Inactive Browser redirect virus; the bane of my existence!

Status
Not open for further replies.
T

theslipperyelm

Posts: 7   +0
Oops! I F'ed up and tried to follow the thread of another person helped through this forum... Uh oh! How naive I was! Afterward I bothered to read the posting instructions and saw the error of my ways :( Here I am trying to do things right this time. Below are my logs. Any assistance provided will be greatly appreciated! Thank you! -Jonathan

*********************************** Malwarebytes Log: ******************************************

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7660

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/5/2011 3:40:45 PM
mbam-log-2011-09-05 (15-40-45).txt

Scan type: Quick scan
Objects scanned: 393294
Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


***************************************** GMER Log:*********************************************

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-05 15:50:55
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAKS-75B3A0 rev.01.03A01
Running: jecxrsfy.exe; Driver: C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\fxtdypow.sys



---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DE7210]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DE7224]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DE7250]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DE72A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DE71FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE71D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE71E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DE723A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DE727C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DE7266]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DE72D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DE72BC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DE7290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

********************************************DDS Log: ******************************************

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by JonathanAdmin at 15:56:04 on 2011-09-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2455 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net
uSearch Bar =
mStart Page = hxxp://www.att.net
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510023115.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [EMBOS] rundll32 "c:\windows\system32\countryt.dll",xtpafprh
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222546461313
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 172.16.4.21 172.16.4.11
TCP: Interfaces\{FFA1790A-E773-4985-A7C1-12DBE85DC4DA} : DhcpNameServer = 172.16.4.21 172.16.4.11
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jonathanadmin\application data\mozilla\firefox\profiles\llw9dbx4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-28 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-28 84200]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-9-18 8960]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-8 47640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2011-1-13 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-28 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-28 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-28 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-28 56064]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-9-18 11264]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-28 153280]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-28 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-28 88736]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-18 30192]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-28 52320]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-28 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-28 84488]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-9-18 16640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-09-05 22:33:51 -------- d-----w- c:\documents and settings\jonathanadmin\application data\Malwarebytes
2011-09-05 22:33:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-05 22:33:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-05 22:33:06 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-05 22:33:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-02 18:08:14 -------- d-----w- c:\documents and settings\jonathanadmin\local settings\application data\Apple Computer
2011-09-02 00:31:09 -------- d-sha-r- C:\cmdcons
2011-08-29 02:17:30 62976 --sha-r- c:\windows\system32\countryt.dll
2011-08-16 22:33:07 -------- d-----w- c:\program files\Citrix
2011-08-11 03:52:21 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-11 03:51:22 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-09-02 18:14:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:32:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-06 23:32:36 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-07-06 23:32:28 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-06 23:32:28 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-06-27 16:45:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-27 16:45:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 19:19:43 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-06-16 19:19:42 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
.
============= FINISH: 15:56:29.98 ===============

