Undetectable DNS Hijack [Closed]


#16
Dixter

    Member

  • Topic Starter
  • 11 posts
Here you are. Results of the same script after redirecting to OpenDNS servers and flushing the local cache.


Windows IP Configuration

Host Name . . . . . . . . . . . . : ComputerName
Primary Dns Suffix . . . . . . . : DomainName.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DomainName.local
                                    DomainName.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : DomainName.local
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-21-70-AF-EC-FC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.80.40.76
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.80.40.1
DHCP Server . . . . . . . . . . . : 10.80.40.15
DNS Servers . . . . . . . . . . . : 208.67.222.222
                                    208.67.220.220
Primary WINS Server . . . . . . . : 10.80.40.15
Lease Obtained. . . . . . . . . . : Friday, December 07, 2012 10:51:27 PM
Lease Expires . . . . . . . . . . : Saturday, December 15, 2012 10:51:27 PM

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Dell Wireless 1395 WLAN Mini-Card
Physical Address. . . . . . . . . : 00-23-4D-C5-5C-0B

Server: resolver1.opendns.com
Address: 208.67.222.222

Name: google.com
Address: 92.123.68.97

Server: resolver1.opendns.com
Address: 208.67.222.222

Name: www.bing.com
Address: 92.123.68.97

Server: resolver1.opendns.com
Address: 208.67.222.222

Name: bing.com
Address: 131.253.13.32

Server: resolver1.opendns.com
Address: 208.67.222.222

Name: yahoo.com
Addresses: 98.138.253.109, 98.139.183.24, 72.30.38.140

Pinging google.com [92.123.68.97] with 32 bytes of data:

Reply from 92.123.68.97: bytes=32 time=18ms TTL=54
Reply from 92.123.68.97: bytes=32 time=17ms TTL=54

Ping statistics for 92.123.68.97:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 18ms, Average = 17ms

Pinging www.bing.com [92.123.68.97] with 32 bytes of data:

Reply from 92.123.68.97: bytes=32 time=17ms TTL=54
Reply from 92.123.68.97: bytes=32 time=25ms TTL=54

Ping statistics for 92.123.68.97:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 25ms, Average = 21ms

Pinging bing.com [131.253.13.32] with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 131.253.13.32:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

Pinging yahoo.com [98.138.253.109] with 32 bytes of data:

Reply from 98.138.253.109: bytes=32 time=63ms TTL=50
Reply from 98.138.253.109: bytes=32 time=59ms TTL=50

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 59ms, Maximum = 63ms, Average = 61ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 21 70 af ec fc ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 23 4d c5 5c 0b ...... Dell Wireless 1395 WLAN Mini-Card - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.80.40.1     10.80.40.76       1
       10.80.40.0    255.255.255.0      10.80.40.76     10.80.40.76      10
      10.80.40.76  255.255.255.255        127.0.0.1       127.0.0.1      10
   10.255.255.255  255.255.255.255      10.80.40.76     10.80.40.76      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0      10.80.40.76     10.80.40.76      10
  255.255.255.255  255.255.255.255      10.80.40.76     10.80.40.76       1
  255.255.255.255  255.255.255.255      10.80.40.76               3       1
Default Gateway:        10.80.40.1
===========================================================================
Persistent Routes:
None
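As an added example that is not part of this thread, the following Python script shows how a defender can triage the kind of nslookup and ping output the batch file above produces instead of reading it by eye. It parses the Name:/Address(es): blocks and the "Pinging name [ip]" lines, then applies two interception heuristics: one address answering for unrelated domains (here 92.123.68.97 for both google.com and www.bing.com), and a name whose answers from two resolvers share no IP (google.com via OpenDNS versus via the internal server in the later run). The sample inputs are constructed from the output posted in this thread, and the registrable-domain helper is a deliberate simplification. A shared address is a lead, not a verdict: CDN and shared-hosting front ends legitimately serve many names, so confirm against a resolver reached over a path the suspect network cannot touch before acting on it.

```python
"""Triage helper for the nslookup/ping output that a diagnostic batch file captures.

Added example, not a script from this thread or from any tool named in it. Two
hijack heuristics: (1) one IP answering for unrelated registrable domains, which is
how a sinkhole or interception proxy fronting many names looks, and (2) the same
name getting disjoint answers from two resolvers. Samples are constructed here.
"""
import re
from collections import defaultdict

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: nslookup blocks from the OpenDNS run posted above.
OPENDNS_RUN = """\
Server: resolver1.opendns.com
Address: 208.67.222.222

Name: google.com
Address: 92.123.68.97

Name: www.bing.com
Address: 92.123.68.97

Name: bing.com
Address: 131.253.13.32

Name: yahoo.com
Addresses: 98.138.253.109, 98.139.183.24, 72.30.38.140
"""

# Constructed sample: the later run against the internal resolver, where the
# google.com lookup timed out but ping still resolved the name somehow.
INTERNAL_RUN = """\
Server: ServerName.DomainName.local
Address: 10.80.40.15

DNS request timed out.

Pinging google.com [87.125.87.99] with 32 bytes of data:

Name: yahoo.com
Addresses: 72.30.38.140, 98.138.253.109, 98.139.183.24
"""

def parse_nslookup(text):
    """Return {name: [ipv4, ...]} from the Name:/Address(es): blocks of nslookup output."""
    answers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # A blank line or a "Server:" header ends the answer block, so the resolver's
        # own "Address:" line is never taken as an answer.
        if not line or line.startswith("Server:"):
            current = None
            continue
        m = re.match(r"^Name:\s*(\S+)$", line)
        if m:
            current = m.group(1).lower().rstrip(".")
            answers.setdefault(current, [])
        elif current is not None:
            # "Address: x", "Addresses: x, y", or a bare continuation line of IPs.
            answers[current].extend(IPV4.findall(line))
    return answers

def parse_ping_targets(text):
    """Return {name: [ipv4]} from 'Pinging <name> [<ip>]' lines (what the OS resolver used)."""
    found = {}
    for name, ip in re.findall(r"Pinging (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]", text):
        found.setdefault(name.lower(), []).append(ip)
    return found

def collect(text):
    """Merge nslookup answers and ping-resolved targets into one {name: [ips]} view."""
    merged = parse_nslookup(text)
    for name, ips in parse_ping_targets(text).items():
        merged.setdefault(name, []).extend(ips)
    return merged

def registrable(name):
    """Crude registrable domain (last two labels); wrong for suffixes like co.uk."""
    return ".".join(name.split(".")[-2:])

def shared_answers(answers):
    """Heuristic 1: {ip: sorted domains} for IPs that answer for more than one domain."""
    by_ip = defaultdict(set)
    for name, ips in answers.items():
        for ip in ips:
            by_ip[ip].add(registrable(name))
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}

def resolver_disagreements(run_a, run_b):
    """Heuristic 2: names seen in both runs whose answer sets share no IP at all."""
    out = {}
    for name in sorted(set(run_a) & set(run_b)):
        a, b = set(run_a[name]), set(run_b[name])
        if a and b and not (a & b):
            out[name] = (sorted(a), sorted(b))
    return out

if __name__ == "__main__":
    opendns, internal = collect(OPENDNS_RUN), collect(INTERNAL_RUN)
    for ip, doms in shared_answers(opendns).items():
        print(f"[shared] {ip} answers for {', '.join(doms)}")
    for name, (a, b) in resolver_disagreements(opendns, internal).items():
        print(f"[differs] {name}: OpenDNS run {a} vs internal run {b}")
```

Feed it the saved output of two runs (one through the normal resolver, one through a resolver you trust and reach by a different path) and compare; a name that disagrees across both, or an address fronting unrelated names in only one of them, points at where the interception sits.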

#17
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :OTL
    IE - HKLM\..\SearchScopes\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}: "URL" = http://www.google.co...g}&sourceid=ie7 <http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7>
    IE - HKLM\..\SearchScopes\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}: "URL" = http://www.google.co...g}&sourceid=ie7 <http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7>
    IE - HKCU\..\SearchScopes\{94F63E4A-09D5-43FB-8091-3E234762C3B5}: "URL" = http://www.google.co...1I7ADFA_enUS488 <http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8&rlz=1I7ADFA_enUS488>
    IE - HKCU\..\SearchScopes\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}: "URL" = http://www.google.co...g}&sourceid=ie7 <http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7>
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know how things are doing.

Gringo

#18
Dixter

    Member

  • Topic Starter
  • 11 posts
Hey Gringo,

It looks like someone came in on Saturday and shut the computer down. I should be able to run the OTL script tomorrow after someone at the site can boot the computer for me. I'll post the results just as soon as I have them for you. Thanks Gringo!

#19
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
no problem!!

#20
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask to remove our tools.

Gringo

#21
Dixter

    Member

  • Topic Starter
  • 11 posts
Hey Gringo,

I'm very sorry for not getting back to you sooner. I have no excuse other than I simply forgot to post the results. Here is what the OTL script came back with:


========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{94F63E4A-09D5-43FB-8091-3E234762C3B5}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94F63E4A-09D5-43FB-8091-3E234762C3B5}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C9D3A52F-DA0F-497C-BFD1-3886C86FF426}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\PCT\cmd.bat deleted successfully.
C:\PCT\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator
->Java cache emptied: 0 bytes

User: administrator.DomainName
->Java cache emptied: 0 bytes

User: All Users

User: CAdmin
->Java cache emptied: 0 bytes

User: Default User

User: dheart
->Java cache emptied: 173780 bytes

User: FullVinh
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService

User: PAdmin

User: QBDataServiceUser18

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 456 bytes

User: administrator.DomainName
->Flash cache emptied: 701 bytes

User: All Users

User: CAdmin
->Flash cache emptied: 492 bytes

User: Default User

User: dheart
->Flash cache emptied: 1269 bytes

User: FullVinh

User: LocalService

User: NetworkService

User: PAdmin

User: QBDataServiceUser18

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.61.5 log created on 12122012_140912



I also went ahead and ran a portion of the router.bat to demonstrate that the behavior is still happening after running the OTL script.


Pinging google.com [92.123.68.97] with 32 bytes of data:
Reply from 92.123.68.97: bytes=32 time=17ms TTL=54
Reply from 92.123.68.97: bytes=32 time=18ms TTL=54

Ping statistics for 92.123.68.97:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 18ms, Average = 17ms


Pinging www.bing.com [92.123.68.97] with 32 bytes of data:
Reply from 92.123.68.97: bytes=32 time=44ms TTL=54
Reply from 92.123.68.97: bytes=32 time=20ms TTL=54

Ping statistics for 92.123.68.97:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 44ms, Average = 32ms


Pinging bing.com [131.253.13.32] with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 131.253.13.32:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=621ms TTL=50
Reply from 98.139.183.24: bytes=32 time=558ms TTL=50

Ping statistics for 98.139.183.24:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 558ms, Maximum = 621ms, Average = 589ms


Thanks again Gringo and keep the suggestions coming. I'm really hoping we can figure this one out.

#22
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: when using the "Reset FF Proxy Settings" option, Firefox should be closed.

#23
gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, a reminder that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask to remove our tools.

Gringo

#24
Dixter

    Member

  • Topic Starter
  • 11 posts
Sorry Gringo, been under the weather. Here are the most recent requested results:


MiniToolBox by Farbar Version: 25-11-2012
Ran by Administrator (administrator) on 18-12-2012 at 17:21:19
Running from "C:\PCT"
Microsoft Windows XP Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Broadcom NetXtreme 57xx Gigabit Controller = Local Area Connection (Connected)
1394 Net Adapter = 1394 Connection 2 (Connected)
Dell Wireless 1395 WLAN Mini-Card = Wireless Network Connection (Media disconnected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=static addr=10.80.40.15 register=PRIMARY
add dns name="Local Area Connection" addr=8.8.8.8 index=2
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration


Windows IP Configuration

Host Name . . . . . . . . . . . . : ComputerName
Primary Dns Suffix . . . . . . . : DomainName.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DomainName.local
                                    DomainName.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : DomainName.local
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-21-70-AF-EC-FC
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.80.40.76
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.80.40.1
DHCP Server . . . . . . . . . . . : 10.80.40.15
DNS Servers . . . . . . . . . . . : 10.80.40.15
                                    8.8.8.8
Primary WINS Server . . . . . . . : 10.80.40.15
Lease Obtained. . . . . . . . . . : Tuesday, December 18, 2012 7:40:19 AM
Lease Expires . . . . . . . . . . : Wednesday, December 26, 2012 7:40:19 AM

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Dell Wireless 1395 WLAN Mini-Card
Physical Address. . . . . . . . . : 00-23-4D-C5-5C-0B

Server: ServerName.DomainName.local
Address: 10.80.40.15

DNS request timed out.
timeout was 2 seconds.

Pinging google.com [87.125.87.99] with 32 bytes of data:

Reply from 87.125.87.99: bytes=32 time=22ms TTL=54
Reply from 87.125.87.99: bytes=32 time=17ms TTL=54

Ping statistics for 87.125.87.99:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 17ms, Maximum = 22ms, Average = 19ms

Server: ServerName.DomainName.local
Address: 10.80.40.15

Name: yahoo.com
Addresses: 72.30.38.140, 98.138.253.109, 98.139.183.24

Pinging yahoo.com [98.138.253.109] with 32 bytes of data:

Reply from 98.138.253.109: bytes=32 time=58ms TTL=50
Reply from 98.138.253.109: bytes=32 time=89ms TTL=50

Ping statistics for 98.138.253.109:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 58ms, Maximum = 89ms, Average = 73ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 21 70 af ec fc ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 23 4d c5 5c 0b ...... Dell Wireless 1395 WLAN Mini-Card - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.80.40.1     10.80.40.76      10
       10.80.40.0    255.255.255.0      10.80.40.76     10.80.40.76      10
      10.80.40.76  255.255.255.255        127.0.0.1       127.0.0.1      10
   10.255.255.255  255.255.255.255      10.80.40.76     10.80.40.76      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0      10.80.40.76     10.80.40.76      10
  255.255.255.255  255.255.255.255      10.80.40.76     10.80.40.76       1
  255.255.255.255  255.255.255.255      10.80.40.76               3       1
Default Gateway:        10.80.40.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\system32\PGPlsp.dll [68664] (PGP Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\PGPlsp.dll [68664] (PGP Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================



System errors:
=============
Error: (12/17/2012 10:04:47 AM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2729450).

Error: (12/17/2012 10:04:35 AM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2698023).

Error: (12/17/2012 10:03:40 AM) (Source: Windows Update Agent) (User: )
Description: Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Vista, and Windows Server 2008 x86 (KB2698023).

Error: (12/10/2012 07:45:15 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (12/07/2012 05:40:03 PM) (Source: Service Control Manager) (User: )
Description: The NTRU TSS v1.2.1.25 TCS service terminated unexpectedly. It has done this 1 time(s).

Error: (12/07/2012 05:40:03 PM) (Source: Service Control Manager) (User: )
Description: The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).

Error: (12/07/2012 05:28:52 PM) (Source: TermServDevices) (User: )
Description: Driver Kyocera CS-2560 required for printer WebEx Document Loader is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/07/2012 05:28:51 PM) (Source: TermServDevices) (User: )
Description: Driver Kyocera CS-2560 required for printer Kyocera CS-2560 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/07/2012 05:28:50 PM) (Source: TermServDevices) (User: )
Description: Driver HP LaserJet P4515 PCL6 required for printer HP LaserJet P4515 PCL6 is unknown. Contact the administrator to install the driver before you log in again.

Error: (12/07/2012 05:28:16 PM) (Source: TermServDevices) (User: )
Description: Driver HP LaserJet 4050 Series PCL 5 required for printer HP LaserJet 4050 Series PCL 5 is unknown. Contact the administrator to install the driver before you log in again.


Microsoft Office Sessions:
=========================
Error: (12/06/2012 03:33:11 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1202 seconds with 600 seconds of active time. This session ended with a crash.

Error: (11/30/2012 03:02:17 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 601 seconds with 540 seconds of active time. This session ended with a crash.

Error: (09/11/2012 11:56:27 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 5161 seconds with 60 seconds of active time. This session ended with a crash.

Error: (09/11/2012 10:30:17 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 9695 seconds with 480 seconds of active time. This session ended with a crash.

Error: (08/20/2012 09:43:21 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1202 seconds with 120 seconds of active time. This session ended with a crash.

Error: (03/07/2012 01:19:25 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2416 seconds with 180 seconds of active time. This session ended with a crash.

Error: (01/19/2012 02:45:03 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 601 seconds with 600 seconds of active time. This session ended with a crash.

Error: (12/06/2011 01:15:52 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1492 seconds with 0 seconds of active time. This session ended with a crash.

Error: (12/06/2011 00:50:50 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 4242 seconds with 1860 seconds of active time. This session ended with a crash.

Error: (11/18/2011 03:24:24 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2039 seconds with 480 seconds of active time. This session ended with a crash.


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 2.1.2)
ABBYY FineReader for ScanSnap ™ 4.0 (Version: 8.00.245.56422)
Adobe Acrobat 8 Standard - English, Français, Deutsch (Version: 8.1.4)
Adobe Acrobat 8.1.4 Standard (Version: 8.1.4)
Adobe Flash Player 11 ActiveX (Version: 11.5.502.135)
AuthenTec Fingerprint Sensor Minimum Install (Version: 7.8.1.0)
biolsp patch (Version: 01.00.02.0005)
Broadcom Management Programs (Version: 10.20.03)
CardMinder (Version: V4.0L10)
CardMinder V3.1 (Version: 3.1.10.1)
Checkpoint Tools for PPC (Version: 2009.0.27)
Citrix Presentation Server Client (Version: 10.00.52110)
Conexant HDA D330 MDC V.92 Modem (Version: 7.74.00)
Crystal Reports9 (Version: 2005.1020.1239.0001)
Dell Drivers MSI (Version: 01.00.00.0010)
Dell Embassy Trust Suite by Wave Systems (Version: 02.01.00.026)
Dell Touchpad (Version: 10.1.2.0)
Dell Wireless WLAN Card Utility (Version: 4.170.77.13)
Digital Line Detect (Version: 1.21)
Document Manager Lite (Version: 06.06.00.066)
EMBASSY Security Center (Version: 03.06.00.031)
EMBASSY Security Setup (Version: 03.06.00.027)
EMBASSY Trust Suite by Wave Systems (Version: 02.01.01.25)
ESC Home Page Plugin (Version: 03.01.00.018)
ESET Online Scanner v3
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892) (Version: 9.3.4053)
Gemalto (Version: 01.00.00.0010)
GemSafe Standard Edition 5.1 (Version: 5.10.000.007)
GFI Business Agent (Version: 5.0.4464)
Global fx Components (Version: 11.11.1203.1009)
Google Chrome (Version: 23.0.1271.97)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.4.3607.2246)
Google Update Helper (Version: 1.3.21.123)
ITSupport247-DPMA (Version: 5.1.7)
Java Auto Updater (Version: 2.0.7.2)
Java™ 6 Update 37 (Version: 6.0.370)
Java™ 6 Update 7 (Version: 1.6.0.70)
LogMeIn (Version: 4.0.680)
Malwarebytes Anti-Malware version 1.65.1.1000 (Version: 1.65.1.1000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Access Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office InfoPath MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Outlook MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Professional Plus 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (French) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6425.1000)
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6425.1000)
Microsoft OLE DB Provider for Visual FoxPro (Version: 9.0.0.3504)
Microsoft Outlook Personal Folders Backup (Version: 1.10.0.0)
Microsoft Silverlight (Version: 4.1.10329.0)
Microsoft Software Update for Web Folders (English) 12 (Version: 12.0.6425.1000)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (PRACTICESOLUTION) (Version: 9.3.4035.00)
Microsoft SQL Server Native Client (Version: 9.00.4035.00)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.4035.00)
Microsoft SQL Server VSS Writer (Version: 9.00.4035.00)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft WSE 3.0 (Version: 3.0.5305.0)
Modem Diagnostic Tool (Version: 1.0.24.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
MSXML 6.0 Parser (Version: 6.10.1129.0)
NetWaiting (Version: 2.5.53)
NTRU TCG Software Stack (Version: 2.1.25)
NVIDIA Drivers
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
PaperVision Document Viewer Controls (Version: 66)
PGP Desktop (Version: 9.9.1.287)
PPC e-Practice Aids Compilation and Review Engagements (8-08) (Version: 2008.8.6)
PPC Practice Aids Audits of 403(b) Plans (4-09) (Version: 2009.4.8)
PPC Practice Aids Audits of Employee Benefit Plans (2-09) (Version: 2009.2.21)
PPC Practice Aids Audits of Nonpublic Companies (1-09) (Version: 2009.1.4)
PPC Practice Aids Audits of Nonpublic Companies (11-09) (Version: 2009.11.11)
PPC Practice Aids Compilation and Review Engagements (7-09) (Version: 2009.7.5)
PPC Practice Aids Quality Control (2-09) (Version: 2009.2.7)
PPCWebMultiSelect (Version: 1.3.6)
Preboot Manager (Version: 2.0.1.2)
Private Information Manager (Version: 06.01.00.023)
ProSystem fx Practice Management (Version: 2010.10.03
ProSystem fx Workstation
QB Connection Diagnostic Tool (Version: 3.0.0.0)
QuickBooks Pro 2008 (Version: 18.0.4010.606)
QuickSet (Version: 8.3.17)
Roxio Activation Module (Version: 1.0)
Roxio Creator Audio (Version: 3.5.0)
Roxio Creator BDAV Plugin (Version: 3.5.0)
Roxio Creator Copy (Version: 3.5.0)
Roxio Creator Data (Version: 3.5.0)
Roxio Creator DE (Version: 3.5.0)
Roxio Creator Tools (Version: 3.5.0)
Roxio Drag-to-Disc (Version: 9.1)
Roxio Express Labeler 3 (Version: 3.2.1)
Roxio Update Manager (Version: 6.0.0)
ScanSnap (Version: 5.0.11.1)
ScanSnap Manager (Version: V5.0L11)
ScanSnap Organizer (Version: 3.1.12.1)
ScanSnap Organizer (Version: 4.0.11.1)
ScanSnap Organizer (Version: V4.0L11)
Secure Update (Version: 05.04.00.010)
Security Wizards (Version: 01.04.00.014)
Sonic CinePlayer Decoder Pack (Version: 4.2.0)
SonicWALL SSL-VPN NetExtender (Version: 2.5.70)
SupportSoft Assisted Service (Version: 15)
Symantec Ghost Console Client (Version: 115.00.2141)
System Files (Version: 20.11.1122.1400)
Tax Forms Helper 2011 10.0
Trusted Drive Manager (Version: 2.1.1.2)
tsp patch (Version: 01.00.00.0000)
TValue 5
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Outlook 2007 Junk Email Filter (KB2443839)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB975364) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
upekmsi (Version: 02.00.03.0000)
Wave Infrastructure Installer (Version: 05.00.01.0050)
Wave Support Software (Version: 05.07.00.026)
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows Search 4.0 (Version: 04.00.6001.503)
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

========================= Memory info: ===================================

Percentage of memory in use: 25%
Total physical RAM: 3582.05 MB
Available physical RAM: 2660.41 MB
Total Pagefile: 5463.95 MB
Available Pagefile: 4583.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.65 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:74.43 GB) (Free:47.34 GB) NTFS
3 Drive o: (Data) (Network) (Total:837.25 GB) (Free:419.58 GB) NTFS
4 Drive q: (Data) (Network) (Total:837.25 GB) (Free:419.58 GB) NTFS
5 Drive r: (Data) (Network) (Total:837.25 GB) (Free:419.58 GB) NTFS

========================= Users: ========================================

User accounts for \\ComputerName

Administrator Guest HelpAssistant
jeff QBDataServiceUser18 SUPPORT_388945a0

========================= Minidump Files ==================================

C:\WINDOWS\Minidump\Mini031811-01.dmp
C:\WINDOWS\Minidump\Mini032311-01.dmp

**** End of log ****

#25
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

#26
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo

#27
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#28
gringo_pr

gringo_pr

    Trusted Helper

  • Malware Removal
  • 7,268 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.