Inactive Ping.exe & hidden downloader keep infecting computer

misterrmac

I’m trying to clean the system of a family member. I have already spent a few hours removing a few different things, from browser search redirects to XP Protection 2012. Each time I thought I had it all, something else would appear and be reported. I finally tracked things down to PING.EXE continuously running in the task manager. Killing the task does not help; it just starts again within a few minutes. From time to time I get AVG reports that it is accessing some random location trying to download a suspicious or infected file. An advanced Task Manager shows it pinging places all over the world. Since I have no idea what is attached to the PING, I’m lost now and turn here for help.
Below are all the log files as requested.
Note: MBAM crashed about 15 mins into its scan. I reran the scan. No Log file was generated on the first scan attempt.

*************************************************************************************
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8285

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/1/2011 11:07:23 AM
mbam-log-2011-12-01 (11-07-23).txt

Scan type: Quick scan
Objects scanned: 229211
Time elapsed: 7 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Rogue.PrvacyProtect) -> Value: Privacy Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Tom-\Local Settings\Application Data\dwn.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Tom-\Local Settings\Application Data\dwn.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-500\Dc1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
***********************************************************
***********************************************************
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-01 11:16:13
Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP5T0L0-1d WDC_WD3200JS-22PDB0 rev.21.00M21
Running: g6kqunkk.exe; Driver: C:\DOCUME~1\Sherry\LOCALS~1\Temp\ugtdipow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----
*********************************************************
*********************************************************
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Sherry at 11:19:54 on 2011-12-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2462 [GMT -5:00]
.
AV: AVG Anti-Virus *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.facebook.com/?ref=hp
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AhIeBho Class: {10384d0e-2bc1-48b6-844b-ad0e9e6d2511} - c:\program files\zoomtext 9.1\ahoi\ah_ie_bho.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: UrlHelper Class: {a40dc6c5-79d0-4ca8-a185-8ff989af1115} - c:\progra~1\wi371a~1\datamngr\IEBHO.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
TB: {0457331D-8CA6-4F97-9C26-6A9EF2B2DBA8} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [ZoomText] "c:\program files\zoomtext 9.1\ZT.exe" /AUTOSTART
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242326554015
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: sqlesw32 - sqlesw32.dll
Notify: Sqlseses - sqlesw32.dll
AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-3-6 52872]
R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [2009-6-3 7296]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-14 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-14 29712]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-14 243152]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-22 921952]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2010-10-13 151552]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-20 24652]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-6-9 100456]
S2 gupdate1c9e47bb46ad882;Google Update Service (gupdate1c9e47bb46ad882);c:\program files\google\update\GoogleUpdate.exe [2009-6-3 133104]
S2 SqlCSS;SQL Server EXPRESS;c:\windows\system32\svchost.exe -k Sqlses [2002-8-29 14336]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 1025352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-3 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2009-9-10 196409]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2011-11-29 02:12:44 -------- d-----w- c:\program files\Innovative Solutions
2011-11-29 01:42:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-11-29 00:54:21 -------- d-----w- c:\documents and settings\sherry\local settings\application data\PackageAware
2011-11-29 00:15:39 540 ----a-w- C:\regkeys.reg
2011-11-28 23:56:14 -------- d-----w- c:\documents and settings\sherry\local settings\application data\AVG Security Toolbar
2011-11-22 12:24:32 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-11-22 12:24:32 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-22 12:24:32 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-22 12:24:29 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-11-15 17:18:45 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-11-15 17:18:45 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-17 01:28:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:20:51 1858944 ------w- c:\windows\system32\win32k.sys
2011-09-05 17:05:00 47512 ----a-w- c:\windows\system32\AdobePDF.dll
2011-09-05 17:04:58 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
2010-01-24 01:03:07 8327264 ----a-w- c:\program files\Firefox Setup 3.6.exe
2009-05-26 22:12:00 4045736 ----a-w- c:\program files\ventrilo-3.0.5-Windows-9x.exe
2008-06-01 16:56:15 602243712 ----a-w- c:\program files\sr-ccmt1.bin
1999-06-25 14:55:30 149504 ----a-w- c:\program files\UNWISE.EXE
.
============= FINISH: 11:20:49.23 ===============
*************************************************************************
*************************************************************************
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/14/2009 2:22:23 PM
System Uptime: 12/1/2011 11:08:42 AM (0 hours ago)
.
Motherboard: ELITEGROUP | | MCP61P
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ | Socket AM2 | 2611/201mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 99 GiB total, 24.529 GiB free.
D: is FIXED (NTFS) - 99 GiB total, 64.806 GiB free.
E: is FIXED (NTFS) - 99 GiB total, 84.025 GiB free.
F: is CDROM ()
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_03EB&SUBSYS_26011019&REV_A2\3&2411E6FE&0&09
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_03EB&SUBSYS_26011019&REV_A2\3&2411E6FE&0&09
Service:
.
==== System Restore Points ===================
.
RP905: 9/2/2011 5:03:12 PM - System Checkpoint
RP906: 9/5/2011 5:43:27 PM - System Checkpoint
RP907: 9/6/2011 6:06:33 PM - System Checkpoint
RP908: 9/7/2011 6:31:24 PM - System Checkpoint
RP909: 9/8/2011 3:00:15 AM - Software Distribution Service 3.0
RP910: 9/9/2011 3:22:48 AM - System Checkpoint
RP911: 9/10/2011 4:21:43 AM - System Checkpoint
RP912: 9/11/2011 5:21:43 AM - System Checkpoint
RP913: 9/12/2011 6:21:43 AM - System Checkpoint
RP914: 9/13/2011 7:21:42 AM - System Checkpoint
RP915: 9/13/2011 8:05:40 AM - Avg Update
RP916: 9/13/2011 8:06:04 AM - Avg Update
RP917: 9/14/2011 8:39:36 AM - System Checkpoint
RP918: 9/15/2011 9:21:37 AM - System Checkpoint
RP919: 9/16/2011 3:00:15 AM - Software Distribution Service 3.0
RP920: 9/17/2011 3:24:00 AM - System Checkpoint
RP921: 9/18/2011 4:24:00 AM - System Checkpoint
RP922: 9/19/2011 5:24:00 AM - System Checkpoint
RP923: 9/20/2011 6:24:00 AM - System Checkpoint
RP924: 9/21/2011 7:24:00 AM - System Checkpoint
RP925: 9/22/2011 8:24:57 AM - System Checkpoint
RP926: 9/23/2011 10:33:44 AM - System Checkpoint
RP927: 9/24/2011 11:24:55 AM - System Checkpoint
RP928: 9/25/2011 11:43:35 AM - System Checkpoint
RP929: 9/26/2011 11:59:47 AM - System Checkpoint
RP930: 9/27/2011 12:48:27 PM - System Checkpoint
RP931: 9/28/2011 3:00:17 AM - Software Distribution Service 3.0
RP932: 9/29/2011 3:23:40 AM - System Checkpoint
RP933: 9/30/2011 4:23:37 AM - System Checkpoint
RP934: 10/1/2011 5:23:35 AM - System Checkpoint
RP935: 10/2/2011 6:23:37 AM - System Checkpoint
RP936: 10/3/2011 7:23:37 AM - System Checkpoint
RP937: 10/4/2011 8:23:45 AM - System Checkpoint
RP938: 10/5/2011 9:23:35 AM - System Checkpoint
RP939: 10/6/2011 9:49:39 AM - System Checkpoint
RP940: 10/8/2011 5:07:52 PM - System Checkpoint
RP941: 10/9/2011 5:23:36 PM - System Checkpoint
RP942: 10/10/2011 11:39:58 PM - System Checkpoint
RP943: 10/11/2011 3:56:49 PM - Avg Update
RP944: 10/13/2011 3:00:18 AM - Software Distribution Service 3.0
RP945: 10/14/2011 3:29:08 AM - System Checkpoint
RP946: 10/15/2011 3:53:28 AM - System Checkpoint
RP947: 10/16/2011 4:33:37 AM - System Checkpoint
RP948: 10/17/2011 4:33:51 AM - System Checkpoint
RP949: 10/18/2011 5:33:28 AM - System Checkpoint
RP950: 10/19/2011 1:41:42 PM - System Checkpoint
RP951: 10/20/2011 2:11:29 PM - System Checkpoint
RP952: 10/21/2011 2:34:33 PM - System Checkpoint
RP953: 10/22/2011 3:07:05 PM - System Checkpoint
RP954: 10/23/2011 3:34:32 PM - System Checkpoint
RP955: 10/24/2011 9:02:59 AM - Avg Update
RP956: 10/25/2011 10:44:20 AM - System Checkpoint
RP957: 10/26/2011 11:52:39 AM - System Checkpoint
RP958: 10/27/2011 12:09:27 PM - System Checkpoint
RP959: 10/28/2011 2:46:33 PM - System Checkpoint
RP960: 10/29/2011 4:12:00 PM - System Checkpoint
RP961: 10/30/2011 8:41:49 PM - System Checkpoint
RP962: 11/1/2011 10:01:45 AM - System Checkpoint
RP963: 11/2/2011 12:49:47 PM - System Checkpoint
RP964: 11/3/2011 1:12:23 PM - System Checkpoint
RP965: 11/4/2011 1:31:20 PM - System Checkpoint
RP966: 11/5/2011 3:42:33 PM - System Checkpoint
RP967: 11/6/2011 7:06:52 PM - System Checkpoint
RP968: 11/7/2011 9:35:10 PM - System Checkpoint
RP969: 11/15/2011 12:44:04 PM - System Checkpoint
RP970: 11/16/2011 3:00:18 AM - Software Distribution Service 3.0
RP971: 11/17/2011 9:49:27 AM - System Checkpoint
RP972: 11/18/2011 10:06:02 AM - System Checkpoint
RP973: 11/19/2011 10:35:29 AM - System Checkpoint
RP974: 11/20/2011 11:03:19 AM - System Checkpoint
RP975: 11/21/2011 11:15:54 AM - System Checkpoint
RP976: 11/22/2011 3:41:40 PM - System Checkpoint
RP977: 11/23/2011 9:03:59 AM - Avg Update
RP978: 11/24/2011 9:12:21 AM - System Checkpoint
RP979: 11/25/2011 9:55:47 AM - System Checkpoint
RP980: 11/26/2011 10:03:59 AM - System Checkpoint
RP981: 11/27/2011 10:12:11 AM - System Checkpoint
RP982: 11/27/2011 4:22:21 PM - Restore Operation
RP983: 11/27/2011 4:27:49 PM - Restore Operation
RP984: 11/28/2011 6:32:30 PM - System Checkpoint
RP985: 11/28/2011 7:22:57 PM - Restore Operation
RP986: 11/28/2011 7:34:15 PM - Removed Nuance PDF Reader.
RP987: 11/28/2011 7:34:58 PM - Removed YouTube Downloader Toolbar v4.7.
RP988: 11/28/2011 7:54:59 PM - Removed Java(TM) 6 Update 26
RP989: 11/30/2011 11:29:51 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Acrobat 4.0
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Community Help
Adobe Creative Suite 5.5 Master Collection
Adobe Dreamweaver CS5.5
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Adobe Widget Browser
Advanced Task Manager for Windows Vista & Windows XP
Amazon Kindle For PC v1.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 9.0
AVS Screen Capture version 2.0.1
AVS Update Manager 1.0
AVS Video Converter 7
AVS Video Editor 5
AVS Video Recorder 2.4
AVS4YOU Software Navigator 1.4
Battlefield 2(TM)
BitTorrent
CCV Patch 501a
Creative WebCam Center
Creative WebCam Live! Ultra Driver (1.01.03.0127)
Critical Update for Windows Media Player 11 (KB959772)
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
Facebook Video Calling 1.0.0.8953
GIMP 2.6.6
Google Earth
Google SketchUp Pro 7
Google Update Helper
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp officejet v series
IHA_MessageCenter
Intuit SiteBuilder
IrfanView (remove only)
iTunes
Junk Mail filter update
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Live Add-in 1.3
Microsoft Office XP Professional
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
mIRC
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
NVIDIA Control Panel 266.33
NVIDIA Graphics Driver 266.33
NVIDIA HD Audio Driver 1.1.13.1
NVIDIA Install Application
NVIDIA nView 135.50
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.10.0514
OGA Notifier 2.0.0048.0
PDF Settings CS5
QuickTime
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SHOUTcast Source DSP 1.9.1 (remove only)
Skype Click to Call
Skype™ 5.5
Spybot - Search & Destroy
StreamTorrent 1.0
Trojan Killer 2.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Ventrilo Client
Verizon Help and Support Tool
Viewpoint Media Player
VLC media player 0.9.9
Vz In Home Agent
WD SmartWare
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows iLivid Toolbar
Windows Imaging Component
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Toolbar
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Wizard101
ZoomText 9.1
.
==== Event Viewer Messages From Past Week ========
.
12/1/2011 9:12:51 AM, error: Service Control Manager [7023] - The SQL Server EXPRESS service terminated with the following error: The specified module could not be found.
12/1/2011 10:31:27 AM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0050DA609EE2 has been denied by the DHCP server 192.168.25.3 (The DHCP Server sent a DHCPNACK message).
11/28/2011 9:14:58 PM, error: Service Control Manager [7034] - The WD SmartWare Drive Manager service terminated unexpectedly. It has done this 1 time(s).
11/28/2011 9:11:07 PM, error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 1 time(s).
11/28/2011 7:35:27 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
11/28/2011 7:30:16 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
11/28/2011 7:28:31 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/28/2011 7:13:25 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Ai2sXP AmdPPM AvgLdx86 AvgMfx86 Fips NetworkX
11/28/2011 7:09:24 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/28/2011 7:08:44 PM, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).
11/28/2011 6:56:06 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/28/2011 6:51:06 PM, error: Service Control Manager [7034] - The IHA_MessageCenter service terminated unexpectedly. It has done this 1 time(s).
11/28/2011 6:51:00 PM, error: Service Control Manager [7034] - The WD SmartWare Background Service service terminated unexpectedly. It has done this 1 time(s).
11/28/2011 6:50:53 PM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).
11/28/2011 6:02:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
11/28/2011 5:43:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/28/2011 5:40:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Ai2sXP AmdPPM AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT NetworkX RasAcd Rdbss Tcpip
11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2011 5:40:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/28/2011 5:40:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/27/2011 9:08:03 AM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0050DA609EE2 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
11/27/2011 5:08:56 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
11/27/2011 4:27:43 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IHA_MessageCenter service to connect.
11/27/2011 4:27:43 PM, error: Service Control Manager [7000] - The IHA_MessageCenter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/26/2011 9:16:52 PM, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 0050DA609EE2 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
Welcome to TechSpot! Lots of rogue programs in cyberspace. Here are some descriptions of yours:
  1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters
  2. Clicking on any executable loads the malware
  3. Displays fake security alerts on the infected computer.
  4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
  5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

To fix #5, you start here: Download a Registry file that will fix these changes.
Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
  • Insert the removable device into the infected computer and open the folder for the drive letter associated with it (usually C)
  • Double click the FixNCR.reg file
  • You should now be able to run the .exe files.
-------------------------------------
To end the processes that belong to the rogue program:
Please click on RKill
  • At the download page, click on the Download now button for the iExplore.exe download link and save it to the desktop
  • Double click on the iExplore.exe icon
  • Please be patient- it may take a bit.
  • The black Window will close when through and you can continue.
Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
================================
Update and rescan with Malwarebytes:
  • Select Perform Full Scan on the Scanner tab
  • Click on the Scan button.
  • When the scan has finished, you will see this image:
    [image: scan-finished.jpg]
  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
==============================
This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the [image] button to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the [image: esetSmartInstallDesktopIcon.png] on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    [image: esetonlinescannersettings_thumb.jpg]
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===========================
Please leave the logs in your next reply. I will check them, then have you continue.
===========================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
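Item #5 above is the .exe association hijack that FixNCR.reg repairs: the command Windows runs for every .exe is redirected to the malware's loader. As an added example, not part of this thread and not code from any of the tools named in it, the Python below audits a registry export (.reg file) of the affected keys against their stock Windows defaults and can emit a repair file of the same shape. The sample export, the user name and the abc.exe loader name in it are constructed for the demonstration; the expected defaults for HKEY_CLASSES_ROOT\.exe and exefile\shell\open\command are the normal Windows values.

```python
import re
from typing import Dict, Tuple

# Known-good (stock Windows) values for the keys an .exe association hijack
# rewrites; a repair file such as FixNCR.reg restores these same values.
EXPECTED = {
    (r"HKEY_CLASSES_ROOT\.exe", "@"): "exefile",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\exefile\shell\runas\command", "@"): '"%1" %*',
}

# Constructed sample export (not from the thread): the open\command default has
# been pointed at a three-letter loader, abc.exe (placeholder name, placeholder
# user), which runs itself before the program the user actually clicked.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\User\\Local Settings\\Application Data\\abc.exe\" -a \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''

# @=... is the (Default) value; "Name"=... is a named value
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg(text: str) -> Dict[Tuple[str, str], str]:
    """Map (key path lower-cased, value name) -> string data for a .reg export."""
    values: Dict[Tuple[str, str], str] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()   # registry key names are case-insensitive
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue                   # hex(...) continuation lines and the like
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            values[(key, name)] = _unescape(data[1:-1])
        else:
            values[(key, name)] = data  # dword:/hex: data kept verbatim
    return values


def audit(values):
    """Return (status, key, name, actual) for every expected value that is missing or altered."""
    findings = []
    for (key, name), good in EXPECTED.items():
        actual = values.get((key.lower(), name))
        if actual is None:
            findings.append(("missing", key, name, None))
        elif actual != good:
            findings.append(("hijacked", key, name, actual))
    return findings


def repair_reg() -> str:
    """Emit a .reg file that restores the known-good values (same shape as FixNCR.reg)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for (key, name), good in EXPECTED.items():
        lines.append(f"[{key}]")
        lhs = "@" if name == "@" else f'"{_escape(name)}"'
        lines.append(f'{lhs}="{_escape(good)}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for status, key, name, actual in audit(parse_reg(SAMPLE_REG)):
        print(f"{status}: [{key}] {name} = {actual!r}")
```

On the affected machine the export to feed in is produced with `reg export HKCR\exefile exefile.reg` (and the same for `HKCR\.exe`); the audit reports the redirected open\command value, and the file `repair_reg()` writes is the repair, which is applied by double-clicking it exactly as the FixNCR.reg step above describes.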
 
After running Malwarebytes' Anti-Malware I rebooted. At the user selection screen I clicked on the user and computer locked up when logging in. I waited about 20 minutes hoping it would eventually get past that but it did not so I shut it off and restarted again. I was able to login at that point.

The link for the ESETOnlineScan does not work - or it does not go to the online scanner. I believe I found what the page should be but wanted to wait for your response before going any further in case what I found is not correct (I'm using IE).

Below is the MBAM log
**********************************************************
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8287

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/2/2011 8:59:21 AM
mbam-log-2011-12-02 (08-59-21).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 410359
Time elapsed: 1 hour(s), 41 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{976bcca8-7e39-4119-b548-df25de6705e7}\RP985\A0138567.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{976bcca8-7e39-4119-b548-df25de6705e7}\RP987\A0138786.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{976bcca8-7e39-4119-b548-df25de6705e7}\RP989\A0139191.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
 
The link for Eset works fine: This is what is embedded: http://go.eset.com/us/online-scanner
Click on [image: online_scanner_button.jpg] on the left, in Step 1. When you download it goes to http://go.eset.com/us/online-scanner#
Please try it again.

Mbam is clean. There are no new entries. The entries showing in System Volume are for restore points and are no longer active in the system. (You are not supposed to use System Restore while cleaning.) I will have you remove the old restore point and set a new, clean one when we have finished.
 
Not that it matters but your first post's embedded link is showing up for me as http://eset.com/onlinescan - but no problem, it's a trivial matter :)

I used the latest link and was able to get to the ESET download page but it would not work from the browser on the infected machine. A new window would open, I'd check the agree box and start it and only got a blank window (I waited 5 minutes and nothing.) I ended up downloading it on another computer and transferred it with a clean USB thumb drive. That worked fine.

While running ESET I kept getting notices from AVG about removing found threats which I canceled...then AVG would want to reboot the computer. I finally turned off the AVG resident shield which seemed to stop that but I don't know if it did anything. About 5 times during the scan I received a system crash message, that PING.EXE had stopped working. I canceled (clicked do not send) out of that.

ESET Log
****************************************************
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZMVAH0N\C0[1].php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KTKNOXGP\new[1].mp3 a variant of Java/TrojanDownloader.OpenStream.NCC trojan
C:\Documents and Settings\Sherry\Local Settings\Temp\plugtmp\plugin-fqdtdujofodt.pdf JS/Exploit.Pdfka.PGF.Gen trojan
C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\barracuda [club mix].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\Down In The Tube Stationb.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\itll be dark soon.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\they mostly come when it is.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Documents and Settings\Tom-\My Documents\starwars\indyesigns-us-dtx.exe Win32/Toolbar.Zugo application
C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe a variant of Win32/1AntiVirus application
C:\RECYCLER\S-1-5-21-1292428093-1078145449-725345543-1003\Dc1064.exe probably a variant of MSIL/Agent.NGQ trojan
C:\WINDOWS\system32\drivers\afd.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
D:\Back Up\Documents and Settings\Tom\Shared\04 Track 4.wma Win32/Adware.180Solutions application
D:\Back Up\Program Files\achrtree2.exe multiple threats
D:\Back Up\Program Files\Install_AIM.exe Win32/Adware.WBug.A application
Operating memory multiple threats
 
Maybe it's a browser thing- I'm using Firefox and the clicks give the two links I left.

Suggest you uninstall LimeWire. Please run the following:
Download CKScanner and save to your desktop.
  • Doubleclick CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=====================================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZMVAH0N\C0[1].php 
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KTKNOXGP\new[1].mp3 
    C:\Documents and Settings\Sherry\Local Settings\Temp\plugtmp\plugin-fqdtdujofodt.pdf 
    C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\barracuda [club mix].mp3 
    C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\Down In The Tube Stationb.wma
    C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\itll be dark soon.wma 
    C:\Documents and Settings\Tom-\My Documents\starwars\indyesigns-us-dtx.exe 
    C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe 
    C:\RECYCLER\S-1-5-21-1292428093-1078145449-725345543-1003\Dc1064.exe 
    C:\WINDOWS\system32\drivers\afd.sys 
    D:\Back Up\Documents and Settings\Tom\Shared\04 Track 4.wma 
    D:\Back Up\Program Files\achrtree2.exe
    D:\Back Up\Program Files\Install_AIM.exe
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
-------------------------------------------------
Did you write this into the log?
C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\they mostly come when it is.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan

What have you done of the instructions I left? Complete them first please, then go on to the following.
======
AVG will have to be uninstalled temporarily to run Combofix
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    [image]
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe [image: cf-icon.jpg] & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
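The OTMoveIt :Files list earlier in this reply was typed out from the ESET log by hand, and the reply goes on to ask whether one ESET line was left out. As an added example, not part of the thread and not code from OTMoveIt or ESET, the Python below parses the exported ESET text into (path, verdict) pairs, separates entries that are not files (operating memory) and system files that need a clean replacement rather than a move, and emits the :Files/:Commands script in the shape used above. The sample log is constructed (placeholder user, folders and SID); the detection names are ones this log format uses.

```python
import re
from typing import List, Tuple

# One ESET log line is "<path> <verdict>". The path may contain spaces and
# brackets; the verdict takes one of a few fixed shapes: "a variant of X/Y trojan",
# "probably a variant of X/Y trojan", "X/Y application", or "multiple threats".
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>(?:(?:probably )?a variant of )?\S+/\S+ \w+|multiple threats)$"
)
_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
# Never move files under system32 blindly: afd.sys, for instance, is the Winsock
# Ancillary Function Driver, and the machine has no network stack without it, so
# a patched copy has to be replaced with a clean one instead.
_SYSTEM_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)

# Constructed sample in the ESET export format (not the thread's own log).
SAMPLE_ESET_LOG = r"""C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\x[1].php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan
C:\Documents and Settings\User\My Documents\LimeWire\Saved\some song [club mix].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
C:\Program Files\Example Tool\example.exe Win32/Toolbar.Zugo application
C:\RECYCLER\S-1-5-21-0-0-0-1003\Dc1.exe probably a variant of MSIL/Agent.NGQ trojan
C:\WINDOWS\system32\drivers\afd.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
D:\Back Up\Program Files\achrtree2.exe multiple threats
Operating memory multiple threats
"""


def parse_eset_log(text: str) -> List[Tuple[str, str]]:
    """Split each log line into (path, verdict); lines that do not fit the format are skipped."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE_RE.match(line) if line else None
        if m:
            items.append((m.group("path"), m.group("verdict")))
    return items


def classify(items):
    """Return (paths to move, system entries to review by hand, non-file entries)."""
    move: List[str] = []
    review: List[Tuple[str, str]] = []
    skipped: List[Tuple[str, str]] = []
    for path, verdict in items:
        if not _DRIVE_RE.match(path):
            skipped.append((path, verdict))      # e.g. "Operating memory"
        elif _SYSTEM_RE.search(path):
            review.append((path, verdict))       # system file: replace, don't just move
        else:
            move.append(path)                    # verdict text deliberately dropped
    return move, review, skipped


def build_otm_script(paths: List[str]) -> str:
    """Render an OTMoveIt script with the same directives used in this thread."""
    body = [":Files", *paths, ":Commands", "[purity]", "[emptytemp]", "[start explorer]", "[Reboot]"]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    move, review, skipped = classify(parse_eset_log(SAMPLE_ESET_LOG))
    print(build_otm_script(move))
    for path, verdict in review:
        print(f"REVIEW (system file): {path}  [{verdict}]")
    for path, verdict in skipped:
        print(f"NOT A FILE: {path}  [{verdict}]")
```

Feed the real ESETScan.txt in place of SAMPLE_ESET_LOG; the script never copies the verdict text into the :Files block (the cause of the stray "multiple threats" style suffixes when a list is transcribed by hand), and anything under \windows\system32\ is printed for review instead of being moved.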
 
it appears I can't just uninstall Limewire. The Program files/Limewire Directory exists but there is no uninstall in there and Add and Remove Programs has no entry for it. If that is normal, I can just delete it, if not I can Google for some uninstaller or removal instructions (unless you have something).

CKScanner.exe ran fine (Log attached below) but OTMoveIt by Old Timer generated an error. I clicked OK but OTMoveit stopped and now there is no taskbar or desktop icons (explorer.exe has been shut down). So I'm posting this from another computer.

I was able to get a screen shot of the error and save it by loading mspaint through the taskmanager (image below). The CKScanner log I got by loading notepad through the taskmanager.

I've stopped there until I get a reply for what to do next.

Edit: Image of OTM error has been deleted by Bobbye

***********************************************
CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrack.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatest.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestlightmap.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestlightmapshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestpointlight.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcracklightmap.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcracklightmapshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrack.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatest.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestlightmap.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestlightmapshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestpointlight.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncracklightmap.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncracklightmapshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetail.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatest.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestlightmap.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestlightmapshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestpointlight.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetaillightmap.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetaillightmapshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailpointlight.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackpointlight.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackpointlight.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackshadow.cfx
c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrack.cfx
c:\keygen_photoshop_cs2\keygen photoshop cs2\adobe_photoshop_and_imageready_cs2_v9.0_keygen-paradox.nfo
c:\keygen_photoshop_cs2\keygen photoshop cs2\leeme.txt
c:\program files\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
c:\program files\adobe\adobe flash catalyst cs5.5\plugins\com.adobe.thermo.core_1.5.0.308731\com\adobe\thermo\undo\thermoundosystem$undoabledocumentchangecracker.class
c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
scanner sequence 3.ZZ.11.QJAPPF
----- EOF -----
 
Remove the pirated programs to continue support: We do not support piracy.

c:\keygen_photoshop_cs2\keygen photoshop cs2\adobe_photoshop_and_imageready_cs2_v9.0_keygen-paradox.nfo
c:\keygen_photoshop_cs2\keygen photoshop cs2\leeme.txt
c:\program files\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
c:\program files\adobe\adobe flash catalyst cs5.5\plugins\com.adobe.thermo.core_1.5.0.308731\com\adobe\thermo\undo\thermoundosystem$undoabledocumentchangecracker.class
c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
 
I'm still stuck with OTM up. I did not reboot, just started explorer.exe through the taskmanager to regain a desktop.
All noted files have been removed.
 
The OTM problem was my fault, sorry. I forgot to remove the malware name from that file. I'm not sure if anything got removed, so let's run it again with the corrected entry.

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZMVAH0N\C0[1].php 
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KTKNOXGP\new[1].mp3 
    C:\Documents and Settings\Sherry\Local Settings\Temp\plugtmp\plugin-fqdtdujofodt.pdf 
    C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\barracuda [club mix].mp3 
    C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\Down In The Tube Stationb.wma 
    C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\itll be dark soon.wma 
    C:\Documents and Settings\Tom-\My Documents\starwars\indyesigns-us-dtx.exe 
    C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe 
    C:\RECYCLER\S-1-5-21-1292428093-1078145449-725345543-1003\Dc1064.exe 
    C:\WINDOWS\system32\drivers\afd.sys 
    D:\Back Up\Documents and Settings\Tom\Shared\04 Track 4.wma 
    D:\Back Up\Program Files\achrtree2.exe 
    D:\Back Up\Program Files\Install_AIM.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
There is a great deal of malware on the system. And if you're going to go back and pirate programs with cracks and keygens, it will be right back. And if you use file sharing programs, same thing. So we would be wasting our time.
=====================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
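When the ComboFix.txt comes back, its "Files Created" section is the part to read first. The following is an added example, not part of this thread and not ComboFix's own code: a small Python parser for that section, fed with the six entries posted later in this thread as sample input, that flags files created after their own last-modified time (the signature of a copied-in or backdated file, which is what the restored afd.sys looks like) and new files under driver directories; the watched-directory list is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the "Files Created" section as ComboFix prints it. The six
# entries are the ones posted in this thread; the "Find3M Report" banner after
# them is added here only to show where the section ends.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
.
.
2011-12-06 15:13 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-12-06 15:13 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-05 21:24 . 2011-12-05 21:24 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2011-12-05 18:59 . 2011-12-05 18:59 -------- d-----w- C:\_OTM
2011-12-02 15:21 . 2011-12-02 15:21 -------- d-----w- c:\program files\ESET
2011-12-01 16:25 . 2011-12-01 16:25 -------- d-----w- c:\documents and settings\Sherry\Application Data\AVG9
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
"""

# One entry: <created> . <modified> <size, or dashes for a directory> <flags> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)

# Directories where a newly created file deserves a second look (assumed list).
WATCHED_DIRS = ("\\system32\\drivers\\", "\\system32\\dllcache\\")


def extract_section(log_text, title):
    """Return the entry lines of one ComboFix section.

    A section runs from its banner (a title wrapped in parentheses) to the next
    banner; filler lines that are empty or a lone "." are dropped.
    """
    out, inside = [], False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("(((") and stripped.endswith(")))"):
            if inside:
                break                     # next section's banner: stop here
            inside = title in stripped
        elif inside and stripped not in ("", "."):
            out.append(line)
    return out


def parse_entries(lines):
    """Turn entry lines into dicts; lines of a shape we do not recognise are skipped."""
    records = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        size, attrs = m.group("size"), m.group("attrs")
        records.append({
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m.group("modified"), "%Y-%m-%d %H:%M"),
            "size": int(size) if size.isdigit() else None,   # None for directories
            "attrs": attrs,
            "is_dir": attrs.startswith("d"),
            "path": m.group("path"),
        })
    return records


def created_after_modified(records):
    """Entries whose creation time is later than their last-modified time.

    A file cannot be changed before it exists, so this means it was copied or
    dropped into place with an older mtime carried over (what the afd.sys
    restore from dllcache looks like) or its mtime was deliberately backdated.
    """
    return [r for r in records if r["created"] > r["modified"]]


def in_watched_dir(path):
    lowered = path.lower()
    return any(d in lowered for d in WATCHED_DIRS)


def triage(log_text):
    """Parse the Files Created section and pull out the entries worth checking."""
    records = parse_entries(extract_section(log_text, "Files Created"))
    return {
        "records": records,
        "created_after_modified": created_after_modified(records),
        "watched_files": [r for r in records if not r["is_dir"] and in_watched_dir(r["path"])],
    }
```

On the sample, both afd.sys entries come out in both lists, which matches the "Infected copy ... was found and disinfected" line ComboFix prints for that driver.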
 
So, next stumbling block. Combofix went through its motions and finally said it needed to reboot (for me not to reboot the system, it would do it). I clicked OK and left it to do its thing. That was an hour ago. It's still sitting on a wallpaper-only screen.
I'm guessing I will need to manually restart but I'm waiting on your direction.


On another note.....
=====================================
There is a great deal of malware on the system. And if you're going to go back and pirate programs with cracks and keygens, it will be right back. And if you use file sharing programs, same thing. So we would be wasting our time.
=====================================
I agree 110% with that and I'll be sure to inform (ream) my brother-in-law about not using that stuff.
 
After re-reading your instructions I decided it was safe to just restart the stuck computer.
ComboFix started up once it got back to the desktop and ran all the way through, rebooted and finished. The log probably does not reflect it but the first time CF ran before the stuck reboot it mentioned having found a rootkit.
******************************************************************
ComboFix 11-12-06.01 - Sherry 12/08/2011 12:27:43.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2482 [GMT -5:00]
Running from: c:\documents and settings\Sherry\Desktop\ComboFix.exe
AV: AVG Anti-Virus *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Sherry\ntuser.tmp
c:\documents and settings\Tom-\WINDOWS
C:\DSC00001.JPG
c:\program files\INSTALL.LOG
c:\windows\$NtUninstallKB37587$
c:\windows\$NtUninstallKB37587$\1511311559\@
c:\windows\$NtUninstallKB37587$\1511311559\bckfg.tmp
c:\windows\$NtUninstallKB37587$\1511311559\cfg.ini
c:\windows\$NtUninstallKB37587$\1511311559\Desktop.ini
c:\windows\$NtUninstallKB37587$\1511311559\keywords
c:\windows\$NtUninstallKB37587$\1511311559\kwrd.dll
c:\windows\$NtUninstallKB37587$\1511311559\L\jrumdcef
c:\windows\$NtUninstallKB37587$\1511311559\lsflt7.ver
c:\windows\$NtUninstallKB37587$\1511311559\U\00000001.@
c:\windows\$NtUninstallKB37587$\1511311559\U\00000002.@
c:\windows\$NtUninstallKB37587$\1511311559\U\00000004.@
c:\windows\$NtUninstallKB37587$\1511311559\U\80000000.@
c:\windows\$NtUninstallKB37587$\1511311559\U\80000004.@
c:\windows\$NtUninstallKB37587$\1511311559\U\80000032.@
c:\windows\$NtUninstallKB37587$\2676414972
c:\windows\CSC\d6
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
.
.
2011-12-06 15:13 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-12-06 15:13 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-05 21:24 . 2011-12-05 21:24 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2011-12-05 18:59 . 2011-12-05 18:59 -------- d-----w- C:\_OTM
2011-12-02 15:21 . 2011-12-02 15:21 -------- d-----w- c:\program files\ESET
2011-12-01 16:25 . 2011-12-01 16:25 -------- d-----w- c:\documents and settings\Sherry\Application Data\AVG9
2011-11-29 02:12 . 2011-11-29 02:12 -------- d-----w- c:\program files\Innovative Solutions
2011-11-29 01:42 . 2011-12-05 18:59 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-11-29 01:26 . 2011-11-29 01:29 -------- d-----w- c:\documents and settings\TomS
2011-11-29 01:03 . 2011-11-29 01:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-11-29 01:01 . 2011-11-29 01:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-11-29 00:54 . 2011-11-29 00:54 -------- d-----w- c:\documents and settings\Sherry\Local Settings\Application Data\PackageAware
2011-11-29 00:15 . 2011-11-29 00:15 540 ----a-w- C:\regkeys.reg
2011-11-28 23:56 . 2011-11-28 23:56 -------- d-----w- c:\documents and settings\Sherry\Local Settings\Application Data\AVG Security Toolbar
2011-11-27 23:31 . 2011-11-27 23:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-25 13:58 . 2011-11-25 13:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-11-22 12:24 . 2008-04-13 19:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-22 12:24 . 2008-04-13 19:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-22 12:24 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-11-22 12:24 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-11-15 17:18 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-11-15 17:18 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2009-05-14 18:18 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2002-08-29 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2002-08-29 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-17 01:28 . 2011-05-22 14:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-13 12:05 . 2009-05-14 20:55 29712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-24 01:03 . 2010-01-24 01:03 8327264 ----a-w- c:\program files\Firefox Setup 3.6.exe
2009-05-26 22:12 . 2009-05-26 22:11 4045736 ----a-w- c:\program files\ventrilo-3.0.5-Windows-9x.exe
2008-06-01 16:56 . 2011-08-05 00:56 602243712 ----a-w- c:\program files\sr-ccmt1.bin
1999-06-25 14:55 . 2011-08-07 18:20 149504 ----a-w- c:\program files\UNWISE.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-10-24 2078048]
"ZoomText"="c:\program files\ZoomText 9.1\ZT.exe" [2007-12-23 1891655]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-12-19 13880424]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-22 12:33 12536 ------w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SeaPort"=2 (0x2)
"PnkBstrA"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Tom-\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50001:UDP"= 50001:UDP:IHA_MessageCenter
.
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [3/6/2010 11:11 AM 52872]
R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [6/3/2009 1:33 PM 7296]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2009 3:55 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2009 3:55 PM 243152]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 7:33 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 7:33 AM 308136]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 286736]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/20/2009 6:44 PM 24652]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [6/9/2011 6:13 PM 100456]
S2 gupdate1c9e47bb46ad882;Google Update Service (gupdate1c9e47bb46ad882);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
S2 SqlCSS;SQL Server EXPRESS;c:\windows\System32\svchost.exe -k Sqlses [8/29/2002 7:00 AM 14336]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [10/26/2010 8:18 AM 1025352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [9/10/2009 11:31 AM 196409]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Sqlses REG_MULTI_SZ SqlCSS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-06 c:\windows\Tasks\AdobeAAMUpdater-1.0-TOM-Tom-.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-08-06 12:46]
.
2011-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-12-05 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003Core.job
- c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
.
2011-12-06 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003UA.job
- c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
.
2011-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
.
2011-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
.
2011-12-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
2011-12-08 c:\windows\Tasks\User_Feed_Synchronization-{90B8EE39-E3EA-4B52-BCE6-5D698D1160A8}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/?ref=hp
uInternet Settings,ProxyOverride = <local>;*.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.25.25 205.171.2.65
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Notify-AtiExtEvent - (no file)
Notify-sqlesw32 - sqlesw32.dll
Notify-Sqlseses - sqlesw32.dll
AddRemove-{9CA018F2-1E0D-4041-9258-6EFBFEF671BF} - c:\progra~1\INSTAL~1\{9CA01~1\setup.exe
AddRemove-{A9E27FF5-6294-46A8-B8FD-77B1DECA3021} - c:\program files\InstallShield Installation Information\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-08 12:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2244)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\crypserv.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-08 12:49:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-08 17:49
.
Pre-Run: 28,736,172,032 bytes free
Post-Run: 31,802,871,808 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 0BF73F43C03ABC527198E4BB2AA7392D
 
It appears that you missed my original instructions to uninstall AVG before running Combofix, then Install one of the temporary AV noted.

Follow this please:

1. Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    [image: CF_Uninstall-1.jpg]

2. Please go back to my Reply #6 and follow the directions beginning:
"AVG will have to be uninstalled temporarily to run Combofix
Download AppRemover and save to the desktop."

3. Then select one of the suggested AV programs in the AppRemover instructions.
Note: although you will still need to disable the AV while you run Combofix, you will enable it again right after the scan so the system will be protected.

4. Download a new copy of Combofix, run a new scan.
========================================
5. Uninstall all of the following> use Add/Remove Programs. Then use Windows Explorer to access My Computer> Local Drive(C)> Programs> Do a right click> Delete on each of the program folders for the programs you uninstalled:
BitTorrent
HijackThis 2.0.2 (outdated)
StreamTorrent 1.0
Trojan Killer 2.1
Viewpoint Media Player
Reboot the computer when you have finished the uninstalls and deleted the program folders.
===================================
I do not see Java installed or running on the system. It appears that the JQS> Java Quick Start Service may still be on the system, but the program is not. Is that intentional?
===============================

The bottom line here is that there is a lot of malware already on the system. Directions need to be followed so the scans are as accurate as possible. If security programs are running while Combofix and/or the Eset scan are running, they could affect the scan.

As for the file sharing programs- as I mentioned previously, cleaning up front while more malware uses file sharing programs to get in the backdoor is a waste of time.
 
It appears that you missed my original instructions to uninstall AVG before running Combofix, then Install one of the temporary AV noted.
The bottom line here is that there is a lot of malware already on the system. Directions need to be followed so the scans are as accurate as possible. If security programs are running while Combofix and/or the Eset scan are running, they could affect the scan.
I'm sorry. I was following instructions as they were given. I was stopping and not trying to find workarounds when I had an issue because I know it is important to follow the instructions. I guess I didn't read close enough to realize I needed to go back to prior posts.

-----
As for the file sharing programs- as I mentioned previously, cleaning up front while more malware uses file sharing programs to get in the backdoor is a waste of time.
I did not realize that was what was implied back in post #8 - to remove them - until this last post. (NOTE: I also removed Photoshop because it was in the list of cracked programs earlier)

In case this comes across the wrong way, I don't mean to sound disrespectful... I fully realize there is a lot of malware on this computer and I truly appreciate all the help I am getting. Please understand, unless I have a problem where I cannot continue, I am following your instructions in the order received, to the letter, not assuming or jumping to conclusions and doing anything outside what I am being instructed to do, as the instructions come, and was not jumping backwards to past instructions unless instructed to do so.

At this point I have re-read through all the posts and attempted to make sure everything has been completed and in the order last given. My apologies if I missed or misinterpreted something this time through.

-----
Did you write this into the log?
C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\they mostly come when it is.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan
No. There is actually a file with this name. There is also a second file with the ending .cos2. These files are gone now...LimeWire does not show up as an installed program so I have manually removed it by deleting the following folders:

C:\Program Files\LimeWire
C:\Documents and Settings\Tom-\My Documents\LimeWire
C:\Documents and Settings\Tom-\ApplicationData\LimeWire

-----
I do not see Java installed or running on the system. It appears that the JQS> Java Quick Start Service may still be on the system, but the program is not. Is that intentional?
I probably removed Java while I was first trying to clean this system (before I came here for assistance). When Java updates it does not uninstall and usually ends up with a bunch of entries. When I find that I feel better removing all of them and reinstalling a fresh copy of it.


ComboFix uninstalled
AVG uninstalled
Avira Installed
*********AVIRA LOG************


Avira Free Antivirus
Report file date: Monday, December 12, 2011 09:57

Scanning for 3559135 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Sherry
Computer name : TOM

Version information:
BUILD.DAT : 12.0.0.849 41825 Bytes 9/23/2011 20:19:00
AVSCAN.EXE : 12.1.0.17 490448 Bytes 9/23/2011 23:04:46
AVSCAN.DLL : 12.1.0.17 54224 Bytes 9/23/2011 18:34:56
LUKE.DLL : 12.1.0.17 68304 Bytes 9/23/2011 17:55:16
AVSCPLR.DLL : 12.1.0.21 99536 Bytes 12/12/2011 14:56:53
AVREG.DLL : 12.1.0.27 227536 Bytes 12/12/2011 14:56:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 01:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 16:07:39
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 22:08:51
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 17:00:55
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 17:18:22
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 19:12:53
VBASE006.VDF : 7.11.13.60 6411776 Bytes 8/16/2011 14:26:09
VBASE007.VDF : 7.11.15.106 2389504 Bytes 10/5/2011 14:55:56
VBASE008.VDF : 7.11.18.32 2132992 Bytes 11/24/2011 14:56:11
VBASE009.VDF : 7.11.18.33 2048 Bytes 11/24/2011 14:56:12
VBASE010.VDF : 7.11.18.34 2048 Bytes 11/24/2011 14:56:12
VBASE011.VDF : 7.11.18.35 2048 Bytes 11/24/2011 14:56:12
VBASE012.VDF : 7.11.18.36 2048 Bytes 11/24/2011 14:56:12
VBASE013.VDF : 7.11.18.89 204800 Bytes 11/28/2011 14:56:14
VBASE014.VDF : 7.11.18.145 143872 Bytes 12/1/2011 14:56:15
VBASE015.VDF : 7.11.18.180 173056 Bytes 12/2/2011 14:56:16
VBASE016.VDF : 7.11.18.208 164864 Bytes 12/5/2011 14:56:17
VBASE017.VDF : 7.11.18.239 177152 Bytes 12/6/2011 14:56:20
VBASE018.VDF : 7.11.19.36 171520 Bytes 12/9/2011 14:56:21
VBASE019.VDF : 7.11.19.37 2048 Bytes 12/9/2011 14:56:21
VBASE020.VDF : 7.11.19.38 2048 Bytes 12/9/2011 14:56:21
VBASE021.VDF : 7.11.19.39 2048 Bytes 12/9/2011 14:56:21
VBASE022.VDF : 7.11.19.40 2048 Bytes 12/9/2011 14:56:22
VBASE023.VDF : 7.11.19.41 2048 Bytes 12/9/2011 14:56:22
VBASE024.VDF : 7.11.19.42 2048 Bytes 12/9/2011 14:56:22
VBASE025.VDF : 7.11.19.43 2048 Bytes 12/9/2011 14:56:22
VBASE026.VDF : 7.11.19.44 2048 Bytes 12/9/2011 14:56:22
VBASE027.VDF : 7.11.19.45 2048 Bytes 12/9/2011 14:56:23
VBASE028.VDF : 7.11.19.46 2048 Bytes 12/9/2011 14:56:23
VBASE029.VDF : 7.11.19.47 2048 Bytes 12/9/2011 14:56:23
VBASE030.VDF : 7.11.19.48 2048 Bytes 12/9/2011 14:56:23
VBASE031.VDF : 7.11.19.67 115712 Bytes 12/12/2011 14:56:25
Engineversion : 8.2.6.134
AEVDF.DLL : 8.1.2.2 106868 Bytes 12/12/2011 14:56:50
AESCRIPT.DLL : 8.1.3.90 491899 Bytes 12/12/2011 14:56:49
AESCN.DLL : 8.1.7.2 127349 Bytes 9/2/2011 04:46:02
AESBX.DLL : 8.2.4.5 434549 Bytes 12/12/2011 14:56:51
AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 04:16:06
AEPACK.DLL : 8.2.14.5 741751 Bytes 12/12/2011 14:56:48
AEOFFICE.DLL : 8.1.2.21 201084 Bytes 12/12/2011 14:56:45
AEHEUR.DLL : 8.1.3.6 3895670 Bytes 12/12/2011 14:56:43
AEHELP.DLL : 8.1.18.0 254327 Bytes 12/12/2011 14:56:31
AEGEN.DLL : 8.1.5.17 405877 Bytes 12/12/2011 14:56:31
AEEMU.DLL : 8.1.3.0 393589 Bytes 9/2/2011 04:46:01
AECORE.DLL : 8.1.24.0 196983 Bytes 12/12/2011 14:56:29
AEBB.DLL : 8.1.1.0 53618 Bytes 9/2/2011 04:46:01
AVWINLL.DLL : 12.1.0.17 27344 Bytes 9/23/2011 17:13:18
AVPREF.DLL : 12.1.0.17 51920 Bytes 9/23/2011 16:53:57
AVREP.DLL : 12.1.0.17 179408 Bytes 9/23/2011 16:55:01
AVARKT.DLL : 12.1.0.17 223184 Bytes 9/23/2011 16:25:26
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 9/23/2011 16:34:37
SQLITE3.DLL : 3.7.0.0 398288 Bytes 9/16/2011 07:05:58
AVSMTP.DLL : 12.1.0.17 62928 Bytes 9/23/2011 17:03:47
NETNT.DLL : 12.1.0.17 17104 Bytes 9/23/2011 17:58:06
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 9/23/2011 18:37:25
RCTEXT.DLL : 12.1.0.16 96208 Bytes 9/23/2011 18:37:24

Configuration settings for the scan:
Jobname.............................: Short system scan after installation
Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
Logging.............................: default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: Monday, December 12, 2011 09:57

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'NirCmd.3XE' - '1' Module(s) have been scanned
Scan process 'cmd.3XE' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avconfig.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'WDSmartWareBackgroundService.exe' - '1' Module(s) have been scanned
Scan process 'WDDMService.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'McciCMService.exe' - '1' Module(s) have been scanned
Scan process 'Verizon_IHAMessageCenter.exe' - '1' Module(s) have been scanned
Scan process 'crypserv.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '3117' files ).



End of the scan: Monday, December 12, 2011 09:58
Used time: 00:32 Minute(s)

The scan has been done completely.

0 Scanned directories
3156 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
3156 Files not concerned
15 Archives were scanned
0 Warnings
0 Notes
***************************************


Disabled Avira's Realtime Protection
Downloaded new copy of Combofix
Ran ComboFix

************************
ComboFix 11-12-12.02 - Sherry 12/12/2011 10:11:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2472 [GMT -5:00]
Running from: c:\documents and settings\Sherry\Desktop\avam\ComboFix.exe
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Tom-\Application Data\71CE.F94
c:\documents and settings\Tom-\My Documents\~WRL1496.tmp
c:\documents and settings\Tom-\My Documents\~WRL1528.tmp
c:\documents and settings\Tom-\My Documents\~WRL3166.tmp
c:\documents and settings\Tom-\My Documents\~WRL3944.tmp
c:\documents and settings\Tom-\My Documents\~WRL4047.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-11-12 to 2011-12-12 )))))))))))))))))))))))))))))))
.
.
2011-12-05 21:24 . 2011-12-05 21:24 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2011-12-05 18:59 . 2011-12-05 18:59 -------- d-----w- C:\_OTM
2011-12-02 15:21 . 2011-12-02 15:21 -------- d-----w- c:\program files\ESET
2011-11-29 02:12 . 2011-11-29 02:12 -------- d-----w- c:\program files\Innovative Solutions
2011-11-29 01:42 . 2011-12-05 18:59 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-11-29 01:26 . 2011-12-12 13:52 -------- d-----w- c:\documents and settings\TomS
2011-11-29 01:03 . 2011-11-29 01:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-11-29 01:01 . 2011-11-29 01:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-11-29 00:54 . 2011-11-29 00:54 -------- d-----w- c:\documents and settings\Sherry\Local Settings\Application Data\PackageAware
2011-11-29 00:15 . 2011-11-29 00:15 540 ----a-w- C:\regkeys.reg
2011-11-27 23:31 . 2011-11-27 23:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-25 13:58 . 2011-11-25 13:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-11-22 12:24 . 2008-04-13 19:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-22 12:24 . 2008-04-13 19:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-22 12:24 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-11-22 12:24 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-11-15 17:18 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-11-15 17:18 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2009-05-14 18:18 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2002-08-29 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2002-08-29 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-17 01:28 . 2011-05-22 14:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-24 01:03 . 2010-01-24 01:03 8327264 ----a-w- c:\program files\Firefox Setup 3.6.exe
2009-05-26 22:12 . 2009-05-26 22:11 4045736 ----a-w- c:\program files\ventrilo-3.0.5-Windows-9x.exe
2008-06-01 16:56 . 2011-08-05 00:56 602243712 ----a-w- c:\program files\sr-ccmt1.bin
1999-06-25 14:55 . 2011-08-07 18:20 149504 ----a-w- c:\program files\UNWISE.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoomText"="c:\program files\ZoomText 9.1\ZT.exe" [2007-12-23 1891655]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-12-19 13880424]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBIAEMAWQA0AC0ATQBFADYARQBGAC0AQgBTAEwAUwBSAC0AWgBZAFAASAAwAC0AUAA4AFEATgBSAA&inst=NwA2AC0ANQAwADkANQA0ADQAOAAxADYALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAFQANAAtAFgATwAzADYAKwAxAC0AVABCADkAKwAyAC0ATgAxAEQAKwAxAC0AUABMACsAOQAtAEQARABUACsAMwA3ADUAMgA3AC0ARABEADkAMAArADEALQBTAFQAOQAwAEEAUABQACsAMQAtAFAAOQAwAE0AMQAyAEMAKwAxAC0AVQA5ADUAKwAxAC0AVABCACsAMQAtAEYAVQBJACsAMgA&prod=92&ver=9.0.894" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SeaPort"=2 (0x2)
"PnkBstrA"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Tom-\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50001:UDP"= 50001:UDP:IHA_MessageCenter
.
R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [6/3/2009 1:33 PM 7296]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/12/2011 9:54 AM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/12/2011 9:55 AM 86224]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 286736]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/20/2009 6:44 PM 24652]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [6/9/2011 6:13 PM 100456]
R4 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys --> c:\windows\system32\Drivers\avgrkx86.sys [?]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S2 gupdate1c9e47bb46ad882;Google Update Service (gupdate1c9e47bb46ad882);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
S2 SqlCSS;SQL Server EXPRESS;c:\windows\System32\svchost.exe -k Sqlses [8/29/2002 7:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [9/10/2009 11:31 AM 196409]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
*NewlyCreated* - AVKMGR
*Deregistered* - AvgLdx86
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Sqlses REG_MULTI_SZ SqlCSS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-06 c:\windows\Tasks\AdobeAAMUpdater-1.0-TOM-Tom-.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-08-06 12:46]
.
2011-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-12-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003Core.job
- c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
.
2011-12-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003UA.job
- c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
.
2011-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
.
2011-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
.
2011-12-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
2011-12-12 c:\windows\Tasks\User_Feed_Synchronization-{90B8EE39-E3EA-4B52-BCE6-5D698D1160A8}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/?ref=hp
uInternet Settings,ProxyOverride = <local>;*.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 205.171.2.65 205.171.3.65
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-12 10:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-12-12 10:18:31
ComboFix-quarantined-files.txt 2011-12-12 15:18
ComboFix2.txt 2011-12-08 17:49
.
Pre-Run: 38,065,717,248 bytes free
Post-Run: 38,300,315,648 bytes free
.
- - End Of File - - 14D4BDEED6FD7C9207987919444BE8E8
*****************************
Re-enabled Avira's Realtime Protection
Uninstalled the following programs:

BitTorrent
HijackThis 2.0.2 (outdated)
StreamTorrent 1.0
Trojan Killer 2.1
Viewpoint Media Player

Rebooted
Removed all related folders for the above programs

I removed programs as I believe was implied should be done in post #8:
-Photoshop CS2
-Adobe Creative Suite 5.5 Master Collection. This removed multiple 5.5 programs from this package that were in the "cracked" list.
-Gimp (should not have been an issue as it is public domain and free, but it did show up in the "cracked" list)
Rebooted
Removed any remaining related folders
 
Okay, you're on the way to having a clean system!

About Java: Until recently, updating Java did not overwrite the previous version. Thank goodness someone got enough sense to write it in the update to overwrite. Everyone has the Java Updater running, but the nonsense was that it would update but leave the old versions. Sometimes they accumulate and they were all vulnerabilities. I don't permit any auto-update except the antivirus, but you should be okay now just updating, although I recommend doing a manual update instead of auto.
==============================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\program files\sr-ccmt1.bin
FileLook::
C:\regkeys.reg
Folder::
c:\program files\GridinSoft Trojan Killer
ClearJavaCache::
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=-

Reboot::
Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
===================
All sites for the company that makes Trojan Killer, GridinSoft LLC, are rated very poorly by the WOT Site Advisor. They use a Red, Amber and Green coded rating. The sites and the program fail (Red) in Vendor Reliability, Privacy and Child Safety, and get Caution (Amber) in Trustworthiness. It's a $40 program also available on Torrent sites with licenses and keygens.
===================================
There is an infected file in the Recycler. The Recycler folder is a hidden folder where the files you delete are stored, until you empty the Recycle Bin, on an NTFS partition.

The Recycler folder contains a Recycle Bin for each user that logs on to the computer, sorted by their security identifier (SID). This is the file:
c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-500\Dc1.exe

The SID is 1-5-21-1292428093-1078145449-725345543-500

Open Windows Explorer> right click on Start> Explore>
To Show Hidden Folders/Files
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck Hide extensions of known file types.
  • Uncheck Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click Apply> OK
Empty the Recycle Bin before you attempt to delete the file. The Recycler folder cannot be cleared if there are any files in the bin.

You should now see the Recycler right below the Program files.
Double click on the Recycler> the SID will show on the right screen.
Highlight the SID> Delete

If this doesn't work and you get an error message, let me know and we'll try doing it from a Command Prompt. The file appears to be an executable document.

Reset Hidden/System Files & Folders
================================================
Let me know how the system is doing after you run the script.
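Added example, not part of the thread: a small Python check that parses XP-style Recycler paths like the one above, maps the trailing RID of each per-user bin to an account type (RID 500 is the built-in Administrator, RIDs from 1000 up are ordinary local accounts), decodes the Dc1.exe naming (drive C, item 1, original extension .exe) and flags deleted files whose extension marks a program. The listing is constructed from the paths quoted in the thread plus filler entries, and the helper names are my own.

```python
import re

# Constructed listing: the two Recycler paths quoted in the thread plus
# filler entries (INFO2 index files, a recycled text file, a path outside
# RECYCLER) so the check has something to walk. Not a real directory walk.
SAMPLE_RECYCLER_LISTING = [
    r"c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-500\INFO2",
    r"c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-500\Dc1.exe",
    r"c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-1005\INFO2",
    r"c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-1005\Dc3.txt",
    r"c:\windows\system32\ping.exe",  # not under RECYCLER, must be ignored
]

# Per-user bin folders are named after the owner's SID; the last
# component (the RID) identifies the account within the machine domain.
SID_FOLDER_RE = re.compile(r"^s-1-5-21-\d+-\d+-\d+-(\d+)$", re.IGNORECASE)

# XP renames a deleted file to D<drive><index>.<original extension>,
# so Dc1.exe was item 1 deleted from drive C and had an .exe extension.
DELETED_NAME_RE = re.compile(r"^D([a-z])(\d+)\.([^.]+)$", re.IGNORECASE)

# Extensions Windows treats as programs; the same list the posted
# regkeys.reg export carries in its "Programs" value.
PROGRAM_EXTS = {"com", "exe", "bat", "pif", "cmd"}

WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest"}


def classify_rid(rid):
    """Label a RID: well-known built-ins, or an ordinary local account (>= 1000)."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "local user account"
    return "other well-known account"


def parse_recycler_path(path):
    """Return a dict describing a file inside a per-SID Recycler bin, or None."""
    parts = path.replace("/", "\\").split("\\")
    upper = [p.upper() for p in parts]
    if "RECYCLER" not in upper:
        return None
    i = upper.index("RECYCLER")
    if len(parts) < i + 3:
        return None  # just the RECYCLER root or a bare SID folder
    sid_folder, file_name = parts[i + 1], parts[i + 2]
    sid_match = SID_FOLDER_RE.match(sid_folder)
    if not sid_match:
        return None
    rid = int(sid_match.group(1))
    entry = {
        "sid": sid_folder,
        "rid": rid,
        "owner": classify_rid(rid),
        "file": file_name,
        "drive": None,
        "index": None,
        "ext": None,
    }
    name_match = DELETED_NAME_RE.match(file_name)
    if name_match:  # INFO2 and similar index files do not match
        entry["drive"] = name_match.group(1).upper()
        entry["index"] = int(name_match.group(2))
        entry["ext"] = name_match.group(3).lower()
    return entry


def find_recycled_programs(paths):
    """Entries for deleted files whose original extension marks a program."""
    hits = []
    for path in paths:
        entry = parse_recycler_path(path)
        if entry and entry["ext"] in PROGRAM_EXTS:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_recycled_programs(SAMPLE_RECYCLER_LISTING):
        print(f"{hit['file']}: drive {hit['drive']} item {hit['index']}, "
              f"bin owned by RID {hit['rid']} ({hit['owner']})")
```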
 
I disabled Avira and ran ComboFix. It prompted me to update which I did.
Below is the log

The recycler I am showing is
c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-1005
not
c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-500

I still tried emptying and deleting but I get an error that it can't be deleted.

Note: I don't know if it makes a difference, but there is a second user account on this computer. Usually all the user recyclers show up when you set to see hidden files, but perhaps that one is from the other user?
==========
ComboFix 11-12-16.01 - Sherry 12/16/2011 13:44:15.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2443 [GMT -5:00]
Running from: c:\documents and settings\Sherry\Desktop\avam\ComboFix.exe
Command switches used :: c:\documents and settings\Sherry\Desktop\avam\CFScript.txt
AV: Avira Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
FILE ::
"c:\program files\sr-ccmt1.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\sr-ccmt1.bin
.
.
((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
.
.
2011-12-12 14:55 . 2011-12-12 14:55 -------- d-----w- c:\documents and settings\Sherry\Application Data\Avira
2011-12-12 14:54 . 2011-09-18 13:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-12-12 14:54 . 2011-09-16 04:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-12 14:54 . 2011-09-16 04:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-12-12 14:54 . 2011-12-12 14:54 -------- d-----w- c:\program files\Avira
2011-12-12 14:54 . 2011-12-12 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-12-06 15:13 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-12-06 15:13 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-05 21:24 . 2011-12-05 21:24 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
2011-12-05 18:59 . 2011-12-05 18:59 -------- d-----w- C:\_OTM
2011-12-02 15:21 . 2011-12-02 15:21 -------- d-----w- c:\program files\ESET
2011-11-29 02:12 . 2011-11-29 02:12 -------- d-----w- c:\program files\Innovative Solutions
2011-11-29 01:03 . 2011-11-29 01:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-11-29 01:01 . 2011-11-29 01:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-11-29 00:54 . 2011-11-29 00:54 -------- d-----w- c:\documents and settings\Sherry\Local Settings\Application Data\PackageAware
2011-11-29 00:15 . 2011-11-29 00:15 540 ----a-w- C:\regkeys.reg
2011-11-27 23:31 . 2011-11-27 23:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-11-25 13:58 . 2011-11-25 13:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-11-22 12:24 . 2008-04-13 19:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-22 12:24 . 2008-04-13 19:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-11-22 12:24 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-11-22 12:24 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2009-05-14 18:18 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2002-08-29 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2002-08-29 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2010-01-24 01:03 . 2010-01-24 01:03 8327264 ----a-w- c:\program files\Firefox Setup 3.6.exe
2009-05-26 22:12 . 2009-05-26 22:11 4045736 ----a-w- c:\program files\ventrilo-3.0.5-Windows-9x.exe
1999-06-25 14:55 . 2011-08-07 18:20 149504 ----a-w- c:\program files\UNWISE.EXE
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- C:\regkeys.reg ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 540
Created time: 2011-11-29 00:15
Modified time: 2011-11-29 00:15
MD5: D917EB3E8817C0B49B04BD8D3AC18097
SHA1: 2134C11B2E0540603CB960A80A59E3CF3B684EDB
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-12_15.16.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-19 23:14 . 2011-12-13 17:24 56088 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
+ 2009-05-14 14:11 . 2011-12-12 16:57 3505896 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoomText"="c:\program files\ZoomText 9.1\ZT.exe" [2007-12-23 1891655]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-12-19 13880424]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBIAEMAWQA0AC0ATQBFADYARQBGAC0AQgBTAEwAUwBSAC0AWgBZAFAASAAwAC0AUAA4AFEATgBSAA&inst=NwA2AC0ANQAwADkANQA0ADQAOAAxADYALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAFQANAAtAFgATwAzADYAKwAxAC0AVABCADkAKwAyAC0ATgAxAEQAKwAxAC0AUABMACsAOQAtAEQARABUACsAMwA3ADUAMgA3AC0ARABEADkAMAArADEALQBTAFQAOQAwAEEAUABQACsAMQAtAFAAOQAwAE0AMQAyAEMAKwAxAC0AVQA5ADUAKwAxAC0AVABCACsAMQAtAEYAVQBJACsAMgA&prod=92&ver=9.0.894" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SeaPort"=2 (0x2)
"PnkBstrA"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Tom-\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"50001:UDP"= 50001:UDP:IHA_MessageCenter
.
R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [6/3/2009 1:33 PM 7296]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/12/2011 9:54 AM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/12/2011 9:55 AM 86224]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 286736]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [6/9/2011 6:13 PM 100456]
S2 gupdate1c9e47bb46ad882;Google Update Service (gupdate1c9e47bb46ad882);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
S2 SqlCSS;SQL Server EXPRESS;c:\windows\System32\svchost.exe -k Sqlses [8/29/2002 7:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [9/10/2009 11:31 AM 196409]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Sqlses REG_MULTI_SZ SqlCSS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
2011-12-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003Core.job
- c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
.
2011-12-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003UA.job
- c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
.
2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
.
2011-12-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
2011-12-16 c:\windows\Tasks\User_Feed_Synchronization-{90B8EE39-E3EA-4B52-BCE6-5D698D1160A8}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/?ref=hp
uInternet Settings,ProxyOverride = <local>;*.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 205.171.2.65 205.171.3.65
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-16 13:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3696)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\crypserv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Avira\AntiVir Desktop\update.exe
c:\program files\Avira\AntiVir Desktop\updrgui.exe
c:\program files\Avira\AntiVir Desktop\avnotify.exe
.
**************************************************************************
.
Completion time: 2011-12-16 13:57:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-16 18:57
ComboFix2.txt 2011-12-12 15:18
ComboFix3.txt 2011-12-08 17:49
.
Pre-Run: 47,190,085,632 bytes free
Post-Run: 47,156,678,656 bytes free
.
- - End Of File - - F6E48A02908B6D7A2E4296617A1B3682
 
I did a copy and paste of the file in the Recycler:
Files Infected:
c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-500\Dc1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
-----------------------
From bleeping computer:
Filename: dc1.exe
Command: C:\recycler\dc1.exe
Description:
Added by the W32/SillyFD-C worm that spreads to removeable storage devices.
File Location: C:\recycler\dc1.exe

See if you can locate an entry with the dc1.exe entry.
Also, you can try deleting the entire Recycler folder. Windows should create a new one when you reboot.
 
Just deleting the Recycler isn't possible. It is locked from deletion by the system (probably explorer.exe) and the Shell doesn't see C:\RECYCLER.

I did get it finally. That SID was from the hidden Administrator account. I booted into Safe Mode to check it, and when I viewed the RECYCLER folder that SID showed up. I then was able to delete it from within another account. I then emptied the trash to totally remove it.

Finally I did a search of the computer for dc1.exe. No hits.

Is there something I should run to verify that dc1.exe is gone? If not, I'm guessing the system is finally clean?
 
Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
---------------------------
Good for you! You are a smart person!

I think you're almost there, but there is one folder I'd like you to check:

2011-11-29 00:15 540 ----a-w- C:\regkeys.reg

I opened the folder for a look but still don't know what it is. Try a right click> Properties and see if you can get anything on it.
 
2011-11-29 00:15 540 ----a-w- C:\regkeys.reg
540 bytes
registry file
Created on November 28th 2011
No other info.

It is a text file - registry file.
I don't like the looks of it due to the LOAD and RUN lines. I'm guessing that something I ran may have dropped it there as a backup from an automated fix attempt and assume it needs to (should) be deleted?

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DebugOptions"="2048"
"Documents"=""
"DosPrint"="no"
"load"=""
"NetMessage"="no"
"NullPort"="None"
"Programs"="com exe bat pif cmd"
"Run"=""
 

We will finish on Monday.

Have a Happy and Peaceful Holiday!
 