***************************************** Attach Log: ***********************************************
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/27/2008 1:05:48 PM
System Uptime: 9/4/2011 1:21:13 PM (26 hours ago)
.
Motherboard: Dell Inc. | | 0J584C
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2394/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 275.058 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 9/2/2011 10:41:01 AM - Removed Adobe Reader 9.4.5.
RP2: 9/2/2011 10:41:26 AM - Installed Adobe Reader X (10.1.0).
RP3: 9/2/2011 11:08:13 AM - Removed QuickTime
RP4: 9/2/2011 11:09:34 AM - Removed Browser Address Error Redirector.
RP5: 9/2/2011 11:13:09 AM - Removed Spelling Dictionaries Support For Adobe Reader 9.
RP6: 9/4/2011 11:21:21 AM - System Checkpoint
RP7: 9/5/2011 11:41:01 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Acrobat 7.0 Standard
Adobe Acrobat 7.1.0 Standard
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.0)
ATI Catalyst Control Center
ATI Display Driver
AVS4YOU Software Navigator 1.2
Brother MFL-Pro Suite
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.3
Dell Driver Reset Tool
Dell Support Center
Diagnostics Utility
Google Calendar Sync
Google Desktop
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Java Auto Updater
Java(TM) 6 Update 26
LogMeIn
MagicDisc 2.7.106
Malwarebytes' Anti-Malware version 1.51.1.1800
McAfee Security Scan Plus
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 6.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
ODF Add-in for Microsoft Office
OGA Notifier 2.0.0048.0
PaperPort Image Printer
PowerDVD
QuickBooks Pro 2006
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
ScanSoft PaperPort 11
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
Sonic CinePlayer Decoder Pack
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
9/4/2011 10:14:25 AM, error: NETLOGON [3224] - Changing machine account password for account SCOTT$ failed with the following error: There are currently no logon servers available to service the logon request.
9/2/2011 8:51:46 AM, error: Service Control Manager [7034] - The McAfee Validation Trust Protection Service service terminated unexpectedly. It has done this 1 time(s).
9/2/2011 8:51:46 AM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The operation completed successfully.
9/2/2011 8:50:46 AM, error: Service Control Manager [7034] - The McAfee Firewall Core Service service terminated unexpectedly. It has done this 1 time(s).
9/2/2011 8:50:46 AM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/2/2011 8:50:46 AM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/2/2011 8:27:08 AM, error: NETLOGON [5719] - No Domain Controller is available for domain RTSF due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
9/2/2011 10:16:47 AM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
9/1/2011 6:04:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
9/1/2011 6:04:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
9/1/2011 5:23:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/1/2011 5:21:54 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/1/2011 5:21:31 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
9/1/2011 5:21:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
9/1/2011 5:17:35 PM, error: ati2mtag [43036] -
9/1/2011 4:56:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iaStor
9/1/2011 4:56:15 PM, error: Service Control Manager [7000] - The SupportSoft Sprocket Service (dellsupportcenter) service failed to start due to the following error: The system cannot find the file specified.
9/1/2011 4:52:26 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
9/1/2011 4:41:58 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
9/1/2011 4:31:03 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
9/1/2011 4:15:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips iaStor intelppm
.
==== End Of File ===========================
 
Please- NO double spacing!!!

I can help you< but we'll end up 30 pages down the lone with double spacing.

Please repost all of these logs as they are generated, without double spacing, the entire log from their heading at the top to the EOF at the end. There is information in the headers that I need If you can't get in to Edit your post, then use another reply, then I'll delete the Above.

When you repost Malwarebytes, please include the header at the top of the log- no editing within logs. You don't need to 'clean up' anything in the logs! I need to see the scan output exactly as it comes out!
==================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
tried to follow the thread of another person helped through this forum
Click to expand...
Just want to make sure you underStand that you should never follow help given to snother person> While we may run some of the same programs, what we do in handling the logs is specific for that person.
 
Cleaned up double spacing - Thanks for taking my case!

Bobbye,

I cleaned up all the double spacing (the unintended consequence of copying and pasting the logs too many times!) and fixed the error in the Malwarebytes log (not sure how that happened!). Thanks for taking my case. I look forward to hearing your advice on the next steps I should take. And yes, at this point I do understand that I should not try to follow the steps of someone else's solution since they're all unique. Thanks again!

-Jonathan
 
Windows Automaitc Update

Bobbye,

I wanted to let you know that Microsoft Update performed and automatic update download/restart on my computer last night. In your instructions you had indicated that no changes should be made to the computer during the malware removal process, but I did not take into account Microsoft Update. Do you want me to rerun MalwareBytes, GMER and DDS and repost the updated logs, or can you still work with what's already been posted? Let me know how you'd like me to proceed. Thanks!

-Jonathan
 
Thank you for redoing the logs. As we go along, you'll understand why we don't want extra spaces!

As long as the new update didn't cause any problem, That's okay Jonathan- I would like to make a suggestion though> if you have the updates set to download and install automatically< I suggest you change to "Download updates but let me decide when to install."

Many a user had gone with fully automatic maybe setting for 3 in the morning. They boot up the next day to find a problem with the system and not realizing there was an update last night, don't consider the possibility that 'bad' update could have caused it> You also get the opportunity to review the updates and decide if there is one or more that you don't want> Not all update are critical!

