Zero Access removal and now no internet connection


  • This topic is locked
45 replies to this topic

#1 beachdog2001

Posted 19 September 2011 - 03:53 PM

Hello, first post here. I had a Zero Access infection and after reading through several forums and trying various suggestions, I seem to have removed it. ComboFix runs (I now know that I shouldn't have run this, but it did find and eliminate the Zero Access rootkit) and now no longer sees any infections; Malwarebytes now runs and sees nothing, as does Spybot. However, I now have no internet connection and I cannot seem to start my NOD32 service. I tried to repair NOD32 and it failed, saying something called NUPD98.msi could not be found. I have tried various things like registering the service, flushing DNS etc., removing NOD32, all to no avail. I cannot start the Windows Firewall as it says that I have a dead connection. The message in the taskbar is that I have limited or no connectivity. Repairing the connection also does nothing. I have also tried rolling back the driver, uninstalling and reinstalling the device and that kind of thing. I also can now no longer install NOD32 as the service cannot be started.

So something is still on my system that is preventing me from having an internet connection (I know the connection works because I am using another computer on the same wireless network to write this post) and from running NOD32 and the Windows Firewall.

I have attached the requested files as well as the most recent Combofix file and a TDSSKiller log.

DDS.txt

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_17
Run by Bill at 9:48:33 on 2011-09-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1741 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://srch-us10.hpwis.com/
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - c:\progra~1\kingsoft\xdict\IEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - c:\progra~1\kingsoft\xdict\IEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\www.update
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1304915029234
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
R3 SaiH0763;SaiH0763;c:\windows\system32\drivers\SaiH0763.sys [2008-2-15 136832]
R3 SaiH0BAC;SaiH0BAC;c:\windows\system32\drivers\SaiH0BAC.sys [2007-7-2 138112]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2009-6-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
txtfile=c:\windows\notepad.exe %1
.
=============== Created Last 30 ================
.
2011-09-19 16:00:56 98816 ----a-w- c:\windows\sed.exe
2011-09-19 16:00:56 518144 ----a-w- c:\windows\SWREG.exe
2011-09-19 16:00:56 256000 ----a-w- c:\windows\PEV.exe
2011-09-19 16:00:56 208896 ----a-w- c:\windows\MBR.exe
2011-09-19 02:12:15 -------- d-sha-r- C:\cmdcons
2011-09-18 23:32:10 -------- d--h--w- c:\windows\PIF
2011-09-18 17:41:32 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-09-18 17:41:32 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-09-16 12:46:04 -------- d-----w- c:\program files\common files\Macrovision Shared
2011-09-16 12:41:09 12288 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\pmdg\dlls\PMDG_HUD_interface.dll
2011-09-16 12:41:02 1193984 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\pmdg\livery manager\PMDG_Livery_Manager.exe
2011-09-16 12:41:01 536576 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\PMDG_737NGX_3.dll
2011-09-16 12:41:01 4542464 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\PMDG_737NGX_2.dll
2011-09-16 12:40:57 96723456 ----a-w- c:\program files\microsoft games\microsoft flight simulator x\gauges\PMDG_737NGX.dll
2011-09-16 12:40:56 268624 ----a-r- c:\program files\microsoft games\microsoft flight simulator x\FnpCommsSoap.dll
2011-09-05 17:04:56 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-09-16 14:07:14 273504 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-09-16 14:07:14 273504 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-09-16 14:07:14 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-09-16 12:36:10 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-11 17:07:12 4184 --sha-w- c:\documents and settings\all users\application data\KGyGaAvL.sys
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 22:22:32 640221 ----a-w- c:\program files\UninstallNA.exe
2009-11-20 22:00:38 514546 ----a-w- c:\program files\UninstalEurope.exe
.
============= FINISH: 9:50:41.81 ===============

ComboFix.txt
ComboFix 11-09-19.01 - Bill 09/19/2011 9:02.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1611 [GMT -7:00]
Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Pass LEGAL for license information. Built Sat Jun 25 23:20 2011c:\windows\system32\nvdispco3220150.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-19 to 2011-09-19 )))))))))))))))))))))))))))))))
.
.
2011-09-18 23:32 . 2011-09-18 23:32 -------- d--h--w- c:\windows\PIF
2011-09-18 21:17 . 2011-09-18 21:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-09-18 17:41 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-09-18 17:41 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-09-16 12:59 . 2011-09-16 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-09-16 12:46 . 2011-09-16 12:46 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-09-16 12:41 . 2011-08-16 09:18 12288 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\PMDG\dlls\PMDG_HUD_interface.dll
2011-09-16 12:41 . 2011-07-29 23:33 1193984 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\PMDG\Livery Manager\PMDG_Livery_Manager.exe
2011-09-16 12:41 . 2011-08-16 09:40 4542464 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\PMDG_737NGX_2.dll
2011-09-16 12:41 . 2011-02-16 07:39 536576 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\PMDG_737NGX_3.dll
2011-09-16 12:40 . 2011-08-16 09:40 96723456 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\PMDG_737NGX.dll
2011-09-16 12:40 . 2010-11-21 01:01 268624 ----a-r- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FnpCommsSoap.dll
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-16 12:36 . 2011-07-01 01:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-11 17:07 . 2009-08-09 22:45 4184 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2011-09-01 00:00 . 2011-02-21 19:10 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-30 21:02 . 2011-06-30 21:02 106496 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2011-06-30 21:02 . 2011-06-30 21:02 106496 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2011-06-30 21:02 . 2011-06-30 21:02 106496 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2010-02-28 22:22 . 2010-02-28 22:07 640221 ----a-w- c:\program files\UninstallNA.exe
2009-11-20 22:00 . 2009-11-20 21:49 514546 ----a-w- c:\program files\UninstalEurope.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerWord 2002.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerWord 2002.lnk
backup=c:\windows\pss\PowerWord 2002.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
2003-06-19 03:19 53248 ----a-w- c:\hp\bin\AUTOTKIT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2008-04-14 00:12 50176 ----a-w- c:\windows\eHome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-10-03 05:19 118784 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 23:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 23:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 23:44 61440 ----a-w- c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-05-25 06:09 13895272 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-05-25 06:09 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2009-06-23 02:29 83232 ----a-w- c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-15 18:22 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
2003-08-15 03:11 139264 ----a-w- c:\program files\Multimedia Card Reader\shwicon2k.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 17:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"SysmonLog"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"Messenger"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"ehSched"=2 (0x2)
"CiSvc"=3 (0x3)
"Alerter"=3 (0x3)
"mnmsrvc"=3 (0x3)
"O&O Defrag"=2 (0x2)
"YahooAUService"=2 (0x2)
"nvUpdatusService"=2 (0x2)
"NVSvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FSFDT\\Control Panel\\FSFDTCP.exe"=
"c:\\Program Files\\FSFDT\\FWInn\\FWINN.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\FSFDT\\FSInn UI\\FSInnUI.exe"=
"c:\\Program Files\\FSFDT\\FSInn UI VVL\\FSInnUIVVL.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\feelThere\\b737\\737setup.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\Update.exe"=
"c:\\Program Files\\FSFDT\\FWInn\\FWINN64.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Real Environment Xtreme 2.0\\rexwxengine2.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Apps\\2.0\\OENELP7W.1LQ\\JHMM0REJ.ZCT\\acar..tion_c603f141f5d06682_0002.000c_84b0b64057e101c1\\ACARS.exe"=
"c:\\Documents and Settings\\Bill\\Application Data\\Tencent\\QQ\\STemp\\~TXQQIntl~0\\program files\\Tencent\\QQIntl\\Bin\\QQ.exe"=
"c:\\Documents and Settings\\Bill\\Application Data\\Tencent\\QQ\\STemp\\~TXQQIntl~0\\program files\\Tencent\\QQIntl\\Bin\\auclt.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Apps\\2.0\\OENELP7W.1LQ\\JHMM0REJ.ZCT\\acar..tion_d3355201e441073d_0002.000d_901a5af215981e5c\\ACARS.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Apps\\2.0\\OENELP7W.1LQ\\JHMM0REJ.ZCT\\acar..tion_d3355201e441073d_0002.000d_6c5ded94660015dc\\ACARS.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R3 SaiH0763;SaiH0763;c:\windows\system32\drivers\SaiH0763.sys [2/15/2008 5:51 PM 136832]
R3 SaiH0BAC;SaiH0BAC;c:\windows\system32\drivers\SaiH0BAC.sys [7/2/2007 8:36 AM 138112]
R4 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys --> c:\windows\system32\DRIVERS\epfwtdir.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [6/14/2009 1:59 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://srch-us10.hpwis.com/
uInternet Settings,ProxyOverride = <local>
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
IE: {{8DE0FCD4-5EB5-11D3-AD25-00002100131B} - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - c:\progra~1\Kingsoft\XDict\IEPlugin.dll
IE: {{C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - c:\progra~1\Kingsoft\XDict\IEPlugin.dll
Trusted Zone: microsoft.com\www.update
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-19 09:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):1e,cb,d4,c1,b2,88,02,c6,be,2a,61,b1,2e,75,1c,24,d9,d8,8b,4f,d2,
06,aa,99,17,92,5a,50,d2,f4,9c,c5,48,3e,d8,55,06,05,b4,b2,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{86e781ac-84a8-4deb-ab81-869fdafdf293}]
@Denied: (Full) (Everyone)
"Model"=dword:0000010d
"Therad"=dword:00000012
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="..."
.
Completion time: 2011-09-19 09:10:30
ComboFix-quarantined-files.txt 2011-09-19 16:10
ComboFix2.txt 2011-09-19 03:23
.
Pre-Run: 79,804,448,768 bytes free
Post-Run: 79,791,710,208 bytes free
.
- - End Of File - - 396CDF5D4FF222F92454069F22E83533

TDSSKiller.txt
2011/09/19 09:29:20.0046 1292 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17
2011/09/19 09:29:20.0125 1292 ================================================================================
2011/09/19 09:29:20.0125 1292 SystemInfo:
2011/09/19 09:29:20.0125 1292
2011/09/19 09:29:20.0125 1292 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/19 09:29:20.0125 1292 Product type: Workstation
2011/09/19 09:29:20.0125 1292 ComputerName: HPPC
2011/09/19 09:29:20.0125 1292 UserName: Bill
2011/09/19 09:29:20.0125 1292 Windows directory: C:\WINDOWS
2011/09/19 09:29:20.0125 1292 System windows directory: C:\WINDOWS
2011/09/19 09:29:20.0125 1292 Processor architecture: Intel x86
2011/09/19 09:29:20.0125 1292 Number of processors: 2
2011/09/19 09:29:20.0125 1292 Page size: 0x1000
2011/09/19 09:29:20.0125 1292 Boot type: Normal boot
2011/09/19 09:29:20.0125 1292 ================================================================================
2011/09/19 09:29:21.0343 1292 Initialize success
2011/09/19 09:29:25.0468 1504 ================================================================================
2011/09/19 09:29:25.0468 1504 Scan started
2011/09/19 09:29:25.0484 1504 Mode: Manual;
2011/09/19 09:29:25.0484 1504 ================================================================================
2011/09/19 09:29:26.0656 1504 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/19 09:29:26.0781 1504 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/19 09:29:27.0000 1504 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/19 09:29:27.0125 1504 AFD (672b696345f26167ad985b9392d30cb0) C:\WINDOWS\System32\drivers\afd.sys
2011/09/19 09:29:27.0218 1504 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
2011/09/19 09:29:27.0343 1504 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/09/19 09:29:27.0796 1504 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/09/19 09:29:28.0156 1504 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/09/19 09:29:28.0593 1504 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/19 09:29:28.0703 1504 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/19 09:29:28.0937 1504 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/19 09:29:29.0062 1504 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/19 09:29:29.0187 1504 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/19 09:29:29.0406 1504 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/19 09:29:29.0609 1504 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/19 09:29:29.0718 1504 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/19 09:29:30.0031 1504 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/19 09:29:30.0671 1504 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/19 09:29:30.0828 1504 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/19 09:29:30.0984 1504 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/19 09:29:31.0109 1504 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/19 09:29:31.0218 1504 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/19 09:29:31.0421 1504 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/19 09:29:31.0578 1504 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/19 09:29:31.0703 1504 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/19 09:29:31.0812 1504 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/19 09:29:31.0921 1504 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/19 09:29:32.0031 1504 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/19 09:29:32.0140 1504 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/19 09:29:32.0250 1504 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/19 09:29:32.0359 1504 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/19 09:29:32.0484 1504 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/19 09:29:32.0734 1504 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/19 09:29:33.0046 1504 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/19 09:29:33.0187 1504 ialm (b076eb745ec3c669d4ae953225366f1d) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/09/19 09:29:33.0328 1504 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/19 09:29:33.0562 1504 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
2011/09/19 09:29:33.0687 1504 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/19 09:29:33.0812 1504 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/19 09:29:33.0937 1504 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/19 09:29:34.0078 1504 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/19 09:29:34.0218 1504 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/19 09:29:34.0343 1504 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/19 09:29:34.0453 1504 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/19 09:29:34.0578 1504 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/19 09:29:34.0687 1504 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/19 09:29:34.0796 1504 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/19 09:29:34.0906 1504 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/19 09:29:35.0031 1504 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/19 09:29:35.0281 1504 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/19 09:29:35.0406 1504 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/19 09:29:35.0531 1504 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/19 09:29:35.0625 1504 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/19 09:29:35.0750 1504 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/19 09:29:35.0953 1504 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/19 09:29:36.0093 1504 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/19 09:29:36.0250 1504 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/19 09:29:36.0375 1504 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/19 09:29:36.0500 1504 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/19 09:29:36.0640 1504 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/19 09:29:36.0765 1504 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/19 09:29:36.0875 1504 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/19 09:29:37.0000 1504 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/19 09:29:37.0125 1504 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/19 09:29:37.0234 1504 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/19 09:29:37.0359 1504 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/19 09:29:37.0468 1504 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/19 09:29:37.0578 1504 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/19 09:29:37.0687 1504 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/19 09:29:37.0828 1504 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/09/19 09:29:37.0968 1504 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/19 09:29:38.0093 1504 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/19 09:29:38.0234 1504 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/19 09:29:38.0984 1504 nv (8b2c874897ea498da012284e12f9db2b) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/09/19 09:29:39.0890 1504 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/19 09:29:40.0031 1504 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/19 09:29:40.0171 1504 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/09/19 09:29:40.0296 1504 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/19 09:29:40.0406 1504 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/19 09:29:40.0515 1504 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/19 09:29:40.0625 1504 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/19 09:29:40.0828 1504 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/19 09:29:40.0953 1504 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/19 09:29:41.0656 1504 pfc (e5ac9f8c128b597dd7919af96b84172e) C:\WINDOWS\system32\drivers\pfc.sys
2011/09/19 09:29:41.0796 1504 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/19 09:29:41.0906 1504 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/09/19 09:29:42.0015 1504 Ps2 (bffdb363485501a38f0bca83aec810db) C:\WINDOWS\system32\DRIVERS\PS2.sys
2011/09/19 09:29:42.0140 1504 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/19 09:29:42.0250 1504 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/19 09:29:42.0359 1504 PxHelp20 (7e1eacdecba39e0b2a35306426f0decc) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/09/19 09:29:42.0921 1504 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/19 09:29:43.0031 1504 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/19 09:29:43.0140 1504 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/19 09:29:43.0250 1504 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/19 09:29:43.0359 1504 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/19 09:29:43.0468 1504 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/19 09:29:43.0593 1504 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/19 09:29:43.0734 1504 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/19 09:29:43.0875 1504 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/19 09:29:44.0031 1504 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2011/09/19 09:29:44.0140 1504 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
2011/09/19 09:29:44.0250 1504 SaiH0763 (c427eec18fbdf6d69de0c8b974eb450a) C:\WINDOWS\system32\DRIVERS\SaiH0763.sys
2011/09/19 09:29:44.0359 1504 SaiH0BAC (08c38a94187e86e986aff71cb7e8a925) C:\WINDOWS\system32\DRIVERS\SaiH0BAC.sys
2011/09/19 09:29:44.0531 1504 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/19 09:29:44.0656 1504 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/19 09:29:44.0984 1504 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/19 09:29:45.0234 1504 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/19 09:29:45.0562 1504 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/19 09:29:45.0687 1504 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/19 09:29:45.0843 1504 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/19 09:29:45.0984 1504 SunkFilt (2087b202cfe8a2f8a59cecfffbec58d5) C:\WINDOWS\System32\Drivers\sunkfilt.sys
2011/09/19 09:29:46.0187 1504 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/19 09:29:46.0281 1504 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/19 09:29:46.0781 1504 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/19 09:29:46.0921 1504 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/19 09:29:47.0062 1504 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
2011/09/19 09:29:47.0203 1504 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/19 09:29:47.0343 1504 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/19 09:29:47.0484 1504 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/19 09:29:47.0750 1504 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
2011/09/19 09:29:47.0890 1504 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/19 09:29:48.0140 1504 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/19 09:29:48.0281 1504 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/19 09:29:48.0390 1504 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/19 09:29:48.0500 1504 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/19 09:29:48.0609 1504 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/19 09:29:48.0750 1504 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/19 09:29:48.0875 1504 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/19 09:29:49.0000 1504 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/19 09:29:49.0109 1504 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/19 09:29:49.0250 1504 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
2011/09/19 09:29:49.0375 1504 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/19 09:29:49.0515 1504 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/19 09:29:49.0718 1504 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/19 09:29:49.0953 1504 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/09/19 09:29:50.0125 1504 {6080A529-897E-4629-A488-ABA0C29B635E} (61002db7b6efb5711685b9d79b8e8ce6) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/09/19 09:29:50.0265 1504 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (35ce2baa708ea038ab72359de87bab87) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/09/19 09:29:50.0312 1504 MBR (0x1B8) (8cc68602644010dfdb2a22cb60ddf258) \Device\Harddisk0\DR0
2011/09/19 09:29:50.0328 1504 MBR (0x1B8) (ddae9d649db12f6aff24483f2c298989) \Device\Harddisk5\DR11
2011/09/19 09:29:50.0359 1504 Boot (0x1200) (fc6e3fdb7d04e47419fe1c631d6a998d) \Device\Harddisk0\DR0\Partition0
2011/09/19 09:29:50.0406 1504 Boot (0x1200) (5c20e53a0682b5b8e4d9ff8961357ae9) \Device\Harddisk0\DR0\Partition1
2011/09/19 09:29:50.0421 1504 Boot (0x1200) (bbc1983051391f7aefeb1794f36db9e2) \Device\Harddisk5\DR11\Partition0
2011/09/19 09:29:50.0437 1504 ================================================================================
2011/09/19 09:29:50.0437 1504 Scan finished
2011/09/19 09:29:50.0437 1504 ================================================================================
2011/09/19 09:29:50.0453 0564 Detected object count: 0
2011/09/19 09:29:50.0453 0564 Actual detected object count: 0

I do have the MBR.dat file that another website suggested running as a help to people doing diagnostics. I have not posted anywhere else.

Whatever help you can provide would be great. I hope I have complied with the instructions provided on how to post here. I have heard some people still have this infection even after reformatting and reinstalling everything. Is this possible? Will a reformat remove this infection for sure?

Note: About halfway through running GMER, the PC froze up and I had to start it over after a hard reboot. It is running now. I will post it here when it is finished but it will probably need 2 hours to finish.

Bill Barrette



#2 beachdog2001

beachdog2001
  • Topic Starter

  • Members
  • 28 posts

Posted 19 September 2011 - 05:36 PM

Ok, I can't get GMER to finish. It seems to finish, although I think there are more files to go, and when I try to save, the PC locks up. It says I don't have enough resources to save the file. So that is twice now. Now what?

#3 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts

Posted 19 September 2011 - 06:33 PM

Hi beachdog2001,



Welcome to BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum. :welcome:
My name is sundavis, and I will be helping you to deal with your malware problems today.

Go to Device Manager, click on the View menu, select Show hidden devices, and look under Non-Plug and Play Drivers. Please report whether any yellow exclamation marks are still present. Thanks.


Step1

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    TCPIP.sys
    IPsec.sys
    Afd.sys
    :reg
    HKLM\SYSTEM\CurrentControlSet\Services\TCPIP /s
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_TCPIP /s
    HKLM\SYSTEM\CurrentControlSet\Services\AFD /s
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_AFD /s
    HKLM\System\CurrentControlSet\Services\IPSEC /s
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_IPSEC /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#4 beachdog2001

beachdog2001
  • Topic Starter

  • Members
  • 28 posts

Posted 19 September 2011 - 07:14 PM

Well, now Device Manager won't open :mellow: Doing the SystemLook now.

#5 beachdog2001

beachdog2001
  • Topic Starter

  • Members
  • 28 posts

Posted 19 September 2011 - 07:16 PM

Ok, now working. No yellow exclamations under Non-Plug and Play.

#6 beachdog2001

beachdog2001
  • Topic Starter

  • Members
  • 28 posts

Posted 19 September 2011 - 07:42 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 17:21 on 19/09/2011 by Bill
Administrator - Elevation successful

========== filefind ==========

Searching for "TCPIP.sys"
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\tcpip.sys --a---- 361600 bytes [11:59 20/06/2008] [11:59 20/06/2008] AD978A1B783B5719720CFF204B666C8E
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys --a---- 360960 bytes [10:44 20/06/2008] [10:44 20/06/2008] 744E57C99232201AE98C49168B918F48
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys --a---- 361600 bytes [11:51 20/06/2008] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys --a---- 361600 bytes [11:59 20/06/2008] [11:59 20/06/2008] AD978A1B783B5719720CFF204B666C8E
C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys -----c- 360320 bytes [23:50 14/06/2009] [10:45 20/06/2008] 2A5554FC5B1E04E131230E3CE035C3F9
C:\WINDOWS\ERDNT\cache\tcpip.sys --a---- 361600 bytes [02:41 19/09/2011] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\ServicePackFiles\i386\tcpip.sys ------- 361344 bytes [06:14 04/08/2004] [19:20 13/04/2008] 93EA8D04EC73A85DB02EB8805988F733
C:\WINDOWS\system32\dllcache\tcpip.sys -----c- 361600 bytes [11:51 20/06/2008] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361600 bytes [08:59 14/06/2009] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D

Searching for "IPsec.sys"
C:\WINDOWS\$NtServicePackUninstall$\ipsec.sys -----c- 74752 bytes [23:50 14/06/2009] [06:14 04/08/2004] 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\ServicePackFiles\i386\ipsec.sys ------- 75264 bytes [06:14 04/08/2004] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91
C:\WINDOWS\system32\drivers\ipsec.sys --a---- 75264 bytes [08:56 14/06/2009] [19:19 13/04/2008] 23C74D75E36E7158768DD63D92789A91

Searching for "Afd.sys"
C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys --a---- 138496 bytes [03:31 15/07/2011] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4
C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys --a---- 138496 bytes [15:07 16/10/2008] [15:07 16/10/2008] 38D7B715504DA4741DF35E3594FE2099
C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys --a---- 138368 bytes [10:44 20/06/2008] [10:44 20/06/2008] D99DDFFB33DEACDCF20717CB520379F6
C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys --a---- 138496 bytes [11:40 20/06/2008] [11:40 20/06/2008] E3049B90FE06F3F740B7CFDA44995E2C
C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys --a---- 138496 bytes [11:48 20/06/2008] [11:48 20/06/2008] D6EE6014241D034E63C49A50CB2B442A
C:\WINDOWS\$hf_mig$\KB956803\SP2QFE\afd.sys --a---- 138368 bytes [21:53 14/06/2009] [09:48 14/08/2008] 6A0397376853E604DE8E1E7A87FC08AC
C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys --a---- 138496 bytes [21:53 14/06/2009] [10:04 14/08/2008] 7E775010EF291DA96AD17CA4B17137D7
C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys --a---- 138496 bytes [21:53 14/06/2009] [10:34 14/08/2008] 4D43E74F2A1239D53929B82600F1971C
C:\WINDOWS\$NtServicePackUninstall$\afd.sys -----c- 138368 bytes [23:50 14/06/2009] [09:51 14/08/2008] 55E6E1C51B6D30E54335750955453702
C:\WINDOWS\ServicePackFiles\i386\afd.sys ------- 138112 bytes [06:14 04/08/2004] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\SoftwareDistribution\Download\402b80bba3eb5ba477eeaa840ad0e146\SP3GDR\afd.sys --a---- 138496 bytes [03:31 15/07/2011] [13:22 16/02/2011] 355556D9E580915118CD7EF736653A89
C:\WINDOWS\SoftwareDistribution\Download\402b80bba3eb5ba477eeaa840ad0e146\SP3QFE\afd.sys --a---- 138496 bytes [03:31 15/07/2011] [13:25 16/02/2011] 8D499B1276012EB907E7A9E0F4D8FDA4
C:\WINDOWS\system32\dllcache\afd.sys -----c- 138496 bytes [11:40 20/06/2008] [13:22 16/02/2011] 355556D9E580915118CD7EF736653A89
C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [08:55 14/06/2009] [13:22 16/02/2011] 672B696345F26167AD985B9392D30CB0

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)
"Tag"= 0x0000000003 (3)
"ImagePath"="System32\DRIVERS\tcpip.sys"
"DisplayName"="TCP/IP Protocol Driver"
"Group"="PNP_TDI"
"DependOnService"="IPSec"
"DependOnGroup"=" "
"Description"="TCP/IP Protocol Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Linkage]
"Bind"="\Device\{A547F9FC-DD17-4442-A11E-870E2F98F8A8} \Device\{8FED6E24-A50E-4CAD-BBD0-B0414ACF97D4} \Device\NdisWanIp"
"Route"=""{A547F9FC-DD17-4442-A11E-870E2F98F8A8}" "{8FED6E24-A50E-4CAD-BBD0-B0414ACF97D4}" "NdisWanIp""
"Export"="\Device\Tcpip_{A547F9FC-DD17-4442-A11E-870E2F98F8A8} \Device\Tcpip_{8FED6E24-A50E-4CAD-BBD0-B0414ACF97D4} \Device\Tcpip_{043D93F9-95DD-4B6F-B797-31D19833963B} \Device\Tcpip_{E6EE9AC3-3FE5-4022-B91B-D00FC894632F}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters]
"NV Hostname"="HPPC"
"DataBasePath"="%SystemRoot%\System32\drivers\etc"
"ForwardBroadcasts"= 0x0000000000 (0)
"IPEnableRouter"= 0x0000000000 (0)
"Domain"=""
"Hostname"="HPPC"
"SearchList"=""
"UseDomainNameDevolution"= 0x0000000001 (1)
"DeadGWDetectDefault"= 0x0000000001 (1)
"DontAddDefaultGatewayDefault"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Adapters]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Adapters\NdisWanIp]
"LLInterface"="WANARP"
"IpConfig"="Tcpip\Parameters\Interfaces\{043D93F9-95DD-4B6F-B797-31D19833963B} Tcpip\Parameters\Interfaces\{E6EE9AC3-3FE5-4022-B91B-D00FC894632F}"
"NumInterfaces"= 0x0000000002 (2)
"IpInterfaces"=f9 93 3d 04 dd 95 6f 4b b7 97 31 d1 98 33 96 3b c3 9a ee e6 e5 3f 22 40 b9 1b d0 0f c8 94 63 2f (REG_BINARY)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Adapters\{8FED6E24-A50E-4CAD-BBD0-B0414ACF97D4}]
"LLInterface"="ARP1394"
"IpConfig"="Tcpip\Parameters\Interfaces\{8FED6E24-A50E-4CAD-BBD0-B0414ACF97D4}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Adapters\{A547F9FC-DD17-4442-A11E-870E2F98F8A8}]
"LLInterface"=""
"IpConfig"="Tcpip\Parameters\Interfaces\{A547F9FC-DD17-4442-A11E-870E2F98F8A8}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\DNSRegisteredAdapters]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Interfaces]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{043D93F9-95DD-4B6F-B797-31D19833963B}]
"UseZeroBroadcast"= 0x0000000000 (0)
"EnableDHCP"= 0x0000000000 (0)
"IPAddress"="0.0.0.0"
"SubnetMask"="0.0.0.0"
"DefaultGateway"=" "
"EnableDeadGWDetect"= 0x0000000001 (1)
"DontAddDefaultGateway"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{8FED6E24-A50E-4CAD-BBD0-B0414ACF97D4}]
"UseZeroBroadcast"= 0x0000000000 (0)
"EnableDHCP"= 0x0000000001 (1)
"IPAddress"="0.0.0.0"
"SubnetMask"="0.0.0.0"
"DefaultGateway"=" "
"DefaultGatewayMetric"=" "
"NameServer"=""
"Domain"=""
"RegistrationEnabled"= 0x0000000001 (1)
"RegisterAdapterName"= 0x0000000000 (0)
"TCPAllowedPorts"="0"
"UDPAllowedPorts"="0"
"RawIPAllowedProtocols"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{A547F9FC-DD17-4442-A11E-870E2F98F8A8}]
"UseZeroBroadcast"= 0x0000000000 (0)
"EnableDeadGWDetect"= 0x0000000001 (1)
"EnableDHCP"= 0x0000000001 (1)
"IPAddress"="0.0.0.0"
"SubnetMask"="0.0.0.0"
"DefaultGateway"=" "
"DefaultGatewayMetric"=" "
"NameServer"=""
"Domain"=""
"RegistrationEnabled"= 0x0000000001 (1)
"RegisterAdapterName"= 0x0000000000 (0)
"TCPAllowedPorts"="0"
"UDPAllowedPorts"="0"
"RawIPAllowedProtocols"="0"
"NTEContextList"="0x00000002"
"DhcpClassIdBin"= (REG_BINARY)
"DhcpServer"="255.255.255.255"
"Lease"= 0x0000000000 (0)
"LeaseObtainedTime"= 0x004e77da5e (1316477534)
"T1"= 0x004e77da5e (1316477534)
"T2"= 0x004e77da5e (1316477534)
"LeaseTerminatesTime"= 0x007fffffff (2147483647)
"IPAutoconfigurationAddress"="169.254.105.231"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"= 0x00fb29ceda (-81146150)
"AddressType"= 0x0000000001 (1)
"IsServerNapAware"= 0x0000000000 (0)
"DhcpIPAddress"="169.254.105.231"
"DhcpSubnetMask"="255.255.0.0"
"DhcpRetryTime"= 0x0000000121 (289)
"DhcpRetryStatus"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\{E6EE9AC3-3FE5-4022-B91B-D00FC894632F}]
"UseZeroBroadcast"= 0x0000000000 (0)
"EnableDHCP"= 0x0000000000 (0)
"IPAddress"="0.0.0.0"
"SubnetMask"="0.0.0.0"
"DefaultGateway"=" "
"EnableDeadGWDetect"= 0x0000000001 (1)
"DontAddDefaultGateway"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\PersistentRoutes]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters\Winsock]
"UseDelayedAcceptance"= 0x0000000000 (0)
"HelperDllName"="%SystemRoot%\System32\wshtcpip.dll"
"MaxSockAddrLength"= 0x0000000010 (16)
"MinSockAddrLength"= 0x0000000010 (16)
"Mapping"=0b 00 00 00 03 00 00 00 02 00 00 00 01 00 00 00 06 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 01 00 00 00 06 00 00 00 02 00 00 00 02 00 00 00 11 00 00 00 02 00 00 00 02 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 02 00 00 00 11 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00 (REG_BINARY)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Performance]
"Close"="CloseTcpIpPerformanceData"
"Collect"="CollectTcpIpPerformanceData"
"Library"="Perfctrs.dll"
"Open"="OpenTcpIpPerformanceData"
"Object List"="502 510 546 582 638 658"
"Disable Performance Counters"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Security]
"Security"=01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\ServiceProvider]
"Class"= 0x0000000008 (8)
"DnsPriority"= 0x00000007d0 (2000)
"HostsPriority"= 0x00000001f4 (500)
"LocalPriority"= 0x00000001f3 (499)
"ProviderPath"="%SystemRoot%\System32\wsock32.dll"
"NetbtPriority"= 0x00000007d1 (2001)
"Name"="TCP/IP"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Enum]
"0"="Root\LEGACY_TCPIP\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_TCPIP]
"NextInstance"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_TCPIP\0000]
"Service"="Tcpip"
"Legacy"= 0x0000000001 (1)
"ConfigFlags"= 0x0000000000 (0)
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="TCP/IP Protocol Driver"
"Capabilities"= 0x0000000000 (0)
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\0030"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_TCPIP\0000\LogConf]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_TCPIP\0000\Control]
"ActiveService"="Tcpip"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"
"DisplayName"="AFD Networking Support Environment"
"Group"="TDI"
"Description"="AFD Networking Support Environment"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Security]
"Security"=01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Enum]
"0"="Root\LEGACY_AFD\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_AFD]
"NextInstance"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_AFD\0000]
"Service"="AFD"
"Legacy"= 0x0000000001 (1)
"ConfigFlags"= 0x0000000000 (0)
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="AFD Networking Support Environment"
"Capabilities"= 0x0000000000 (0)
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\0001"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_AFD\0000\LogConf]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_AFD\0000\Control]
"ActiveService"="AFD"


[HKEY_LOCAL_MACHINE\SYSTEM|CurrentControlSet\Services\IPSEC]
(Unable to open key - key not found)

[HKEY_LOCAL_MACHINE\SYSTEM|CurrentControlSet\Enum\Root\Legacy_IPSEC]
(Unable to open key - key not found)

-= EOF =-
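The check the helper makes by eye when reading the SystemLook log above, written out as an added example (not code from the thread or from SystemLook): it parses the filefind and reg sections and flags a driver in system32\drivers whose MD5 differs from its dllcache or ServicePackFiles copy even though the modification time is identical, and a service named in TCPIP's DependOnService whose key no longer exists. The sample input is a constructed excerpt built from lines of the posted log, and the parsing rules are inferred from that output format.

```python
# Parse a SystemLook log and flag what the helper looked for in the log above: a live driver
# whose MD5 differs from its protected copy despite an identical mtime, and a service that
# TCPIP lists in DependOnService but whose key no longer exists.
import re
from collections import defaultdict

# Constructed excerpt in SystemLook's output format, built from lines of the posted log:
# tcpip.sys matches its dllcache copy, afd.sys does not, and the IPSEC key is gone.
SAMPLE_LOG = r"""========== filefind ==========
Searching for "TCPIP.sys"
C:\WINDOWS\system32\dllcache\tcpip.sys -----c- 361600 bytes [11:51 20/06/2008] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
C:\WINDOWS\system32\drivers\tcpip.sys --a---- 361600 bytes [08:59 14/06/2009] [11:51 20/06/2008] 9AEFA14BD6B182D61E3119FA5F436D3D
Searching for "Afd.sys"
C:\WINDOWS\ServicePackFiles\i386\afd.sys ------- 138112 bytes [06:14 04/08/2004] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD
C:\WINDOWS\system32\dllcache\afd.sys -----c- 138496 bytes [11:40 20/06/2008] [13:22 16/02/2011] 355556D9E580915118CD7EF736653A89
C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [08:55 14/06/2009] [13:22 16/02/2011] 672B696345F26167AD985B9392D30CB0
========== reg ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP]
"ImagePath"="System32\DRIVERS\tcpip.sys"
"DependOnService"="IPSec"
[HKEY_LOCAL_MACHINE\SYSTEM|CurrentControlSet\Services\IPSEC]
(Unable to open key - key not found)
-= EOF =-
"""

# Parsing rules are inferred from the log format shown above, not SystemLook's own code.
FILE_RE = re.compile(r"^(?P<path>.+?) [-a-z]{7} \d+ bytes \[[^\]]+\] "
                     r"\[(?P<mtime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$")
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"$')
NOT_FOUND = "(Unable to open key - key not found)"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"


def parse_filefind(log):
    """Map each searched file name (lower-cased) to a list of (path, mtime, md5)."""
    found, current = defaultdict(list), None
    for line in log.splitlines():
        if m := SEARCH_RE.match(line):
            current = m.group("name").lower()
        elif (m := FILE_RE.match(line)) and current:
            found[current].append((m.group("path"), m.group("mtime"), m.group("md5").upper()))
    return found


def parse_reg(log):
    """Map each dumped key (lower-cased, '|' normalised) to its string values, None if absent."""
    keys, current = {}, None
    for line in log.splitlines():
        if m := KEY_RE.match(line):
            current = m.group("key").replace("|", "\\").lower()
            keys[current] = {}
        elif current and line.strip() == NOT_FOUND:
            keys[current] = None
        elif current and keys[current] is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group("name")] = m.group("value")
    return keys


def check_drivers(found):
    """A live driver should hash like the protected copy that carries the same mtime."""
    findings = []
    for name, entries in found.items():
        live = [e for e in entries if e[0].lower().endswith("\\system32\\drivers\\" + name)]
        if not live:
            findings.append(f"{name}: no copy present in system32\\drivers")
            continue
        path, mtime, md5 = live[0]
        refs = [e for e in entries if e[1] == mtime and
                ("\\dllcache\\" in e[0].lower() or "\\servicepackfiles\\" in e[0].lower())]
        if not refs:
            findings.append(f"{name}: no protected copy shares mtime {mtime}; compare by hand")
        elif all(e[2] != md5 for e in refs):
            findings.append(f"{name}: {path} MD5 {md5} differs from protected copy with mtime {mtime}")
    return findings


def check_dependencies(keys):
    """A service whose DependOnService names a key that is absent cannot be started."""
    findings = []
    for key, values in keys.items():
        if values is None or not key.startswith(SERVICES):
            continue
        for svc in values.get("DependOnService", "").split():
            if keys.get(SERVICES + svc.lower(), {}) is None:
                name = key[len(SERVICES):]
                findings.append(f"{name} depends on service {svc}, whose key is missing")
    return findings


def analyze(log):
    """Run both checks over one SystemLook log and return the findings in order."""
    return check_drivers(parse_filefind(log)) + check_dependencies(parse_reg(log))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the posted log this reports afd.sys (same mtime as the dllcache copy, different hash) and the TCPIP dependency on the absent IPSEC key, which is what the FCopy instruction in the next post addresses.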

#7 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts

Posted 19 September 2011 - 08:07 PM

Hi beachdog2001,



Please delete the existing copy of ComboFix, and get a new one. Besides that, we need to run SystemLook one more time. You should wait some time until the SystemLook "Look" button reappears and then copy and paste the contents in your next reply.


Step1

  • Close any open browsers
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
FCopy::
C:\WINDOWS\ServicePackFiles\i386\afd.sys | c:\windows\system32\drivers\afd.sys

FixCSet:: 


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

[Screenshot: dragging CFScript.txt onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. (If not, reboot manually.)
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    HKLM\System\CurrentControlSet\Services\IPSEC /s
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_IPSEC /s
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


In your next reply, please post the following logs:

1. ComboFix log
2. SystemLook log

Advise me if that fixed your network connectivity and reply back with the results from the logs.

Edited by sundavis, 19 September 2011 - 08:08 PM.


#8 beachdog2001

beachdog2001
  • Topic Starter

  • Members
  • 28 posts

Posted 19 September 2011 - 08:53 PM

Connectivity now restored, but cannot connect to the internet for some reason. Logs below:

ComboFix 11-09-19.01 - Bill 09/19/2011 18:24:37.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1609 [GMT -7:00]
Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bill\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Pass LEGAL for license information. Built Sat Jun 25 23:20 2011c:\windows\system32\nvdispco3220150.dll
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\afd.sys --> c:\windows\system32\drivers\afd.sys
.
((((((((((((((((((((((((( Files Created from 2011-08-20 to 2011-09-20 )))))))))))))))))))))))))))))))
.
.
2011-09-18 23:32 . 2011-09-18 23:32 -------- d--h--w- c:\windows\PIF
2011-09-18 21:17 . 2011-09-18 21:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-09-18 17:41 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-09-18 17:41 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-09-16 12:59 . 2011-09-16 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-09-16 12:46 . 2011-09-16 12:46 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-09-16 12:40 . 2010-11-21 01:01 268624 ----a-r- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FnpCommsSoap.dll
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-16 12:36 . 2011-07-01 01:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-11 17:07 . 2009-08-09 22:45 4184 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2011-09-01 00:00 . 2011-02-21 19:10 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-30 21:02 . 2011-06-30 21:02 106496 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2011-06-30 21:02 . 2011-06-30 21:02 106496 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2011-06-30 21:02 . 2011-06-30 21:02 106496 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2010-02-28 22:22 . 2010-02-28 22:07 640221 ----a-w- c:\program files\UninstallNA.exe
2009-11-20 22:00 . 2009-11-20 21:49 514546 ----a-w- c:\program files\UninstalEurope.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-19_16.08.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-12-17 04:29 . 2011-09-20 01:36 88722 c:\windows\system32\perfc009.dat
- 2003-12-17 04:29 . 2011-09-19 03:31 88722 c:\windows\system32\perfc009.dat
+ 2003-12-17 04:29 . 2011-09-20 01:36 503868 c:\windows\system32\perfh009.dat
- 2003-12-17 04:29 . 2011-09-19 03:31 503868 c:\windows\system32\perfh009.dat
+ 2009-06-14 08:55 . 2008-04-13 19:19 138112 c:\windows\system32\dllcache\afd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerWord 2002.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerWord 2002.lnk
backup=c:\windows\pss\PowerWord 2002.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
2003-06-19 03:19 53248 ----a-w- c:\hp\bin\AUTOTKIT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2008-04-14 00:12 50176 ----a-w- c:\windows\eHome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-10-03 05:19 118784 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 23:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 23:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 23:44 61440 ----a-w- c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-05-25 06:09 13895272 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-05-25 06:09 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2009-06-23 02:29 83232 ----a-w- c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-15 18:22 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
2003-08-15 03:11 139264 ----a-w- c:\program files\Multimedia Card Reader\shwicon2k.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 17:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"SysmonLog"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"Messenger"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"ehSched"=2 (0x2)
"CiSvc"=3 (0x3)
"Alerter"=3 (0x3)
"mnmsrvc"=3 (0x3)
"O&O Defrag"=2 (0x2)
"YahooAUService"=2 (0x2)
"nvUpdatusService"=2 (0x2)
"NVSvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FSFDT\\Control Panel\\FSFDTCP.exe"=
"c:\\Program Files\\FSFDT\\FWInn\\FWINN.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\FSFDT\\FSInn UI\\FSInnUI.exe"=
"c:\\Program Files\\FSFDT\\FSInn UI VVL\\FSInnUIVVL.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\feelThere\\b737\\737setup.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\Update.exe"=
"c:\\Program Files\\FSFDT\\FWInn\\FWINN64.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Real Environment Xtreme 2.0\\rexwxengine2.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Apps\\2.0\\OENELP7W.1LQ\\JHMM0REJ.ZCT\\acar..tion_c603f141f5d06682_0002.000c_84b0b64057e101c1\\ACARS.exe"=
"c:\\Documents and Settings\\Bill\\Application Data\\Tencent\\QQ\\STemp\\~TXQQIntl~0\\program files\\Tencent\\QQIntl\\Bin\\QQ.exe"=
"c:\\Documents and Settings\\Bill\\Application Data\\Tencent\\QQ\\STemp\\~TXQQIntl~0\\program files\\Tencent\\QQIntl\\Bin\\auclt.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Apps\\2.0\\OENELP7W.1LQ\\JHMM0REJ.ZCT\\acar..tion_d3355201e441073d_0002.000d_901a5af215981e5c\\ACARS.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Apps\\2.0\\OENELP7W.1LQ\\JHMM0REJ.ZCT\\acar..tion_d3355201e441073d_0002.000d_6c5ded94660015dc\\ACARS.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R3 SaiH0763;SaiH0763;c:\windows\system32\drivers\SaiH0763.sys [2/15/2008 5:51 PM 136832]
R3 SaiH0BAC;SaiH0BAC;c:\windows\system32\drivers\SaiH0BAC.sys [7/2/2007 8:36 AM 138112]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [6/14/2009 1:59 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://srch-us10.hpwis.com/
uInternet Settings,ProxyOverride = <local>
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
IE: {{8DE0FCD4-5EB5-11D3-AD25-00002100131B} - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - c:\progra~1\Kingsoft\XDict\IEPlugin.dll
IE: {{C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - c:\progra~1\Kingsoft\XDict\IEPlugin.dll
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-19 18:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):1e,cb,d4,c1,b2,88,02,c6,be,2a,61,b1,2e,75,1c,24,d9,d8,8b,4f,d2,
06,aa,99,17,92,5a,50,d2,f4,9c,c5,48,3e,d8,55,06,05,b4,b2,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{86e781ac-84a8-4deb-ab81-869fdafdf293}]
@Denied: (Full) (Everyone)
"Model"=dword:0000010d
"Therad"=dword:00000012
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
.
**************************************************************************
.
Completion time: 2011-09-19 18:41:39 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-20 01:41
ComboFix2.txt 2011-09-19 16:10
ComboFix3.txt 2011-09-19 03:23
.
Pre-Run: 79,804,895,232 bytes free
Post-Run: 80,278,593,536 bytes free
.
- - End Of File - - 291CE9A1B08AEEE5DC83918AD650504A


SystemLook 30.07.11 by jpshortstuff
Log created at 18:45 on 19/09/2011 by Bill
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC]
"Type"= 0x0000000001 (1)
"Start"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)
"Tag"= 0x0000000004 (4)
"ImagePath"="System32\DRIVERS\ipsec.sys"
"DisplayName"="IPSEC driver"
"Group"="PNP_TDI"
"Description"="IPSEC driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\Security]
"Security"=01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 (REG_BINARY)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\Enum]
"0"="Root\LEGACY_IPSEC\0000"
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_IPSEC]
"NextInstance"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_IPSEC\0000]
"Service"="IPSec"
"Legacy"= 0x0000000001 (1)
"ConfigFlags"= 0x0000000000 (0)
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="IPSEC driver"
"Capabilities"= 0x0000000000 (0)
"Driver"="{8ECC055D-047F-11D1-A537-0000F8753ED1}\0015"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_IPSEC\0000\LogConf]
(No values found)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\Legacy_IPSEC\0000\Control]
"ActiveService"="IPSec"


-= EOF =-

#9 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 19 September 2011 - 11:32 PM

Hi beachdog2001,



Step 1

  • Close any open browsers
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Go here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
DDS::
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"=-


Save this as CFScript.txt, change the "Save as type" to "All Files", and place it on your desktop.

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step 2

Please go to this thread to download TCP/IP repair. Click on the two buttons (reset/repair). Reboot your PC afterwards and check your connection.

Click Start > Run, type/paste ipconfig /flushdns into the Run box and hit Enter. Refer to this thread if you don't know how.

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

Open IE, select Tools > Internet Options. Select the Connections tab.
  • If you are using LAN, click "LAN Settings" button. If you are using Dial-up or Virtual Private Network connection, select necessary connection and click "Settings" button.
  • In the "Proxy Server" area, uncheck the check mark next to Use a proxy server for ....
  • Click OK.
  • Click the Privacy tab and press the Sites button; click the Remove all button if any URLs are listed.
  • Click the Advanced tab and click on the Reset button.
  • In the Reset Internet Explorer Settings dialog box, click Reset to confirm.

After that, what I'd like you to do is a hard reset of your router if you have one. Leave it on; there should be a little pinhole in the back of the unit. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). Then change your admin login and password, and make it a strong password. You may also want to ask your ISP for help in case there are custom settings that need to be maintained.



Step 3

  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Under the Standard Registry box change it to All
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste the following bolded text:


    /md5start
    explorer.exe
    winlogon.exe
    userinit.exe
    svchost.exe
    volsnap.sys
    afd.sys
    /md5stop
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.*
    %SYSTEMDRIVE%\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    C:\program files\common files\data\* /s
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  • Copy and paste both logs back here in your next reply.


In your next reply, please post back:

1. ComboFix.txt
2. OTListIt.txt and Extra.txt

Thanks

Let me know if you have any remaining issues on your pc.
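The CFScript in Step 1 tells ComboFix to rewrite three registry locations. As an added example (not code from the post, the helper or ComboFix), the Python script below decodes such a Registry:: block, including the hex(7) BootExecute value, so a reader can confirm what the fix writes and deletes before running it; the sample input is the script from this post, and the stock BootExecute value it compares against is the Windows default, not something taken from the page.

```python
"""Added example (not from the post or ComboFix): decode the Registry:: section
of a CFScript so a reviewer can see what each line writes or deletes first."""
import re
from dataclasses import dataclass

# Constructed sample: the Registry:: block quoted from the CFScript in the post.
SAMPLE_CFSCRIPT = r"""DDS::
uInternet Settings,ProxyOverride = <local>

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"=-
"""

# Stock BootExecute on XP; a changed value is worth a second look after a rootkit.
WINDOWS_DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]

@dataclass
class RegAction:
    key: str
    op: str            # "set" | "delete_value" | "delete_key"
    name: str = ""     # value name; "@" is the key's default value
    kind: str = ""     # "sz" | "dword" | "multi_sz" | "hex" | "hex(n)"
    value: object = None

def decode_multi_sz(raw: bytes) -> list[str]:
    """Split a REG_MULTI_SZ blob into its strings.  REGEDIT4-style exports (the
    format ComboFix uses) hold one byte per character; 'Windows Registry Editor
    Version 5.00' exports are UTF-16LE."""
    utf16 = bool(raw) and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    text = raw.decode("utf-16-le") if utf16 else raw.decode("latin-1")
    return [s for s in text.split("\x00") if s]

def _parse_value(spec: str) -> tuple[str, object]:
    """Interpret the right-hand side of a "name"=... line."""
    if spec == "-":                                   # "name"=-  deletes the value
        return "delete", None
    if len(spec) >= 2 and spec[0] == '"' and spec[-1] == '"':
        return "sz", spec[1:-1]
    if spec.startswith("dword:"):
        return "dword", int(spec[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", spec)
    if m:
        raw = bytes.fromhex(re.sub(r"[,\\\s]", "", m.group(2)))
        if m.group(1) == "7":
            return "multi_sz", decode_multi_sz(raw)
        return ("hex" if m.group(1) is None else f"hex({m.group(1)})"), raw
    return "unknown", spec

def parse_cfscript_registry(text: str) -> list[RegAction]:
    """Return the registry actions a CFScript will perform, in order."""
    actions: list[RegAction] = []
    section = key = None
    for line in text.replace("\\\n", "").splitlines():   # join continued lines
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):                       # DDS::, Registry::, File:: ...
            section = line[:-2]
        elif section != "Registry":
            continue
        elif line.startswith("[-") and line.endswith("]"):   # [-KEY] deletes the key
            actions.append(RegAction(line[2:-1], "delete_key"))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
            if m:
                name = "@" if m.group(1) is None else m.group(1)
                kind, value = _parse_value(m.group(2).strip())
                if kind == "delete":
                    actions.append(RegAction(key, "delete_value", name))
                else:
                    actions.append(RegAction(key, "set", name, kind, value))
    return actions

def describe(actions: list[RegAction]) -> list[str]:
    """One plain-language line per action, noting a BootExecute restore."""
    out = []
    for a in actions:
        if a.op == "delete_key":
            out.append(f"DELETE KEY   {a.key}")
        elif a.op == "delete_value":
            out.append(f"DELETE VALUE {a.key} -> {a.name}")
        else:
            note = ""
            if a.name.lower() == "bootexecute" and a.value == WINDOWS_DEFAULT_BOOTEXECUTE:
                note = "   (restores the stock Windows value)"
            out.append(f"SET {a.kind:<9}{a.key} -> {a.name} = {a.value!r}{note}")
    return out

if __name__ == "__main__":
    print("\n".join(describe(parse_cfscript_registry(SAMPLE_CFSCRIPT))))
```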

#10 beachdog2001

  • Topic Starter
  • Members
  • 28 posts

Posted 20 September 2011 - 01:35 AM

Thanks for the help so far. Did everything you suggested and still no internet connection. After running OTL, I did NOT run any of the OTL FIX options. Once we get this issue dealt with, we can move onto the other issue which was that I can't install NOD32 and I also had the problem where .exe files wouldn't run either because I didn't have permission or the path couldn't be found. Doesn't seem like much of a problem now but there could be other programs like this that I don't know about yet. Need to check this somehow. Also, earlier problem was that GMER couldn't finish running for some reason. Maybe these are all related.

Combofix.txt

ComboFix 11-09-19.01 - Bill 09/19/2011 22:44:08.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1608 [GMT -7:00]
Running from: c:\documents and settings\Bill\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bill\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Pass LEGAL for license information. Built Sat Jun 25 23:20 2011c:\windows\system32\nvdispco3220150.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-20 to 2011-09-20 )))))))))))))))))))))))))))))))
.
.
2011-09-18 23:32 . 2011-09-18 23:32 -------- d--h--w- c:\windows\PIF
2011-09-18 21:17 . 2011-09-18 21:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-09-18 17:41 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-09-18 17:41 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-09-16 12:59 . 2011-09-16 12:59 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-09-16 12:46 . 2011-09-16 12:46 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-09-16 12:41 . 2011-08-16 09:18 12288 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\PMDG\dlls\PMDG_HUD_interface.dll
2011-09-16 12:41 . 2011-07-29 23:33 1193984 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\PMDG\Livery Manager\PMDG_Livery_Manager.exe
2011-09-16 12:41 . 2011-08-16 09:40 4542464 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\PMDG_737NGX_2.dll
2011-09-16 12:41 . 2011-02-16 07:39 536576 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\PMDG_737NGX_3.dll
2011-09-16 12:40 . 2011-08-16 09:40 96723456 ----a-w- c:\program files\Microsoft Games\Microsoft Flight Simulator X\Gauges\PMDG_737NGX.dll
2011-09-16 12:40 . 2010-11-21 01:01 268624 ----a-r- c:\program files\Microsoft Games\Microsoft Flight Simulator X\FnpCommsSoap.dll
2011-09-05 17:04 . 2011-09-05 17:04 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-16 12:36 . 2011-07-01 01:27 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-11 17:07 . 2009-08-09 22:45 4184 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2011-09-01 00:00 . 2011-02-21 19:10 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-30 21:02 . 2011-06-30 21:02 106496 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
2011-06-30 21:02 . 2011-06-30 21:02 106496 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
2011-06-30 21:02 . 2011-06-30 21:02 106496 ----a-r- c:\documents and settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
2010-02-28 22:22 . 2010-02-28 22:07 640221 ----a-w- c:\program files\UninstallNA.exe
2009-11-20 22:00 . 2009-11-20 21:49 514546 ----a-w- c:\program files\UninstalEurope.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-19_16.08.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2003-12-17 04:29 . 2011-09-20 01:36 88722 c:\windows\system32\perfc009.dat
- 2003-12-17 04:29 . 2011-09-19 03:31 88722 c:\windows\system32\perfc009.dat
+ 2003-12-17 04:29 . 2011-09-20 01:36 503868 c:\windows\system32\perfh009.dat
- 2003-12-17 04:29 . 2011-09-19 03:31 503868 c:\windows\system32\perfh009.dat
+ 2009-06-14 08:55 . 2008-04-13 19:19 138112 c:\windows\system32\drivers\afd.sys
+ 2009-06-14 08:55 . 2008-04-13 19:19 138112 c:\windows\system32\dllcache\afd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-6-18 53248]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PowerWord 2002.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PowerWord 2002.lnk
backup=c:\windows\pss\PowerWord 2002.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 19:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
2003-06-19 03:19 53248 ----a-w- c:\hp\bin\AUTOTKIT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2008-04-14 00:12 50176 ----a-w- c:\windows\eHome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-10-03 05:19 118784 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-16 23:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-02-16 23:15 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 23:44 61440 ----a-w- c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2011-05-25 06:09 13895272 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2011-05-25 06:09 111208 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2009-06-23 02:29 83232 ----a-w- c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 23:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-15 18:22 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
2003-08-15 03:11 139264 ----a-w- c:\program files\Multimedia Card Reader\shwicon2k.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 17:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"SysmonLog"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"Messenger"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"ehSched"=2 (0x2)
"CiSvc"=3 (0x3)
"Alerter"=3 (0x3)
"mnmsrvc"=3 (0x3)
"O&O Defrag"=2 (0x2)
"YahooAUService"=2 (0x2)
"nvUpdatusService"=2 (0x2)
"NVSvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FSFDT\\Control Panel\\FSFDTCP.exe"=
"c:\\Program Files\\FSFDT\\FWInn\\FWINN.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Program Files\\FSFDT\\FSInn UI\\FSInnUI.exe"=
"c:\\Program Files\\FSFDT\\FSInn UI VVL\\FSInnUIVVL.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\feelThere\\b737\\737setup.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\Update.exe"=
"c:\\Program Files\\FSFDT\\FWInn\\FWINN64.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Real Environment Xtreme 2.0\\rexwxengine2.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Apps\\2.0\\OENELP7W.1LQ\\JHMM0REJ.ZCT\\acar..tion_c603f141f5d06682_0002.000c_84b0b64057e101c1\\ACARS.exe"=
"c:\\Documents and Settings\\Bill\\Application Data\\Tencent\\QQ\\STemp\\~TXQQIntl~0\\program files\\Tencent\\QQIntl\\Bin\\QQ.exe"=
"c:\\Documents and Settings\\Bill\\Application Data\\Tencent\\QQ\\STemp\\~TXQQIntl~0\\program files\\Tencent\\QQIntl\\Bin\\auclt.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Apps\\2.0\\OENELP7W.1LQ\\JHMM0REJ.ZCT\\acar..tion_d3355201e441073d_0002.000d_901a5af215981e5c\\ACARS.exe"=
"c:\\Documents and Settings\\Bill\\Local Settings\\Apps\\2.0\\OENELP7W.1LQ\\JHMM0REJ.ZCT\\acar..tion_d3355201e441073d_0002.000d_6c5ded94660015dc\\ACARS.exe"=
.
R3 SaiH0763;SaiH0763;c:\windows\system32\drivers\SaiH0763.sys [2/15/2008 5:51 PM 136832]
R3 SaiH0BAC;SaiH0BAC;c:\windows\system32\drivers\SaiH0BAC.sys [7/2/2007 8:36 AM 138112]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [6/14/2009 1:59 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://srch-us10.hpwis.com/
IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
IE: {{8DE0FCD4-5EB5-11D3-AD25-00002100131B} - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - c:\progra~1\Kingsoft\XDict\IEPlugin.dll
IE: {{C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - c:\progra~1\Kingsoft\XDict\IEPlugin.dll
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-19 22:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):1e,cb,d4,c1,b2,88,02,c6,be,2a,61,b1,2e,75,1c,24,d9,d8,8b,4f,d2,
06,aa,99,17,92,5a,50,d2,f4,9c,c5,48,3e,d8,55,06,05,b4,b2,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{86e781ac-84a8-4deb-ab81-869fdafdf293}]
@Denied: (Full) (Everyone)
"Model"=dword:0000010d
"Therad"=dword:00000012
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="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"
.
Completion time: 2011-09-19 22:56:55
ComboFix-quarantined-files.txt 2011-09-20 05:56
ComboFix2.txt 2011-09-20 01:41
ComboFix3.txt 2011-09-19 16:10
ComboFix4.txt 2011-09-19 03:23
.
Pre-Run: 80,282,370,048 bytes free
Post-Run: 80,267,096,064 bytes free
.
- - End Of File - - 7762902286126658B76A2212939F7EE0

OTL.txt
OTL logfile created on: 9/19/2011 11:15:09 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Bill\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.68 Gb Available Physical Memory | 84.20% Memory free
4.92 Gb Paging File | 4.73 Gb Available in Paging File | 96.18% Paging File free
Paging file location(s): C:\pagefile.sys 3072 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 180.27 Gb Total Space | 74.77 Gb Free Space | 41.48% Space Free | Partition Type: NTFS
Drive D: | 6.03 Gb Total Space | 1.01 Gb Free Space | 16.81% Space Free | Partition Type: NTFS
Drive K: | 0.36 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 1.81 Gb Total Space | 1.76 Gb Free Space | 97.12% Space Free | Partition Type: FAT

Computer Name: HPPC | User Name: Bill | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/19 22:43:30 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill\Desktop\OTL.exe
PRC - [2011/09/16 05:46:04 | 001,044,816 | ---- | M] (Flexera Software, Inc.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - [2011/09/16 05:46:04 | 001,044,816 | ---- | M] (Flexera Software, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/07/24 11:15:14 | 000,185,632 | ---- | M] (Protexis Inc.) [On_Demand | Stopped] -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe -- (PSI_SVC_2)
SRV - [2006/06/02 01:52:58 | 000,339,456 | ---- | M] (O&O Software GmbH) [Disabled | Stopped] -- C:\WINDOWS\system32\oodag.exe -- (O&O Defrag)


========== Driver Services (SafeList) ==========

DRV - [2009/03/25 06:29:52 | 000,130,432 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2009/03/05 19:22:56 | 000,138,112 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SaiH0BAC.sys -- (SaiH0BAC)
DRV - [2008/02/15 17:51:22 | 000,136,832 | ---- | M] (Saitek) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SaiH0763.sys -- (SaiH0763)
DRV - [2004/10/07 18:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/10/01 10:24:02 | 002,279,424 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2003/09/03 10:01:22 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/08/13 21:50:36 | 000,039,648 | ---- | M] (Alcor Micro Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Sunkfilt.sys -- (SunkFilt)
DRV - [2002/10/04 16:04:10 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2001/06/04 15:00:00 | 000,014,112 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 89 DD B6 01 AA E2 24 42 AD 29 99 83 12 17 A8 58 [binary data]
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 89 DD B6 01 AA E2 24 42 AD 29 99 83 12 17 A8 58 [binary data]
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 89 DD B6 01 AA E2 24 42 AD 29 99 83 12 17 A8 58 [binary data]
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 89 DD B6 01 AA E2 24 42 AD 29 99 83 12 17 A8 58 [binary data]
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2354447427-3512076405-1411424341-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-2354447427-3512076405-1411424341-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@qq.com/npqscall,version=1.0.0: %commonprogramfiles%\tencent\NPQSCALL\npqscall.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2011/09/19 22:53:20 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2354447427-3512076405-1411424341-1007\..\Toolbar\ShellBrowser: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No CLSID value found.
O3 - HKU\S-1-5-21-2354447427-3512076405-1411424341-1007\..\Toolbar\WebBrowser: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No CLSID value found.
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoTBar.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2354447427-3512076405-1411424341-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2354447427-3512076405-1411424341-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2354447427-3512076405-1411424341-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2354447427-3512076405-1411424341-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Joyo - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\Program Files\Kingsoft\XDict\IEPlugin.dll ()
O9 - Extra Button: PowerWord - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\Program Files\Kingsoft\XDict\IEPlugin.dll ()
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O15 - HKU\S-1-5-21-2354447427-3512076405-1411424341-1007\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1304915029234 (MUWebControl Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A547F9FC-DD17-4442-A11E-870E2F98F8A8}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Bill\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Bill\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003/12/16 22:45:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/06/12 17:32:07 | 000,000,279 | R--- | M] () - K:\AutoRun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/19 23:12:15 | 000,582,656 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bill\Desktop\OTL.exe
[2011/09/19 23:01:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\XP TCPIP Repair
[2011/09/19 23:01:09 | 000,000,000 | ---D | C] -- C:\Program Files\XP TCPIP Repair
[2011/09/19 22:56:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2011/09/19 22:41:27 | 004,218,004 | R--- | C] (Swearware) -- C:\Documents and Settings\Bill\Desktop\ComboFix.exe
[2011/09/19 09:52:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bill\Desktop\gmer
[2011/09/19 09:32:46 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Bill\Desktop\aswMBR.exe
[2011/09/19 09:29:12 | 001,404,208 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Bill\Desktop\TDSSKiller.exe
[2011/09/19 09:00:56 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/09/19 09:00:56 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/09/19 09:00:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/09/19 09:00:56 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/09/19 09:00:42 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/09/19 08:16:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/09/18 19:12:15 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/09/18 19:09:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/09/18 17:24:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/09/18 16:32:10 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2011/09/18 16:28:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/09/18 16:22:34 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Bill\Recent
[2011/09/18 14:43:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/09/18 14:43:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/09/18 14:24:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/09/18 14:24:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/09/16 05:59:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2011/09/16 05:46:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Macrovision Shared
[2011/09/16 05:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PMDG Simulations
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/19 23:04:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/19 22:53:20 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/19 22:43:30 | 000,582,656 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill\Desktop\OTL.exe
[2011/09/19 19:27:52 | 003,913,959 | ---- | M] () -- C:\WINDOWS\System32\OODBS.lor
[2011/09/19 18:36:56 | 000,503,868 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/09/19 18:36:56 | 000,088,722 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/09/19 17:10:34 | 000,139,264 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\SystemLook.exe
[2011/09/19 09:33:47 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Bill\Desktop\MBR.dat
[2011/09/19 09:31:32 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Bill\Desktop\aswMBR.exe
[2011/09/19 08:58:32 | 004,218,004 | R--- | M] (Swearware) -- C:\Documents and Settings\Bill\Desktop\ComboFix.exe
[2011/09/19 08:17:33 | 000,702,658 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/09/18 19:56:49 | 000,000,353 | RHS- | M] () -- C:\boot.ini
[2011/09/18 19:50:27 | 000,001,634 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to ACARS.exe.lnk
[2011/09/18 16:20:26 | 000,000,237 | ---- | M] () -- C:\Boot.bak
[2011/09/16 15:03:31 | 000,002,367 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Internet Explorer\Quick Launch\Navigraph nDAC 3.lnk
[2011/09/16 13:58:37 | 000,000,328 | ---- | M] () -- C:\WINDOWS\CDU.1
[2011/09/16 13:58:37 | 000,000,328 | ---- | M] () -- C:\WINDOWS\CDU.0
[2011/09/16 13:58:36 | 000,000,587 | ---- | M] () -- C:\WINDOWS\Pitch Target
[2011/09/16 13:58:36 | 000,000,572 | ---- | M] () -- C:\WINDOWS\Roll Target
[2011/09/16 13:58:36 | 000,000,567 | ---- | M] () -- C:\WINDOWS\Roll Error
[2011/09/16 13:58:36 | 000,000,567 | ---- | M] () -- C:\WINDOWS\Pitch Error
[2011/09/16 13:58:36 | 000,000,567 | ---- | M] () -- C:\WINDOWS\Gyro Speed
[2011/09/16 13:58:36 | 000,000,524 | ---- | M] () -- C:\WINDOWS\Mode2ATimer
[2011/09/16 13:58:36 | 000,000,524 | ---- | M] () -- C:\WINDOWS\Mode2_AltGain_timer
[2011/09/16 13:58:36 | 000,000,521 | ---- | M] () -- C:\WINDOWS\Mode2BTimer
[2011/09/16 07:07:14 | 000,273,504 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/09/16 07:07:14 | 000,273,504 | ---- | M] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/09/16 07:07:14 | 000,000,001 | ---- | M] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/09/15 10:07:35 | 000,000,068 | ---- | M] () -- C:\WINDOWS\XDICT.INI
[2011/09/15 09:46:13 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/13 15:56:28 | 001,404,208 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Bill\Desktop\TDSSKiller.exe
[2011/09/11 10:07:12 | 000,004,184 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/19 17:16:32 | 000,139,264 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\SystemLook.exe
[2011/09/19 09:33:47 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Bill\Desktop\MBR.dat
[2011/09/19 09:00:56 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/09/19 09:00:56 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/09/19 09:00:56 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/09/19 09:00:56 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/09/19 09:00:56 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/09/19 08:17:10 | 000,702,658 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
[2011/09/18 19:50:27 | 000,001,634 | ---- | C] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Internet Explorer\Quick Launch\Shortcut to ACARS.exe.lnk
[2011/09/16 06:32:21 | 000,000,328 | ---- | C] () -- C:\WINDOWS\CDU.1
[2011/09/16 06:32:21 | 000,000,328 | ---- | C] () -- C:\WINDOWS\CDU.0
[2011/09/16 06:32:20 | 000,000,587 | ---- | C] () -- C:\WINDOWS\Pitch Target
[2011/09/16 06:32:20 | 000,000,572 | ---- | C] () -- C:\WINDOWS\Roll Target
[2011/09/16 06:32:20 | 000,000,567 | ---- | C] () -- C:\WINDOWS\Roll Error
[2011/09/16 06:32:20 | 000,000,567 | ---- | C] () -- C:\WINDOWS\Pitch Error
[2011/09/16 06:32:20 | 000,000,567 | ---- | C] () -- C:\WINDOWS\Gyro Speed
[2011/09/16 06:32:20 | 000,000,524 | ---- | C] () -- C:\WINDOWS\Mode2ATimer
[2011/09/16 06:32:20 | 000,000,524 | ---- | C] () -- C:\WINDOWS\Mode2_AltGain_timer
[2011/09/16 06:32:20 | 000,000,521 | ---- | C] () -- C:\WINDOWS\Mode2BTimer
[2011/07/23 12:21:37 | 000,273,504 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb1.bin
[2011/07/23 12:21:37 | 000,273,504 | ---- | C] () -- C:\WINDOWS\System32\nvdrsdb0.bin
[2011/07/23 12:21:37 | 000,000,001 | ---- | C] () -- C:\WINDOWS\System32\nvdrssel.bin
[2011/07/23 12:21:18 | 002,123,582 | ---- | C] () -- C:\WINDOWS\System32\nvdata.data
[2011/07/06 16:28:13 | 000,013,156 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\oho45670jhtln10456ryx7n76ua8ewi4y71308qj
[2010/09/10 09:06:22 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\Bill\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/30 22:52:04 | 000,128,152 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/08/25 22:15:57 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Bill\Application Data\PFP120JPR.{PB
[2010/08/25 22:15:57 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Bill\Application Data\PFP120JCM.{PB
[2010/08/25 21:50:56 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Bill\Local Settings\Application Data\fusioncache.dat
[2010/02/28 15:07:25 | 000,640,221 | ---- | C] () -- C:\Program Files\UninstallNA.exe
[2009/11/20 14:49:14 | 000,514,546 | ---- | C] () -- C:\Program Files\UninstalEurope.exe
[2009/10/31 20:41:49 | 000,000,090 | -HS- | C] () -- C:\WINDOWS\cnerolf.dat
[2009/08/09 15:45:11 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\16930FCD41.sys
[2009/08/09 15:45:10 | 000,004,184 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2009/06/26 12:49:55 | 000,000,487 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/06/24 16:57:30 | 000,000,068 | ---- | C] () -- C:\WINDOWS\XDICT.INI
[2009/06/15 16:02:58 | 000,000,014 | ---- | C] () -- C:\Program Files\settings.cfg
[2009/06/14 21:11:17 | 000,000,090 | -HS- | C] () -- C:\WINDOWS\cnerolf.bin
[2009/06/14 20:53:04 | 000,001,747 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2009/06/14 18:21:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\exctrlst.INI
[2009/06/14 14:17:56 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2009/06/14 13:30:23 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2009/06/14 13:30:23 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2009/06/14 01:58:34 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2009/06/14 01:58:34 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2009/06/14 01:58:30 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2009/06/14 01:58:25 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2009/06/14 01:58:16 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2009/06/14 01:57:48 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2009/06/14 01:57:48 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2009/06/14 01:56:33 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2009/06/14 01:56:03 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2009/03/03 12:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll
[2008/02/15 17:51:22 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\SaiC0763.Dll
[2008/02/15 17:51:22 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\SaiC0763_0C.dll
[2008/02/15 17:51:22 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC0763_10.dll
[2008/02/15 17:51:22 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC0763_0A.dll
[2008/02/15 17:51:22 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC0763_07.dll
[2008/02/15 17:51:22 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\SaiC0763_09.dll
[2008/02/15 17:51:22 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\SaiC0763_0402.dll
[2008/02/15 17:51:22 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\SaiC0763_11.dll
[2007/07/02 08:50:54 | 000,007,168 | ---- | C] () -- C:\WINDOWS\System32\SaiC0BAC_0402.dll
[2007/07/02 08:50:54 | 000,005,632 | ---- | C] () -- C:\WINDOWS\System32\SaiC0BAC_11.dll
[2007/07/02 08:50:52 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\SaiC0BAC_0C.dll
[2007/07/02 08:50:52 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC0BAC_10.dll
[2007/07/02 08:50:52 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC0BAC_0A.dll
[2007/07/02 08:50:52 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\SaiC0BAC_09.dll
[2007/07/02 08:50:50 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\SaiC0BAC_07.dll
[2007/07/02 08:46:40 | 000,851,968 | ---- | C] () -- C:\WINDOWS\System32\SaiC0BAC.Dll
[2006/03/09 07:21:33 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2003/12/17 07:08:40 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003/12/17 06:29:26 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\mshrml.ini
[2003/12/17 02:09:37 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2003/12/17 02:09:02 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2003/12/17 02:09:02 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2003/12/17 02:04:11 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2003/12/17 01:47:28 | 000,090,112 | R--- | C] () -- C:\WINDOWS\bwUnin-6.2.3.66.exe
[2003/12/17 01:45:51 | 000,029,259 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2003/12/17 01:45:28 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\syscontr.dll
[2003/12/17 01:44:51 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2003/12/17 01:39:03 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2003/12/17 01:24:09 | 000,000,892 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2003/12/17 00:10:11 | 000,014,676 | ---- | C] () -- C:\WINDOWS\hpdins01.dat
[2003/12/17 00:10:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpzmdl01.dat
[2003/12/16 23:50:31 | 000,001,040 | ---- | C] () -- C:\WINDOWS\System32\drivers\alcxinit.dat
[2003/12/16 23:09:08 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2003/12/16 23:09:08 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2003/12/16 23:08:44 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2003/12/16 22:50:41 | 000,000,813 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/12/16 22:48:41 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/12/16 22:41:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/12/16 21:30:15 | 000,000,667 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/12/16 21:29:11 | 000,503,868 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/12/16 21:29:11 | 000,088,722 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/12/16 14:35:04 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/12/16 14:34:04 | 000,222,432 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/11/12 11:54:00 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/09/23 01:19:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

========== LOP Check ==========

[2009/07/24 16:05:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland
[2010/05/24 07:50:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Caphyon
[2009/06/16 00:12:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CaptainSim
[2009/06/14 12:20:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2011/09/18 08:20:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\METAR_Temp
[2010/11/27 19:53:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Navigraph
[2010/08/26 10:50:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nHancer
[2009/06/14 19:43:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Saitek
[2009/08/24 16:50:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2011/09/19 08:30:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/07/12 08:20:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\ACARS
[2010/11/16 09:02:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\DMCache
[2011/07/14 20:21:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\ElevatedDiagnostics
[2003/12/17 06:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\interMute
[2010/08/25 22:16:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\InterVideo
[2010/08/25 22:16:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\KSE
[2011/05/02 08:07:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\SampleView
[2011/04/19 22:37:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Tencent
[2003/12/17 06:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\interMute
[2003/12/17 06:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Michelle\Application Data\interMute

========== Purity Check ==========



========== Custom Scans ==========


< >


< MD5 for: AFD.SYS >
[2008/04/13 12:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\ServicePackFiles\i386\afd.sys
[2008/04/13 12:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\system32\dllcache\afd.sys
[2008/04/13 12:19:23 | 000,138,112 | ---- | M] (Microsoft Corporation) MD5=322D0E36693D6E24A2398BEE62A268CD -- C:\WINDOWS\system32\drivers\afd.sys
[2008/10/16 08:07:58 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=38D7B715504DA4741DF35E3594FE2099 -- C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008/08/14 03:34:26 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=4D43E74F2A1239D53929B82600F1971C -- C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2008/08/14 02:51:43 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=55E6E1C51B6D30E54335750955453702 -- C:\WINDOWS\$NtServicePackUninstall$\afd.sys
[2008/08/14 02:48:52 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=6A0397376853E604DE8E1E7A87FC08AC -- C:\WINDOWS\$hf_mig$\KB956803\SP2QFE\afd.sys
[2008/08/14 03:04:36 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=7E775010EF291DA96AD17CA4B17137D7 -- C:\WINDOWS\$hf_mig$\KB956803\SP3GDR\afd.sys
[2011/02/16 06:25:05 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=8D499B1276012EB907E7A9E0F4D8FDA4 -- C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2008/06/20 04:48:03 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=D6EE6014241D034E63C49A50CB2B442A -- C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008/06/20 03:44:08 | 000,138,368 | ---- | M] (Microsoft Corporation) MD5=D99DDFFB33DEACDCF20717CB520379F6 -- C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
[2008/06/20 04:40:08 | 000,138,496 | ---- | M] (Microsoft Corporation) MD5=E3049B90FE06F3F740B7CFDA44995E2C -- C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys

< MD5 for: EXPLORER.EXE >
[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 04:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 03:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ERDNT\cache\svchost.exe
[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/13 17:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe
[2004/08/04 00:56:57 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 00:56:57 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/13 17:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< MD5 for: VOLSNAP.SYS >
[2008/04/13 11:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\ServicePackFiles\i386\volsnap.sys
[2008/04/13 11:41:01 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=4C8FCB5CC53AAB716D810740FE59D025 -- C:\WINDOWS\system32\drivers\volsnap.sys
[2004/08/03 23:00:16 | 000,052,352 | ---- | M] (Microsoft Corporation) MD5=EE4660083DEBA849FF6C485D944B379B -- C:\WINDOWS\$NtServicePackUninstall$\volsnap.sys

< MD5 for: WINLOGON.EXE >
[2004/08/04 00:56:57 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 17:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 17:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 17:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %ALLUSERSPROFILE%\Application Data\*. >
[2011/07/02 10:10:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/06/14 21:01:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/09/25 21:23:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/07/24 16:05:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Borland
[2010/05/24 07:50:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Caphyon
[2009/06/16 00:12:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CaptainSim
[2009/08/09 15:44:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Corel
[2009/06/14 12:20:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2011/09/16 05:59:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FLEXnet
[2009/06/15 20:59:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InstallShield
[2011/02/21 12:11:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/09/18 08:20:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\METAR_Temp
[2011/07/03 14:20:01 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2011/07/14 21:56:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2010/11/27 19:53:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Navigraph
[2010/08/26 10:50:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\nHancer
[2011/07/23 23:06:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NVIDIA
[2011/07/23 10:24:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NVIDIA Corporation
[2009/06/14 19:43:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Saitek
[2003/12/16 22:51:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/08/24 16:50:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2011/09/18 16:22:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/09/19 08:30:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/06/14 14:06:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2010/08/29 16:19:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!

< %ALLUSERSPROFILE%\Application Data\*.exe /s >
[2011/03/30 10:29:02 | 000,319,400 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.0.1\5820\AcrobatUpdater.exe
[2011/03/30 10:29:02 | 000,937,920 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.0.1\5820\AdobeARM.exe
[2011/03/30 10:29:02 | 000,319,400 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Application Data\Adobe\ARM\Reader_10.0.1\5820\ReaderUpdater.exe
[2010/07/26 21:37:22 | 001,040,198 | ---- | M] (KSE) -- C:\Documents and Settings\All Users\Application Data\Caphyon\Advanced Installer\{7D66915F-05FF-4F59-B2D3-AA2E58506F72}\nHancer32Setup.exe
[2009/09/15 07:56:28 | 007,386,384 | ---- | M] (Acresso Software Inc.) -- C:\Documents and Settings\All Users\Application Data\Corel\Downloads\540232237_910008\1251059117272\WPOX4HF2.exe
[2011/09/18 15:21:42 | 009,852,544 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
[2010/07/21 21:56:23 | 027,630,760 | ---- | M] (Yahoo! Inc.) -- C:\Documents and Settings\All Users\Application Data\Yahoo!\YUPDATER\msgup1000_1270_us_u1.exe
[2010/06/14 17:23:14 | 000,607,472 | ---- | M] (Yahoo! Inc.) -- C:\Documents and Settings\All Users\Application Data\Yahoo!\YUPDATER\yupdater.exe

< %APPDATA%\*. >
[2011/07/12 08:20:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\ACARS
[2011/02/20 12:24:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Adobe
[2010/08/25 22:16:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Apple Computer
[2010/08/25 22:16:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Corel
[2010/11/16 09:02:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\DMCache
[2011/07/14 20:21:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\ElevatedDiagnostics
[2010/08/25 22:16:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Help
[2003/12/16 22:46:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Identities
[2010/08/25 22:16:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\InstallShield
[2003/12/17 06:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\interMute
[2010/08/25 22:16:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\InterVideo
[2010/08/25 22:16:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\KSE
[2010/08/25 22:16:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Macromedia
[2011/02/21 12:11:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Malwarebytes
[2011/09/18 11:27:21 | 000,000,000 | --SD | M] -- C:\Documents and Settings\Bill\Application Data\Microsoft
[2010/09/12 20:35:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Real Environment Simulations, Inc
[2011/05/02 08:07:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\SampleView
[2010/08/25 22:15:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Sonic
[2003/12/16 23:32:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Sun
[2011/09/19 20:52:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\teamspeak2
[2011/04/19 22:37:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Tencent
[2010/08/25 22:15:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\WinRAR
[2010/08/29 16:32:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Bill\Application Data\Yahoo!

< %APPDATA%\*.exe /s >
[2008/02/26 14:43:54 | 000,655,136 | ---- | M] (Corel Corporation) -- C:\Documents and Settings\Bill\Application Data\Corel\WordPerfect Office X4\User Config\InitLBar.exe
[2011/04/19 22:36:17 | 000,106,496 | R--- | M] (Macrovision Corporation) -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
[2011/04/19 22:36:17 | 000,106,496 | R--- | M] (Macrovision Corporation) -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
[2011/06/30 14:02:42 | 000,018,718 | R--- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\ARPPRODUCTICON.exe
[2011/06/30 14:02:42 | 000,106,496 | R--- | M] (Macrovision Corporation) -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut1_EDD4ABB1C1B34A9D84CE33FBFB5D3639.exe
[2011/06/30 14:02:42 | 000,018,718 | R--- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut2_E88611396FF84AFCB2EE5C1594058E02.exe
[2011/06/30 14:02:42 | 000,106,496 | R--- | M] (Macrovision Corporation) -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut311_0951773981FA4AB2BC21B7DCEC95892A.exe
[2011/06/30 14:02:42 | 000,106,496 | R--- | M] (Macrovision Corporation) -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{3CA54984-A14B-42FE-9FF1-7EA90151D725}\NewShortcut31_2F252077BA3F4362913955273A708467.exe
[2003/12/17 01:19:14 | 000,000,766 | R--- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO__Collapse_Deluxe.exe
[2003/12/17 01:19:14 | 000,000,766 | R--- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO__Cubis_Deluxe.exe
[2003/12/17 01:19:14 | 000,000,766 | R--- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO__Mah_Jong_Tiles_Deluxe.exe
[2003/12/17 01:19:15 | 000,000,766 | R--- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO__TextTwist_Deluxe.exe
[2003/12/17 01:19:15 | 000,000,766 | R--- | M] () -- C:\Documents and Settings\Bill\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO__Word_MoJo_Deluxe.exe
[2011/06/30 14:01:53 | 026,383,736 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\AuTemp\Y(X326HO27Z}ZOATP8Z]037\1308810826632148160\QQIntl1.1.exe
[2011/06/30 14:02:04 | 000,031,096 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\SafeBase\QQSafeUD.exe
[2011/04/20 06:23:10 | 000,031,048 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\SafeBase\selfupdate.exe
[2011/04/19 22:35:43 | 000,611,648 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQ1033~0\program files\Tencent\QQ2009\Bin\auclt.exe
[2011/04/19 22:35:44 | 000,124,224 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQ1033~0\program files\Tencent\QQ2009\Bin\bugreport.exe
[2011/04/19 22:35:44 | 000,136,512 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQ1033~0\program files\Tencent\QQ2009\Bin\QQ.exe
[2011/04/19 22:35:44 | 000,075,072 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQ1033~0\program files\Tencent\QQ2009\Bin\QQPI.exe
[2011/04/19 22:35:44 | 000,031,040 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQ1033~0\program files\Tencent\QQ2009\Bin\SelfUpdate.exe
[2011/04/19 22:35:44 | 000,136,512 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQ1033~0\program files\Tencent\QQ2009\Bin\StorageTool.exe
[2011/04/19 22:35:44 | 000,460,096 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQ1033~0\program files\Tencent\QQ2009\Bin\Timwp.exe
[2011/04/19 22:35:44 | 000,035,648 | ---- | M] (tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQ1033~0\program files\Tencent\QQ2009\Bin\TSFSCAN.exe
[2011/04/19 22:35:44 | 000,152,896 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQ1033~0\program files\Tencent\QQ2009\Bin\TXPlatform.exe
[2011/06/30 14:02:05 | 000,036,680 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\QQUninst.exe
[2011/06/30 14:02:04 | 000,619,896 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\auclt.exe
[2011/06/30 14:02:04 | 000,132,472 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\bugreport.exe
[2011/06/30 14:02:04 | 000,144,760 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\QQ.exe
[2011/06/30 14:02:04 | 000,079,224 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\QQPI.exe
[2011/06/30 14:02:05 | 000,031,096 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\QQSafeUD.exe
[2011/04/20 06:07:30 | 000,031,048 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\SelfUpdate.exe
[2011/06/30 14:02:05 | 000,132,472 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\StorageTool.exe
[2011/06/30 14:02:05 | 000,468,344 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\Timwp.exe
[2011/06/30 14:02:05 | 000,124,280 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\TXOPShow.exe
[2011/06/30 14:02:05 | 000,152,952 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\TXPlatform.exe
[2011/06/30 14:02:04 | 000,031,096 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\Application Data\Tencent\QQ\SafeBase\QQSafeUD.exe
[2011/06/30 14:02:05 | 000,036,680 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\program files\Tencent\QQIntl\QQUninst.exe
[2011/06/30 14:02:04 | 000,619,896 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\program files\Tencent\QQIntl\Bin\auclt.exe
[2011/06/30 14:02:04 | 000,132,472 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\program files\Tencent\QQIntl\Bin\bugreport.exe
[2011/06/30 14:02:04 | 000,144,760 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\program files\Tencent\QQIntl\Bin\QQ.exe
[2011/06/30 14:02:04 | 000,079,224 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\program files\Tencent\QQIntl\Bin\QQPI.exe
[2011/06/30 14:02:05 | 000,031,096 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\program files\Tencent\QQIntl\Bin\QQSafeUD.exe
[2011/06/30 14:02:05 | 000,132,472 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\program files\Tencent\QQIntl\Bin\StorageTool.exe
[2011/06/30 14:02:05 | 000,468,344 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\program files\Tencent\QQIntl\Bin\Timwp.exe
[2011/06/30 14:02:05 | 000,124,280 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\program files\Tencent\QQIntl\Bin\TXOPShow.exe
[2011/06/30 14:02:05 | 000,152,952 | ---- | M] (Tencent) -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\program files\Tencent\QQIntl\Bin\TXPlatform.exe
[2011/06/30 14:02:04 | 000,103,240 | ---- | M] () -- C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~1\SysDir\InstAsm.exe

< %SYSTEMDRIVE%\*.* >
[2009/06/14 22:24:39 | 000,173,412 | ---- | M] () -- C:\1125734.jpg
[2003/12/16 22:45:52 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2002/08/30 17:07:40 | 000,068,116 | ---- | M] () -- C:\Billa.JPG
[2011/09/18 16:20:26 | 000,000,237 | ---- | M] () -- C:\Boot.bak
[2011/09/18 19:56:49 | 000,000,353 | RHS- | M] () -- C:\boot.ini
[2003/07/30 12:00:00 | 000,245,920 | RHS- | M] () -- C:\cmldr
[2011/09/19 22:56:56 | 000,015,824 | ---- | M] () -- C:\ComboFix.txt
[2003/12/16 22:45:52 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1028.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1031.txt
[2007/11/07 08:00:40 | 000,010,134 | ---- | M] () -- C:\eula.1033.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1036.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1040.txt
[2007/11/07 08:00:40 | 000,000,118 | ---- | M] () -- C:\eula.1041.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.1042.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.2052.txt
[2007/11/07 08:00:40 | 000,017,734 | ---- | M] () -- C:\eula.3082.txt
[2009/07/15 14:18:14 | 000,298,231 | ---- | M] () -- C:\Fig.29.jpg
[2009/11/10 12:36:42 | 000,001,328 | ---- | M] () -- C:\FSUIPC_reg.bin
[2007/11/07 08:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
[2007/11/07 08:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
[2007/11/07 08:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
[2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
[2007/11/07 08:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
[2007/11/07 08:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
[2007/11/07 08:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
[2007/11/07 08:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
[2007/11/07 08:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
[2007/11/07 08:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
[2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
[2003/12/16 22:45:52 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2003/12/16 22:45:52 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/06/14 14:30:53 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/06/14 16:56:45 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/09/19 23:03:48 | 3221,225,472 | -HS- | M] () -- C:\pagefile.sys
[2011/09/18 17:58:04 | 000,000,359 | ---- | M] () -- C:\rkill.log
[2011/09/19 09:32:25 | 000,037,910 | ---- | M] () -- C:\TDSSKiller.2.5.22.0_19.09.2011_09.29.20_log.txt
[2007/11/07 08:00:40 | 000,005,686 | ---- | M] () -- C:\vcredist.bmp
[2007/11/07 08:09:22 | 001,442,522 | ---- | M] () -- C:\VC_RED.cab
[2007/11/07 08:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI
[2009/06/15 20:32:33 | 000,000,146 | ---- | M] () -- C:\YServer.txt

< %SYSTEMDRIVE%\*.exe >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< C:\program files\common files\data\* /s >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2003/12/16 14:33:22 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2003/12/16 14:33:22 | 000,626,688 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2003/12/16 14:33:22 | 000,405,504 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >

Extras.txt
OTL Extras logfile created on: 9/19/2011 11:15:09 PM - Run 1
OTL by OldTimer - Version 3.2.29.1 Folder = C:\Documents and Settings\Bill\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.68 Gb Available Physical Memory | 84.20% Memory free
4.92 Gb Paging File | 4.73 Gb Available in Paging File | 96.18% Paging File free
Paging file location(s): C:\pagefile.sys 3072 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 180.27 Gb Total Space | 74.77 Gb Free Space | 41.48% Space Free | Partition Type: NTFS
Drive D: | 6.03 Gb Total Space | 1.01 Gb Free Space | 16.81% Space Free | Partition Type: NTFS
Drive K: | 0.36 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 1.81 Gb Total Space | 1.76 Gb Free Space | 97.12% Space Free | Partition Type: FAT

Computer Name: HPPC | User Name: Bill | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\FSFDT\Control Panel\FSFDTCP.exe" = C:\Program Files\FSFDT\Control Panel\FSFDTCP.exe:*:Enabled:Control Panel -- (FS - French Dev Team)
"C:\Program Files\FSFDT\FWInn\FWINN.exe" = C:\Program Files\FSFDT\FWInn\FWINN.exe:*:Enabled:FWInn -- ()
"C:\Program Files\Microsoft Games\Microsoft Flight Simulator X\fsx.exe" = C:\Program Files\Microsoft Games\Microsoft Flight Simulator X\fsx.exe:*:Enabled:Microsoft Flight Simulator X -- (Microsoft Corp.)
"C:\Program Files\FSFDT\FSInn UI\FSInnUI.exe" = C:\Program Files\FSFDT\FSInn UI\FSInnUI.exe:*:Enabled:FSInn UI -- (.)
"C:\Program Files\FSFDT\FSInn UI VVL\FSInnUIVVL.exe" = C:\Program Files\FSFDT\FSInn UI VVL\FSInnUIVVL.exe:*:Enabled:FSInn UI VVL -- (FS - French Dev Team)
"C:\Program Files\Microsoft Games\Microsoft Flight Simulator X\feelThere\b737\737setup.exe" = C:\Program Files\Microsoft Games\Microsoft Flight Simulator X\feelThere\b737\737setup.exe:*:Enabled:737-300 PIC Setup Utility -- (feelThere)
"C:\Program Files\Spybot - Search & Destroy\Update.exe" = C:\Program Files\Spybot - Search & Destroy\Update.exe:*:Enabled:Update.exe -- (Safer Networking Limited)
"C:\Program Files\FSFDT\FWInn\FWINN64.exe" = C:\Program Files\FSFDT\FWInn\FWINN64.exe:*:Enabled:FWINN64.exe -- ()
"C:\WINDOWS\system32\dpnsvr.exe" = C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Real Environment Xtreme 2.0\rexwxengine2.exe" = C:\Program Files\Real Environment Xtreme 2.0\rexwxengine2.exe:*:Enabled:REX Weather Engine 2.0 (FSX) -- (Real Environment Simulations)
"C:\Documents and Settings\Bill\Local Settings\Apps\2.0\OENELP7W.1LQ\JHMM0REJ.ZCT\acar..tion_c603f141f5d06682_0002.000c_84b0b64057e101c1\ACARS.exe" = C:\Documents and Settings\Bill\Local Settings\Apps\2.0\OENELP7W.1LQ\JHMM0REJ.ZCT\acar..tion_c603f141f5d06682_0002.000c_84b0b64057e101c1\ACARS.exe:*:Enabled:UVA ACARS -- (JPS)
"C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\QQ.exe" = C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\QQ.exe:*:Enabled:QQ International -- (Tencent)
"C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\auclt.exe" = C:\Documents and Settings\Bill\Application Data\Tencent\QQ\STemp\~TXQQIntl~0\program files\Tencent\QQIntl\Bin\auclt.exe:*:Enabled:QQ2009 -- (Tencent)
"C:\Documents and Settings\Bill\Local Settings\Apps\2.0\OENELP7W.1LQ\JHMM0REJ.ZCT\acar..tion_d3355201e441073d_0002.000d_901a5af215981e5c\ACARS.exe" = C:\Documents and Settings\Bill\Local Settings\Apps\2.0\OENELP7W.1LQ\JHMM0REJ.ZCT\acar..tion_d3355201e441073d_0002.000d_901a5af215981e5c\ACARS.exe:*:Enabled:UVA ACARS -- (JPS)
"C:\Documents and Settings\Bill\Local Settings\Apps\2.0\OENELP7W.1LQ\JHMM0REJ.ZCT\acar..tion_d3355201e441073d_0002.000d_6c5ded94660015dc\ACARS.exe" = C:\Documents and Settings\Bill\Local Settings\Apps\2.0\OENELP7W.1LQ\JHMM0REJ.ZCT\acar..tion_d3355201e441073d_0002.000d_6c5ded94660015dc\ACARS.exe:*:Enabled:UVA ACARS -- (JPS)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"_{DCDAB2ED-5741-4C30-A1A4-0FCB8A529001}" = WordPerfect Office X4
"{000AB2ED-5741-4C30-A1A4-0FCB8A529000}" = WordPerfect Office X4
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0965D484-1777-4BA5-8C3A-095A6B0D2696}_is1" = Driver Sweeper 1.5.5
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0DC9C45C-966C-488D-B97E-5C68E161CDCC}" = SceneryTech South America Landclass v1.0
"{145CACAF-9B34-41FC-BE49-7D510A253E78}" = Multimedia Card Reader
"{1A655D51-1423-48A3-B748-8F5A0BE294C8}" = Microsoft Visual J# .NET Redistributable Package 1.1
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{1DF03ECE-6AF4-414E-B118-C316F151A9A2}" = Corel WordPerfect Office - iFilter
"{1E90660B-8460-498E-B781-44FF5D99396E}" = Navigraph nDAC 3
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows
"{1F95C156-BE36-4D73-B22F-BDE3538B09A8}" = FS Recorder 2.0 beta 4 for FSX
"{20708FD5-E94D-4097-A21E-E28564CDBC06}" = PMDG 737 8900 NGX
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2A267BC6-F77F-4DD4-825F-7AEB1F68B4B1}" = HpSdpAppCoreApp
"{2B5DDFFF-F347-489E-861D-98D02D00472D}" = PMDG744X_PW_UA2
"{3248F0A8-6813-11D6-A77B-00B0D0150170}" = J2SE Runtime Environment 5.0 Update 17
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3CA54984-A14B-42FE-9FF1-7EA90151D725}" = Tencent QQ
"{3E85C49F-637A-46D3-B27E-A1D7EE136A5A}" = Beech 1900D
"{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}" = Adobe AIR
"{4847BBB9-EADD-4C92-90BF-4223B0892FF6}" = Microsoft Flight Simulator X Service Pack 2
"{4873CC58-69D8-490D-9E5C-001DC2EE2000}" = WordPerfect Lightning
"{4873CC58-69D8-490D-9E5C-001DC2EE2010}" = WordPerfect Lightning - Messages
"{4873CC58-69D8-490D-9E5C-001DC2EE2020}" = WordPerfect Lightning - IPM
"{4873CC58-69D8-490D-9E5C-001DC2EE2100}" = WordPerfect Lightning - EN
"{53480370-6CA2-47EC-BC05-02B4B9271C31}" = O&O Defrag Professional Edition
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C87827F-75BE-4D5C-AF7B-88D48D9BFFD7}" = PowerWord 2002
"{6D6A26D5-492A-49BD-B30D-546B2F3E4793}" = Real Environment Xtreme - Overdrive
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7148F0A8-6813-11D6-A77B-00B0D0142000}" = Java 2 Runtime Environment, SE v1.4.2
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7D001707-1AB3-4D0E-A171-49F278F2406F}" = FSX Beechcraft 1900D
"{83FC981A-5557-4A2D-9C36-ED133DC5BFB9}" = SceneryTech Europe Landclass v1.1
"{85DF6786-66AA-42EE-8616-AE456B07BD99}" = Microsoft Flight Simulator SimConnect Client v10.0.61242.0
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{8CEEB410-205D-4CB7-AB3E-086400DFC851}" = Embraer ERJ 170-100SE
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0000-0000-0000000FF1CE}" = Microsoft Office Access 2007
"{90120000-0015-0000-0000-0000000FF1CE}_Access_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0015-0000-0000-0000000FF1CE}_Access_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_Access_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0000-0000-0000000FF1CE}" = Microsoft Office Word 2007
"{90120000-001B-0000-0000-0000000FF1CE}_WORD_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0000-0000-0000000FF1CE}_WORD_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_WORD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_Access_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_WORD_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_Access_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_WORD_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_Access_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_WORD_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_Access_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_WORD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_Access_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_WORD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_Access_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90AD8C11-ED4A-4AE7-BB70-7740C452C999}" = Visual J# .NET Redistributable Package
"{939227BD-19D8-4684-8A04-31AC9F6A564C}" = Scan
"{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = RecordNow!
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD Player
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{AC76BA86-7AD7-2447-0000-800000000003}" = Chinese Simplified Fonts Support For Adobe Reader 8
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AC76BA86-7AD7-5760-0000-800000000003}" = Japanese Fonts Support For Adobe Reader 8
"{B0650E3D-FDCA-4908-B74B-0CC1731BDB93}" = Microsoft Tool Web Package : EXCTRLST.EXE
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 275.33
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0B6E1E2-F9FA-4C9C-8548-4ACE0B780B51}" = FS Recorder 1.331 for FSX
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D37CDE33-16DC-423D-B7C8-40F98EBFFEDC}" = PMDG744X_PW_UA
"{DA17C501-E443-4371-873C-3C79373A2E33}" = SceneryTech Africa Landclass v1.0
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529001}" = WordPerfect Office X4 - ICA
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529010}" = WordPerfect Office X4 - Common
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529011}" = WordPerfect Office X4 - WP
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529012}" = WordPerfect Office X4 - QP
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529013}" = WordPerfect Office X4 - PR
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529014}" = WordPerfect Office X4 - Content
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529016}" = WordPerfect Office X4 - Skins
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529017}" = WordPerfect Office X4 - Filters
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529018}" = WordPerfect Office X4 - Graphics
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529023}" = WordPerfect Office X4 - System
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529030}" = WordPerfect Office X4 - Migration Manager
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529040}" = WordPerfect Office X4 - IPM
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529046}" = WordPerfect Office X4 - IPM T EN
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529050}" = WordPerfect Office X4 - PerfectExperts
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529080}" = WordPerfect Office X4 - MAIL
"{DCDAB2ED-5741-4C30-A1A4-0FCB8A529100}" = WordPerfect Office X4 - EN
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E91C757A-854C-4057-A67D-7FAE297B2016}" = SceneryTech North America Landclass v1.4
"{EAB979F7-84A6-47B6-AB39-CA73A6EEAE69}" = PMDG744X_PW_UA3
"{EDCEE320-0FB3-4197-9F86-8C1CCF2278FB}" = PMDG 747-400/400F for FSX
"{EFF0D84D-C49A-461E-BC21-D6ED8B2C0D5D}" = SceneryTech Indo-Pacific Landclass v1.0
"{F22EE695-4EF1-4188-A209-FD959A494F7B}" = SceneryTech Asia Landclass v1.0
"{F32F502E-4398-4159-B3C9-3336AEDE6FEB}" = Real Environment Xtreme 2.0
"{F6EE49FD-B736-4888-A05A-115F3B1160FA}" = WordPerfect Lightning - MSOM
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Access" = Microsoft Office Access 2007
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Alaska-Hawaii Terrain Mesh for FSX2.0.0 beta (PB100219)" = FSGenesis Alaska-Hawaii Terrain Mesh for FSX
"B752PRO_FSX" = 757-200 Base Pack
"BackWeb-137903 Uninstaller" = Updates from HP
"Canada Terrain Mesh for FSX1.0.0" = FSGenesis Canada Terrain Mesh for FSX
"CCleaner" = CCleaner
"Cypress Base Terrain Mesh for FSX1.0.0" = FSGenesis Cypress Base Terrain Mesh for FSX
"Desktop FLV Player_is1" = FLVhosting Desktop FLV Player Ver 2.00
"FSFDT FSCopilot" = FSFDT FSCopilot
"FSFDT FSInn" = FSFDT FSInn
"FSGenesis World Terrain Mesh for FSX" = FSGenesis World Terrain Mesh for FSX
"Ground Environment X Africa-Middle East1.0" = Ground Environment X Africa-Middle East
"Ground Environment X Europe" = Ground Environment X Europe
"Ground Environment X North America" = Ground Environment X North America
"ie8" = Windows Internet Explorer 8
"InstallShield_{145CACAF-9B34-41FC-BE49-7D510A253E78}" = Multimedia Card Reader
"InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"IrfanView" = IrfanView (remove only)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Mexico Terrain Mesh for FSX1.2.0" = FSGenesis Mexico Terrain Mesh for FSX
"Mexico Terrain Mesh for FSX2.0.0" = FSGenesis Mexico Terrain Mesh for FSX
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft Visual J# .NET Redistributable Package(ENU) v1.0.4205" = Microsoft Visual J# .NET Redistributable Package(ENU) v1.0.4205
"North America Terrain Mesh for FSX -- East2.0.0" = FSGenesis North America Terrain Mesh for FSX -- East
"North America Terrain Mesh for FSX -- Plains2.0.0" = FSGenesis North America Terrain Mesh for FSX -- Plains
"North America Terrain Mesh for FSX -- Rockies2.0.0" = FSGenesis North America Terrain Mesh for FSX -- Rockies
"North America Terrain Mesh for FSX -- West Coast2.0.0" = FSGenesis North America Terrain Mesh for FSX -- West Coast
"Northern Russia & Siberia Terrain Mesh for FSX1.0.0" = FSGenesis Northern Russia & Siberia Terrain Mesh for FSX
"Rhode Island Airport Terrain Adjustment Pack - FSX1.0" = FSGenesis Rhode Island Airport Terrain Adjustment Pack - FSX
"Slovakia Base Terrain Mesh for FSX1.0.0" = FSGenesis Slovakia Base Terrain Mesh for FSX
"SP1_9527A496-5DF9-412A-ADC7-168BA5379CA6" = Microsoft Flight Simulator X Service Pack 1
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"TreeX_is1" = TreeX V2
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WORD" = Microsoft Office Word 2007
"XP TCP/IP Repair_is1" = XP TCP/IP Repair 2.1
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2354447427-3512076405-1411424341-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"0792f7a54ceb6e42" = ACARS - 1
"737 Pilot in Command (FSX)" = 737 Pilot in Command (FSX)
"e5e5e6e88c3c27bb" = ACARS

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/18/2011 5:17:23 PM | Computer Name = HPPC | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 9/18/2011 9:05:02 PM | Computer Name = HPPC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STOPzilla!\SZPro5.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 9/18/2011 9:07:09 PM | Computer Name = HPPC | Source = MsiInstaller | ID = 1008
Description = The installation of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\STOPzilla!\SZPro5.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 9/19/2011 11:03:02 AM | Computer Name = HPPC | Source = MsiInstaller | ID = 11706
Description = Product: ESET NOD32 Antivirus -- Error 1706. An installation package
for the product ESET NOD32 Antivirus cannot be found. Try the installation again
using a valid copy of the installation package 'NUP98D9.msi'.

Error - 9/19/2011 11:30:33 AM | Computer Name = HPPC | Source = pctsSvc.exe | ID = 0
Description =

Error - 9/19/2011 11:47:24 AM | Computer Name = HPPC | Source = MsiInstaller | ID = 11321
Description = Product: ESET NOD32 Antivirus -- Error 1321. The Installer has insufficient
privileges to modify this file: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe.

Error - 9/19/2011 11:47:25 AM | Computer Name = HPPC | Source = MsiInstaller | ID = 11321
Description = Product: ESET NOD32 Antivirus -- Error 1321. The Installer has insufficient
privileges to modify this file: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe.

Error - 9/19/2011 11:47:26 AM | Computer Name = HPPC | Source = MsiInstaller | ID = 11321
Description = Product: ESET NOD32 Antivirus -- Error 1321. The Installer has insufficient
privileges to modify this file: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe.

Error - 9/19/2011 11:48:38 AM | Computer Name = HPPC | Source = MsiInstaller | ID = 11920
Description = Product: ESET NOD32 Antivirus -- Error 1920. Service 'Eset Service'
(ekrn) failed to start. Verify that you have sufficient privileges to start system
services.

Error - 9/19/2011 11:49:11 AM | Computer Name = HPPC | Source = MsiInstaller | ID = 11920
Description = Product: ESET NOD32 Antivirus -- Error 1920. Service 'Eset Service'
(ekrn) failed to start. Verify that you have sufficient privileges to start system
services.

[ System Events ]
Error - 9/19/2011 8:12:45 PM | Computer Name = HPPC | Source = Service Control Manager | ID = 7023
Description = The IPSEC Services service terminated with the following error: %%10050

Error - 9/19/2011 8:12:45 PM | Computer Name = HPPC | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%10050

Error - 9/19/2011 8:12:45 PM | Computer Name = HPPC | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%2147952450

Error - 9/19/2011 8:13:58 PM | Computer Name = HPPC | Source = Service Control Manager | ID = 7022
Description = The Net.Tcp Port Sharing Service service hung on starting.

Error - 9/19/2011 9:35:46 PM | Computer Name = HPPC | Source = Service Control Manager | ID = 7022
Description = The Net.Tcp Port Sharing Service service hung on starting.

Error - 9/19/2011 9:56:54 PM | Computer Name = HPPC | Source = Service Control Manager | ID = 7022
Description = The Net.Tcp Port Sharing Service service hung on starting.

Error - 9/19/2011 10:30:16 PM | Computer Name = HPPC | Source = Service Control Manager | ID = 7022
Description = The Net.Tcp Port Sharing Service service hung on starting.

Error - 9/19/2011 10:37:34 PM | Computer Name = HPPC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 000EA6663B4E has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).

Error - 9/20/2011 2:06:11 AM | Computer Name = HPPC | Source = Service Control Manager | ID = 7022
Description = The Net.Tcp Port Sharing Service service hung on starting.

Error - 9/20/2011 2:12:57 AM | Computer Name = HPPC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 000EA6663B4E has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).


< End of report >

#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:14 PM

Posted 20 September 2011 - 04:24 AM

Hi beachdog2001,




Step1

We need to scan your system with this special tool.

  • Please download Junction.zip and save it on your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start >> Run >> Copy/paste the following bolded command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A command window opens starting to scan the system. Wait until a log file opens. Copy and paste the content in your next reply.


Step2

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
"XMLHTTP_UUID_Default"=-

Name the file fix.reg, making sure "Save as type" is set to "All Files".
Double click it and an information box will pop up asking if you want to merge the information in the file into the registry; click Yes. After that, reboot your computer.



Step3

  • After the reboot, we will reinstall TCP/IP
  • Go to Start, then Settings, and choose Network Connections
  • Right click on your normal connection icon, and choose Properties
  • Click the Install button
  • Choose Protocol then click Add
  • Click Have disk
  • In the drop down box, type in: C:\WINDOWS\INF and click OK
  • In the next dialog, click Internet Protocol (TCP/IP) then click OK
  • Click Close to leave the properties box
  • After that, Reboot your computer and see if you can access your connection.


In your next reply, please post back:

1. Junction.txt

Let me know how things went.

#12 beachdog2001

beachdog2001
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 20 September 2011 - 12:01 PM

Thanks for your continued help, much appreciated. Did what you suggested and still no internet connection with Yahoo. The TCP/IP icon is blinking though.


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\Documents and Settings\Administrator: Access is denied.



Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\CaptainSim\FSX\p751\csp751_4.2.log: Access is denied.



Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\CaptainSim\FSX\p751\csp751_4.4.log: Access is denied.


...

...

...

...

.
Failed to open \\?\c:\\Documents and Settings\Bill\Programs\Administrative Tools: Access is denied.


..

...
Failed to open \\?\c:\\e693bba87a4a0fd589ec646bc2cf26\amd64: Access is denied.



Failed to open \\?\c:\\e693bba87a4a0fd589ec646bc2cf26\i386: Access is denied.




...

...

...

...
Failed to open \\?\c:\\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe: Access is denied.




...

...

...

...

...

...

...

...

...


Failed to open \\?\c:\\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.ilg: Access is denied.


...

...
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\firefox.exe: Access is denied.




...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.


.

...

...

...

...

\\?\c:\\WINDOWS\$NtUninstallKB33872$\1031945806: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e



...

...

...

...

...

...

...\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492

\\?\c:\\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5
Substitute Name: C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5



...

...

...

...

...

...

...
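
The junction log above is easier to triage by machine than by eye. The script below is an added example written for this thread, not a Sysinternals tool: it parses the text layout junction.exe printed here (the "Failed to open <path>: <reason>" lines, and the "<path>: SYMBOLIC LINK" / "JUNCTION" records with their "Print Name" and "Substitute Name" lines), separates access-denied paths from in-use ones, and classifies each reparse point. The classification rules are mine: .NET GAC entries under WINDOWS\assembly that point into WinSxS are normal, whereas a Windows hotfix uninstall folder ($NtUninstallKB…$) holds backed-up files, never links, so a link there pointing back into system32\config has no legitimate reason to exist. The sample input is constructed from lines copied out of the log above, progress dots included.

```python
"""Triage a Sysinternals junction -s log: reparse points and access-denied paths.

Added example for this thread; it is not part of the Sysinternals tools.
It parses the text layout shown in the post above:
  Failed to open <path>: <reason>
  <path>: SYMBOLIC LINK | JUNCTION
  Print Name : <target>
  Substitute Name: <target>
Progress dots that the tool prints (sometimes glued to a path line) are ignored.
"""
import re
import sys

# Constructed sample: lines copied from the log in the thread, dots included,
# so the parser runs offline.
SAMPLE_LOG = r"""
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe: Access is denied.
...
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\firefox.exe: Access is denied.
..
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
...
\\?\c:\\WINDOWS\$NtUninstallKB33872$\1031945806: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
"""

FAILED_RE = re.compile(r"^\.*Failed to open (\\\\\?\\.+?): (.+)$")
REPARSE_RE = re.compile(r"^\.*(\\\\\?\\.+?): (SYMBOLIC LINK|JUNCTION|MOUNT POINT)$")
NAME_RE = re.compile(r"^(Print Name|Substitute Name)\s*:\s*(.*)$")
EXECUTABLE_EXTS = (".exe", ".dll", ".sys")


def parse_junction_log(text):
    """Return (reparse_points, failures); each failure is (path, reason)."""
    reparse, failures, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"."}:   # blank line or a progress-dot line
            continue
        m = FAILED_RE.match(line)
        if m:
            failures.append((m.group(1), m.group(2)))
            current = None
            continue
        m = REPARSE_RE.match(line)
        if m:
            current = {"source": m.group(1), "kind": m.group(2),
                       "print_name": None, "substitute_name": None}
            reparse.append(current)
            continue
        m = NAME_RE.match(line)
        if m and current is not None:
            key = "print_name" if m.group(1) == "Print Name" else "substitute_name"
            current[key] = m.group(2).strip()
    return reparse, failures


def classify_reparse_point(source, target):
    """Heuristic verdict (assumption of this example): expected / suspicious / review."""
    src, tgt = source.lower(), (target or "").lower()
    if "$ntuninstall" in src:
        # Hotfix uninstall folders hold backed-up files, never links; a link in
        # one that points back into system32 is a hiding technique.
        return "suspicious"
    if ("\\windows\\assembly\\" in src or "\\windows\\microsoft.net\\assembly\\" in src) \
            and "\\windows\\winsxs\\" in tgt:
        return "expected"   # .NET GAC entries are junctions into WinSxS
    return "review"


def triage(text):
    reparse, failures = parse_junction_log(text)
    for rp in reparse:
        rp["verdict"] = classify_reparse_point(rp["source"], rp["substitute_name"] or rp["print_name"])
    # "Access is denied" is the ACL-lock symptom; "in use" (pagefile.sys) is not.
    access_denied = [p for p, reason in failures if reason.startswith("Access is denied")]
    denied_executables = [p for p in access_denied if p.lower().endswith(EXECUTABLE_EXTS)]
    return {"reparse_points": reparse, "access_denied": access_denied,
            "denied_executables": denied_executables}


if __name__ == "__main__":
    # Usage: python junction_triage.py log.txt   (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for rp in result["reparse_points"]:
        print(f'{rp["verdict"]:10} {rp["kind"]:13} {rp["source"]} -> {rp["substitute_name"]}')
    for p in result["denied_executables"]:
        print(f"access denied on executable: {p}")
```

On the sample, the two GAC junctions come out as expected, the link under $NtUninstallKB33872$ is flagged suspicious, and ekrn.exe and firefox.exe (the security tools the thread is trying to get running) are listed as executables that even an administrator could not open, which is exactly what the GrantPerms step in the next post addresses.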

#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:14 PM

Posted 20 September 2011 - 12:45 PM

Hi beachdog2001,


After performing the following Step1, you should be able to reinstall Eset antivirus accordingly. If you run into problems, please run ESET Uninstaller first as instructed in this thread. BTW, do you have an XP install CD handy? Advise me in your next reply.


Step1

  • Download GrantPerms.zip and save it to your desktop.
  • Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
  • Copy and paste the following in the code box:
    c:\\Documents and Settings\Bill\Programs\Administrative Tools
    c:\\e693bba87a4a0fd589ec646bc2cf26\amd64
    c:\\e693bba87a4a0fd589ec646bc2cf26\i386
    c:\\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    c:\\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.ilg
    c:\\Program Files\Malwarebytes' Anti-Malware\firefox.exe
    c:\\Qoobox\BackEnv
    
  • Click Unlock. When it is done click "OK".
  • Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.
  • Restart the computer.


Step2

Go to start > run and type cmd. A DOS window will appear. Please type netsh winsock reset and netsh int ip reset resetlog.txt one at a time and press Enter. Restart the computer and check the connection. If no joy, proceed with the following:

Go to Device Manager, click on the View menu, click Show hidden devices, and check if any yellow exclamation marks are still present. Advise me in your next reply.

If not, for each controller under "Network adapters" right click and select "Uninstall". After that, select "Computer" in Device Manager, right click and select "Scan for hardware changes". Reboot normally and check the connection.


Let me know if you have any remaining issues on your pc.

#14 beachdog2001

beachdog2001
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 20 September 2011 - 03:40 PM

I do not have a Windows XP CD. This is an older HP computer that came with XP preinstalled. I do have the HP recovery disks as well as the D drive which is a recovery drive only. I ran everything as you suggested and still I can't seem to connect to the internet even though the adapter icon is blinking and appears to work (webpages won't display). I can repair the connection just fine. All the IP address and DNS stuff seems to be correct although WINS Server is blank. I ran the Windows connection problems diagnostic and all seems OK except can't connect to the internet and they suggest talking to the ISP provider, which basically means that they have no idea what the problem is. There is a log available if that is of use. It is not the ISP provider as I am sitting right next to the PC with my laptop talking to you on the same connection (only wireless). I am able to ping 127.0.0.1, my IP address and the DNS server just fine. I am able to ping my computer name etc. I think all that is OK. Perhaps the problem is with Internet Explorer permissions. When I click on a page and get the "Internet Explorer cannot display the webpage" message, there is the option to "Diagnose Connection Problems"; I get an "Error on page" message with a yellow exclamation point at the bottom and nothing comes up.

I got the ESET program to finish installing but it won't run and one of the services I am used to seeing is missing. I get a "Can't communicate with the kernel" message. I am going to try downloading a new copy of the NOD32 and see what happens, but I need to wait to get my username and password from them before I can do this. I think it will be the same result.

No yellow exclamation points under Hidden Devices, nor has there been. I was unable to uninstall a network adapter called Direct Parallel and a bunch of WAN ports and got a message that perhaps this is needed to boot. I realized that these show because I still had Show hidden devices checked. When I unchecked this, I had no network adapters remaining.

By the way, regarding the command netsh int ip reset, I got an error message that the command is not complete and is missing some command information, and they suggest adding reset resetlog.txt to the end of it, which I did. Not sure if that is correct or not. Below is the log that you asked for.


GrantPerms by Farbar
Ran by Bill at 2011-09-20 11:57:33

===============================================
\\?\c:\\Documents and Settings\Bill\Programs\Administrative Tools

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
HPPC\Bill FULL ALLOW (I)
HPPC\Bill FULL ALLOW (CI)(OI)(IO)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\e693bba87a4a0fd589ec646bc2cf26\amd64

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\e693bba87a4a0fd589ec646bc2cf26\i386

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


\\?\c:\\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.ilg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\Program Files\Malwarebytes' Anti-Malware\firefox.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Qoobox\BackEnv

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)
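
The Perms.txt listing above, and the "List Permissions" step that produced it in the previous post, can be checked automatically for the kind of ACL tampering that stops a security product's service from starting. The script below is an added example written for this thread; it is not GrantPerms' own code. It parses the record layout shown in the listing (a path line, an "Owner:" line, a "DACL(<flags>):" header and one access control entry per line) and reports, per path, whether inheritance is blocked, whether any deny entry exists, and whether SYSTEM and Administrators still hold full control. The flag meanings are assumed from the listing rather than documented on the page: (P) protected DACL with inheritance blocked, (NP) not protected, (I) inherited entry, (NI) entry set explicitly on the object. The sample input takes two records from the listing above and adds one constructed "locked" record (c:\Example\locked.exe, not on the page) to exercise the deny and missing-full-control checks.

```python
r"""Audit a GrantPerms Perms.txt listing for permission anomalies.

Added example for this thread; it is not GrantPerms' own code. It reads the
record layout quoted above: a path line in the \\?\ form, an "Owner:" line,
a "DACL(<flags>):" header and one access control entry (ACE) per line, with
records separated by blank lines. Flag meanings are assumed from the listing:
(P) protected DACL, inheritance blocked; (NP) not protected; (I) inherited
entry; (NI) entry set explicitly on the object; (CI)/(OI) inherit to
containers/objects.
"""
import re
import sys

# Constructed sample: two records copied from the listing in the thread plus
# one constructed "locked" record (not on the page) to exercise the checks.
SAMPLE_PERMS = r"""
===============================================
\\?\c:\\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)


\\?\c:\\Qoobox\BackEnv

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
BUILTIN\Users ADD FILE ALLOW (CI)(I)


\\?\c:\\Example\locked.exe

Owner: HPPC\Bill

DACL(P)(AI):
Everyone FULL DENY (NI)
HPPC\Bill FULL ALLOW (NI)
"""

PATH_PREFIX = "\\\\?\\"          # the literal \\?\ that starts each record
DACL_RE = re.compile(r"^DACL((?:\([A-Z]+\))*):$")
FLAG_RE = re.compile(r"\(([A-Z]+)\)")
# principal (may contain spaces), rights, ALLOW/DENY, then zero or more (FLAG) groups
ACE_RE = re.compile(
    r"^(?P<who>.+?)\s+(?P<rights>FULL|READ/EXECUTE|ADD SUBDIRECTORY|ADD FILE|\S+)"
    r"\s+(?P<kind>ALLOW|DENY)\s*(?P<flags>(?:\([A-Z]+\))*)\s*$"
)
SYSTEM = "NT AUTHORITY\\SYSTEM"
ADMINS = "BUILTIN\\Administrators"


def parse_perms(text):
    """Return a list of records: {path, owner, dacl_flags, aces}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(PATH_PREFIX):
            current = {"path": line, "owner": None, "dacl_flags": [], "aces": []}
            records.append(current)
            continue
        if current is None or not line:
            continue
        if line.startswith("Owner:"):
            current["owner"] = line[len("Owner:"):].strip()
            continue
        m = DACL_RE.match(line)
        if m:
            current["dacl_flags"] = FLAG_RE.findall(m.group(1))
            continue
        m = ACE_RE.match(line)
        if m:
            current["aces"].append({"who": m.group("who"), "rights": m.group("rights"),
                                    "kind": m.group("kind"),
                                    "flags": FLAG_RE.findall(m.group("flags"))})
    return records


def has_full_allow(record, who):
    return any(a["who"] == who and a["rights"] == "FULL" and a["kind"] == "ALLOW"
               for a in record["aces"])


def audit(text):
    """Map each path to a list of findings (empty list = nothing unusual)."""
    findings = {}
    for rec in parse_perms(text):
        issues = []
        if "P" in rec["dacl_flags"]:
            issues.append("inheritance-blocked")       # DACL set explicitly on the object
        issues += [f"deny-ace:{a['who']}" for a in rec["aces"] if a["kind"] == "DENY"]
        if not has_full_allow(rec, SYSTEM):
            issues.append("system-lacks-full")         # services run as SYSTEM; must read the file
        if not has_full_allow(rec, ADMINS):
            issues.append("admins-lack-full")
        findings[rec["path"]] = issues
    return findings


if __name__ == "__main__":
    # Usage: python perms_audit.py Perms.txt   (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PERMS
    for path, issues in audit(text).items():
        print(f"{path}\n    {', '.join(issues) if issues else 'ok'}")
```

"inheritance-blocked" on its own is a prompt to look, not proof of tampering, since installers sometimes set explicit ACLs; a deny entry for Everyone, or SYSTEM without full control on a service executable such as ekrn.exe, is the stronger signal and matches the "Access is denied" failures the junction scan reported on those files.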

#15 beachdog2001

beachdog2001
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:14 PM

Posted 20 September 2011 - 03:49 PM

Here is the Windows Network Diagnostic log that I mentioned earlier in case it is useful to you.

<?xml version="1.0" ?>
<?xml-stylesheet type='text/xsl' href="xpnetdiag.xsl" ?>
<xpnetdiag>

<title>
Network Diagnostics for Windows XP
</title>
<lastRunText>
Last diagnostic run time:
</lastRunText>
<rejectText>
REJECT
</rejectText>
<indeterminateText>
INDETERMINATE
</indeterminateText>
<confirmText>
CONFIRM
</confirmText>
<timeStamp>
09/19/11 20:59:22
</timeStamp>
<component name="HTTP, HTTPS, FTP Diagnostic" startDiagnosisTime="09/19/11 20:59:22">

<rootCause name="HTTP, HTTPS, FTP connectivity" status="confirm">

<trace traceType="warn" text="FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
">

</trace>
<trace traceType="warn" text="HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
">

</trace>
<trace traceType="warn" text="HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
">

</trace>
<trace traceType="warn" text="FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
">

</trace>
<trace traceType="warn" text="HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
">

</trace>
<trace traceType="warn" text="HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
">

</trace>
<trace traceType="error" text="Could not make an HTTP connection.">

</trace>
<trace traceType="error" text="Could not make an HTTPS connection.">

</trace>
<trace traceType="error" text="Could not make an FTP connection.">

</trace>
</rootCause>
</component>
<component name="Network Adapter Diagnostic" startDiagnosisTime="09/19/11 20:59:25">

<rootCause name="Network location detection" status="reject">

<trace traceType="info" text="Using home Internet connection">

</trace>
</rootCause>
<rootCause name="Network adapter identification" status="reject">

<trace traceType="info" text="Network connection: Name=Local Area Connection, Device=Realtek RTL8139/810x Family Fast Ethernet NIC, MediaType=LAN, SubMediaType=LAN">

</trace>
<trace traceType="info" text="Network connection: Name=1394 Connection, Device=1394 Net Adapter, MediaType=LAN, SubMediaType=1394">

</trace>
<trace traceType="info" text="Ethernet connection selected">

</trace>
</rootCause>
<rootCause name="Network adapter status" status="reject">

<trace traceType="info" text="Network connection status: Connected">

</trace>
</rootCause>
</component>
<component name="WinSock Diagnostic" startDiagnosisTime="09/19/11 20:59:25">

<rootCause name="WinSock status" status="reject">

<trace traceType="info" text="All base service provider entries are present in the Winsock catalog.">

</trace>
<trace traceType="info" text="The Winsock Service provider chains are valid.">

</trace>
<trace traceType="info" text="Provider entry MSAFD Tcpip [TCP/IP] passed the loopback communication test.">

</trace>
<trace traceType="info" text="Provider entry MSAFD Tcpip [UDP/IP] passed the loopback communication test.">

</trace>
<trace traceType="info" text="Provider entry RSVP UDP Service Provider passed the loopback communication test.">

</trace>
<trace traceType="info" text="Provider entry RSVP TCP Service Provider passed the loopback communication test.">

</trace>
<trace traceType="info" text="Connectivity is valid for all Winsock service providers.">

</trace>
</rootCause>
</component>
<component name="Wireless Diagnostic" startDiagnosisTime="09/19/11 20:59:26">

<rootCause name="Wireless - Service disabled" status="reject">

</rootCause>
<rootCause name="Wireless - User SSID" status="reject">

</rootCause>
<rootCause name="Wireless - First time setup" status="reject">

</rootCause>
<rootCause name="Wireless - Radio off" status="reject">

</rootCause>
<rootCause name="Wireless - Out of range" status="reject">

</rootCause>
<rootCause name="Wireless - Hardware issue" status="reject">

</rootCause>
<rootCause name="Wireless - Novice user" status="reject">

</rootCause>
<rootCause name="Wireless - Ad-hoc network" status="reject">

</rootCause>
<rootCause name="Wireless - Less preferred" status="reject">

</rootCause>
<rootCause name="Wireless - 802.1x enabled" status="reject">

</rootCause>
<rootCause name="Wireless - Configuration mismatch" status="reject">

</rootCause>
<rootCause name="Wireless - Low SNR" status="reject">

</rootCause>
</component>
<component name="IP Configuration Diagnostic" startDiagnosisTime="09/19/11 20:59:26">

<rootCause name="Invalid IP address" status="reject">

<trace traceType="info" text="Valid IP address detected: 192.168.1.64">

</trace>
</rootCause>
</component>
<component name="IP Layer Diagnostic" startDiagnosisTime="09/19/11 20:59:26">

<rootCause name="Corrupted IP routing table" status="reject">

<trace traceType="info" text="The default route is valid">

</trace>
<trace traceType="info" text="The loopback route is valid">

</trace>
<trace traceType="info" text="The local host route is valid">

</trace>
<trace traceType="info" text="The local subnet route is valid">

</trace>
</rootCause>
<rootCause name="Invalid ARP cache entries" status="reject">

<trace traceType="action" text="The ARP cache has been flushed">

</trace>
</rootCause>
</component>
<component name="Gateway Diagnostic" startDiagnosisTime="09/19/11 20:59:26">

<rootCause name="Gateway" status="indeterminate">

<trace traceType="info" text="The following proxy configuration is being used by IE:
Automatically Detect Settings:Enabled
Automatic Configuration Script:
Proxy Server:
Proxy Bypass list:
">

</trace>
<trace traceType="info" text="Could not get proxy settings via the Automatic Proxy Configuration mechanism">

</trace>
<trace traceType="info" text="This computer has the following default gateway entry(ies):
192.168.1.254">

</trace>
<trace traceType="info" text="This computer has the following IP address(es):
192.168.1.64">

</trace>
<trace traceType="info" text="The default gateway is in the same subnet as this computer">

</trace>
<trace traceType="info" text="The default gateway entry is a valid unicast address">

</trace>
<trace traceType="info" text="The default gateway address was resolved via ARP in 1 try(ies)">

</trace>
<trace traceType="info" text="The default gateway was reached via ICMP Ping in 1 try(ies)">

</trace>
<trace traceType="warn" text="Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue">

</trace>
<trace traceType="action" text="Automated repair: Renew IP address">

</trace>
<trace traceType="action" text="Releasing the current IP address...">

</trace>
<trace traceType="action" text="Successfully released the current IP address">

</trace>
<trace traceType="action" text="Renewing the IP address...">

</trace>
<trace traceType="action" text="Successfully renewed the current IP address">

</trace>
<trace traceType="info" text="This computer has the following default gateway entry(ies):
192.168.1.254">

</trace>
<trace traceType="info" text="This computer has the following IP address(es):
192.168.1.64">

</trace>
<trace traceType="info" text="The default gateway is in the same subnet as this computer">

</trace>
<trace traceType="info" text="The default gateway entry is a valid unicast address">

</trace>
<trace traceType="info" text="The default gateway address was resolved via ARP in 1 try(ies)">

</trace>
<trace traceType="info" text="The default gateway was reached via ICMP Ping in 1 try(ies)">

</trace>
<trace traceType="warn" text="Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue">

</trace>
<trace traceType="action" text="Automated repair: Reset network connection">

</trace>
<trace traceType="action" text="Disabling the network adapter">

</trace>
<trace traceType="action" text="Enabling the network adapter">

</trace>
<trace traceType="info" text="Network adapter successfully enabled">

</trace>
<trace traceType="info" text="This computer has the following default gateway entry(ies):
192.168.1.254">

</trace>
<trace traceType="info" text="This computer has the following IP address(es):
192.168.1.64">

</trace>
<trace traceType="info" text="The default gateway is in the same subnet as this computer">

</trace>
<trace traceType="info" text="The default gateway entry is a valid unicast address">

</trace>
<trace traceType="info" text="The default gateway address was resolved via ARP in 1 try(ies)">

</trace>
<trace traceType="info" text="The default gateway was reached via ICMP Ping in 1 try(ies)">

</trace>
<trace traceType="warn" text="Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue">

</trace>
<trace traceType="action" text="Manual repair: Reboot modem">

</trace>
<trace traceType="info" text="This computer has the following default gateway entry(ies):
192.168.1.254">

</trace>
<trace traceType="info" text="This computer has the following IP address(es):
192.168.1.64">

</trace>
<trace traceType="info" text="The default gateway is in the same subnet as this computer">

</trace>
<trace traceType="info" text="The default gateway entry is a valid unicast address">

</trace>
<trace traceType="info" text="The default gateway address was resolved via ARP in 1 try(ies)">

</trace>
<trace traceType="info" text="The default gateway was reached via ICMP Ping in 1 try(ies)">

</trace>
<trace traceType="warn" text="Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue">

</trace>
<trace traceType="info" text="Waiting some time for the modem/router to stabilize">

</trace>
<trace traceType="action" text="Automated repair: Renew IP address">

</trace>
<trace traceType="action" text="Releasing the current IP address...">

</trace>
<trace traceType="action" text="Successfully released the current IP address">

</trace>
<trace traceType="action" text="Renewing the IP address...">

</trace>
<trace traceType="action" text="Successfully renewed the current IP address">

</trace>
<trace traceType="info" text="This computer has the following default gateway entry(ies):
192.168.1.254">

</trace>
<trace traceType="info" text="This computer has the following IP address(es):
192.168.1.64">

</trace>
<trace traceType="info" text="The default gateway is in the same subnet as this computer">

</trace>
<trace traceType="info" text="The default gateway entry is a valid unicast address">

</trace>
<trace traceType="info" text="The default gateway address was resolved via ARP in 1 try(ies)">

</trace>
<trace traceType="info" text="The default gateway was reached via ICMP Ping in 1 try(ies)">

</trace>
<trace traceType="warn" text="Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue">

</trace>
<trace traceType="info" text="Waiting some time for the modem/router to stabilize">

</trace>
<trace traceType="action" text="Automated repair: Renew IP address">

</trace>
<trace traceType="action" text="Releasing the current IP address...">

</trace>
<trace traceType="action" text="Successfully released the current IP address">

</trace>
<trace traceType="action" text="Renewing the IP address...">

</trace>
<trace traceType="action" text="Successfully renewed the current IP address">

</trace>
<trace traceType="info" text="This computer has the following default gateway entry(ies):
192.168.1.254">

</trace>
<trace traceType="info" text="This computer has the following IP address(es):
192.168.1.64">

</trace>
<trace traceType="info" text="The default gateway is in the same subnet as this computer">

</trace>
<trace traceType="info" text="The default gateway entry is a valid unicast address">

</trace>
<trace traceType="info" text="The default gateway address was resolved via ARP in 1 try(ies)">

</trace>
<trace traceType="info" text="The default gateway was reached via ICMP Ping in 1 try(ies)">

</trace>
<trace traceType="warn" text="Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue">

</trace>
<trace traceType="info" text="Waiting some time for the modem/router to stabilize">

</trace>
<trace traceType="action" text="Automated repair: Renew IP address">

</trace>
<trace traceType="action" text="Releasing the current IP address...">

</trace>
<trace traceType="action" text="Successfully released the current IP address">

</trace>
<trace traceType="action" text="Renewing the IP address...">

</trace>
<trace traceType="action" text="Successfully renewed the current IP address">

</trace>
<trace traceType="info" text="This computer has the following default gateway entry(ies):
192.168.1.254">

</trace>
<trace traceType="info" text="This computer has the following IP address(es):
192.168.1.64">

</trace>
<trace traceType="info" text="The default gateway is in the same subnet as this computer">

</trace>
<trace traceType="info" text="The default gateway entry is a valid unicast address">

</trace>
<trace traceType="info" text="The default gateway address was resolved via ARP in 1 try(ies)">

</trace>
<trace traceType="info" text="The default gateway was reached via ICMP Ping in 1 try(ies)">

</trace>
<trace traceType="warn" text="Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue">

</trace>
<trace traceType="info" text="Waiting some time for the modem/router to stabilize">

</trace>
<trace traceType="action" text="Automated repair: Renew IP address">

</trace>
<trace traceType="action" text="Releasing the current IP address...">

</trace>
<trace traceType="action" text="Successfully released the current IP address">

</trace>
<trace traceType="action" text="Renewing the IP address...">

</trace>
<trace traceType="action" text="Successfully renewed the current IP address">

</trace>
<trace traceType="info" text="This computer has the following default gateway entry(ies):
192.168.1.254">

</trace>
<trace traceType="info" text="This computer has the following IP address(es):
192.168.1.64">

</trace>
<trace traceType="info" text="The default gateway is in the same subnet as this computer">

</trace>
<trace traceType="info" text="The default gateway entry is a valid unicast address">

</trace>
<trace traceType="info" text="The default gateway address was resolved via ARP in 1 try(ies)">

</trace>
<trace traceType="info" text="The default gateway was reached via ICMP Ping in 1 try(ies)">

</trace>
<trace traceType="warn" text="Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue">

</trace>
<trace traceType="info" text="Waiting some time for the modem/router to stabilize">

</trace>
<trace traceType="action" text="Automated repair: Renew IP address">

</trace>
<trace traceType="action" text="Releasing the current IP address...">

</trace>
<trace traceType="action" text="Successfully released the current IP address">

</trace>
<trace traceType="action" text="Renewing the IP address...">

</trace>
<trace traceType="action" text="Successfully renewed the current IP address">

</trace>
<trace traceType="info" text="This computer has the following default gateway entry(ies):
192.168.1.254">

</trace>
<trace traceType="info" text="This computer has the following IP address(es):
192.168.1.64">

</trace>
<trace traceType="info" text="The default gateway is in the same subnet as this computer">

</trace>
<trace traceType="info" text="The default gateway entry is a valid unicast address">

</trace>
<trace traceType="info" text="The default gateway address was resolved via ARP in 1 try(ies)">

</trace>
<trace traceType="info" text="The default gateway was reached via ICMP Ping in 1 try(ies)">

</trace>
<trace traceType="warn" text="Hostname www.microsoft.com could not be resolved (Error code 0x2afc). Could be either gateway or DNS issue">

</trace>
</rootCause>
</component>
<component name="DNS Client Diagnostic" startDiagnosisTime="09/19/11 21:00:30">

<rootCause name="DNS - Not a home user scenario" status="reject">

<trace traceType="info" text="Using Web Proxy: no">

</trace>
<trace traceType="info" text="Resolving name ok for (www.microsoft.com): no">

</trace>
</rootCause>
<rootCause name="No DNS servers" status="reject">

</rootCause>
<rootCause name="DNS failure" status="confirm">

<trace traceType="info" text="Query [www.microsoft.com] against DNS Server 192.168.1.254, (Type = 0x1, Options = 0x10e8) returns 0x2726">

</trace>
<trace traceType="action" text="Automated repair: Renew IP address">

</trace>
<trace traceType="action" text="Releasing the current IP address...">

</trace>
<trace traceType="action" text="Successfully released the current IP address">

</trace>
<trace traceType="action" text="Renewing the IP address...">

</trace>
<trace traceType="action" text="Successfully renewed the current IP address">

</trace>
<trace traceType="info" text="Query [www.microsoft.com] against DNS Server 192.168.1.254, (Type = 0x1, Options = 0x10e8) returns 0x2726">

</trace>
<trace traceType="info" text="Redirecting user to support call">

</trace>
</rootCause>
</component>
</xpnetdiag>



