TechSpot

Ping.exe & hidden downloader keep infecting computer

By misterrmac
Dec 1, 2011
    I’m trying to clean the system of a family member. I have already spent a few hours removing a few different things, from browser search redirects to XP Protection 2012. Each time I thought I had it all, something else would appear and be reported. I finally tracked things down to PING.EXE continuously running in the task manager. Killing the task does not help; it just starts again within a few minutes. From time to time I get AVG reports that it is accessing some random location trying to download a suspicious or infected file. An advanced Task Manager shows it pinging places all over the world. Since I have no idea what is attached to the PING, I’m lost now and turn here for help.
    Below are all the log files as requested.
    Note: MBAM crashed about 15 mins into its scan. I reran the scan. No Log file was generated on the first scan attempt.

    *************************************************************************************
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8285

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/1/2011 11:07:23 AM
    mbam-log-2011-12-01 (11-07-23).txt

    Scan type: Quick scan
    Objects scanned: 229211
    Time elapsed: 7 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Privacy Protection (Rogue.PrvacyProtect) -> Value: Privacy Protection -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Tom-\Local Settings\Application Data\dwn.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Tom-\Local Settings\Application Data\dwn.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-500\Dc1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    ***********************************************************
    ***********************************************************
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-12-01 11:16:13
    Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP5T0L0-1d WDC_WD3200JS-22PDB0 rev.21.00M21
    Running: g6kqunkk.exe; Driver: C:\DOCUME~1\Sherry\LOCALS~1\Temp\ugtdipow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----
    *********************************************************
    *********************************************************
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Sherry at 11:19:54 on 2011-12-01
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2462 [GMT -5:00]
    .
    AV: AVG Anti-Virus *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
    C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\ping.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.facebook.com/?ref=hp
    uInternet Settings,ProxyOverride = <local>;*.local
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    uURLSearchHooks: H - No File
    uURLSearchHooks: H - No File
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: AhIeBho Class: {10384d0e-2bc1-48b6-844b-ad0e9e6d2511} - c:\program files\zoomtext 9.1\ahoi\ah_ie_bho.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: UrlHelper Class: {a40dc6c5-79d0-4ca8-a185-8ff989af1115} - c:\progra~1\wi371a~1\datamngr\IEBHO.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
    TB: {0457331D-8CA6-4F97-9C26-6A9EF2B2DBA8} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [ZoomText] "c:\program files\zoomtext 9.1\ZT.exe" /AUTOSTART
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: mswsock.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242326554015
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} -
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: sqlesw32 - sqlesw32.dll
    Notify: Sqlseses - sqlesw32.dll
    AppInit_DLLs: c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-3-6 52872]
    R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [2009-6-3 7296]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-14 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-14 29712]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-14 243152]
    R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-22 921952]
    R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
    R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\verizon\iha_messagecenter\bin\Verizon_IHAMessageCenter.exe [2010-10-13 151552]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-20 24652]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2010-1-21 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-6-9 100456]
    S2 gupdate1c9e47bb46ad882;Google Update Service (gupdate1c9e47bb46ad882);c:\program files\google\update\GoogleUpdate.exe [2009-6-3 133104]
    S2 SqlCSS;SQL Server EXPRESS;c:\windows\system32\svchost.exe -k Sqlses [2002-8-29 14336]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 1025352]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-3 133104]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [2009-9-10 196409]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    .
    =============== Created Last 30 ================
    .
    2011-11-29 02:12:44 -------- d-----w- c:\program files\Innovative Solutions
    2011-11-29 01:42:45 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2011-11-29 00:54:21 -------- d-----w- c:\documents and settings\sherry\local settings\application data\PackageAware
    2011-11-29 00:15:39 540 ----a-w- C:\regkeys.reg
    2011-11-28 23:56:14 -------- d-----w- c:\documents and settings\sherry\local settings\application data\AVG Security Toolbar
    2011-11-22 12:24:32 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-11-22 12:24:32 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-11-22 12:24:32 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-11-22 12:24:29 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-11-15 17:18:45 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-11-15 17:18:45 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    .
    ==================== Find3M ====================
    .
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-17 01:28:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-06 13:20:51 1858944 ------w- c:\windows\system32\win32k.sys
    2011-09-05 17:05:00 47512 ----a-w- c:\windows\system32\AdobePDF.dll
    2011-09-05 17:04:58 22936 ----a-w- c:\windows\system32\AdobePDFUI.dll
    2010-01-24 01:03:07 8327264 ----a-w- c:\program files\Firefox Setup 3.6.exe
    2009-05-26 22:12:00 4045736 ----a-w- c:\program files\ventrilo-3.0.5-Windows-9x.exe
    2008-06-01 16:56:15 602243712 ----a-w- c:\program files\sr-ccmt1.bin
    1999-06-25 14:55:30 149504 ----a-w- c:\program files\UNWISE.EXE
    .
    ============= FINISH: 11:20:49.23 ===============
    *************************************************************************
    *************************************************************************
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/14/2009 2:22:23 PM
    System Uptime: 12/1/2011 11:08:42 AM (0 hours ago)
    .
    Motherboard: ELITEGROUP | | MCP61P
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ | Socket AM2 | 2611/201mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 99 GiB total, 24.529 GiB free.
    D: is FIXED (NTFS) - 99 GiB total, 64.806 GiB free.
    E: is FIXED (NTFS) - 99 GiB total, 84.025 GiB free.
    F: is CDROM ()
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_10DE&DEV_03EB&SUBSYS_26011019&REV_A2\3&2411E6FE&0&09
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_10DE&DEV_03EB&SUBSYS_26011019&REV_A2\3&2411E6FE&0&09
    Service:
    .
    ==== System Restore Points ===================
    .
    RP905: 9/2/2011 5:03:12 PM - System Checkpoint
    RP906: 9/5/2011 5:43:27 PM - System Checkpoint
    RP907: 9/6/2011 6:06:33 PM - System Checkpoint
    RP908: 9/7/2011 6:31:24 PM - System Checkpoint
    RP909: 9/8/2011 3:00:15 AM - Software Distribution Service 3.0
    RP910: 9/9/2011 3:22:48 AM - System Checkpoint
    RP911: 9/10/2011 4:21:43 AM - System Checkpoint
    RP912: 9/11/2011 5:21:43 AM - System Checkpoint
    RP913: 9/12/2011 6:21:43 AM - System Checkpoint
    RP914: 9/13/2011 7:21:42 AM - System Checkpoint
    RP915: 9/13/2011 8:05:40 AM - Avg Update
    RP916: 9/13/2011 8:06:04 AM - Avg Update
    RP917: 9/14/2011 8:39:36 AM - System Checkpoint
    RP918: 9/15/2011 9:21:37 AM - System Checkpoint
    RP919: 9/16/2011 3:00:15 AM - Software Distribution Service 3.0
    RP920: 9/17/2011 3:24:00 AM - System Checkpoint
    RP921: 9/18/2011 4:24:00 AM - System Checkpoint
    RP922: 9/19/2011 5:24:00 AM - System Checkpoint
    RP923: 9/20/2011 6:24:00 AM - System Checkpoint
    RP924: 9/21/2011 7:24:00 AM - System Checkpoint
    RP925: 9/22/2011 8:24:57 AM - System Checkpoint
    RP926: 9/23/2011 10:33:44 AM - System Checkpoint
    RP927: 9/24/2011 11:24:55 AM - System Checkpoint
    RP928: 9/25/2011 11:43:35 AM - System Checkpoint
    RP929: 9/26/2011 11:59:47 AM - System Checkpoint
    RP930: 9/27/2011 12:48:27 PM - System Checkpoint
    RP931: 9/28/2011 3:00:17 AM - Software Distribution Service 3.0
    RP932: 9/29/2011 3:23:40 AM - System Checkpoint
    RP933: 9/30/2011 4:23:37 AM - System Checkpoint
    RP934: 10/1/2011 5:23:35 AM - System Checkpoint
    RP935: 10/2/2011 6:23:37 AM - System Checkpoint
    RP936: 10/3/2011 7:23:37 AM - System Checkpoint
    RP937: 10/4/2011 8:23:45 AM - System Checkpoint
    RP938: 10/5/2011 9:23:35 AM - System Checkpoint
    RP939: 10/6/2011 9:49:39 AM - System Checkpoint
    RP940: 10/8/2011 5:07:52 PM - System Checkpoint
    RP941: 10/9/2011 5:23:36 PM - System Checkpoint
    RP942: 10/10/2011 11:39:58 PM - System Checkpoint
    RP943: 10/11/2011 3:56:49 PM - Avg Update
    RP944: 10/13/2011 3:00:18 AM - Software Distribution Service 3.0
    RP945: 10/14/2011 3:29:08 AM - System Checkpoint
    RP946: 10/15/2011 3:53:28 AM - System Checkpoint
    RP947: 10/16/2011 4:33:37 AM - System Checkpoint
    RP948: 10/17/2011 4:33:51 AM - System Checkpoint
    RP949: 10/18/2011 5:33:28 AM - System Checkpoint
    RP950: 10/19/2011 1:41:42 PM - System Checkpoint
    RP951: 10/20/2011 2:11:29 PM - System Checkpoint
    RP952: 10/21/2011 2:34:33 PM - System Checkpoint
    RP953: 10/22/2011 3:07:05 PM - System Checkpoint
    RP954: 10/23/2011 3:34:32 PM - System Checkpoint
    RP955: 10/24/2011 9:02:59 AM - Avg Update
    RP956: 10/25/2011 10:44:20 AM - System Checkpoint
    RP957: 10/26/2011 11:52:39 AM - System Checkpoint
    RP958: 10/27/2011 12:09:27 PM - System Checkpoint
    RP959: 10/28/2011 2:46:33 PM - System Checkpoint
    RP960: 10/29/2011 4:12:00 PM - System Checkpoint
    RP961: 10/30/2011 8:41:49 PM - System Checkpoint
    RP962: 11/1/2011 10:01:45 AM - System Checkpoint
    RP963: 11/2/2011 12:49:47 PM - System Checkpoint
    RP964: 11/3/2011 1:12:23 PM - System Checkpoint
    RP965: 11/4/2011 1:31:20 PM - System Checkpoint
    RP966: 11/5/2011 3:42:33 PM - System Checkpoint
    RP967: 11/6/2011 7:06:52 PM - System Checkpoint
    RP968: 11/7/2011 9:35:10 PM - System Checkpoint
    RP969: 11/15/2011 12:44:04 PM - System Checkpoint
    RP970: 11/16/2011 3:00:18 AM - Software Distribution Service 3.0
    RP971: 11/17/2011 9:49:27 AM - System Checkpoint
    RP972: 11/18/2011 10:06:02 AM - System Checkpoint
    RP973: 11/19/2011 10:35:29 AM - System Checkpoint
    RP974: 11/20/2011 11:03:19 AM - System Checkpoint
    RP975: 11/21/2011 11:15:54 AM - System Checkpoint
    RP976: 11/22/2011 3:41:40 PM - System Checkpoint
    RP977: 11/23/2011 9:03:59 AM - Avg Update
    RP978: 11/24/2011 9:12:21 AM - System Checkpoint
    RP979: 11/25/2011 9:55:47 AM - System Checkpoint
    RP980: 11/26/2011 10:03:59 AM - System Checkpoint
    RP981: 11/27/2011 10:12:11 AM - System Checkpoint
    RP982: 11/27/2011 4:22:21 PM - Restore Operation
    RP983: 11/27/2011 4:27:49 PM - Restore Operation
    RP984: 11/28/2011 6:32:30 PM - System Checkpoint
    RP985: 11/28/2011 7:22:57 PM - Restore Operation
    RP986: 11/28/2011 7:34:15 PM - Removed Nuance PDF Reader.
    RP987: 11/28/2011 7:34:58 PM - Removed YouTube Downloader Toolbar v4.7.
    RP988: 11/28/2011 7:54:59 PM - Removed Java(TM) 6 Update 26
    RP989: 11/30/2011 11:29:51 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe Acrobat 4.0
    Adobe Acrobat X Pro - English, Français, Deutsch
    Adobe AIR
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Community Help
    Adobe Creative Suite 5.5 Master Collection
    Adobe Dreamweaver CS5.5
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Stock Photos 1.0
    Adobe Widget Browser
    Advanced Task Manager for Windows Vista & Windows XP
    Amazon Kindle For PC v1.0
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG 9.0
    AVS Screen Capture version 2.0.1
    AVS Update Manager 1.0
    AVS Video Converter 7
    AVS Video Editor 5
    AVS Video Recorder 2.4
    AVS4YOU Software Navigator 1.4
    Battlefield 2(TM)
    BitTorrent
    CCV Patch 501a
    Creative WebCam Center
    Creative WebCam Live! Ultra Driver (1.01.03.0127)
    Critical Update for Windows Media Player 11 (KB959772)
    Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
    Facebook Video Calling 1.0.0.8953
    GIMP 2.6.6
    Google Earth
    Google SketchUp Pro 7
    Google Update Helper
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    hp officejet v series
    IHA_MessageCenter
    Intuit SiteBuilder
    IrfanView (remove only)
    iTunes
    Junk Mail filter update
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office Live Add-in 1.3
    Microsoft Office XP Professional
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Microsoft_VC90_MFCLOC_x86
    mIRC
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB954459)
    NVIDIA Control Panel 266.33
    NVIDIA Graphics Driver 266.33
    NVIDIA HD Audio Driver 1.1.13.1
    NVIDIA Install Application
    NVIDIA nView 135.50
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    NVIDIA PhysX System Software 9.10.0514
    OGA Notifier 2.0.0048.0
    PDF Settings CS5
    QuickTime
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    SHOUTcast Source DSP 1.9.1 (remove only)
    Skype Click to Call
    Skype™ 5.5
    Spybot - Search & Destroy
    StreamTorrent 1.0
    Trojan Killer 2.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB969497)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Ventrilo Client
    Verizon Help and Support Tool
    Viewpoint Media Player
    VLC media player 0.9.9
    Vz In Home Agent
    WD SmartWare
    WebFldrs XP
    Winamp (remove only)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows iLivid Toolbar
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Toolbar
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    Wizard101
    ZoomText 9.1
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/1/2011 9:12:51 AM, error: Service Control Manager [7023] - The SQL Server EXPRESS service terminated with the following error: The specified module could not be found.
    12/1/2011 10:31:27 AM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0050DA609EE2 has been denied by the DHCP server 192.168.25.3 (The DHCP Server sent a DHCPNACK message).
    11/28/2011 9:14:58 PM, error: Service Control Manager [7034] - The WD SmartWare Drive Manager service terminated unexpectedly. It has done this 1 time(s).
    11/28/2011 9:11:07 PM, error: Service Control Manager [7034] - The Crypkey License service terminated unexpectedly. It has done this 1 time(s).
    11/28/2011 7:35:27 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
    11/28/2011 7:30:16 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 3 time(s).
    11/28/2011 7:28:31 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/28/2011 7:13:25 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Ai2sXP AmdPPM AvgLdx86 AvgMfx86 Fips NetworkX
    11/28/2011 7:09:24 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/28/2011 7:08:44 PM, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).
    11/28/2011 6:56:06 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    11/28/2011 6:51:06 PM, error: Service Control Manager [7034] - The IHA_MessageCenter service terminated unexpectedly. It has done this 1 time(s).
    11/28/2011 6:51:00 PM, error: Service Control Manager [7034] - The WD SmartWare Background Service service terminated unexpectedly. It has done this 1 time(s).
    11/28/2011 6:50:53 PM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).
    11/28/2011 6:02:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    11/28/2011 5:43:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    11/28/2011 5:40:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Ai2sXP AmdPPM AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT NetworkX RasAcd Rdbss Tcpip
    11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/28/2011 5:40:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    11/28/2011 5:40:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/27/2011 9:08:03 AM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0050DA609EE2 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    11/27/2011 5:08:56 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    11/27/2011 4:27:43 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IHA_MessageCenter service to connect.
    11/27/2011 4:27:43 PM, error: Service Control Manager [7000] - The IHA_MessageCenter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/26/2011 9:16:52 PM, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 0050DA609EE2 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! Lots of rogue programs in cyberspace. Here are some descriptions of yours:
    1. Pretends to be a security update for Windows installed via Automatic Updates. It will then install itself as a single executable that has a random name consisting of three characters.
    2. Clicking on any executable loads the malware
    3. Display fake security alerts on the infected computer.
    4. May not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer
    5. Changes settings on your computer so that when you launch an executable, a file ending with .exe, it will instead launch the infection rather than the desired program.

    To fix #5, you start here: Download a Registry file that will fix these changes.
    Please download FixNCR.reg and save it to a removable media such as a CD/DVD, external Drive, or USB flash drive.
    • Insert the removable device into the infected computer and open the folder for the drive letter associated with it. (Usually C)
    • Double click the FixNCR.reg file
    • You should now be able to run the .exe files.
    -------------------------------------
    To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
      [image]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    This should remove the major offender. Reboot the Computer into Normal Mode and run the following:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
      [image]
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===========================
    Please leave the logs in your next reply. I will check them, then have you continue.
    ===========================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
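    Point 5 above (the .exe association redirected so that every program launch runs the infection) can be verified before and after applying the registry fix by exporting the association keys and checking them. The script below is an added example written for this thread; it is not Bobbye's code and not the contents of FixNCR.reg. It parses .reg export text and reports any .exe class whose open command is not the Windows default `"%1" %*`. It checks HKEY_CLASSES_ROOT, HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes separately because the per-user branch overrides the machine branch in the merged HKCR view, which is where this family of rogues hides its change. The sample export is constructed; `xyz.exe` and its path stand in for the random three-character executable and are not values from this thread.

```python
"""Check a Windows registry export (.reg text) for a hijacked .exe file
association. Added example for this thread, not code from it."""
import re

# Default open command for the 'exefile' class on a healthy Windows XP machine.
EXPECTED_OPEN_COMMAND = '"%1" %*'

# Hives to inspect. HKCU\Software\Classes takes precedence over
# HKLM\Software\Classes in the merged HKEY_CLASSES_ROOT view.
ROOTS = (
    "HKEY_CLASSES_ROOT",
    "HKEY_LOCAL_MACHINE\\Software\\Classes",
    "HKEY_CURRENT_USER\\Software\\Classes",
)

# Constructed sample export resembling an infected profile. The path and
# 'xyz.exe' are placeholders, not values taken from this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Sherry\\Local Settings\\Application Data\\xyz.exe\" -a \"%1\" %*"
'''


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}.
    Only string values are decoded, which is all the association keys use."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        if name.startswith('"') and name.endswith('"'):
            name = name[1:-1]          # "@" is the key's (Default) value
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            # Undo .reg string escaping: \\ becomes \ and \" becomes "
            value = re.sub(r'\\(["\\])', r'\1', value[1:-1])
        sections[current][name] = value
    return sections


def find_exe_hijack(reg):
    """Return a list of findings; an empty list means the .exe association
    is the Windows default in every hive present in the export."""
    findings = []
    for root in ROOTS:
        ext_default = reg.get(root + "\\.exe", {}).get("@")
        if ext_default is not None and ext_default.lower() != "exefile":
            findings.append(f"{root}\\.exe points at class '{ext_default}' instead of 'exefile'")
        cls = ext_default or "exefile"
        key = f"{root}\\{cls}\\shell\\open\\command"
        cmd = reg.get(key, {}).get("@")
        if cmd is not None and cmd != EXPECTED_OPEN_COMMAND:
            findings.append(f"{key} runs '{cmd}' instead of '{EXPECTED_OPEN_COMMAND}'")
    return findings


if __name__ == "__main__":
    for finding in find_exe_hijack(parse_reg(SAMPLE_REG)) or ["no .exe association hijack found"]:
        print(finding)
```

    On a real machine the export would come from `reg export HKCU\Software\Classes\exefile` (and the matching HKCR and HKLM keys) run on a clean system, since on the infected one reg.exe itself is launched through the hijacked association. A clean result after the fix is the check that point 5 has actually been undone.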
  3. misterrmac

    misterrmac TS Rookie Topic Starter

    After running Malwarebytes' Anti-Malware I rebooted. At the user selection screen I clicked on the user and computer locked up when logging in. I waited about 20 minutes hoping it would eventually get past that but it did not so I shut it off and restarted again. I was able to login at that point.

    The link for the ESETOnlineScan does not work - or it does not go to the online scanner. I believe I found what the page should be but wanted to wait for your response before going any further in case what I found is not correct (I'm using IE).

    Below is the MBAM log
    **********************************************************
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8287

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/2/2011 8:59:21 AM
    mbam-log-2011-12-02 (08-59-21).txt

    Scan type: Full scan (C:\|D:\|E:\|)
    Objects scanned: 410359
    Time elapsed: 1 hour(s), 41 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{976bcca8-7e39-4119-b548-df25de6705e7}\RP985\A0138567.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{976bcca8-7e39-4119-b548-df25de6705e7}\RP987\A0138786.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{976bcca8-7e39-4119-b548-df25de6705e7}\RP989\A0139191.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The link for Eset works fine: This is what is embedded: http://go.eset.com/us/online-scanner
    Click on [image] on the left, in Step 1. When you download, it goes to http://go.eset.com/us/online-scanner#
    Please try it again.

    Mbam is clean. There are no new entries. The entries showing in System Volume are for restore points and are no longer active in the system. (You are not supposed to use System Restore while cleaning.) I will have you remove the old restore point and set a new, clean one when we have finished.
  5. misterrmac

    misterrmac TS Rookie Topic Starter

    Not that it matters but your first post's embedded link is showing up for me as http://eset.com/onlinescan - but no problem, it's a trivial matter :)

    I used the latest link and was able to get to the ESET download page but it would not work from the browser on the infected machine. A new window would open, I'd check the agree box and start it and only got a blank window (I waited 5 minutes and nothing.) I ended up downloading it on another computer and transferred it with a clean USB thumb drive. That worked fine.

    While running ESET I kept getting notices from AVG about removing found threats which I canceled...then AVG would want to reboot the computer. I finally turned off the AVG resident shield which seemed to stop that but I don't know if it did anything. About 5 times during the scan I received a system crash message, that PING.EXE had stopped working. I canceled (clicked do not send) out of that.

    ESET Log
    ****************************************************
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZMVAH0N\C0[1].php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KTKNOXGP\new[1].mp3 a variant of Java/TrojanDownloader.OpenStream.NCC trojan
    C:\Documents and Settings\Sherry\Local Settings\Temp\plugtmp\plugin-fqdtdujofodt.pdf JS/Exploit.Pdfka.PGF.Gen trojan
    C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\barracuda [club mix].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan
    C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\Down In The Tube Stationb.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan
    C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\itll be dark soon.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan
    C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\they mostly come when it is.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan
    C:\Documents and Settings\Tom-\My Documents\starwars\indyesigns-us-dtx.exe Win32/Toolbar.Zugo application
    C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe a variant of Win32/1AntiVirus application
    C:\RECYCLER\S-1-5-21-1292428093-1078145449-725345543-1003\Dc1064.exe probably a variant of MSIL/Agent.NGQ trojan
    C:\WINDOWS\system32\drivers\afd.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
    D:\Back Up\Documents and Settings\Tom\Shared\04 Track 4.wma Win32/Adware.180Solutions application
    D:\Back Up\Program Files\achrtree2.exe multiple threats
    D:\Back Up\Program Files\Install_AIM.exe Win32/Adware.WBug.A application
    Operating memory multiple threats
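    The ESET hit on C:\WINDOWS\system32\drivers\afd.sys (Win32/Rootkit.Kryptik.FJ) lines up with the Event Viewer messages in the first post, where AFD and, with it, Tcpip, NetBT, IPSec and the other drivers that sit on top of it failed to load on 11/28. A patched core network driver is the kind of finding that explains both the persistent PING.EXE activity and why the system only limps along after each cleanup. The script below is an added example, not code from this thread or from ESET; it parses Event Viewer lines in the format the first post's log uses and ESET log lines, and reports which failed boot-start drivers were also flagged by the scanner, together with the services that the 7001 messages say depend on them. The log lines are copied from this thread. Two assumptions are mine and labelled in the code: that the Service Control Manager name of a driver equals its file's base name (afd.sys is AFD), and that a 7001 dependency display name beginning with the driver name refers to that driver.

```python
"""Correlate AV detections on kernel drivers with Service Control Manager
driver-load failures. Added example for this thread, not code from it."""
import re

# Lines copied from the Event Viewer section of the first post.
EVENT_LOG = """\
11/28/2011 7:13:25 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Ai2sXP AmdPPM AvgLdx86 AvgMfx86 Fips NetworkX
11/28/2011 5:40:58 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Ai2sXP AmdPPM AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT NetworkX RasAcd Rdbss Tcpip
11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
11/28/2011 5:40:58 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/27/2011 5:08:56 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
"""

# Lines copied from the ESET log posted above.
ESET_LOG = r"""C:\Documents and Settings\Sherry\Local Settings\Temp\plugtmp\plugin-fqdtdujofodt.pdf JS/Exploit.Pdfka.PGF.Gen trojan
C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe a variant of Win32/1AntiVirus application
C:\WINDOWS\system32\drivers\afd.sys a variant of Win32/Rootkit.Kryptik.FJ trojan
Operating memory multiple threats"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+), (?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$")
FAILED_RE = re.compile(r"driver\(s\) failed to load: (?P<names>.+)$")
DEPENDS_RE = re.compile(
    r"^The (?P<dep>.+?) service depends on the (?P<on>.+?) service which failed to start")
# A drive-letter path ending in a short extension, then the detection text.
ESET_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?\.[A-Za-z0-9]{2,4}) (?P<detection>.+)$")


def parse_events(text):
    """Yield (event_id, message) for each Event Viewer line."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m.group("id")), m.group("msg")


def parse_eset(text):
    """Return {lowercase path: detection} for each ESET line naming a file."""
    hits = {}
    for line in text.splitlines():
        m = ESET_RE.match(line.strip())
        if m:
            hits[m.group("path").lower()] = m.group("detection")
    return hits


def correlate(event_log, eset_log):
    """Cross-reference failed boot-start drivers (event 7026) with AV hits on
    .sys files, and attach the dependent services reported by event 7001."""
    failed = set()
    dependents = {}
    for event_id, msg in parse_events(event_log):
        if event_id == 7026:
            m = FAILED_RE.search(msg)
            if m:
                failed.update(n.lower() for n in m.group("names").split())
        elif event_id == 7001:
            m = DEPENDS_RE.match(msg)
            if m:
                dependents.setdefault(m.group("on"), []).append(m.group("dep"))
    # Assumption: the SCM service name equals the driver file's base name
    # (afd.sys -> afd), which holds for the core XP network drivers.
    flagged = {}
    for path, detection in parse_eset(eset_log).items():
        if path.endswith(".sys"):
            flagged[path.rsplit("\\", 1)[-1][:-4]] = detection
    both = sorted(d for d in failed if d in flagged)
    result = {
        "flagged_failed_drivers": {d: flagged[d] for d in both},
        "unflagged_failed_drivers": sorted(failed - set(both)),
        "dependents": {},
    }
    # Heuristic: a dependency display name that starts with the driver name
    # ("AFD Networking Support Environment" for AFD) is taken as that driver.
    for d in both:
        for display, deps in dependents.items():
            if display.lower().startswith(d):
                result["dependents"].setdefault(d, []).extend(deps)
    return result


if __name__ == "__main__":
    r = correlate(EVENT_LOG, ESET_LOG)
    for drv, det in r["flagged_failed_drivers"].items():
        print(f"{drv}: failed to load and flagged as '{det}'; dependents: {r['dependents'].get(drv, [])}")
    print("failed but not flagged:", ", ".join(r["unflagged_failed_drivers"]))
```

    The drivers that failed without an AV hit (AvgLdx86, AvgMfx86, AvgTdiX, and the ones that sit on top of AFD such as Tcpip and NetBT) are cascade failures or belong to the security software, not separate infections, which is why a helper looks at the flagged driver first and plans to replace it from a known-good copy rather than simply quarantining it.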
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Maybe it's a browser thing- I'm using Firefox and the clicks give the two links I left.

    Suggest you uninstall LimeWire. Please run the following:
    Download CKScanner and save to your desktop.
    • Doubleclick CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
    =====================================
    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZMVAH0N\C0[1].php 
      C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KTKNOXGP\new[1].mp3 
      C:\Documents and Settings\Sherry\Local Settings\Temp\plugtmp\plugin-fqdtdujofodt.pdf 
      C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\barracuda [club mix].mp3 
      C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\Down In The Tube Stationb
      C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\itll be dark soon.wma 
      C:\Documents and Settings\Tom-\My Documents\starwars\indyesigns-us-dtx.exe 
      C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe 
      C:\RECYCLER\S-1-5-21-1292428093-1078145449-725345543-1003\Dc1064.exe 
      C:\WINDOWS\system32\drivers\afd.sys 
      D:\Back Up\Documents and Settings\Tom\Shared\04 Track 4.wma 
      D:\Back Up\Program Files\achrtree2.exe 
      D:\Back Up\Program Files\Install_AIM.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    -------------------------------------------------
    Did you write this into the log?
    What have you done of the instructions I left? Complete them first please, then go on to the following.
    ======
    AVG will have to be uninstalled temporarily to run Combofix
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      [image]
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
  7. misterrmac

    misterrmac TS Rookie Topic Starter

    It appears I can't just uninstall Limewire. The Program files/Limewire Directory exists but there is no uninstall in there and Add and Remove Programs has no entry for it. If that is normal, I can just delete it, if not I can Google for some uninstaller or removal instructions (unless you have something).

    CKScanner.exe ran fine (Log attached below) but OTMovit by Old Timer generated an error. I clicked OK but OTMoveit stopped and now there is no taskbar or desktop icons (explorer.exe has been shut down). So I'm posting this from another computer.

    I was able to get a screen shot of the error and save it by loading mspaint through the taskmanager (image below). The CKScanner log I got by loading notepad through the taskmanager.

    I've stopped there until I get a reply for what to do next.

    Edit: Image of OTM error has been deleted by Bobbye

    ***********************************************
    CKScanner - Additional Security Risks - These are not necessarily bad
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetail.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetaillightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetaillightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetailcrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetail.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetaillightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetaillightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31c0-11cf-bf68-0830a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackparallaxdetail.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackparallaxdetaillightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackparallaxdetaillightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackndetailncrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetailcrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetail.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetaillightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetaillightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackndetailncrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2551_3\rashaderstmbasedetaildirtcrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetail.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetaillightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetaillightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackparallaxdetailshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackndetailncrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetailcrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrack.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncracklightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncracklightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetail.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatest.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestlightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestlightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailalphatestshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetaillightmap.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetaillightmapshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackparallaxdetailshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackndetailncrackshadow.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackpointlight.cfx
    c:\documents and settings\tom-\my documents\battlefield 2\mods\bf2\cache\{d7b71ee2-31e0-11cf-bf68-0930a1c2cb35}_2965_3\rashaderstmbasedetaildirtcrackshadow.cfx
    c:\keygen_photoshop_cs2\keygen photoshop cs2\adobe_photoshop_and_imageready_cs2_v9.0_keygen-paradox.nfo
    c:\keygen_photoshop_cs2\keygen photoshop cs2\leeme.txt
    c:\program files\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
    c:\program files\adobe\adobe flash catalyst cs5.5\plugins\com.adobe.thermo.core_1.5.0.308731\com\adobe\thermo\undo\thermoundosystem$undoabledocumentchangecracker.class
    c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
    scanner sequence 3.ZZ.11.QJAPPF
    ----- EOF -----
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Remove the pirated programs to continue support: We do not support piracy.

  9. misterrmac

    misterrmac TS Rookie Topic Starter

I'm still stuck with OTM up. I did not reboot, just started explorer.exe through the Task Manager to regain a desktop.
    All noted files have been removed.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

The OTM problem was my fault, sorry. I forgot to remove the malware name from that file. I'm not sure if anything got removed, so let's run it again with the corrected entry.

Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CZMVAH0N\C0[1].php 
      C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KTKNOXGP\new[1].mp3 
      C:\Documents and Settings\Sherry\Local Settings\Temp\plugtmp\plugin-fqdtdujofodt.pdf 
      C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\barracuda [club mix].mp3 
      C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\Down In The Tube Stationb.wma 
      C:\Documents and Settings\Tom-\My Documents\LimeWire\Saved\itll be dark soon.wma 
      C:\Documents and Settings\Tom-\My Documents\starwars\indyesigns-us-dtx.exe 
      C:\Program Files\GridinSoft Trojan Killer\trojankiller.exe 
      C:\RECYCLER\S-1-5-21-1292428093-1078145449-725345543-1003\Dc1064.exe 
      C:\WINDOWS\system32\drivers\afd.sys 
      D:\Back Up\Documents and Settings\Tom\Shared\04 Track 4.wma 
      D:\Back Up\Program Files\achrtree2.exe 
      D:\Back Up\Program Files\Install_AIM.exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =====================================
    There is a great deal of malware on the system. And if you're going to go back and pirate programs with cracks and keygens, it will be right back. And if you use file sharing programs, same thing. So we would be wasting our time.
    =====================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
  11. misterrmac

    misterrmac TS Rookie Topic Starter

    So, next stumbling block. Combofix went through its motions and finally said it needed to reboot (for me not to reboot the system - it would do it). I clicked OK and left it to do its thing. That was an hour ago. It's still sitting on a wallpaper only screen.
    I'm guessing I will need to manually restart but I'm waiting on your direction.


    On another note.....
    I agree 110% with that and I'll be sure to inform (ream) my brother-in-law about not using that stuff.
     
  12. misterrmac

    misterrmac TS Rookie Topic Starter

    After re-reading your instructions I decided it was safe to just restart the stuck computer.
    ComboFix started up once it got back to the desktop and ran all the way through, rebooted and finished. The log probably does not reflect it but the first time CF ran before the stuck reboot it mentioned having found a rootkit.
    ******************************************************************
    ComboFix 11-12-06.01 - Sherry 12/08/2011 12:27:43.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2482 [GMT -5:00]
    Running from: c:\documents and settings\Sherry\Desktop\ComboFix.exe
    AV: AVG Anti-Virus *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\Sherry\ntuser.tmp
    c:\documents and settings\Tom-\WINDOWS
    C:\DSC00001.JPG
    c:\program files\INSTALL.LOG
    c:\windows\$NtUninstallKB37587$
    c:\windows\$NtUninstallKB37587$\1511311559\@
    c:\windows\$NtUninstallKB37587$\1511311559\bckfg.tmp
    c:\windows\$NtUninstallKB37587$\1511311559\cfg.ini
    c:\windows\$NtUninstallKB37587$\1511311559\Desktop.ini
    c:\windows\$NtUninstallKB37587$\1511311559\keywords
    c:\windows\$NtUninstallKB37587$\1511311559\kwrd.dll
    c:\windows\$NtUninstallKB37587$\1511311559\L\jrumdcef
    c:\windows\$NtUninstallKB37587$\1511311559\lsflt7.ver
    c:\windows\$NtUninstallKB37587$\1511311559\U\00000001.@
    c:\windows\$NtUninstallKB37587$\1511311559\U\00000002.@
    c:\windows\$NtUninstallKB37587$\1511311559\U\00000004.@
    c:\windows\$NtUninstallKB37587$\1511311559\U\80000000.@
    c:\windows\$NtUninstallKB37587$\1511311559\U\80000004.@
    c:\windows\$NtUninstallKB37587$\1511311559\U\80000032.@
    c:\windows\$NtUninstallKB37587$\2676414972
    c:\windows\CSC\d6
    .
    Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
    Restored copy from - The cat found it :)
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-06 15:13 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
    2011-12-06 15:13 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-12-05 21:24 . 2011-12-05 21:24 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
    2011-12-05 18:59 . 2011-12-05 18:59 -------- d-----w- C:\_OTM
    2011-12-02 15:21 . 2011-12-02 15:21 -------- d-----w- c:\program files\ESET
    2011-12-01 16:25 . 2011-12-01 16:25 -------- d-----w- c:\documents and settings\Sherry\Application Data\AVG9
    2011-11-29 02:12 . 2011-11-29 02:12 -------- d-----w- c:\program files\Innovative Solutions
    2011-11-29 01:42 . 2011-12-05 18:59 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2011-11-29 01:26 . 2011-11-29 01:29 -------- d-----w- c:\documents and settings\TomS
    2011-11-29 01:03 . 2011-11-29 01:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2011-11-29 01:01 . 2011-11-29 01:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
    2011-11-29 00:54 . 2011-11-29 00:54 -------- d-----w- c:\documents and settings\Sherry\Local Settings\Application Data\PackageAware
    2011-11-29 00:15 . 2011-11-29 00:15 540 ----a-w- C:\regkeys.reg
    2011-11-28 23:56 . 2011-11-28 23:56 -------- d-----w- c:\documents and settings\Sherry\Local Settings\Application Data\AVG Security Toolbar
    2011-11-27 23:31 . 2011-11-27 23:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-11-25 13:58 . 2011-11-25 13:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-11-22 12:24 . 2008-04-13 19:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-11-22 12:24 . 2008-04-13 19:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-11-22 12:24 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-11-22 12:24 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-11-15 17:18 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-11-15 17:18 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2009-05-14 18:18 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2002-08-29 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2002-08-29 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-17 01:28 . 2011-05-22 14:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-13 12:05 . 2009-05-14 20:55 29712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-01-24 01:03 . 2010-01-24 01:03 8327264 ----a-w- c:\program files\Firefox Setup 3.6.exe
    2009-05-26 22:12 . 2009-05-26 22:11 4045736 ----a-w- c:\program files\ventrilo-3.0.5-Windows-9x.exe
    2008-06-01 16:56 . 2011-08-05 00:56 602243712 ----a-w- c:\program files\sr-ccmt1.bin
    1999-06-25 14:55 . 2011-08-07 18:20 149504 ----a-w- c:\program files\UNWISE.EXE
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
    .
    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2011-07-26 14:15 2532680 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
    .
    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-07-26 2532680]
    .
    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-10-24 2078048]
    "ZoomText"="c:\program files\ZoomText 9.1\ZT.exe" [2007-12-23 1891655]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-12-19 13880424]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-06-22 12:33 12536 ------w- c:\windows\system32\avgrsstx.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SeaPort"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Tom-\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "50001:UDP"= 50001:UDP:IHA_MessageCenter
    .
    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [3/6/2010 11:11 AM 52872]
    R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [6/3/2009 1:33 PM 7296]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2009 3:55 PM 216400]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2009 3:55 PM 243152]
    R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 7:33 AM 921952]
    R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 7:33 AM 308136]
    R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 286736]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/20/2009 6:44 PM 24652]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [6/9/2011 6:13 PM 100456]
    S2 gupdate1c9e47bb46ad882;Google Update Service (gupdate1c9e47bb46ad882);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
    S2 SqlCSS;SQL Server EXPRESS;c:\windows\System32\svchost.exe -k Sqlses [8/29/2002 7:00 AM 14336]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [10/26/2010 8:18 AM 1025352]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
    S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [9/10/2009 11:31 AM 196409]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Sqlses REG_MULTI_SZ SqlCSS
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-06 c:\windows\Tasks\AdobeAAMUpdater-1.0-TOM-Tom-.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-08-06 12:46]
    .
    2011-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
    .
    2011-12-05 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003Core.job
    - c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
    .
    2011-12-06 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003UA.job
    - c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
    .
    2011-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
    .
    2011-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
    .
    2011-12-08 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
    .
    2011-12-08 c:\windows\Tasks\User_Feed_Synchronization-{90B8EE39-E3EA-4B52-BCE6-5D698D1160A8}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/?ref=hp
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.25.25 205.171.2.65
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    Notify-AtiExtEvent - (no file)
    Notify-sqlesw32 - sqlesw32.dll
    Notify-Sqlseses - sqlesw32.dll
    AddRemove-{9CA018F2-1E0D-4041-9258-6EFBFEF671BF} - c:\progra~1\INSTAL~1\{9CA01~1\setup.exe
    AddRemove-{A9E27FF5-6294-46A8-B8FD-77B1DECA3021} - c:\program files\InstallShield Installation Information\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\setup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-08 12:45
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2244)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\system32\crypserv.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-08 12:49:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-08 17:49
    .
    Pre-Run: 28,736,172,032 bytes free
    Post-Run: 31,802,871,808 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - 0BF73F43C03ABC527198E4BB2AA7392D
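The helper reads the "Files Created" section of the ComboFix report above by eye, looking for things like a kernel driver (afd.sys) that was written days before the scan. The script below is an added example, not ComboFix's own code and not something posted in this thread: it parses the timestamped file lines in that layout and surfaces the entries a responder would check first (recently written drivers, drivers whose dllcache copy does not match, hidden/system directories). The sample input takes lines from the report quoted above plus two constructed lines for a hypothetical `example.sys`; the report time constant and the meaning assigned to the two timestamps are assumptions.

```python
"""Triage helper for the timestamped file lines in a ComboFix report.

Added example (not ComboFix's code, not from the TechSpot thread).  It parses
lines shaped "<created> . <modified> <size|--------> <attrs> <path>" as seen in
the quoted "Files Created" / "Find3M" sections.  Treating the first timestamp as
the directory entry's creation time and the second as the last write time is an
assumption about ComboFix's output format.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    created: datetime      # first timestamp on the line (assumed: entry created)
    modified: datetime     # second timestamp on the line (assumed: last write)
    size: Optional[int]    # None for directories, printed as "--------"
    attrs: str             # attribute string such as "-c--a-w-" or "d-sh--w-"
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]+) (?P<path>.+)$"
)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file line; None for section headers, dots, blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(
        created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
        modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
        size=size,
        attrs=m["attrs"],
        path=m["path"],
    )


def parse_report(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


DRIVERS_DIR = "\\system32\\drivers\\"
DLLCACHE_DIR = "\\system32\\dllcache\\"


def flag_entries(entries: List[Entry], report_time: datetime,
                 window: timedelta = timedelta(days=7)) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs that deserve a second look. A triage filter, not a verdict."""
    findings: List[Tuple[str, str]] = []
    drivers: Dict[str, Entry] = {}
    cache: Dict[str, Entry] = {}

    for e in entries:
        low = e.path.lower()
        # Newly created directories carrying the hidden or system attribute.
        if e.size is None and ("h" in e.attrs or "s" in e.attrs):
            findings.append((e.path, "hidden/system directory created"))
        if e.size is not None and DRIVERS_DIR in low:
            drivers[e.name] = e
            if report_time - e.created <= window:
                findings.append((e.path, f"kernel driver written within {window.days} days of the report"))
        elif e.size is not None and DLLCACHE_DIR in low:
            cache[e.name] = e

    # On XP the dllcache copy is what Windows File Protection restores from; a
    # driver that differs from its cached copy in size or write time stands out.
    for name, drv in drivers.items():
        c = cache.get(name)
        if c is not None and (c.size != drv.size or c.modified != drv.modified):
            findings.append((drv.path, "differs from its dllcache copy"))
    return findings


# Sample input: six lines taken from the ComboFix report quoted above, plus two
# constructed lines for a hypothetical "example.sys" whose dllcache copy does
# not match (those two are not from the thread).
SAMPLE_REPORT = r"""
((((((((((((((((((((((((( Files Created from 2011-11-08 to 2011-12-08 )))))))))))))))))))))))))))))))
.
2011-12-06 15:13 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2011-12-06 15:13 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-12-05 18:59 . 2011-12-05 18:59 -------- d-----w- C:\_OTM
2011-12-03 09:10 . 2011-12-03 09:10 140800 ----a-w- c:\windows\system32\drivers\example.sys
2011-12-03 09:10 . 2008-04-13 19:45 136192 -c--a-w- c:\windows\system32\dllcache\example.sys
2011-11-29 01:03 . 2011-11-29 01:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-11-22 12:24 . 2008-04-13 19:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-11-22 12:24 . 2008-04-13 19:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
"""
REPORT_TIME = datetime(2011, 12, 8, 12, 27)   # taken from the report header above


def triage(text: str = SAMPLE_REPORT, when: datetime = REPORT_TIME) -> List[Tuple[str, str]]:
    return flag_entries(parse_report(text), when)


if __name__ == "__main__":
    for path, reason in triage():
        print(f"{reason}: {path}")
```

On the sample this reports the recently written afd.sys (which in this thread is the copy ComboFix itself restored, so the hit is expected), the constructed example.sys twice (recent, and mismatching its dllcache copy) and the hidden PrivacIE folder, while leaving the older usbscan.sys pair alone. The output is a short list to review against the rest of the log, not a detection on its own.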
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    It appears that you missed my original instructions to uninstall AVG before running Combofix, then install one of the temporary AVs noted.

    Follow this please:

    1. Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    2. Please go back to my Reply #6 and follow the directions beginning:
    "AVG will have to be uninstalled temporarily to run Combofix
    Download AppRemover and save to the desktop."

    3. Then select one of the suggested AV programs in the AppRemover instructions.
    Note: although you will still need to disable the AV while you run Combofix, you will enable it again right after the scan so the system will be protected.

    4. Download a new copy of Combofix, run a new scan.
    ========================================
    5. Uninstall all of the following> use Add/Remove Programs. Then use Windows Explorer to access My Computer> Local Drive(C)> Programs> Do a right click> Delete on each of the program folders for the programs you uninstalled:
    Reboot the computer when you have finished the uninstalls and deleted the program folders.
    ===================================
    I do not see Java installed or running on the system. It appears that the JQS> Java Quick Start Service may still be on the system, but the program is not. Is that intentional?
    ===============================

    The bottom line here is that there is a lot of malware already on the system. Directions need to be followed so the scans are as accurate as possible. If security programs are running while Combofix and/or the Eset scan are running, they could affect the scan.

    As for the file sharing programs- as I mentioned previously, cleaning up front while more malware uses file sharing programs to get in the backdoor is a waste of time.
  14. misterrmac

    misterrmac TS Rookie Topic Starter

    I'm sorry. I was following instructions as they were given. I was stopping and not trying to find workarounds when I had an issue because I know it is important to follow the instructions. I guess I didn't read close enough to realize I needed to go back to prior posts.

    -----
    I did not realize that was what was implied back in post #8 - to remove them - until this last post. (NOTE: I also removed Photoshop because it was in the list of cracked programs earlier)

    In case this comes across the wrong way, I don't mean to sound disrespectful... I fully realize there is a lot of malware on this computer and I truly appreciate all the help I am getting. Please understand, unless I have a problem where I cannot continue, I am following your instructions in the order received, to the letter, not assuming or jumping to conclusions and doing anything outside what I am being instructed to do, as the instructions come, and was not jumping backwards to past instructions unless instructed to do so.

    At this point I have re-read through all the posts and attempted to make sure everything has been completed and in the order last given. My apologies if I missed or misinterpreted something this time through.

    -----
    No. There is actually a file with this name. There is also a second file with the ending .cos2. These files are gone now...LimeWire does not show up as an installed program so I have manually removed it by deleting the following folders:

    C:\Program Files\LimeWire
    C:\Documents and Settings\Tom-\My Documents\LimeWire
    C:\Documents and Settings\Tom-\ApplicationData\LimeWire

    -----
    I probably removed Java while I was first trying to clean this system (before I came here for assistance). When Java updates it does not uninstall and usually ends up with a bunch of entries. When I find that I feel better removing all of them and reinstalling a fresh copy of it.


    ComboFix uninstalled
    AVG uninstalled
    Avira Installed
    *********AVIRA LOG************


    Avira Free Antivirus
    Report file date: Monday, December 12, 2011 09:57

    Scanning for 3559135 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - Free Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows XP
    Windows version : (Service Pack 3) [5.1.2600]
    Boot mode : Normally booted
    Username : Sherry
    Computer name : TOM

    Version information:
    BUILD.DAT : 12.0.0.849 41825 Bytes 9/23/2011 20:19:00
    AVSCAN.EXE : 12.1.0.17 490448 Bytes 9/23/2011 23:04:46
    AVSCAN.DLL : 12.1.0.17 54224 Bytes 9/23/2011 18:34:56
    LUKE.DLL : 12.1.0.17 68304 Bytes 9/23/2011 17:55:16
    AVSCPLR.DLL : 12.1.0.21 99536 Bytes 12/12/2011 14:56:53
    AVREG.DLL : 12.1.0.27 227536 Bytes 12/12/2011 14:56:52
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 01:18:34
    VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 16:07:39
    VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 22:08:51
    VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 17:00:55
    VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 17:18:22
    VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 19:12:53
    VBASE006.VDF : 7.11.13.60 6411776 Bytes 8/16/2011 14:26:09
    VBASE007.VDF : 7.11.15.106 2389504 Bytes 10/5/2011 14:55:56
    VBASE008.VDF : 7.11.18.32 2132992 Bytes 11/24/2011 14:56:11
    VBASE009.VDF : 7.11.18.33 2048 Bytes 11/24/2011 14:56:12
    VBASE010.VDF : 7.11.18.34 2048 Bytes 11/24/2011 14:56:12
    VBASE011.VDF : 7.11.18.35 2048 Bytes 11/24/2011 14:56:12
    VBASE012.VDF : 7.11.18.36 2048 Bytes 11/24/2011 14:56:12
    VBASE013.VDF : 7.11.18.89 204800 Bytes 11/28/2011 14:56:14
    VBASE014.VDF : 7.11.18.145 143872 Bytes 12/1/2011 14:56:15
    VBASE015.VDF : 7.11.18.180 173056 Bytes 12/2/2011 14:56:16
    VBASE016.VDF : 7.11.18.208 164864 Bytes 12/5/2011 14:56:17
    VBASE017.VDF : 7.11.18.239 177152 Bytes 12/6/2011 14:56:20
    VBASE018.VDF : 7.11.19.36 171520 Bytes 12/9/2011 14:56:21
    VBASE019.VDF : 7.11.19.37 2048 Bytes 12/9/2011 14:56:21
    VBASE020.VDF : 7.11.19.38 2048 Bytes 12/9/2011 14:56:21
    VBASE021.VDF : 7.11.19.39 2048 Bytes 12/9/2011 14:56:21
    VBASE022.VDF : 7.11.19.40 2048 Bytes 12/9/2011 14:56:22
    VBASE023.VDF : 7.11.19.41 2048 Bytes 12/9/2011 14:56:22
    VBASE024.VDF : 7.11.19.42 2048 Bytes 12/9/2011 14:56:22
    VBASE025.VDF : 7.11.19.43 2048 Bytes 12/9/2011 14:56:22
    VBASE026.VDF : 7.11.19.44 2048 Bytes 12/9/2011 14:56:22
    VBASE027.VDF : 7.11.19.45 2048 Bytes 12/9/2011 14:56:23
    VBASE028.VDF : 7.11.19.46 2048 Bytes 12/9/2011 14:56:23
    VBASE029.VDF : 7.11.19.47 2048 Bytes 12/9/2011 14:56:23
    VBASE030.VDF : 7.11.19.48 2048 Bytes 12/9/2011 14:56:23
    VBASE031.VDF : 7.11.19.67 115712 Bytes 12/12/2011 14:56:25
    Engineversion : 8.2.6.134
    AEVDF.DLL : 8.1.2.2 106868 Bytes 12/12/2011 14:56:50
    AESCRIPT.DLL : 8.1.3.90 491899 Bytes 12/12/2011 14:56:49
    AESCN.DLL : 8.1.7.2 127349 Bytes 9/2/2011 04:46:02
    AESBX.DLL : 8.2.4.5 434549 Bytes 12/12/2011 14:56:51
    AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 04:16:06
    AEPACK.DLL : 8.2.14.5 741751 Bytes 12/12/2011 14:56:48
    AEOFFICE.DLL : 8.1.2.21 201084 Bytes 12/12/2011 14:56:45
    AEHEUR.DLL : 8.1.3.6 3895670 Bytes 12/12/2011 14:56:43
    AEHELP.DLL : 8.1.18.0 254327 Bytes 12/12/2011 14:56:31
    AEGEN.DLL : 8.1.5.17 405877 Bytes 12/12/2011 14:56:31
    AEEMU.DLL : 8.1.3.0 393589 Bytes 9/2/2011 04:46:01
    AECORE.DLL : 8.1.24.0 196983 Bytes 12/12/2011 14:56:29
    AEBB.DLL : 8.1.1.0 53618 Bytes 9/2/2011 04:46:01
    AVWINLL.DLL : 12.1.0.17 27344 Bytes 9/23/2011 17:13:18
    AVPREF.DLL : 12.1.0.17 51920 Bytes 9/23/2011 16:53:57
    AVREP.DLL : 12.1.0.17 179408 Bytes 9/23/2011 16:55:01
    AVARKT.DLL : 12.1.0.17 223184 Bytes 9/23/2011 16:25:26
    AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 9/23/2011 16:34:37
    SQLITE3.DLL : 3.7.0.0 398288 Bytes 9/16/2011 07:05:58
    AVSMTP.DLL : 12.1.0.17 62928 Bytes 9/23/2011 17:03:47
    NETNT.DLL : 12.1.0.17 17104 Bytes 9/23/2011 17:58:06
    RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 9/23/2011 18:37:25
    RCTEXT.DLL : 12.1.0.16 96208 Bytes 9/23/2011 18:37:24

    Configuration settings for the scan:
    Jobname.............................: Short system scan after installation
    Configuration file..................: c:\program files\avira\antivir desktop\setupprf.dat
    Logging.............................: default
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: off
    Integrity checking of system files..: off
    Scan all files......................: Intelligent file selection
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: extended

    Start of the scan: Monday, December 12, 2011 09:57

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!
    Master boot sector HD1
    [INFO] No virus was found!

    Start scanning boot sectors:

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avshadow.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'NirCmd.3XE' - '1' Module(s) have been scanned
    Scan process 'cmd.3XE' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'avconfig.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'rundll32.exe' - '1' Module(s) have been scanned
    Scan process 'iPodService.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'WDSmartWareBackgroundService.exe' - '1' Module(s) have been scanned
    Scan process 'WDDMService.exe' - '1' Module(s) have been scanned
    Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'McciCMService.exe' - '1' Module(s) have been scanned
    Scan process 'Verizon_IHAMessageCenter.exe' - '1' Module(s) have been scanned
    Scan process 'crypserv.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned

    Starting to scan executable files (registry).
    The registry was scanned ( '3117' files ).



    End of the scan: Monday, December 12, 2011 09:58
    Used time: 00:32 Minute(s)

    The scan has been done completely.

    0 Scanned directories
    3156 Files were scanned
    0 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 Files were deleted
    0 Viruses and unwanted programs were repaired
    0 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    3156 Files not concerned
    15 Archives were scanned
    0 Warnings
    0 Notes
    ***************************************


    Disabled Avira's Realtime Protection
    Downloaded new copy of Combofix
    Ran ComboFix

    ************************
    ComboFix 11-12-12.02 - Sherry 12/12/2011 10:11:25.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2472 [GMT -5:00]
    Running from: c:\documents and settings\Sherry\Desktop\avam\ComboFix.exe
    AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Tom-\Application Data\71CE.F94
    c:\documents and settings\Tom-\My Documents\~WRL1496.tmp
    c:\documents and settings\Tom-\My Documents\~WRL1528.tmp
    c:\documents and settings\Tom-\My Documents\~WRL3166.tmp
    c:\documents and settings\Tom-\My Documents\~WRL3944.tmp
    c:\documents and settings\Tom-\My Documents\~WRL4047.tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-12 to 2011-12-12 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-05 21:24 . 2011-12-05 21:24 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
    2011-12-05 18:59 . 2011-12-05 18:59 -------- d-----w- C:\_OTM
    2011-12-02 15:21 . 2011-12-02 15:21 -------- d-----w- c:\program files\ESET
    2011-11-29 02:12 . 2011-11-29 02:12 -------- d-----w- c:\program files\Innovative Solutions
    2011-11-29 01:42 . 2011-12-05 18:59 -------- d-----w- c:\program files\GridinSoft Trojan Killer
    2011-11-29 01:26 . 2011-12-12 13:52 -------- d-----w- c:\documents and settings\TomS
    2011-11-29 01:03 . 2011-11-29 01:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2011-11-29 01:01 . 2011-11-29 01:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
    2011-11-29 00:54 . 2011-11-29 00:54 -------- d-----w- c:\documents and settings\Sherry\Local Settings\Application Data\PackageAware
    2011-11-29 00:15 . 2011-11-29 00:15 540 ----a-w- C:\regkeys.reg
    2011-11-27 23:31 . 2011-11-27 23:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-11-25 13:58 . 2011-11-25 13:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-11-22 12:24 . 2008-04-13 19:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-11-22 12:24 . 2008-04-13 19:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-11-22 12:24 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-11-22 12:24 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2011-11-15 17:18 . 2008-04-13 19:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
    2011-11-15 17:18 . 2008-04-13 19:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2009-05-14 18:18 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2002-08-29 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2002-08-29 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-17 01:28 . 2011-05-22 14:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2010-01-24 01:03 . 2010-01-24 01:03 8327264 ----a-w- c:\program files\Firefox Setup 3.6.exe
    2009-05-26 22:12 . 2009-05-26 22:11 4045736 ----a-w- c:\program files\ventrilo-3.0.5-Windows-9x.exe
    2008-06-01 16:56 . 2011-08-05 00:56 602243712 ----a-w- c:\program files\sr-ccmt1.bin
    1999-06-25 14:55 . 2011-08-07 18:20 149504 ----a-w- c:\program files\UNWISE.EXE
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoomText"="c:\program files\ZoomText 9.1\ZT.exe" [2007-12-23 1891655]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-12-19 13880424]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBIAEMAWQA0AC0ATQBFADYARQBGAC0AQgBTAEwAUwBSAC0AWgBZAFAASAAwAC0AUAA4AFEATgBSAA&inst=NwA2AC0ANQAwADkANQA0ADQAOAAxADYALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAFQANAAtAFgATwAzADYAKwAxAC0AVABCADkAKwAyAC0ATgAxAEQAKwAxAC0AUABMACsAOQAtAEQARABUACsAMwA3ADUAMgA3AC0ARABEADkAMAArADEALQBTAFQAOQAwAEEAUABQACsAMQAtAFAAOQAwAE0AMQAyAEMAKwAxAC0AVQA5ADUAKwAxAC0AVABCACsAMQAtAEYAVQBJACsAMgA&prod=92&ver=9.0.894" [?]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SeaPort"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Tom-\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "50001:UDP"= 50001:UDP:IHA_MessageCenter
    .
    R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [6/3/2009 1:33 PM 7296]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/12/2011 9:54 AM 36000]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/12/2011 9:55 AM 86224]
    R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 286736]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/20/2009 6:44 PM 24652]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [6/9/2011 6:13 PM 100456]
    R4 AvgRkx86;avgrkx86.sys;c:\windows\system32\Drivers\avgrkx86.sys --> c:\windows\system32\Drivers\avgrkx86.sys [?]
    R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
    S2 gupdate1c9e47bb46ad882;Google Update Service (gupdate1c9e47bb46ad882);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
    S2 SqlCSS;SQL Server EXPRESS;c:\windows\System32\svchost.exe -k Sqlses [8/29/2002 7:00 AM 14336]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 12:37 PM 517096]
    S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [9/10/2009 11:31 AM 196409]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ANTIVIRSCHEDULERSERVICE
    *NewlyCreated* - ANTIVIRSERVICE
    *NewlyCreated* - AVGNTFLT
    *NewlyCreated* - AVIPBB
    *NewlyCreated* - AVKMGR
    *Deregistered* - AvgLdx86
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Sqlses REG_MULTI_SZ SqlCSS
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-06 c:\windows\Tasks\AdobeAAMUpdater-1.0-TOM-Tom-.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-08-06 12:46]
    .
    2011-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
    .
    2011-12-08 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003Core.job
    - c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
    .
    2011-12-12 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003UA.job
    - c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
    .
    2011-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
    .
    2011-12-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
    .
    2011-12-12 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
    .
    2011-12-12 c:\windows\Tasks\User_Feed_Synchronization-{90B8EE39-E3EA-4B52-BCE6-5D698D1160A8}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/?ref=hp
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 205.171.2.65 205.171.3.65
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-12 10:16
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-12-12 10:18:31
    ComboFix-quarantined-files.txt 2011-12-12 15:18
    ComboFix2.txt 2011-12-08 17:49
    .
    Pre-Run: 38,065,717,248 bytes free
    Post-Run: 38,300,315,648 bytes free
    .
    - - End Of File - - 14D4BDEED6FD7C9207987919444BE8E8
    *****************************
    Re-enabled Avira's Realtime Protection
    Uninstalled the following programs

    BitTorrent
    HijackThis 2.0.2 (outdated)
    StreamTorrent 1.0
    Trojan Killer 2.1
    Viewpoint Media Player

    Rebooted
    Removed all related folders for the above programs

    I removed the programs I believe post #8 implied should be removed:
    -Photoshop CS2
    -Adobe Creative Suite 5.5 Master Collection. This removed multiple 5.5 programs from this package that were in the "cracked" list.
    -Gimp (should not have been an issue as it is public domain and free, but it did show up in the "cracked" list)
    Rebooted
    Removed any remaining related folders
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, you're on the way to having a clean system!

    About Java: Until recently, updating Java did not overwrite the previous version. Thank goodness someone got enough sense to write it in the update to overwrite. Everyone has the Java Updater running, but the nonsense was that it would update but leave the old versions. Sometimes they accumulate and they were all vulnerabilities. I don't permit any auto-update except the antivirus, but you should be okay now just updating, although I recommend doing a manual update instead of auto.
    ==============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\program files\sr-ccmt1.bin
    FileLook::
    C:\regkeys.reg
    Folder::
    c:\program files\GridinSoft Trojan Killer
    ClearJavaCache::
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
    "c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=-
    
    Reboot::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ===================
    All sites for the company that makes Trojan Killer, GridinSoft LLC, are rated very poorly by the WOT Site Advisor. They use a Red, Amber and Green coded rating. The sites and the program fail (Red) in Vendor Reliability, Privacy and Child Safety, and get Caution (Amber) in Trustworthiness. It's a $40 program also available on Torrent sites with licenses and keygens.
    ===================================
    There is an infected file in the Recycler. The Recycler folder is a hidden folder where the files you delete are stored, until you empty the Recycle Bin, on an NTFS partition.

    The Recycler folder contains a Recycle Bin for each user that logs on to the computer, sorted by their security identifier (SID). This is the file:
    c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-500\Dc1.exe

    The SID is 1-5-21-1292428093-1078145449-725345543-500

    Open Windows Explorer> right click on Start> Explore>
    To Show Hidden Folders/Files
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck Hide extensions of known file types.
    • Uncheck Hide protected operating system files (Recommended).
    • Click Yes when prompted.
    • Click Apply> OK
    Empty the Recycle Bin before you attempt to delete the file. The Recycler folder cannot be cleared if there are any files in the bin.

    You should now see the Recycler right below the Program files.
    Double click on the Recycler> the SID will show on the right screen.
    Highlight the SID> Delete

    If this doesn't work and you get an error message, let me know and we'll try doing it from a Command Prompt. The file appears to be an executable document.

    Reset Hidden/System Files & Folders
    ================================================
    Let me know how the system is doing after you run the script.
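The per-SID Recycler check described above, as an added example that is not from the thread: a Python script that walks a RECYCLER tree, maps each bin's trailing RID to the account it belongs to (RID 500 is the built-in Administrator account, which is where this thread's Dc1.exe turns out to live), and flags executables, including ones masked by a double extension. The tree it scans is constructed in a temporary directory so it runs anywhere offline; on the real machine you would point scan_recycler() at C:\RECYCLER.

```python
r"""Scan a Windows XP-style RECYCLER tree for executables left in per-user bins.

Added example, not code from the thread. Each subfolder of C:\RECYCLER is named
after an account SID; the relative identifier (RID) at the end of the SID says
whose bin it is. RID 500 is the built-in Administrator, RID 501 is Guest, and
RIDs 1000 and up are accounts created on the machine. A legitimate bin holds
deleted files plus INFO2 and desktop.ini, so an executable in it is worth a
look, doubly so when a second extension hides it from an Explorer configured
with "Hide extensions of known file types".

The sample tree is constructed in a temporary directory; on a real system call
scan_recycler(Path(r"C:\RECYCLER")).
"""
import re
import tempfile
from pathlib import Path

# Extensions Windows runs directly when the file is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Full account SID on a standalone machine: S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$", re.IGNORECASE)

WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest"}


def describe_rid(rid: int) -> str:
    """Map the trailing RID of a SID to the kind of account it identifies."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "user-created account"
    return "other built-in account"


def scan_recycler(recycler: Path) -> list:
    """Return (sid_folder, owner, file, reason) tuples for anything suspicious."""
    findings = []
    for entry in sorted(recycler.iterdir()):
        if not entry.is_dir():
            # Windows keeps only per-SID subfolders here; a loose file is odd.
            findings.append((entry.name, "n/a", entry.name, "file outside any SID folder"))
            continue
        match = SID_RE.match(entry.name)
        if not match:
            findings.append((entry.name, "n/a", "", "folder name is not an account SID"))
            continue
        owner = describe_rid(int(match.group(1)))
        for path in sorted(entry.rglob("*")):
            if not path.is_file():
                continue
            suffixes = [s.lower() for s in path.suffixes]
            if suffixes and suffixes[-1] in EXECUTABLE_EXTENSIONS:
                reason = "executable in Recycler"
                if len(suffixes) > 1:
                    reason += " with double extension"
                findings.append((entry.name, owner, str(path.relative_to(entry)), reason))
    return findings


def build_sample_recycler(root: Path) -> Path:
    """Constructed sample tree modelled on the thread (placeholder bytes, not real binaries)."""
    recycler = root / "RECYCLER"
    admin_bin = recycler / "S-1-5-21-1292428093-1078145449-725345543-500"
    user_bin = recycler / "S-1-5-21-1292428093-1078145449-725345543-1005"
    for bin_dir in (admin_bin, user_bin):
        bin_dir.mkdir(parents=True)
        (bin_dir / "INFO2").write_bytes(b"\x05\x00\x00\x00")          # bin index, legitimate
        (bin_dir / "desktop.ini").write_text("[.ShellClassInfo]\n")  # legitimate
    (admin_bin / "Dc1.exe").write_bytes(b"MZ placeholder")            # the file from the thread
    (user_bin / "Dc3.txt").write_text("an ordinary deleted note\n")
    (user_bin / "Dc4.doc.exe").write_bytes(b"MZ placeholder")         # shows as Dc4.doc in Explorer
    return recycler


def demo() -> list:
    """Build the sample tree, scan it, print and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_recycler(build_sample_recycler(Path(tmp)))
    for sid_folder, owner, name, reason in findings:
        print(f"{reason}: {name} in {sid_folder} ({owner})")
    return findings


if __name__ == "__main__":
    demo()
```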
  16. misterrmac

    misterrmac TS Rookie Topic Starter

    I disabled Avira and ran ComboFix. It prompted me to update which I did.
    Below is the log

    The Recycler I am showing is
    c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-1005
    not
    c:\RECYCLER\s-1-5-21-1292428093-1078145449-725345543-500

    I still tried emptying and deleting but I get an error that it can't be deleted.

    Note: I don't know if it makes a difference but there is a second user account on this computer. Usually all the user recyclers show up when you set to see hidden files but perhaps that is the from the other user?
    ==========
    ComboFix 11-12-16.01 - Sherry 12/16/2011 13:44:15.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2443 [GMT -5:00]
    Running from: c:\documents and settings\Sherry\Desktop\avam\ComboFix.exe
    Command switches used :: c:\documents and settings\Sherry\Desktop\avam\CFScript.txt
    AV: Avira Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    FILE ::
    "c:\program files\sr-ccmt1.bin"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\sr-ccmt1.bin
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-16 to 2011-12-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-12 14:55 . 2011-12-12 14:55 -------- d-----w- c:\documents and settings\Sherry\Application Data\Avira
    2011-12-12 14:54 . 2011-09-18 13:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-12-12 14:54 . 2011-09-16 04:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2011-12-12 14:54 . 2011-09-16 04:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-12-12 14:54 . 2011-12-12 14:54 -------- d-----w- c:\program files\Avira
    2011-12-12 14:54 . 2011-12-12 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-12-06 15:13 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
    2011-12-06 15:13 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-12-05 21:24 . 2011-12-05 21:24 -------- d-----w- c:\windows\system32\config\systemprofile\Tracing
    2011-12-05 18:59 . 2011-12-05 18:59 -------- d-----w- C:\_OTM
    2011-12-02 15:21 . 2011-12-02 15:21 -------- d-----w- c:\program files\ESET
    2011-11-29 02:12 . 2011-11-29 02:12 -------- d-----w- c:\program files\Innovative Solutions
    2011-11-29 01:03 . 2011-11-29 01:03 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2011-11-29 01:01 . 2011-11-29 01:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
    2011-11-29 00:54 . 2011-11-29 00:54 -------- d-----w- c:\documents and settings\Sherry\Local Settings\Application Data\PackageAware
    2011-11-29 00:15 . 2011-11-29 00:15 540 ----a-w- C:\regkeys.reg
    2011-11-27 23:31 . 2011-11-27 23:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-11-25 13:58 . 2011-11-25 13:58 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-11-22 12:24 . 2008-04-13 19:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
    2011-11-22 12:24 . 2008-04-13 19:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
    2011-11-22 12:24 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2011-11-22 12:24 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-10 14:22 . 2009-05-14 18:18 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2002-08-29 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2002-08-29 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2010-01-24 01:03 . 2010-01-24 01:03 8327264 ----a-w- c:\program files\Firefox Setup 3.6.exe
    2009-05-26 22:12 . 2009-05-26 22:11 4045736 ----a-w- c:\program files\ventrilo-3.0.5-Windows-9x.exe
    1999-06-25 14:55 . 2011-08-07 18:20 149504 ----a-w- c:\program files\UNWISE.EXE
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- C:\regkeys.reg ---
    Company: ------
    File Description: ------
    File Version: ------
    Product Name: ------
    Copyright: ------
    Original Filename: ------
    File size: 540
    Created time: 2011-11-29 00:15
    Modified time: 2011-11-29 00:15
    MD5: D917EB3E8817C0B49B04BD8D3AC18097
    SHA1: 2134C11B2E0540603CB960A80A59E3CF3B684EDB
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-12_15.16.49 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-11-19 23:14 . 2011-12-13 17:24 56088 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    + 2009-05-14 14:11 . 2011-12-12 16:57 3505896 c:\windows\system32\FNTCACHE.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoomText"="c:\program files\ZoomText 9.1\ZT.exe" [2007-12-23 1891655]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-12-19 13880424]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-09-23 258512]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBBAC0ATgBIAEMAWQA0AC0ATQBFADYARQBGAC0AQgBTAEwAUwBSAC0AWgBZAFAASAAwAC0AUAA4AFEATgBSAA&inst=NwA2AC0ANQAwADkANQA0ADQAOAAxADYALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAFQANAAtAFgATwAzADYAKwAxAC0AVABCADkAKwAyAC0ATgAxAEQAKwAxAC0AUABMACsAOQAtAEQARABUACsAMwA3ADUAMgA3AC0ARABEADkAMAArADEALQBTAFQAOQAwAEEAUABQACsAMQAtAFAAOQAwAE0AMQAyAEMAKwAxAC0AVQA5ADUAKwAxAC0AVABCACsAMQAtAEYAVQBJACsAMgA&prod=92&ver=9.0.894" [?]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SeaPort"=2 (0x2)
    "PnkBstrA"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Windows iLivid Toolbar\\Datamngr\\ToolBar\\dtUser.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Tom-\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "50001:UDP"= 50001:UDP:IHA_MessageCenter
    .
    R1 Ai2sXP;Ai2sXP;c:\windows\system32\drivers\Ai2sXP.sys [6/3/2009 1:33 PM 7296]
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/12/2011 9:54 AM 36000]
    R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/12/2011 9:55 AM 86224]
    R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/13/2010 5:06 PM 286736]
    R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [1/21/2010 4:24 PM 110592]
    R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 8:58 AM 20480]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [6/9/2011 6:13 PM 100456]
    S2 gupdate1c9e47bb46ad882;Google Update Service (gupdate1c9e47bb46ad882);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
    S2 SqlCSS;SQL Server EXPRESS;c:\windows\System32\svchost.exe -k Sqlses [8/29/2002 7:00 AM 14336]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 1:47 PM 133104]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\drivers\V0060Vid.sys [9/10/2009 11:31 AM 196409]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Sqlses REG_MULTI_SZ SqlCSS
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
    .
    2011-12-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003Core.job
    - c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
    .
    2011-12-16 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1292428093-1078145449-725345543-1003UA.job
    - c:\documents and settings\Tom-\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2011-08-28 18:34]
    .
    2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
    .
    2011-12-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 18:47]
    .
    2011-12-16 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
    .
    2011-12-16 c:\windows\Tasks\User_Feed_Synchronization-{90B8EE39-E3EA-4B52-BCE6-5D698D1160A8}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/?ref=hp
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 205.171.2.65 205.171.3.65
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-16 13:52
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3696)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\system32\crypserv.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Avira\AntiVir Desktop\update.exe
    c:\program files\Avira\AntiVir Desktop\updrgui.exe
    c:\program files\Avira\AntiVir Desktop\avnotify.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-16 13:57:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-16 18:57
    ComboFix2.txt 2011-12-12 15:18
    ComboFix3.txt 2011-12-08 17:49
    .
    Pre-Run: 47,190,085,632 bytes free
    Post-Run: 47,156,678,656 bytes free
    .
    - - End Of File - - F6E48A02908B6D7A2E4296617A1B3682
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I did a copy and paste of the file in the Recycler:
    -----------------------
    From bleeping computer:
    Filename: dc1.exe
    Command: C:\recycler\dc1.exe
    Description:
    Added by the W32/SillyFD-C worm that spreads to removable storage devices.
    File Location: C:\recycler\dc1.exe

    See if you can locate an entry with the dc1.exe entry.
    Also, you can try deleting the entire Recycler folder. Windows should create a new one when you reboot.
  18. misterrmac

    misterrmac TS Rookie Topic Starter

    Just deleting the Recycler isn't possible. It is locked from deletion by the system (probably explorer.exe) and the Shell doesn't see C:\RECYCLER.

    I did get it finally. That CID was from the hidden Administrator account. I booted into Safe Mode to check it, and when I viewed the RECYCLER folder that CID showed up. I was then able to delete it from within another account; I then emptied the trash to totally remove it.

    Finally I did a search of the computer for dc1.exe. No hits.

    Is there something I should run to verify that dc1.exe is gone? If not, I'm guessing the system is finally clean?
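    One way to answer that question on a drive image or a mounted disk, as an added example that is not part of the thread: walk every RECYCLER\<SID> folder (each account's Recycle Bin is named after its SID, which is why the hidden Administrator account's copy was only visible once that folder was opened) and report any executable found there with its size and SHA-256. The directory tree and SIDs below are constructed for the demo. One caveat a practitioner should keep in mind: Windows XP itself renames a deleted file from C: to Dc<n>.<ext>, so a hit means "open this for review and compare the hash", not an automatic verdict. The "after" pass shows what a clean result looks like once the offending SID folder is removed.

```python
"""Look for executables hiding in RECYCLER\<SID> folders below a drive root.

Added example, not from the thread.  On Windows XP each account's Recycle
Bin is a hidden folder named after the account's SID, so a scan has to walk
every SID folder (including the built-in Administrator's).  A hit is "open
this for review", not a verdict: XP itself renames a deleted C: file to
Dc<n>.<ext>, so the path alone does not say which it is; the SHA-256 lets
you compare against a known-bad hash.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Types Windows runs directly; none of these belong in a Recycle Bin for long.
EXECUTABLE_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll"}
# Housekeeping files that legitimately live in every XP Recycle Bin folder.
BENIGN_NAMES = {"info2", "desktop.ini"}
# Constructed SIDs for the demo tree (RID 500 is the built-in Administrator).
ADMIN_SID = "S-1-5-21-1111-2222-3333-500"
USER_SID = "S-1-5-21-1111-2222-3333-1004"


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_recycler_executables(drive_root):
    """Return [{path, size, sha256}] for every executable under a RECYCLER
    folder below drive_root, sorted by path.  Matching is case-insensitive
    because NTFS is."""
    drive_root = Path(drive_root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(drive_root):
        rel_parts = [p.lower() for p in Path(dirpath).relative_to(drive_root).parts]
        if "recycler" not in rel_parts:
            continue
        for name in filenames:
            lower = name.lower()
            if lower in BENIGN_NAMES or Path(lower).suffix not in EXECUTABLE_SUFFIXES:
                continue
            full = Path(dirpath, name)
            hits.append({
                "path": full.relative_to(drive_root).as_posix(),
                "size": full.stat().st_size,
                "sha256": sha256_of(full),
            })
    return sorted(hits, key=lambda h: h["path"])


def build_demo_tree():
    """Construct a throwaway tree shaped like the one in the thread: two SID
    folders under RECYCLER, the Administrator one holding dc1.exe, plus a
    ping.exe outside RECYCLER that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="drive_c_"))
    for sid in (ADMIN_SID, USER_SID):
        bin_dir = root / "RECYCLER" / sid
        bin_dir.mkdir(parents=True)
        (bin_dir / "INFO2").write_bytes(b"\x05\x00\x00\x00" + b"\x00" * 16)
        (bin_dir / "desktop.ini").write_text("[.ShellClassInfo]\n")
    # Fake PE stubs: an "MZ" header and padding, constructed for the demo.
    (root / "RECYCLER" / ADMIN_SID / "dc1.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "WINDOWS" / "system32").mkdir(parents=True)
    (root / "WINDOWS" / "system32" / "ping.exe").write_bytes(b"MZ" + b"\x00" * 62)
    return root


def demo():
    """Scan, remove the Administrator's bin the way the thread did, rescan."""
    root = build_demo_tree()
    try:
        before = find_recycler_executables(root)
        shutil.rmtree(root / "RECYCLER" / ADMIN_SID)
        after = find_recycler_executables(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for hit in before:
        print(f"FLAGGED {hit['path']} ({hit['size']} bytes) sha256={hit['sha256']}")
    print("clean" if not after else "still present")
```

    To use it on the real machine, run it against the drive root from an account that can read every SID folder (Safe Mode with the Administrator account, or the disk mounted from a rescue environment), since os.walk does not skip hidden or system directories but it does need read permission on them.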
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
    ---------------------------
    Good for you! You are a smart person!

    I think you're almost there, but there is one folder I'd like you to check:

    2011-11-29 00:15 540 ----a-w- C:\regkeys.reg

    I opened the folder for a look but still don't know what it is. Try a right click> Properties and see if you can get anything on it.
  20. misterrmac

    misterrmac TS Rookie Topic Starter

    540 bytes
    registry file
    Created on November 28th 2011
    No other info....

    It is a text file - registry file.
    I don't like the looks of it due to the LOAD and RUN lines. I'm guessing that something I ran may have dropped it there as a backup from an automated fix attempt and assume it needs to (should) be deleted?

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "DebugOptions"="2048"
    "Documents"=""
    "DosPrint"="no"
    "load"=""
    "NetMessage"="no"
    "NullPort"="None"
    "Programs"="com exe bat pif cmd"
    "Run"=""
    
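    What the LOAD and RUN lines in that file mean, as an added example that is not from the thread: under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows the values "load" and "run" are the registry mapping of the old win.ini [windows] load= and run= entries, and any program named in them is started at every logon, which is why they are a classic persistence spot worth checking. Importing the posted file would write empty strings to both values (clearing them, not setting a program), consistent with the guess that a clean-up tool left it as a reset or backup. The Python below parses a version 5.00 .reg export and reports only non-empty autostart values, checking Run/RunOnce keys as well as load/run. The first sample is the file as posted; the second is a constructed variant (the paths in it are made up) so the detection path is exercised too.

```python
"""Parse a .reg export and flag legacy autostart values.

Added example (not from the thread).  HKCU\Software\Microsoft\Windows NT\
CurrentVersion\Windows holds "load" and "run", the registry mapping of the
old win.ini [windows] load= and run= lines; whatever they name is started
at every logon.  Values under any Run/RunOnce key are reported as well.
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
WINDOWS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# Value names that launch programs when set, matched on the key's path suffix
# so the HKLM twin of the key is covered too.
WATCHED_VALUES = {
    r"\windows nt\currentversion\windows": {"load", "run"},
}

# The file exactly as posted in the thread.
POSTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DebugOptions"="2048"
"Documents"=""
"DosPrint"="no"
"load"=""
"NetMessage"="no"
"NullPort"="None"
"Programs"="com exe bat pif cmd"
"Run"=""
"""

# Constructed variant for the demo: same key with a non-empty "load" value
# and one Run-key entry.  Both paths are made up.
SUSPECT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\example_dropper.exe"
"Run"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example Updater"="C:\\RECYCLER\\example.exe"
"""

# "name"=data or @=data; the name may contain escaped quotes or backslashes.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(text):
    """Undo .reg string escaping (\\ -> \, \" -> ")."""
    return text.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg (version 5.00) export into {key: {value_name: data}}.
    REG_SZ data ("...") is decoded; other types (dword:, hex:) stay raw and
    hex continuation lines are skipped."""
    text = text.lstrip("\ufeff")               # exports often carry a BOM
    if not text.lstrip().startswith(REG_HEADER):
        raise ValueError("not a version 5.00 .reg file")
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == REG_HEADER:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):        # [-key] deletes the key on import
                current = None
                continue
            keys.setdefault(current, {})       # a key with no values still counts
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def autostart_findings(text):
    """Return (key, value_name, data) for every non-empty autostart value."""
    findings = []
    for key, values in parse_reg(text).items():
        path = key.lower()
        is_run_key = path.rsplit("\\", 1)[-1] in ("run", "runonce")
        watched = set()
        for suffix, names in WATCHED_VALUES.items():
            if path.endswith(suffix):
                watched |= names
        for name, data in values.items():
            if data in ("", "-"):              # empty, or "-" = delete on import
                continue
            if is_run_key or name.lower() in watched:
                findings.append((key, name, data))
    return findings


if __name__ == "__main__":
    print("posted file:", autostart_findings(POSTED_REG) or "nothing set")
    for key, name, data in autostart_findings(SUSPECT_REG):
        print(f"AUTOSTART {key} -> {name} = {data}")
```

    On the live XP machine the same two values can be read with reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v load (and /v run); an empty result for both is what a clean system shows.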
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.

    We will finish on Monday.

    Have a Happy and Peaceful Holiday!