I'm running a day late because the entire network- cable, internet and phone of my ISP crashed yesterday and was down all day
=========================================
Questions:
1. Tell me about your use of this EMBOS> Segger Microcontroller Systems is a multinational company dealing in middleware for embedded devices and development tools. Segger's RTOS (embOS) is part of Oki Semiconductor's World's first complete ARM-based ZigBee Developer's Kit

2. There are also multiple entries for LogMeIn Are you logging in to your system remotely?
System Service name : [LMIGuardianSvc] LogMeIn Remote PC Control Service by LogMeIn, Inc.
This entry in Combofix indicates it is no longer being used:
S4 LMIRfsClientNP;LMIRfsClientNP; [x]LogMeIn Rfs Client Network Provider
And I note these backup files:
2011-06-16 19:19:43 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-06-16 19:19:42 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak

3. About Adobe: Please follow the removal instructions HERE for the following 2 versions:
Adobe Acrobat 7.0 Standard
Adobe Acrobat 7.1.0 Standard
-----------------------
Keep Adobe Reader X (10.1.0)<< this is the current correct update
====================================
4. Do you know what this file is: 2011-08-29 02:17:30 62976 --sha-r- c:\windows\system32\countryt.dll?
=============================================
No obvious cause of you 'bane of existence' yet< so I'd like you to run the following:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the
    esetSmartInstallDesktopIcon.png
    on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  • Uncheck 'Remove found threats'
  • Check 'Scan archives/
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

Please paste the Eset and Combofix logs in your next reply.
 
Sorry for the delay... big update!

Bobbye,

Since I was using LogMeIn when I ran the logs I posted last time I decided to re-run and repost them. Here they are:

*********************************** Malwarebytes Log: ******************************************

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7716

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/14/2011 10:57:25 AM
mbam-log-2011-09-14 (10-57-25).txt

Scan type: Quick scan
Objects scanned: 398937
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

***************************************** GMER Log:*********************************************

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-09-14 11:03:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAKS-75B3A0 rev.01.03A01
Running: jecxrsfy.exe; Driver: C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\fxtdypow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DE7210]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DE7224]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DE7250]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DE72A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DE71FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE71D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE71E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DE723A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DE727C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DE7266]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DE72D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DE72BC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DE7290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

********************************************DDS Log: ******************************************

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by JonathanAdmin at 11:09:27 on 2011-09-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2529 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Realtek\Diagnostics Utility\8169Diag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net
uSearch Bar =
mStart Page = hxxp://www.att.net
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110510023115.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [EMBOS] rundll32 "c:\windows\system32\countryt.dll",xtpafprh
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [8169Diag] c:\program files\realtek\diagnostics utility\8169Diag.exe /hw
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-ba7e-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222546461313
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jonathanadmin\application data\mozilla\firefox\profiles\llw9dbx4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-2-28 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-2-28 84200]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [2008-9-18 8960]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-12-8 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-9-17 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-3-8 47640]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2011-1-13 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-2-28 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-2-28 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-2-28 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-2-28 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-2-28 56064]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2008-9-18 11264]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-2-28 153280]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-2-28 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-2-28 88736]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-9-18 30192]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-2-28 52320]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-2-28 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-2-28 84488]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2008-9-18 16640]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2011-09-14 17:16:46 -------- d-----w- c:\documents and settings\jonathanadmin\application data\EMCO
2011-09-14 17:16:23 -------- d-----w- c:\program files\EMCO
2011-09-05 22:33:51 -------- d-----w- c:\documents and settings\jonathanadmin\application data\Malwarebytes
2011-09-05 22:33:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-05 22:33:06 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-05 22:33:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-03 10:17:37 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-02 18:08:14 -------- d-----w- c:\documents and settings\jonathanadmin\local settings\application data\Apple Computer
2011-09-02 00:31:09 -------- d-sha-r- C:\cmdcons
2011-08-29 02:17:30 62976 --sha-r- c:\windows\system32\countryt.dll
2011-08-16 22:33:07 -------- d-----w- c:\program files\Citrix
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-02 18:14:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:32:48 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-06 23:32:36 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2011-07-06 23:32:28 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-07-06 23:32:28 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-06-27 16:45:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-27 16:45:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-16 19:19:43 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2011-06-16 19:19:42 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak
.
============= FINISH: 11:09:40.03 ===============

