two)

    Bobbye,

    Here are the new logs you asked for:

    **************************************** ESET Log: ***********************************************

    C:\Documents and Settings\JonathanAdmin\Local Settings\temp\ICReinstall\cnet_MoveOnBootSetup_exe.exe a variant of Win32/InstallCore.C application
    C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP1\A0000027.exe a variant of Win32/InstallCore.C application

    **************************************** ComboFix Log: ***********************************************
    ComboFix 11-09-14.02 - JonathanAdmin 09/14/2011 14:49:45.3.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2359 [GMT -7:00]
    Running from: c:\documents and settings\JonathanAdmin\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-09-14 21:59 . 2011-09-14 21:59 -------- d-----w- c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory
    2011-09-14 19:27 . 2011-09-14 19:27 -------- d-----w- c:\program files\ESET
    2011-09-14 19:22 . 2011-09-14 19:22 -------- d-----w- c:\documents and settings\JonathanAdmin\Local Settings\Application Data\Temp
    2011-09-14 19:07 . 2011-09-14 19:08 -------- d-----w- c:\windows\system32\Adobe
    2011-09-14 19:07 . 2011-09-14 19:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-14 19:03 . 2011-09-14 19:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-09-14 17:16 . 2011-09-14 17:16 -------- d-----w- c:\documents and settings\JonathanAdmin\Application Data\EMCO
    2011-09-14 17:16 . 2011-09-14 17:16 -------- d-----w- c:\program files\EMCO
    2011-09-05 22:33 . 2011-09-05 22:33 -------- d-----w- c:\documents and settings\JonathanAdmin\Application Data\Malwarebytes
    2011-09-05 22:33 . 2011-09-05 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-09-05 22:33 . 2011-09-14 17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-09-05 22:33 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
    2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
    2011-09-02 18:08 . 2011-09-02 18:08 -------- d-----w- c:\documents and settings\JonathanAdmin\Local Settings\Application Data\Apple Computer
    2011-08-29 02:17 . 2011-08-29 02:17 62976 --sha-r- c:\windows\system32\countryt.dll
    2011-08-16 22:33 . 2011-08-16 22:33 -------- d-----w- c:\program files\Citrix
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-03 10:17 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-07-15 13:29 . 2008-04-25 16:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02 . 2008-04-25 16:16 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
    2011-07-06 23:32 . 2011-03-09 01:40 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2011-07-06 23:32 . 2011-03-09 01:40 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2011-07-06 23:32 . 2011-03-09 01:40 29568 ----a-w- c:\windows\system32\LMIport.dll
    2011-07-06 23:32 . 2011-03-09 01:40 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2011-06-27 16:45 . 2011-06-27 16:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-27 16:45 . 2010-05-05 16:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-24 14:10 . 2008-04-25 21:26 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2008-04-25 16:16 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-09-06 19:06 . 2011-05-09 19:47 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2010-07-20 16:00 . 2009-12-03 18:20 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2011-04-14 21:01 . 2011-02-28 16:12 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "RTHDCPL"="RTHDCPL.EXE" [2008-01-31 16860672]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-20 30192]
    "EMBOS"="c:\windows\system32\countryt.dll" [2011-08-29 62976]
    "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-08 65536]
    "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
    "8169Diag"="c:\program files\Realtek\Diagnostics Utility\8169Diag.exe" [2008-02-26 909312]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [N/A]
    Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2011-07-06 23:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/28/2011 9:12 AM 84200]
    R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [9/18/2008 5:42 PM 8960]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/13/2011 9:49 AM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/28/2011 9:12 AM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2/28/2011 9:12 AM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2/28/2011 9:12 AM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2/28/2011 9:12 AM 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/28/2011 9:12 AM 56064]
    R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [9/18/2008 5:42 PM 11264]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/28/2011 9:12 AM 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/28/2011 9:12 AM 88736]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/18/2008 5:45 PM 30192]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/28/2011 9:12 AM 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/28/2011 9:12 AM 84488]
    S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [9/18/2008 5:42 PM 16640]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-01 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:08]
    .
    2011-09-14 c:\windows\Tasks\User_Feed_Synchronization-{2FB0818D-1972-421E-B54F-7E7E2F696A91}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.net
    mStart Page = hxxp://www.att.net
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    TCP: DhcpNameServer = 172.16.4.21 172.16.4.11
    FF - ProfilePath - c:\documents and settings\JonathanAdmin\Application Data\Mozilla\Firefox\Profiles\llw9dbx4.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
    HKLM-Run-Acrobat Assistant 7.0 - c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-09-14 14:59
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1104)
    c:\windows\system32\LMIinit.dll
    .
    - - - - - - - > 'explorer.exe'(3884)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\RTHDCPL.EXE
    c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Brother\ControlCenter3\brccMCtl.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
    c:\program files\ATI Technologies\ATI.ACE\cli.exe
    .
    **************************************************************************
    .
    Completion time: 2011-09-14 15:06:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-09-14 22:06
    .
    Pre-Run: 295,152,488,448 bytes free
    Post-Run: 295,376,633,856 bytes free
    .
    - - End Of File - - 536482E474CB52B216D26D977AA4FE33

    ********************************************************************************************************

    A note about ESET: The first couple of times I tried to run it, it would not run. It kept asking me something about Proxy settings. So I ran it in Safe Mode and it worked. Then I reran it in regular mode and it worked. The results of both the Safe Mode and regular mode logs were the same.

    A note about Acrobat Reader: It was really hard to remove Acrobat 7.0. I got stuck on a couple of files in the Programs Folder related to Active X that simply would not delete. I finally downloaded a program from Cnet called MoveOnBoot which was able to delete the files after a restart. This program has since shown up on the ESET scan. Afterward, I had a really hard time getting Reader X to work. When I tried to open it, it kept saying it was missing an MSI file and couldn't finish its install (which I thought it already was installed). I ended up reinstalling Reader 9.0, updating it and then reinstalling Reader X. I noticed afterward that all the Reader 9.0 files are still in the program folder. I don't know if this is a problem or not but I wanted to make you aware of it.

    OK, on to your questions:

    1) I have no idea what EMBOS is. The computer in question is my work computer which is on a small network and accesses the internet through a server. There may be things related to how the network was set up or how it functions that I have no clue about. Also, the computer has close to a dozen profiles on it due to having numerous users over the years. Sorry I can't be of more help on this one. I think I would have to talk to our IT consultant ($$$) to possibly get an answer.

    2) Yes, I was using LogMeIn to access my work computer over the weekend and run those logs necessary to get assistance from this forum. I use the free version of LogMeIn sporadically to work from home.

    3) I already told you about my trials with Adobe above.

    4) I've absolutely no idea what this file is: 2011-08-29 02:17:30 62976 --sha-r- c:\windows\system32\countryt.dll

    Once again, I apologize for not getting back to you sooner. It was my birthday last weekend so I was pretty distracted for a few days, but now I'm back and ready to tackle this problem. I appreciate the help you've given me thus far and look forward to your next response.

    -Jonathan
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, you will need the IT for the office to handle this>

    1. There is work related software> you don't know what it is.
    2. You are not aware of the network settings.
    3. Access is through the work network and server.
    4. The system has been/is being used by multiple users with probable specific entries for each of their profiles> with no known cleaning in between.
    5. Regarding these entries:
    1). mRun: [EMBOS] rundll32 "c:\windows\system32\countryt.dll",xtpafprh
    And this from the registry "EMBOS"="c:\windows\system32\countryt.dll" [2011-08-29 62976]
    The only description of this I could find was:
    And I could not find any appropriate information for countryt.dll and nothing for xtpafprh
    and this:
    2). 2011-09-14 17:16:46 -------- d-----w- c:\documents and settings\jonathanadmin\application data\EMCO
    2011-09-14 17:16:23 -------- d-----w- c:\program files\EMCO
    Clearly they are work related. But whether the entries are correct as they show or whether they can be infected with malware is something I cannot determine.
    ==================================================
    The proxy is from McAfee
    ====================
    Adobe Reader:
    1. Update first
    2. Then remove old version in Add/Remove Programs
    3. You don't remove the Program folder because you did the update
    4. Active X objects are found in the addons. Open Manage Addons through Tools in IE: look in both 1. addons currently on system and 2. addons previously on system. If Adobe Reader outdated entries are seen> highlight and delete.
    I'm not sure what you did to this- usually it's a simple update, then uninstall. Then you got the MSI error, which is the installer error, most likely because you were in Safe Mode and it doesn't work in Safe Mode>
    =================================================
    You were asked not to make changes unless instructed:
     
  9. theslipperyelm

    theslipperyelm TS Rookie Topic Starter

    The end is here...

    Bobbye,

    Thanks for all your help thus far. I will see if I can get an IT consultant to come and help me remove this virus. Otherwise, I'll just have to learn to live with it.

    Regarding your comments in the last post:

    1) I disabled McAfee real-time scanning and firewall whenever I was running anti-malware programs to try and keep it from interfering with things.

    2) I updated Adobe Reader to version X. The folder for version 9.0 is still in the Program Folders area, but Version 9.0 is not listed in Add Remove Programs, so I cannot remove it that way.

    3) I removed all the outdated Adobe Active X related files using MoveOnBoot which I downloaded from Cnet.com. I only did this because I was trying to follow the instructions you gave me on how to remove Adobe 7.0 and those instructions were telling me to delete files that Windows would not let me delete in any other way I knew how.

    4) Here is the Log from OTMoveIt3:

    All processes killed
    ========== FILES ==========
    File/Folder C:\Documents and Settings\JonathanAdmin\Local Settings\temp\ICReinstall\cnet_MoveOnBootSetup_exe.exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: chelsea
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 56468 bytes

    User: info
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: jonathan
    ->Temp folder emptied: 7725300 bytes
    ->Temporary Internet Files folder emptied: 27877728 bytes
    ->Java cache emptied: 101434 bytes
    ->FireFox cache emptied: 38138968 bytes
    ->Flash cache emptied: 3163 bytes

    User: JonathanAdmin
    ->Temp folder emptied: 840219 bytes
    ->Temporary Internet Files folder emptied: 6891696 bytes
    ->Java cache emptied: 278836 bytes
    ->FireFox cache emptied: 54847243 bytes
    ->Flash cache emptied: 1390 bytes

    User: Karen
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: karenadmin
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: lanny
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Lannyadmin
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: orlanda
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Rebuilding Together
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Ryan
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Scott
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: ScottAdmin
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Tita
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Valerie
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: vol1
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 9850 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 4061464 bytes

    Total Files Cleaned = 134.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 09162011_091305

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    Thanks again for all your help. Even if we weren't ultimately successful at least I know I did all I could to try and remove this virus before telling my boss we need to shell out some coin to squash it for good. Take care and happy trails.

    -Jonathan
     
  10. theslipperyelm

    theslipperyelm TS Rookie Topic Starter

    5) Oh yeah, and about the MSI error. I was not working in Safe Mode, so I don't think that was the problem. I went into safe mode to try and get ESET to work. Once it did, I got out of Safe Mode and continued doing everything in regular mode. I think the MSI error had something to do with me deleting something while following the manual uninstall instructions for Acrobat 7.0.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Let's try one more thing> If you still have Combofix on the system, create a System Restore point then go ahead and run the script below as directed. If you have already uninstalled Combofix, download it again and run it. Create a new System Restore point, then run the following script:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\countryt.dll
    Folder::
    c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory
    c:\documents and settings\JonathanAdmin\Local Settings\Application Data\Temp
    DDS::
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    mRun: [EMBOS] rundll32 "c:\windows\system32\countryt.dll",xtpafprh
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EMBOS"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ===================================
    Post the new log for me. Let me know if redirect has been resolved.
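    The checks Bobbye made by eye in post 8 (a Run value that points at a DLL, a rundll32 entry with a random-looking export, a hidden+system file under system32, Security Center monitoring switched off) can be run over a ComboFix log mechanically, and the hits map straight onto the File:: and Registry:: sections of the CFScript above. The script below is an added example, not ComboFix's, DDS's or the forum's own code; the log lines it parses are a constructed sample in the shape of the log posted in this thread, and the `looks_random` heuristic is my own assumption about export names, so its output is a set of leads for a reviewer, not verdicts.

```python
import re
# Constructed sample in the shape of the ComboFix log posted in this thread
# (file listing, Reg Loading Points, and the DDS mRun line the helper quoted).
SAMPLE_LOG = r"""
2011-08-29 02:17 . 2011-08-29 02:17 62976 --sha-r- c:\windows\system32\countryt.dll
2011-07-06 23:32 . 2011-03-09 01:40 87424 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
"EMBOS"="c:\windows\system32\countryt.dll" [2011-08-29 62976]
mRun: [EMBOS] rundll32 "c:\windows\system32\countryt.dll",xtpafprh
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
""".strip()

FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                       r"(?:\d+|-+) (?P<attr>[a-z-]{8}) (?P<path>.+)$")
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
RUNDLL_LINE = re.compile(r'^[mu]Run: \[(?P<name>[^\]]+)\] rundll32 "(?P<dll>[^"]+)",(?P<export>\S+)$')

def looks_random(export):
    """Assumed heuristic: real rundll32 entry points are mixed case (Control_RunDLL);
    an all-lowercase blob of 6+ letters with a 4-consonant run reads as generated."""
    return (export.isalpha() and export.islower() and len(export) >= 6
            and re.search(r"[^aeiou]{4}", export) is not None)

def triage(log):
    """Return (category, detail) findings; leads for a reviewer, not verdicts."""
    findings, key = [], ""
    for line in log.splitlines():
        line = line.strip()
        if m := FILE_LINE.match(line):
            attr, path = m.group("attr"), m.group("path")
            # hidden + system attributes on a file under system32 (the --sha-r- case)
            if "s" in attr and "h" in attr and "\\system32\\" in path.lower():
                findings.append(("hidden_system_file", path))
        elif m := KEY_LINE.match(line):
            key = m.group("key")          # remember which registry key follows
        elif m := RUNDLL_LINE.match(line):
            if looks_random(m.group("export")):
                findings.append(("rundll32_random_export",
                                 "%s -> %s,%s" % (m.group("name"), m.group("dll"), m.group("export"))))
        elif m := VALUE_LINE.match(line):
            name, data, kl = m.group("name"), m.group("data"), key.lower()
            target = re.match(r'"([^"]+)"', data)
            if kl.endswith("\\currentversion\\run") and target and target.group(1).lower().endswith(".dll"):
                # a Run value pointing at a DLL means rundll32 (or a loader) runs it at logon
                findings.append(("run_value_loads_dll", name + " -> " + target.group(1)))
            elif ("security center\\monitoring\\" in kl and name.lower() == "disablemonitoring"
                  and data.lower() == "dword:00000001"):
                findings.append(("security_center_monitoring_disabled", key.rsplit("\\", 1)[-1]))
    return findings

def cfscript(findings):
    """Render findings as the File::/Registry:: sections of a CFScript, in the
    layout the helper used in this thread (a reviewer still decides what to keep)."""
    files = sorted({d for c, d in findings if c == "hidden_system_file"})
    values = sorted({d.split(" -> ")[0] for c, d in findings if c == "run_value_loads_dll"})
    products = sorted({d for c, d in findings if c == "security_center_monitoring_disabled"})
    out = ["File::"] + files if files else []
    if values or products:
        out.append("Registry::")
    if values:
        out.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        out.extend('"%s"=-' % v for v in values)
    for p in products:
        out.append("[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\" + p + "]")
        out.append('"DisableMonitoring"=-')
    return "\n".join(out)
```

    Run on the sample, `triage` reports the countryt.dll file, the EMBOS Run value and its rundll32 export, and both DisableMonitoring values, and `cfscript` emits the same File:: line and Registry:: block that appear in the script above.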
     
Topic Status:
Not open for further replies.