***************************************** Attach Log: ***********************************************

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/27/2008 1:05:48 PM
System Uptime: 9/14/2011 10:23:48 AM (1 hours ago)
.
Motherboard: Dell Inc. | | 0J584C
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2394/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 298 GiB total, 275.977 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 9/14/2011 10:16:23 AM - Installed EMCO MoveOnBoot 2.2
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.0)
ATI Catalyst Control Center
ATI Display Driver
AVS4YOU Software Navigator 1.2
Brother MFL-Pro Suite
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
CutePDF Writer 2.3
Dell Driver Reset Tool
Dell Support Center
Diagnostics Utility
EMCO MoveOnBoot 2.2
Google Calendar Sync
Google Desktop
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Java Auto Updater
Java(TM) 6 Update 26
LogMeIn
MagicDisc 2.7.106
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Security Scan Plus
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox 6.0.2 (x86 en-US)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
ODF Add-in for Microsoft Office
OGA Notifier 2.0.0048.0
PaperPort Image Printer
PowerDVD
QuickBooks Pro 2006
Realtek High Definition Audio Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
ScanSoft PaperPort 11
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)
Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)
Sonic CinePlayer Decoder Pack
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
9/9/2011 2:08:22 PM, error: Service Control Manager [7000] - The SupportSoft Sprocket Service (dellsupportcenter) service failed to start due to the following error: The system cannot find the file specified.
9/9/2011 2:05:45 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/9/2011 2:05:34 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
9/9/2011 1:59:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
9/9/2011 1:55:10 PM, error: ati2mtag [108] - The driver ati2dvag for the display device \Device\Video0 got stuck in an infinite loop. This usually indicates a problem with the device itself or with the device driver programming the hardware incorrectly. Please check with your hardware device vendor for any driver updates.
9/7/2011 3:17:47 AM, error: ati2mtag [43036] -
9/14/2011 9:51:19 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
9/14/2011 8:56:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/14/2011 8:14:40 AM, error: System Error [1003] - Error code 1000008e, parameter1 e0000001, parameter2 ba488925, parameter3 adf8f820, parameter4 00000000.
9/14/2011 8:13:06 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 8056d729, parameter3 b936bae0, parameter4 00000000.
9/14/2011 11:06:19 AM, error: NETLOGON [5719] - No Domain Controller is available for domain RTSF due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
9/12/2011 5:32:06 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ASPEN that believes that it is the master browser for the domain on transport NetBT_Tcpip_{FFA1790A-E773-4985-A7C. The master browser is stopping or an election is being forced.
.
==== End Of File ===========================

I will provide the best answers I can to your other questions along with the other logs you requested in my next post.
 
Sorry for the delay... big update! (part two)

Bobbye,

Here are the new logs you asked for:

**************************************** ESET Log: ***********************************************

C:\Documents and Settings\JonathanAdmin\Local Settings\temp\ICReinstall\cnet_MoveOnBootSetup_exe.exe a variant of Win32/InstallCore.C application
C:\System Volume Information\_restore{45B5E8B9-949A-471E-999D-F381DA56A2D3}\RP1\A0000027.exe a variant of Win32/InstallCore.C application

**************************************** ComboFix Log: ***********************************************
ComboFix 11-09-14.02 - JonathanAdmin 09/14/2011 14:49:45.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2359 [GMT -7:00]
Running from: c:\documents and settings\JonathanAdmin\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\info.exe.c95fa770.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\chelsea\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\chelsea\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\chelsea\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\chelsea\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini.inuse
c:\documents and settings\chelsea\Local Settings\Application Data\ApplicationHistory\info.exe.c95fa770.ini
c:\documents and settings\chelsea\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\chelsea\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\chelsea\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\info\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\info\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\jonathan\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\jonathan\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\jonathan\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\jonathan\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini.inuse
c:\documents and settings\jonathan\Local Settings\Application Data\ApplicationHistory\info.exe.c95fa770.ini
c:\documents and settings\jonathan\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\jonathan\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\jonathan\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\jonathan\Start Menu\Programs\Startup\Internet Explorer.lnk
c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini.inuse
c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory\info.exe.c95fa770.ini
c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\Karen\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Karen\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\Karen\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\Karen\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\karenadmin\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\karenadmin\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\karenadmin\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\karenadmin\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\karenadmin\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\karenadmin\Local Settings\Application Data\ApplicationHistory\info.exe.c95fa770.ini
c:\documents and settings\karenadmin\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\karenadmin\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\karenadmin\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\lanny\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\lanny\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\lanny\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\lanny\Local Settings\Application Data\ApplicationHistory\UninstallTB.exe.8dfaf78b.ini
c:\documents and settings\Lannyadmin\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Lannyadmin\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\Lannyadmin\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\Lannyadmin\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\Lannyadmin\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\Lannyadmin\Local Settings\Application Data\ApplicationHistory\info.exe.c95fa770.ini
c:\documents and settings\Lannyadmin\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\Lannyadmin\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Lannyadmin\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\Lannyadmin\Local Settings\Application Data\ApplicationHistory\UninstallTB.exe.8dfaf78b.ini
c:\documents and settings\orlanda\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\orlanda\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\orlanda\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\Rebuilding Together\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Rebuilding Together\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\Rebuilding Together\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\Rebuilding Together\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\Rebuilding Together\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\Rebuilding Together\Local Settings\Application Data\ApplicationHistory\info.exe.c95fa770.ini
c:\documents and settings\Rebuilding Together\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\Rebuilding Together\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Rebuilding Together\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\Ryan\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Ryan\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\Ryan\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\Ryan\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\Scott\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Scott\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\Scott\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\Scott\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\Scott\Local Settings\Application Data\ApplicationHistory\QuickBooks_Password_Tool_2.0.exe.7a611cc6.ini
c:\documents and settings\Scott\Local Settings\Application Data\ApplicationHistory\UninstallTB.exe.8dfaf78b.ini
c:\documents and settings\ScottAdmin\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\ScottAdmin\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\ScottAdmin\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\ScottAdmin\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\ScottAdmin\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\ScottAdmin\Local Settings\Application Data\ApplicationHistory\info.exe.c95fa770.ini
c:\documents and settings\ScottAdmin\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\ScottAdmin\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\ScottAdmin\Local Settings\Application Data\ApplicationHistory\qbw32.exe.16bd612f.ini
c:\documents and settings\ScottAdmin\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\Tita\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Tita\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\Tita\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\Tita\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\Tita\Local Settings\Application Data\ApplicationHistory\UninstallTB.exe.8dfaf78b.ini
c:\documents and settings\Valerie\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Valerie\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse
c:\documents and settings\Valerie\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\Valerie\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini.inuse
c:\documents and settings\Valerie\Local Settings\Application Data\ApplicationHistory\info.exe.c95fa770.ini
c:\documents and settings\Valerie\Local Settings\Application Data\ApplicationHistory\LnkFileRename.exe.db6f4065.ini
c:\documents and settings\Valerie\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Valerie\Local Settings\Application Data\ApplicationHistory\SL34.tmp.57a113aa.ini
c:\documents and settings\vol1\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\vol1\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini
c:\documents and settings\vol1\Local Settings\Application Data\ApplicationHistory\EULA.exe.e24c9112.ini
c:\documents and settings\vol1\Local Settings\Application Data\ApplicationHistory\EULALauncher.exe.3f62b452.ini
c:\documents and settings\vol1\Local Settings\Application Data\ApplicationHistory\UninstallTB.exe.8dfaf78b.ini
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 )))))))))))))))))))))))))))))))
.
.
2011-09-14 21:59 . 2011-09-14 21:59 -------- d-----w- c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory
2011-09-14 19:27 . 2011-09-14 19:27 -------- d-----w- c:\program files\ESET
2011-09-14 19:22 . 2011-09-14 19:22 -------- d-----w- c:\documents and settings\JonathanAdmin\Local Settings\Application Data\Temp
2011-09-14 19:07 . 2011-09-14 19:08 -------- d-----w- c:\windows\system32\Adobe
2011-09-14 19:07 . 2011-09-14 19:07 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-14 19:03 . 2011-09-14 19:03 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-09-14 17:16 . 2011-09-14 17:16 -------- d-----w- c:\documents and settings\JonathanAdmin\Application Data\EMCO
2011-09-14 17:16 . 2011-09-14 17:16 -------- d-----w- c:\program files\EMCO
2011-09-05 22:33 . 2011-09-05 22:33 -------- d-----w- c:\documents and settings\JonathanAdmin\Application Data\Malwarebytes
2011-09-05 22:33 . 2011-09-05 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-05 22:33 . 2011-09-14 17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-05 22:33 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-02 18:08 . 2011-09-02 18:08 -------- d-----w- c:\documents and settings\JonathanAdmin\Local Settings\Application Data\Apple Computer
2011-08-29 02:17 . 2011-08-29 02:17 62976 --sha-r- c:\windows\system32\countryt.dll
2011-08-16 22:33 . 2011-08-16 22:33 -------- d-----w- c:\program files\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2008-04-25 16:16 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-25 16:16 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:32 . 2011-03-09 01:40 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2011-07-06 23:32 . 2011-03-09 01:40 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2011-07-06 23:32 . 2011-03-09 01:40 29568 ----a-w- c:\windows\system32\LMIport.dll
2011-07-06 23:32 . 2011-03-09 01:40 87424 ----a-w- c:\windows\system32\LMIinit.dll
2011-06-27 16:45 . 2011-06-27 16:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-06-27 16:45 . 2010-05-05 16:10 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-24 14:10 . 2008-04-25 21:26 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2008-04-25 16:16 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2008-04-25 16:16 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2008-04-25 16:16 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-25 16:16 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-06 19:06 . 2011-05-09 19:47 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-07-20 16:00 . 2009-12-03 18:20 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2011-04-14 21:01 . 2011-02-28 16:12 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-31 16860672]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-09-17 63048]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-20 30192]
"EMBOS"="c:\windows\system32\countryt.dll" [2011-08-29 62976]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-11-08 65536]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-05 630784]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"8169Diag"="c:\program files\Realtek\Diagnostics Utility\8169Diag.exe" [2008-02-26 909312]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-BA7E-000000000002}\SC_Acrobat.exe [N/A]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2011-4-8 542264]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-06 23:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2/28/2011 9:12 AM 84200]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [9/18/2008 5:42 PM 8960]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/8/2010 2:11 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/17/2010 4:40 PM 12856]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [1/13/2011 9:49 AM 203280]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [2/28/2011 9:12 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2/28/2011 9:12 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [2/28/2011 9:12 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2/28/2011 9:12 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2/28/2011 9:12 AM 56064]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [9/18/2008 5:42 PM 11264]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2/28/2011 9:12 AM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2/28/2011 9:12 AM 88736]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/18/2008 5:45 PM 30192]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2/28/2011 9:12 AM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2/28/2011 9:12 AM 84488]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [9/18/2008 5:42 PM 16640]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-01 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2011-06-21 18:08]
.
2011-09-14 c:\windows\Tasks\User_Feed_Synchronization-{2FB0818D-1972-421E-B54F-7E7E2F696A91}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
mStart Page = hxxp://www.att.net
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 172.16.4.21 172.16.4.11
FF - ProfilePath - c:\documents and settings\JonathanAdmin\Application Data\Mozilla\Firefox\Profiles\llw9dbx4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-QuickTime Task - c:\program files\QuickTime\QTTask.exe
HKLM-Run-Acrobat Assistant 7.0 - c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-14 14:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1104)
c:\windows\system32\LMIinit.dll
.
- - - - - - - > 'explorer.exe'(3884)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\RTHDCPL.EXE
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\windows\system32\rundll32.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2011-09-14 15:06:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-14 22:06
.
Pre-Run: 295,152,488,448 bytes free
Post-Run: 295,376,633,856 bytes free
.
- - End Of File - - 536482E474CB52B216D26D977AA4FE33

********************************************************************************************************

A note about ESET: The first couple of times I tried to run it, it would not run. It kept asking me something about Proxy settings. So I ran it in Safe Mode and it worked. Then I reran it in regular mode and it worked. The results of both the Safe Mode and regular mode log was the same.

A note about Acrobat Reader: It was really hard to remove Acrobat 7.0. I got stuck on a couple of files in the Programs Folder related to Active X that simply would not delete. I finally downloaded a program from Cnet called MoveOnBoot which was able to delete the files after a restart. This program has since shown up on the ESET scan. Afterward, I had a really hard time getting Reader X to work. When I tried to open it, it kept saying it was missing an MSI file and couldn't finish it's install (which I thought it already was installed). I ended up reinstalling Reader 9.0, updating it and then reinstalling ReaderX. I noticed afterward that all the Reader 9.0 files are still in the program folder. I don't know if this is a problem or not but I wanted to make you aware of it.

OK, on to your questions:

1) I have no idea what EMBOS is. The computer in question is my work computer which is on a small network and accesses the internet through a server. There may be things related to how the network was setup or how if functions that I have no clue about. Also, he computer has close to a dozen profiles on if due to having numerous users over the year. Sorry I can't be of more help on this one. I think I would have to talk to our IT consultant ($$$) to possibly get an answer.

2) Yes I was using LogMeIn to access my work computer over the weekend and run those logs necessary to get assistance from this forum. I use the free version of LogMeIn sporadically to work from home.

3) I already told you about my trials with Adobe above.

4) I've absolutely no idea what this file is: 2011-08-29 02:17:30 62976 --sha-r- c:\windows\system32\countryt.dll

Once again, I apologize for not getting back to you sooner. It was my birthday last weekend so I was pretty distracted for a few days, but now I'm back and ready to tackle this problem. I appreciate the help you've given me thus far and look forward to your next response.

-Jonathan
 
1) I have no idea what EMBOS is. The computer in question is my work computer which is on a small network and accesses the internet through a server. There may be things related to how the network was setup or how if functions that I have no clue about. Also, he computer has close to a dozen profiles on if due to having numerous users over the year. Sorry I can't be of more help on this one. I think I would have to talk to our IT consultant ($$$) to possibly get an answer.
Click to expand...
Yes, you will need the IT for the office to handle this>

1. There is work related software> you don't know what it is.
2. You are not aware of the network settings.
3. Access is through the work network and server.
4. The system has been/is being used by multiple users with probable specific entries for each of their profiles< with no known cleaning in between.
5. Regarding these entries: :
1). mRun: [EMBOS] rundll32 "c:\windows\system32\countryt.dll",xtpafprh
And this from the registry "EMBOS"="c:\windows\system32\countryt.dll" [2011-08-29 62976]
The only description of this I could find was:
"embOS is a priority-controlled real time operating system, designed to be used as foundation for the development of embedded real-time applications."
Click to expand...
And I could not find any appropriate information for countryt.dll and nothing for xtpafprh
and this:
2). 2011-09-14 17:16:46 -------- d-----w- c:\documents and settings\jonathanadmin\application data\EMCO
2011-09-14 17:16:23 -------- d-----w- c:\program files\EMCO
EMCO Software is a leader in the world of solutions for network management and system administration.
Click to expand...
Clearly they are work related. But whether the entries are correct as they show or whether they can be infected with malware is something I cannot determine.
==================================================
The proxy is from McAfee
====================
Adobe Reader:
1. Update first
2. Then remove old version in Add/Remove Programs
3. You don't remove the Program folder because you did the update
4. Active X objects are found in the addons. Open Manage Addons through Tools in IE: look in both 1. addons currently on system and 2> addons previously on system. If Adobe Reader outdated entries are seen> highlight and delete.
I'm not sure what you did to this- usually it's a simple update, then uninstall. The got the MSI Error which os the installer error most likely because you were in Safe Mode ad it doesn't work in Safe Mode>
=================================================
You were asked not to make changes unless instructed:
. I finally downloaded a program from Cnet called MoveOnBoot which was able to delete the files after a restart[/b]
=================================================
There is one active entry in Eset: It is questionable> A lot of user who used CNet for download and having the Win32/InstallCore.C[b/] reported out when they run n AV Scan> Another entry for the same thing Is in a restore point
Please download OTMovit by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)
    Code: 
    :Files  
C:\Documents and Settings\JonathanAdmin\Local Settings\temp\ICReinstall\cnet_MoveOnBootSetup_exe.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
-----
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin

I'm sorry I can't be of more help Jonathan> But your system will be safer in the hands of an IT who is trained to recognize all ter work related entries and not risk removing or in some way changing processes needed to perform your job>
Click to expand...
 
The end is here...

Bobbye,

Thanks for all your help thus far. I will see if I can get an IT consultant to come and help me remove this virus. Otherwise, I'll just have to learn to live with it.

regarding your comments in the last post:

1) I disabled McAfee real time scanning and firewall when ever I was running anti-malware programs to try and keep it from interfering with things

2) I updated Adobe Reader to version X. The folder for version 9.0 is still in the Program Folders area, but Version 9.0 is not listed in Add Remove Programs, so I cannot remove it that way.

3) I removed all the outdated Adobe Active X related files using MoveOnBoot which I downloaded from Cnet.com. I only did this because I was trying to follow the instructions you gave me on how to remove Adobe 7.0 and those instructions were telling me to delete files that Windows would not let me delete in any other way I knew how.

4) Here is the Log from OTMoveIt3:

All processes killed
========== FILES ==========
File/Folder C:\Documents and Settings\JonathanAdmin\Local Settings\temp\ICReinstall\cnet_MoveOnBootSetup_exe.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: chelsea
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes

User: info
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: jonathan
->Temp folder emptied: 7725300 bytes
->Temporary Internet Files folder emptied: 27877728 bytes
->Java cache emptied: 101434 bytes
->FireFox cache emptied: 38138968 bytes
->Flash cache emptied: 3163 bytes

User: JonathanAdmin
->Temp folder emptied: 840219 bytes
->Temporary Internet Files folder emptied: 6891696 bytes
->Java cache emptied: 278836 bytes
->FireFox cache emptied: 54847243 bytes
->Flash cache emptied: 1390 bytes

User: Karen
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: karenadmin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: lanny
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Lannyadmin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: orlanda
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Rebuilding Together
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Ryan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Scott
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: ScottAdmin
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Tita
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Valerie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: vol1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 9850 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 4061464 bytes

Total Files Cleaned = 134.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 09162011_091305

Files moved on Reboot...

Registry entries deleted on Reboot...

Thanks again for all your help. Even if we weren't ultimately successful at least I know I did all I could to try and remove this virus before telling my boss we need to shell out some coin to squash it for good. Take care and happy trails.

-Jonathan
 
5) Oh yeah, and about the MSI error. I was not working in Safe Mode, so I don't think that was the problem. I went into safe mode to try and get ESET to work. Once it did, I got out of Safe Mode and continued doing everything in regular mode. I think the MSI error had something to do with me deleting something while following the manual uninstall instructions for Acrobat 7.0.
 
Let's try one more thing> If you still have Combofix on the system, create a System Restore point then go ahead and run the script below as directed. If you have already uninstalled Combofix downliad again and run it. Create a new System Restore point, then run the following sceipt:

Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
Code: 
File::
c:\windows\system32\countryt.dll
Folder::
c:\documents and settings\JonathanAdmin\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\JonathanAdmin\Local Settings\Application Data\Temp
DDS::
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
mRun: [EMBOS] rundll32 "c:\windows\system32\countryt.dll",xtpafprh
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EMBOS"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
===================================
Post the new log for me. Let me know if redirect has been resolved.
 
Status
Not open for further replies.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
836
uber_beetle
uber_beetle
A
Microsoft breaks users' PCs again with latest Windows 11 update
Replies
19
Views
440
trparky
T
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
2K
adidaman27
A

Latest posts

Back